Topic: HOWTO: Ettercap tips and tricks
ettercap is a great tool that is included on S-T-D and many Knoppix variants. ettercap 0.7.3 has a nice GUI, but in order to try to make these tips usable across the widest range of versions, i will stick to Text mode. the S-T-D version is older, but newer versions of S-T-D will include newer versions of ettercap.
ettercap -T is the text mode interface; hit h and you will see the commands. it is fairly interactive. for this first tip, here is how to use the remote_browser plugin. it lets a netscape-based browser (Firebird, Mozilla, Firefox, Netscape, and probably others) on the attacking machine silently follow the web pages that a victim machine visits.
on the attacking machine, FIRST start your browser. on my test system, the attacking machine was tried both using a local squid proxy (blocks ads, makes everything HTTP faster) and without it. here's the one-liner that does it all:
ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser
the -T starts it in text mode.
the -Q makes ettercap superquiet (it does not print raw packets in the terminal window).
the -M starts man-in-the-middle mode; arp:remote is the type of poisoning, and remote is a parameter for the MITM. these switches can be combined into one, like -TQM, but for clarity i put them separately.
the -i wlan0 specifies the network interface and is optional; if you have only one network interface it is probably not needed. in this case, i was on a laptop using a wifi connection to my AP. this works just as well as a wired connection, and takes no other preparation than being properly associated with the access point. yours may be eth0, or whatever is listed in ifconfig.
the /10.10.10.23/ is the victim ip and // means 'the rest of the segment'. i tried it without the // in hopes that it wouldn't have to poison the whole segment, but it didn't seem to work. i know that using ettercap in other ways you can single out one machine without making a lot of noise on the network.
the -P remote_browser is the plugin to follow the victim browser.
NOTE: the victim IP must be in the same subnet as your PC.
start it up from a root terminal window with the command:
ettercap -T -Q -M arp:remote -i wlan0 /10.10.10.23/ // -P remote_browser
you will see some messages go by, about the version, the interface it is listening on along with your MAC, IP and subnet. after some information about ettercap's various dissectors and services, you will see the arp scan, "Scanning the whole netmask for 255 hosts". this is definitely noisy to an IDS, and you probably should not be experimenting with this at work anyway, so wait till you get home or in your test lab... ;^)
you will now see your browser follow along with the 10.10.10.23 browser. i tested having both Dillo and Firefox .91 and 1.0.6 followed, on both Damn Small Linux and Fedora 4. this is not a 'windows trick'; it works on basic TCP/IP communications. this will not work on an HTTPS/SSL page, although ettercap's other plugins can use HTTPS. sometimes i would just get a page of HTML. it was interesting to notice that when i trailed it to Slashdot it worked fine, but when i clicked a 'Read More' the trailing machine got hung up on a filename of '1x1 GIF', which is probably a web tracking bug.
when you are done, it is IMPORTANT to end ettercap properly with a q. this re-arps the victims and restores the network to normal. be careful with ettercap: you have just potentially poisoned the ARP cache on 255 machines, and if you just close the window you may leave the network in a shambles, and IDS systems may easily point to your IP as a problem child.
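to see what the "noisy to an IDS" part and the re-arp on quit look like from the other side of the wire, here is an added example (written for this page, not ettercap's code and not from the original post) of the check an ARP monitor runs: it keeps an IP-to-MAC table from ARP replies and alerts when a binding flips to another MAC or when one MAC starts answering for many IPs, which is exactly what an arp:remote poison of the whole segment produces. it assumes the traffic has been captured as text in the shape tcpdump -n prints for ARP packets; the log in the block is a constructed sample, not a real capture, and the threshold of 3 IPs per MAC is an assumed tuning value.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example, not part of the original post. It assumes ARP traffic has
been captured as text in the shape 'tcpdump -n' prints for ARP packets
(e.g. '... ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:01, length 28');
the log below is a constructed sample, not a real capture.
"""
import re
from collections import defaultdict

# One ARP reply per line; requests and other traffic are ignored.
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)

# A single MAC answering for this many IPs is treated as suspicious
# (assumed threshold; a whole-segment poison claims every host at once).
MANY_IPS_THRESHOLD = 3

# Constructed sample: legitimate replies from the gateway (.1) and a host (.23),
# then one MAC answering for the gateway and every host, then the gateway
# announcing its real MAC again (what a clean re-arp on quit looks like).
SAMPLE_LOG = """\
12:00:01.000001 ARP, Request who-has 10.10.10.1 tell 10.10.10.23, length 28
12:00:01.000200 ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000100 ARP, Reply 10.10.10.23 is-at 00:11:22:33:44:23, length 28
12:00:10.000300 ARP, Reply 10.10.10.1 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:10.000400 ARP, Reply 10.10.10.23 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:10.000500 ARP, Reply 10.10.10.7 is-at aa:bb:cc:dd:ee:ff, length 28
12:00:10.000600 ARP, Reply 10.10.10.8 is-at aa:bb:cc:dd:ee:ff, length 28
12:05:00.000001 ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:01, length 28
"""


def parse_arp_reply(line):
    """Return (sender_ip, sender_mac) for an ARP reply line, else None."""
    m = ARP_REPLY_RE.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2).lower()


class ArpWatch:
    """Track IP->MAC bindings and raise alerts on poisoning symptoms."""

    def __init__(self, threshold=MANY_IPS_THRESHOLD):
        self.threshold = threshold
        self.ip_to_mac = {}                 # last MAC that answered for each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
        self.alerts = []

    def observe(self, ip, mac):
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A binding flipping to another MAC is the classic poisoning sign;
            # it fires again when the real host re-announces itself.
            self.alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) == self.threshold:
            # Fires once, when the MAC first reaches the threshold.
            self.alerts.append(
                f"{mac} now answers for {self.threshold} IPs: "
                f"possible whole-segment ARP poisoning")

    def suspects(self):
        """MACs that have answered for at least `threshold` distinct IPs."""
        return {mac for mac, ips in self.mac_to_ips.items()
                if len(ips) >= self.threshold}


def analyze(log_text, threshold=MANY_IPS_THRESHOLD):
    """Feed every ARP reply in `log_text` to ArpWatch; return its findings."""
    watch = ArpWatch(threshold)
    for line in log_text.splitlines():
        parsed = parse_arp_reply(line)
        if parsed is not None:
            watch.observe(*parsed)
    return {"alerts": watch.alerts, "suspects": watch.suspects()}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT:", alert)
    print("suspect MACs:", sorted(result["suspects"]))
```

run against the sample it raises four alerts: the gateway and victim bindings flipping to the attacker MAC, that MAC reaching three IPs, and the gateway binding flipping back when the real gateway answers again. that last alert is the trace a proper q leaves; if the window is just closed, the poisoned bindings simply stay until the caches time out, with no restoring reply at all.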
have fun, and let us know of additions or corrections to this, it is by no means comprehensive.