Ettercap – All roads lead to CLI

Posted on January 24, 2012


For the tutorial about the MTM attack, I started an article in the Sec IT’s wiki about Ettercap. Ettercap is a free and open-source tool for man in the middle (MITM) attack on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

The first issue was to install it on my OS X Lion. I already had the required libraries installed so I directly downloaded the source code of the version 0.7.4. I first run the ./configure but it stopped because GTK+ was not installed so I downloaded it. Since I wanted to do an article, I wanted to get GTK+ to illustrate it with printscreens and describe the application in a manner that anyone could uses and understands it. Once installed, I run ./configure again. Everything worked properly and I had a nice output telling ettercap has been configured. Then I run the make command which stuck for a problem with libtool. After couple of googling and tests, I finally decided to install ettercap with MacPorts. It was the first time I used this system and I was pretty impressed by its effectiveness. I run the command: sudo port search ettercap, I found 2 packages: ettercap and ettercap-ng. I installed ettercap-ng: sudo port install ettercap-ng, everything worked properly. MacPorts checks for all dependencies and installed them. Once the installation done, I run ettercap with the Graphic User Interface (GUI) using GTK+: sudo ettercap -G. The window appeared, I select the unified sniffing configuration and select my interface en1. I performed an ARP poisoning, started the sniffing and checked the statistics. Ettercap intercepted packets, but not from the victim. I figured out that the device spoofed couldn’t reach the default gateway. The packet wasn’t forwarded properly. After other tests on Virtual Machines (Windows and Ubuntu) I figured out that my configuration was ok (I tried to perform a successful MITM attack with Cain & Abel) I decided to come back on my OS X and use ettercap in line code. After a quick look in the man, I run the command:
sudo ettercap -T -q -i en1 -w dump -M ARP / /

I browse couple of website with the target computer ( then stop the capture. I run Wireshark and open the dump file generated by ettercap and I got want I wanted for 2 days: the dump of the communication between the computer and the default gateway.

Here is a short description of the command:

  • sudo: It is to run the command with all privileges.
  • ettercap: the application for the ARP poisoning and the sniffing of the communication.
  • -T -q: It is to use ettercap with the text interface (command line).
  • -i en1: It is to use the interface en1 (wireless) connected to the network where I want to perform the MITM attack.
  • -w dump: It stores the captured communication in the file named dump in a format readable by Wireshark.
  • – M ARP: It is the option for performing a MITM attack with the ARP poisoning method.
  • / It is the victim’s IP address.
  • / It is the default GW IP address.

I know at the end, I didn’t really give solutions for the problems I faced, neither described the reasons why it occurs. For Mac users, I found a very interesting post about installing Ettercap 0.7.3 on OS X Lion written by Austen Conrad. I think this might help if you want to install ettercap without MacPorts. It should work fine, but be sure you have the version 0.7.3. For Linux users (Debian-based), just use apt-get and the command line I wrote. For Windows users, let’s hope it is just because I didn’t have the right installer.

Posted in: Tosch production