An Intro to ETTERCAP - A multipurpose sniffer over switched LANs
s
Here is a brief intro to Ettercap a multipurpose sniffer over switched LANs. First read this post about What is Ettercap?, What is Man-in-the-Middle Attack? and something more interesting. We will learn how to use ettercap in next tutorial. For those who don't like command line interface, it's also provided with easy graphical interface.
What is Ettercap?
Ettercap was born as sniffer, but during development it has gained more and more features and become more powerful tool for mainly man-in-the-middle attacks. It supports many protocols and includes many features for network and host analysis like OS fingerprinting.Ettercap is able to perform attacks against the ARP protocol by positioning itself as "man in the middle".
What is a "man in the middle" attack?
This is an attack where a pirate put its machine in the logical way between two machines speaking together as shown in the picture below. Once in this position, the pirate can launch a lot of different very dangerous attacks because he/she is in the way between to two normal machines.
Sniffing methods
Characters injection in an established connection : you can inject character to server (emulating commands)
or to client (emulating replies) maintaining the connection alive !!
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
Remote traffic sniffing through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it
Plug-ins support : You can create your own plugin using the ettercap’s API.
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11,NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE,QUAKE 3, MSN, YMSG (other protocols coming soon...)
Packet filtering/dropping: You can set up a filter chain that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.
Passive OS fingerprint: you scan passively the lan (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running rervices, open ports, IP, mac address and network adapter vendor.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter (it uses the nmap (c) Fyodor database)
Kill a connection: from the connections list you can kill all the connections you want
Packet factory: You can create and sent packet forged on the fly. The factory let you to forge from Ethernet header to application level.
Bind sniffed data to a local port You can connect to that port with a client and decode unknown protocols or inject data to it (only in arp based mode)
Supporting Platforms
Enjoy!!
!
What is Ettercap?
Ettercap was born as sniffer, but during development it has gained more and more features and become more powerful tool for mainly man-in-the-middle attacks. It supports many protocols and includes many features for network and host analysis like OS fingerprinting.Ettercap is able to perform attacks against the ARP protocol by positioning itself as "man in the middle".
What is a "man in the middle" attack?
This is an attack where a pirate put its machine in the logical way between two machines speaking together as shown in the picture below. Once in this position, the pirate can launch a lot of different very dangerous attacks because he/she is in the way between to two normal machines.
Sniffing methods
- IP Based
- MAC Based
- ARP Based
- SMARTARP Based
- Public ARP
Characters injection in an established connection : you can inject character to server (emulating commands)
or to client (emulating replies) maintaining the connection alive !!
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
Remote traffic sniffing through GRE tunnel: you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it
Plug-ins support : You can create your own plugin using the ettercap’s API.
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11,NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE,QUAKE 3, MSN, YMSG (other protocols coming soon...)
Packet filtering/dropping: You can set up a filter chain that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.
Passive OS fingerprint: you scan passively the lan (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running rervices, open ports, IP, mac address and network adapter vendor.
OS fingerprint: you can fingerprint the OS of the victim host and even its network adapter (it uses the nmap (c) Fyodor database)
Kill a connection: from the connections list you can kill all the connections you want
Packet factory: You can create and sent packet forged on the fly. The factory let you to forge from Ethernet header to application level.
Bind sniffed data to a local port You can connect to that port with a client and decode unknown protocols or inject data to it (only in arp based mode)
Supporting Platforms
- Linux 2.0.x 2.2.x 2.4.x 2.6.x
- FreeBSD <= 8.2
- OpenBSD 2.[789] 3.0
- NetBSD 1.5
- Mac OS X (Snow Leopard & Lion)
- Windows NT4 2000 XP 2003 Win7
- Solaris 11
Enjoy!!
!
it's copied content from my site http://technoknol.blogspot.com
ReplyDeleteor
if you copy content just add backlink to my site.
http://technoknol.blogspot.com/2012/01/intro-to-ettercap-multipurpose-sniffer.html