Commit | Line | Data |
---|---|---|
1d0ff707 | 1 | diff -urN ettercap-0.5.4.orig/ettercap.8 ettercap-0.5.4/ettercap.8 |
2 | --- ettercap-0.5.4.orig/ettercap.8 Thu Jan 1 01:00:00 1970 | |
3 | +++ ettercap-0.5.4/ettercap.8 Thu Sep 6 17:14:33 2001 | |
4 | @@ -0,0 +1,552 @@ | |
5 | +.\" ettercap -- a ncurses-based sniffer/interceptor utility for switched LAN | |
6 | +.\" | |
7 | +.\" Copyright (C) 2001 ALoR <alor@users.sourceforge.net>, NaGA <crwm@freemail.it> | |
8 | +.\" | |
9 | +.\" This program is free software; you can redistribute it and/or modify | |
10 | +.\" it under the terms of the GNU General Public License as published by | |
11 | +.\" the Free Software Foundation; either version 2 of the License, or | |
12 | +.\" (at your option) any later version. | |
13 | +.\" | |
14 | +.\" This program is distributed in the hope that it will be useful, | |
15 | +.\" but WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | +.\" GNU General Public License for more details. | |
18 | +.\" | |
19 | +.\" You should have received a copy of the GNU General Public License | |
20 | +.\" along with this program; if not, write to the Free Software | |
21 | +.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. | |
22 | +.de Sp | |
23 | +.if n .sp | |
24 | +.if t .sp 0.4 | |
25 | +.. | |
26 | +.TH ETTERCAP "8" "20010906" "ettercap 0.5.4" | |
27 | +.SH NAME | |
28 | +.B ettercap 0.5.4 \- A multipurpose sniffer over switched LANs | |
29 | + | |
30 | +.SH SYNOPSIS | |
31 | +.B ettercap | |
32 | +[\fIOPTIONS\fR] [\fIHOST:PORT\fR] [\fIHOST:PORT\fR] [\fIMAC\fR] [\fIMAC\fR] | |
33 | + | |
34 | +.SH DESCRIPTION | |
35 | +Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" one), | |
36 | +but during the development process it has gained more and more feature that have | |
37 | +changed it to a powerful and flexible tool for man-in-the-middle attacks. | |
38 | +It supports active and passive dissection of many protocols (even ciphered ones) | |
39 | +and includes many feature for network and host analysis (such as OS fingerprint). | |
40 | +.PP | |
41 | +It has five sniffing methods: | |
42 | +.br | |
43 | ++ IPBASED, the packets are filtered matching IP:PORT source and IP:PORT dest | |
44 | +.br | |
45 | ++ MACBASED, packets filtered matching the source and dest MAC address. (useful | |
46 | +to sniff connections through gateway) | |
47 | +.br | |
48 | ++ ARPBASED, uses arp poisoning to sniff in switched LAN between two hosts | |
49 | +(full-duplex m-i-t-m). | |
50 | +.br | |
51 | ++ SMARTARP, uses arp poisoning to sniff in switched LAN from a victim host to all other | |
52 | +hosts knowing the entire list of the hosts (full-duplex m-i-t-m). | |
53 | +.br | |
54 | ++ PUBLICARP, uses arp poison to sniff in switched LAN from a victim host to all other | |
55 | +hosts (half-duplex). | |
56 | +.br | |
57 | +With this method the ARP replies are sent in broadcast, but if ettercap has the complete | |
58 | +host list (on start up it has scanned the LAN) SMARTARP method is automatically selected, | |
59 | +and the arp replies are sent to all the hosts but the victim, avoiding conflicting MAC | |
60 | +addresses as reported by win2K. | |
61 | +.PP | |
62 | +The most relevant ettercap features are: | |
63 | +.PP | |
64 | +.B Characters injection in an established connection : | |
65 | +you can inject character to server (emulating commands) or to client (emulating replies) | |
66 | +maintaining the connection alive !! | |
67 | +.PP | |
68 | +.B SSH1 support : | |
69 | +you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the | |
70 | +first software capable to sniff an SSH connection in FULL-DUPLEX | |
71 | +.PP | |
72 | +.B HTTPS support : | |
73 | +you can sniff http SSL secured data... and even if the connection is made through a PROXY | |
74 | +.PP | |
75 | +.B Plug-ins support : | |
76 | +You can create your own plugin using the ettercap's API. | |
77 | +.PP | |
78 | +.B Password collector for : | |
79 | +TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, | |
80 | +SOCKS 5, IMAP 4, VNC (other protocols coming soon...) | |
81 | +.PP | |
82 | +.B Packet filtering/dropping: | |
83 | +You can set up a filter chain that search for a particular string (even hex) in the TCP | |
84 | +or UDP payload and replace it with yours or drop the entire packet. | |
85 | +.PP | |
86 | +.B OS fingerprint: | |
87 | +you can fingerprint the OS of the victim host and even its network adapter (it uses the | |
88 | +nmap (c) Fyodor database) | |
89 | +.PP | |
90 | +.B Kill a connection: | |
91 | +from the connections list you can kill all the connections you want | |
92 | +.PP | |
93 | +.B Packet factory: | |
94 | +You can create and sent packet forged on the fly. The factory let you to forge from Ethernet | |
95 | +header to application level. | |
96 | + | |
97 | +.PP | |
98 | +.SH OPTIONS | |
99 | +Options that make sense together can generally be combined. ettercap will warn the user | |
100 | +about unsupported option combinations. | |
101 | +.TP | |
102 | +.B SNIFFING METHODS | |
103 | +.TP | |
104 | +\fB\-a\fR, \fB\-\-arpsniff\fR | |
105 | +ARP BASED sniffing | |
106 | +.br | |
107 | +This is THE sniffing method for switched LAN, and if you want to use the man-in-the-middle | |
108 | +technique you have to use it. In conjunction with the silent mode (-z option) you must | |
109 | +specify two IP and two MAC for ARPBASED (full-duplex) or one IP and one MAC for PUBLICARP | |
110 | +(half-duplex). in PUBLICARP the ARP replies are sent in broadcast, but if ettercap has | |
111 | +the complete host list (on start up it has scanned the LAN) SMARTARP method is automatically | |
112 | +selected, and the arp replies are sent to all the hosts but the victim, and an hash table | |
113 | +is created to re-route back the packet form victim to client obtaining in this way a full-duplex | |
114 | +man in the middle attack. | |
115 | +.br | |
116 | +Filters that have as action a replacement or a drop, can be used only with ARPBASED | |
117 | +sniffing because it is necessary to re-adjust the sequence number in full-duplex in order | |
118 | +to maintain the connection alive. | |
119 | +.TP | |
120 | +\fB\-s\fR, \fB\-\-sniff\fR | |
121 | +IP BASED sniffing | |
122 | +.br | |
123 | +This is the good old style sniffing method. It rocks on "hubbed" LAN, but useless on switched | |
124 | +ones. You can choose the target specifying only source, only dest, with or without port, or | |
125 | +nothing (to sniff all connections). A special ip "ANY" means from or to every host. | |
126 | +.TP | |
127 | +\fB\-m\fR, \fB\-\-macsniff\fR | |
128 | +MAC BASED sniffing (you must select two host for this) | |
129 | +.br | |
130 | +Very useful to sniff TCP traffic with remote hosts. On hubbed LANs if you want to sniff a | |
131 | +connection through a gateway is useless to specify the victim's ip and the gateway's ip, | |
132 | +because the packet are for an external host, not for the gateway. So you can use this method. | |
133 | +Simply specify the victim's MAC and the gateway's MAC and you will see all the connections | |
134 | +from and to the Internet. | |
135 | + | |
136 | + | |
137 | +.TP | |
138 | +.B GENERAL OPTIONS | |
139 | +.TP | |
140 | +\fB\-N\fR, \fB\-\-simple\fR | |
141 | +NON interactive mode (without ncurses) | |
142 | +.br | |
143 | +This method is useful if you want to launch ettercap from a script or if you already | |
144 | +know some informations of your target or if you want to launch ettercap in background | |
145 | +collecting data or password for you (in combination with the --quiet option). | |
146 | +.br | |
147 | +Some features are not available in this method, obviously the ones which requires | |
148 | +interaction with the user, such as characters injection. But others (for example filtering) | |
149 | +are fully supported, so you can set up ettercap to poison two host (a victim and its gateway) | |
150 | +and to filter all its connection on the port 80 and replace some string with others, | |
151 | +all its traffic to the Internet will be changed as you wish. | |
152 | +.TP | |
153 | +\fB\-z\fR, \fB\-\-silent\fR | |
154 | +start in silent mode (no arp storm on start up) | |
155 | +.br | |
156 | +If you want to launch ettercap with a non invasive method (some NIDS may raise a warn | |
157 | +if they detects too much arp request). You have to know all the requested data of the | |
158 | +target in order to use this options. For example if you want to poison two host, you need | |
159 | +the two IP and the two MAC addresses of the victims. | |
160 | +If you select ipsniff or macsniff this method is automatically selected, because you don't | |
161 | +need to know the list of the host in the LAN. | |
162 | +.br | |
163 | +To know the entire list of the hosts use "ettercap -Nl", but remember that it is a invasive | |
164 | +method. | |
165 | +.TP | |
166 | +\fB\-b\fR, \fB\-\-broadping\fR | |
167 | +use a broadcast ping instead of arp storm on start up. | |
168 | +.br | |
169 | +this method is less intrusive, but even less accurate. some hosts will not respond at the | |
170 | +broadcast ping (es. Windows) so they remain invisible to this method. Useful if you want to | |
171 | +scan a LAN with Linux hosts. As usual you can combine this option with --list to have a | |
172 | +list of the hosts "ettercap -Nlb" | |
173 | +.TP | |
174 | +\fB\-D\fR, \fB\-\-delay <n sec>\fR | |
175 | +the delay in seconds between the arp replies if you have selected an ARP poison sniffing | |
176 | +method. This is useful if you want to be less aggressive in the poisoning. On many OS the | |
177 | +default validity interval of the arp cache is more than a minute (on FreeBSD is 1200 sec). | |
178 | +.br | |
179 | +The default delay value is 30 sec. | |
180 | +.TP | |
181 | +\fB\-Z\fR, \fB\-\-stormdelay <n usec>\fR | |
182 | +the delay in micro-seconds between the arp request on arp storm at start up. | |
183 | +This is useful if you want to be less aggressive in the scanning. Many IDS will report | |
184 | +massive arp request, but if you send them in a slower rate, they will not report any strange | |
185 | +behavior. | |
186 | +.br | |
187 | +The default delay value is 1500 usec. | |
188 | +.TP | |
189 | +\fB\-S\fR, \fB\-\-spoof <IP>\fR | |
190 | +If you want to elude some IDS, you can specify a spoofed IP used to scan the LAN with | |
191 | +arp request. The source MAC can't be spoofed because a well configured switch will block | |
192 | +your request. | |
193 | +.TP | |
194 | +\fB\-H\fR, \fB\-\-hosts <IP1[,IP2][,IP3][,...]>\fR | |
195 | +on start up, scan only these hosts. | |
196 | +.br | |
197 | +this is useful if you want to use an ARP scanning of the LAN but only on certain IPs. | |
198 | +so you can benefit from a ARP scan but remaining less invasive. | |
199 | +Useful even if you want to do PUBLIC ARP but you want to poison only specific hosts. | |
200 | +since with a list PUBLIC ARP is automatically converted to SMARTARP, only these host | |
201 | +will be poisoned and you can leave untouched the arp caches of the other hosts. | |
202 | +.br | |
203 | +the IP list must be in dotted notation and separated by comma (without black spaces | |
204 | +between them), you can use wildcards. | |
205 | +.br | |
206 | +eg: 192.168.0.2? --> from 20 to 29 | |
207 | +.br | |
208 | + 192.168.0.1* --> host 1, from 10 to 19 and from 100 to 199 | |
209 | +.TP | |
210 | +\fB\-d\fR, \fB\-\-dontresolve\fR | |
211 | +don't resolve IPs on start up. this is useful if you experience an insane "Resolving | |
212 | +n hostnames..." message on start up. This is due to a very slow DNS in your environment. | |
213 | +.TP | |
214 | +\fB\-i\fR, \fB\-\-iface <IFACE>\fR | |
215 | +network interface to be used for all the operation. you can even specify network aliases | |
216 | +in order to scan a subnet with different ip form your current one. | |
217 | +.TP | |
218 | +\fB\-n\fR, \fB\-\-netmask <NETMASK>\fR | |
219 | +the netmask used to scan the LAN. (in dotted notation). the default is your current | |
220 | +ifconfig netmask. but your netmask is for example 255.255.0.0 I encourage you to specify | |
221 | +a more restrictive one, if you managed to do an ARP scanning on start up. | |
222 | +.TP | |
223 | +\fB\-e\fR, \fB\-\-etterconf <FILENAME>\fR | |
224 | +use the config file instead of command line options | |
225 | +.br | |
226 | +etter.conf example file is packaged in the tarball, refer to it to know how to write a | |
227 | +config file. all the instruction are written in this example. via the conf file you | |
228 | +can disable selectively one protocol dissector or move it on one other port. | |
229 | +.br | |
230 | +command line options and config file can be mixed for much flexibility, but remember | |
231 | +that the options in the config file override the command line, so if in etter.conf | |
232 | +you have specified IFACE: eth0, and you launch "ettercap -i eth1 -e etter.conf" | |
233 | +the selected iface will be eth0. | |
234 | +.br | |
235 | +NOTE: the "-e etter.conf" options has to be specified after all other options. | |
236 | +.TP | |
237 | +\fB\-v\fR, \fB\-\-version\fR | |
238 | +check for the latest ettercap version. | |
239 | +.br | |
240 | +All operation are under your control. Every step requires a user confirmation. | |
241 | +With this option ettercap will connect to the http://ettercap.sourceforge.net:80 web | |
242 | +side and ask for the page /latest.php. then the result are parsed and compared with | |
243 | +your current version. If there is a newer version available, ettercap will ask you if | |
244 | +you want to wget it. (wget must be in the path). | |
245 | +.br | |
246 | +If you want to automatically answer yes at all the question add the option -y | |
247 | +.TP | |
248 | +\fB\-h\fR, \fB\-\-help\fR | |
249 | +prints the help screen with a short summary of the available options. | |
250 | + | |
251 | + | |
252 | + | |
253 | +.TP | |
254 | +.B SILENT MODE OPTIONS (only combined with -N) | |
255 | +.TP | |
256 | +\fB\-u\fR, \fB\-\-udp\fR | |
257 | +sniff only UDP packets (default is TCP). | |
258 | +This option is only useful in "simple" mode, if you start ettercap in interactive mode | |
259 | +both TCP and UDP are sniffed. | |
260 | +.TP | |
261 | +\fB\-R\fR, \fB\-\-reverse\fR | |
262 | +sniff all the connection but the selected one. This option is useful if you are using | |
263 | +ettercap on a remote machine and you want to sniff all the traffic but you connection from | |
264 | +local to remote, because including it will sniff even the ettercap output and it will be | |
265 | +screwed up... | |
266 | +.TP | |
267 | +\fB\-p\fR, \fB\-\-plugin <NAME>\fR | |
268 | +run the plugin "NAME". | |
269 | +.br | |
270 | +most plugins need a destination host. simply specify it after plugin name, in fact | |
271 | +hosts are parsed on command line as first the DEST and so the SOURCE. | |
272 | +.br | |
273 | +To have a list of the available plugins use "list" (without quotes) as plugin name. | |
274 | +.br | |
275 | +More detailed info about plugins and about how to write your own are found in the | |
276 | +README.PLUGINS file. | |
277 | +.Sp | |
278 | +Currently these plugins are shipped with the official distro: | |
279 | +.Sp | |
280 | + arpcop -- Report suspicious ARP replies (developed by acelent) | |
281 | +.br | |
282 | + banshee -- They kill without discretion... | |
283 | +.br | |
284 | + dummy -- Dummy plugin. It does nothing ! (only a template) | |
285 | +.br | |
286 | + golem -- nice D.O.S. BE CAREFUL !! | |
287 | +.br | |
288 | + leech -- Isolate a host from the LAN | |
289 | +.br | |
290 | + lurker -- try to search for other ettercap | |
291 | +.br | |
292 | + imp -- Retrieves some Windows names | |
293 | +.br | |
294 | + ooze -- Ping a host | |
295 | +.br | |
296 | + phantom -- Sniff/Spoof DNS requests | |
297 | +.br | |
298 | + shadow -- A very simple SYN/TCP port scanner | |
299 | +.br | |
300 | + spectre -- flood a switched LAN with random MAC addresses | |
301 | +.br | |
302 | + triton -- Try to discover the LAN's gateway | |
303 | +.TP | |
304 | +\fB\-l\fR, \fB\-\-list\fR | |
305 | +lists all the hosts in the LAN, reporting each MAC address. | |
306 | +.br | |
307 | +Commonly combined options are -b (for broadcast ping) and -d (don't resolve hostname). | |
308 | +.TP | |
309 | +\fB\-C\fR, \fB\-\-collect\fR | |
310 | +collect all users and password from the hosts specified on command line. | |
311 | +.br | |
312 | +Password collector are configured in the config file (etter.conf), if you want | |
313 | +you can disable them selectively or move them on other port. This is useful if you | |
314 | +don't want to sniff SSH connection (the key change alert will raise suspects) but | |
315 | +want to sniff all other supported protocols. Or even if you know that a host has the | |
316 | +telnet service on port 4567, simply move the telnet dissector on 4567/tcp | |
317 | +.TP | |
318 | +\fB\-f\fR, \fB\-\-fingerprint <HOST>\fR | |
319 | +do OS fingerprinting on HOST. | |
320 | +.br | |
321 | +This option uses the same database and the same method used by | |
322 | +.I nmap (c) Fyodor <fyodor@insecure.org> | |
323 | +so I report a piece of its man page : | |
324 | +.Sp | |
325 | +This option activates remote host identification via TCP/IP fingerprinting. In other | |
326 | +words, it uses a bunch of techniques to detect subtleties in the underlying operating | |
327 | +system network stack of the computers you are scanning. It uses this information to | |
328 | +create a 'fingerprint' which it compares with its database of known OS fingerprints | |
329 | +(the nmap-os-fingerprints file) to decide what type of system you are scanning. | |
330 | +.Sp | |
331 | +the -f options even provides you the vendor of the network adapter of the scanned host. | |
332 | +the info are stored in the mac-fingerprints database. | |
333 | +.TP | |
334 | +\fB\-x\fR, \fB\-\-hexview\fR | |
335 | +to dump data in hex mode. | |
336 | +.br | |
337 | +TIP: while sniffing you can change the visualization mode by hitting 'a' for ascii or 'x' for hex. | |
338 | +on line help is recalled by 'h'. | |
339 | +.TP | |
340 | +\fB\-L\fR, \fB\-\-logtofile\fR | |
341 | +if used alone logs all data to specific file(s). it crates a separate file for each connection | |
342 | +in the form "YYYYMMDD-P-IP:PORT-IP:PORT.log" | |
343 | +.br | |
344 | +if used with -C (collector) it creates a file with all the password sniffed in the session in | |
345 | +the form "YYYYMMDD-collected-pass.log" | |
346 | +.TP | |
347 | +\fB\-q\fR, \fB\-\-quiet\fR | |
348 | +"demonize" ettercap. | |
349 | +.br | |
350 | +useful if you want to log all data in background. this options will detach | |
351 | +ettercap from the current tty and set it as a demon collecting data to files. it must be | |
352 | +combined with -NL (or -NLC) otherwise it has no effects. Obviously the sniffing method | |
353 | +is required, so you have to combine it with this option. | |
354 | +.TP | |
355 | +\fB\-k\fR, \fB\-\-newcert\fR | |
356 | +create a new cert file for HTTPS man-in-the-middle. | |
357 | +.br | |
358 | +useful if you want to create a certfile with social engineered information... | |
359 | +.br | |
360 | +the new file is created in the current working directory. to permanently substitute the | |
361 | +default cert file (etter.sll.crt) you have to overwrite /usr/share/ettercap/etter.ssl.crt | |
362 | +.TP | |
363 | +\fB\-F\fR, \fB\-\-filter <FILENAME>\fR | |
364 | +load the filters chains from FILENAME | |
365 | +.br | |
366 | +the Filtering chains file is written in pseudo XML format. You can write by hand this | |
367 | +file or (better) use the ncurses interface to let ettercap create it (press 'F' in the | |
368 | +connection list interface). If you are skilled in XML parsing, you can write your own | |
369 | +program to make a filter chain file. | |
370 | +.Sp | |
371 | +the rules are simple: | |
372 | +.Sp | |
373 | +If the proto <proto> AND the source port <source> AND the dest port <dest> AND the payload <search> | |
374 | +match the rules, after the filter as done its action <action>, it jumps in the chain | |
375 | +to the filter id specified in the <goto> field, else it jumps to <elsegoto>. | |
376 | +If these field are left blank the chain is interrupted. Source and dest port equal to | |
377 | +0 (zero) means ANY port. You can use wildcards in the search string (see README for detail) | |
378 | +.Sp | |
379 | +NOTE: with this options filter are enabled by default, if you want to | |
380 | +disable them on the fly, press "S" (for source) or "D" (for dest) while sniffing | |
381 | +.Sp | |
382 | +NOTE: on command line the hosts are parsed as "ettercap -F etter.filter DEST SOURCE", so | |
383 | +the first host is bound to the dest chain and the second to the source chain. | |
384 | +.Sp | |
385 | +VERY IMPORTANT: the source chain is applied to data COMING FROM source and NOT GOING TO | |
386 | +source. keep this in mind !! the same is for dest... | |
387 | +.TP | |
388 | +\fB\-c\fR, \fB\-\-check\fR | |
389 | +check if you were poisoned by other poisoners in the LAN | |
390 | +.TP | |
391 | +\fB\-t\fR, \fB\-\-linktype\fR | |
392 | +check if you are on a switched LAN or not... Sometimes this discovery method can fail. | |
393 | +don't trust it at 100% | |
394 | + | |
395 | + | |
396 | +.SH TARGET SPECIFICATION | |
397 | +The targets are parsed on command line in reverse order. The first host is the DEST and the | |
398 | +second is the SOURCE. this doesn't care if you are sniffing in ip based mode, because | |
399 | +source and dest are ignored, but if you are filtering the connection this is crucial for | |
400 | +the binding of the related filter chain. | |
401 | +.br | |
402 | +The reverse order is due to a more intuitive interface for plugins. because some plugins | |
403 | +need the dest host to be specified, it is simpler to type: | |
404 | +"ettercap -Np ooze victim" than "ettercap -Np ooze NOONE victim". | |
405 | +.br | |
406 | +The targets can be specified in dotted notation (192.168.0.1) or with their symbolic name | |
407 | +(victim.mynet.org). Only within the -H (--hosts) option you can use wildcards. | |
408 | + | |
409 | + | |
410 | +.SH INTERACTIVE MODE | |
411 | +The interactive mode (ncurses mode) is automatically selected if ettercap is launched | |
412 | +without the option -N . Explain what you can do with it will take pages and pages... and I'm | |
413 | +not a good writer... so if you don't know what can you do in some circumstances, simply | |
414 | +press 'H' and a help screen will popup. there you can find a detailed list of all available | |
415 | +commands. | |
416 | + | |
417 | + | |
418 | +.SH EXAMPLES | |
419 | +Here are some examples of using ettercap. | |
420 | +.TP | |
421 | +.B ettercap -b | |
422 | +.Sp | |
423 | +On startup use broadcast ping to scan the LAN instead of ARP request all the | |
424 | +subnet IPs. | |
425 | +.TP | |
426 | +.B ettercap -H "192.168.0.?,192.168.0.3?,192.168.0.2*" | |
427 | +.Sp | |
428 | +On startup scan only the host 192.168.0.1-9, 192.168.0.30-39, 192.168.0.2, | |
429 | +192.168.0.20-29 and 192.168.0.200-255. | |
430 | +if the PUBLICARP method will be selected only these host will be poisoned. | |
431 | +.TP | |
432 | +.B ettercap -s 192.168.0.1 192.168.0.2 | |
433 | +.Sp | |
434 | +Enter the interactive mode and sniff only the connections between 192.168.0.1 and 192.168.0.2 | |
435 | +.TP | |
436 | +.B ettercap -Nzs -F etter.filter 192.168.0.1 192.168.0.2 | |
437 | +.Sp | |
438 | +Load filter from etter.filter and activate them on all the connection between 192.168.0.1 | |
439 | +and 192.168.0.2 . Only Log action will be supported because it is a -s (ipsniffing) method. | |
440 | +192.168.0.1 is bound to the dest chain and 192.168.0.2 to the source one. | |
441 | +To enable even the replacement and drop actions you have to launch "ettercap -Nza -F | |
442 | +etter.filter IP IP MAC MAC" | |
443 | +.TP | |
444 | +.B ettercap -zs -e etter.conf | |
445 | +.Sp | |
446 | +Use the ip based sniffing mode and load the other option from the config file (etter.conf). | |
447 | +Note that options in the file override command line. | |
448 | +.TP | |
449 | +.B ettercap -Nzs victim.my.net ANY:80 | |
450 | +.Sp | |
451 | +Sniffs in console mode (non interactive) only the connection to and from "victim.my.net" | |
452 | +starting or ending to all other hosts but on port 80 (www). data are dumped in ASCII | |
453 | +mode. to dump in HEX mode add the -x option. | |
454 | +.TP | |
455 | +.B ettercap -NRzs remote.host.net:23 my.local.host.com | |
456 | +.Sp | |
457 | +Useful to sniffs in console mode (non interactive) all the connection on a remote LAN | |
458 | +on which you are executing ettercap. this example will prevent to show your telnet (:23) | |
459 | +connection from "my.local.host.com" to "remote.host.net". | |
460 | +.TP | |
461 | +.B ettercap -Nclt | |
462 | +.Sp | |
463 | +This will provide you the entire list of hosts in the LAN. Will check if someone is | |
464 | +poisoning you and will report its IP. Will tell you if you are on a switched LAN or not. | |
465 | +.TP | |
466 | +.B ettercap -NCLzs --quiet | |
467 | +.Sp | |
468 | +This will detach ettercap from console and log to a file all the collected password. | |
469 | +Only works if the LAN is hubbed, or if collected password are directed to your host. | |
470 | +.TP | |
471 | +.B ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D | |
472 | +.Sp | |
473 | +Collect password to stdout on a switched LAN. this will poison the two host 192.168.0.1 | |
474 | +and 192.168.0.2 each other. The delay between arp replies is set to 100 sec. | |
475 | +.TP | |
476 | +.B ettercap -Np triton | |
477 | +.Sp | |
478 | +Launch the plugin "triton" that will try to passively search for the LAN gateway. | |
479 | +.TP | |
480 | +.B ettercap -Np ooze victim.mynet.org | |
481 | +.Sp | |
482 | +Launch the plugin "ooze" that will portscan the host "victim.mynet.org" that will be translated | |
483 | +with the right IP | |
484 | + | |
485 | +.SH PLATFORMS | |
486 | +Linux 2.0.x 2.2.x 2.4.x | |
487 | +.br | |
488 | +FreeBSD 4.x | |
489 | +.br | |
490 | +OpenBSD 2.[789] | |
491 | +.br | |
492 | +NetBSD 1.5 | |
493 | +.br | |
494 | +Mac OS X (darwin 1.3) | |
495 | + | |
496 | + | |
497 | +.SH FILES | |
498 | +/usr/share/ettercap/etter.conf - the config file | |
499 | +.br | |
500 | +/usr/share/ettercap/etter.filter - the filter chains | |
501 | +.br | |
502 | +/usr/share/ettercap/etter.ssl.crt - the SSL certificate for HTTPS m-i-t-m | |
503 | +.br | |
504 | +/usr/share/ettercap/mac-fingerprints - the network adapter vendor database | |
505 | +.br | |
506 | +/usr/share/ettercap/nmap-os-fingerprints - the nmap (c) Fyodor os fingerprint | |
507 | +.br | |
508 | +/usr/doc/ettercap-0.5.4/* - the DOCUMENTATION | |
509 | + | |
510 | + | |
511 | +.SH AUTHORS | |
512 | +Alberto Ornaghi (ALoR) <alor@users.sourceforge.net> | |
513 | +.br | |
514 | +Marco Valleri (NaGA) <crwm@freemail.it> | |
515 | + | |
516 | + | |
517 | +.SH AVAILABILITY | |
518 | +http://ettercap.sourceforge.net/download/ | |
519 | +.Sp | |
520 | +Or if you want to do an automatic check of the latest version try "ettercap -vy" | |
521 | + | |
522 | + | |
523 | +.SH BUGS | |
524 | +Our software never has bugs. | |
525 | +.br | |
526 | +It just develops random features. ;) | |
527 | +.PP | |
528 | +.B KNOWN-BUGS | |
529 | +.PP | |
530 | +- It is better that you don't launch ettercap on a host that is a gateway | |
531 | +because it needs to disable ip_forwarding, it may cause problem with routing. | |
532 | +.PP | |
533 | +- You cannot use plugins on yourself. outgoing link layer packets are not | |
534 | +captured by the same socket, so they will be ignored. | |
535 | +.PP | |
536 | +- While poisoning on a switched LAN, ettercap won't sniff the traffic made | |
537 | +by your host to others. the technical reason is: otherwise ettercap will | |
538 | +forward your packets two time (and this is not good...) the artistic | |
539 | +reason is: why sniffing yourself with a man-in-the-middle method ? use | |
540 | +simple sniffing instead ! ;) | |
541 | +.PP | |
542 | +- While sniffing in Public ARP mode, ettercap can "view" only one way of | |
543 | +the connection, so some protocol dissectors can fail... | |
544 | +.PP | |
545 | +- under X11 resizing the xterm can give a corrupted visualization of the | |
546 | +interface. SIGWINCH is *partially* supported. | |
547 | +.PP | |
548 | +- ettercap doesn't handle fragmented packets... only the first segment | |
549 | +will be displayed by the sniffer. However all the fragments are correctly | |
550 | +forwarded. | |
551 | +.PP | |
552 | ++ please send bug-report, patches or suggestions to <alor@users.sourceforge.net> | |
553 | +or visit http://ettercap.sourceforge.net/forum/ and post it in the BUGS section. | |
554 | +.PP | |
555 | ++ to report a bug, recompile ettercap with 'configure --enable-debug' | |
556 | +and attach ettercap_debug.log to the mail in which U explain the problem. | |
557 | diff -urN ettercap-0.5.4.orig/ettercap.spec ettercap-0.5.4/ettercap.spec | |
558 | --- ettercap-0.5.4.orig/ettercap.spec Thu Jan 1 01:00:00 1970 | |
559 | +++ ettercap-0.5.4/ettercap.spec Thu Sep 6 17:14:33 2001 | |
560 | @@ -0,0 +1,40 @@ | |
561 | +%define prefix /usr | |
562 | + | |
563 | +Summary: ettercap is a ncurses-based sniffer/interceptor utility | |
564 | +Name: ettercap | |
565 | +Version: 0.5.4 | |
566 | +Release: 1 | |
567 | +Serial: 20010906 | |
568 | +Packager: ALoR <alor@users.sourceforge.net> | |
569 | +Source: http://ettercap.sourceforge.net/download/%{name}-%{version}.tar.gz | |
570 | +URL: http://ettercap.sourceforge.net/ | |
571 | +License: GPL | |
572 | +Group: Networking/Utilities | |
573 | +Prefix: %{prefix} | |
574 | +Buildroot: %{_tmppath}/%{name}-%{version}-root | |
575 | + | |
576 | +%description | |
577 | +ettercap is a multipurpose sniffer/interceptor/logger for switched or "hubbed" LAN. | |
578 | + | |
579 | +%prep | |
580 | +%setup -q | |
581 | + | |
582 | +%build | |
583 | +./configure --prefix=%{prefix} --disable-debug --mandir=%{_mandir} | |
584 | +make | |
585 | +make plug-ins | |
586 | + | |
587 | +%install | |
588 | +rm -rf $RPM_BUILD_ROOT | |
589 | +make install DESTDIR=$RPM_BUILD_ROOT | |
590 | +make plug-ins_install DESTDIR=$RPM_BUILD_ROOT | |
591 | + | |
592 | +%clean | |
593 | +rm -rf $RPM_BUILD_ROOT | |
594 | + | |
595 | +%files | |
596 | +%defattr(-,root,root) | |
597 | +%{_mandir}/man8/* | |
598 | +%doc COPYING README README.PLUGINS HISTORY CHANGELOG AUTHORS TODO THANKS KNOWN-BUGS PORTINGS | |
599 | +%{prefix}/bin/* | |
600 | +%{prefix}/share/ettercap/* | |
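Review bot: Both `rm -rf $RPM_BUILD_ROOT` lines (in `%install` and `%clean`) expand the variable unquoted and unguarded, while `Buildroot` is a fixed, predictable path under `%{_tmppath}`. If the build runs as root, an empty or overridden build root, or a path pre-created by another local user, turns this into a recursive delete or an install into a location the builder did not choose. A guarded form such as `[ -n "$RPM_BUILD_ROOT" ] && [ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"` in both sections, plus building as an unprivileged user, closes that. Separately, `Source:` is a plain `http://` URL and the spec verifies no checksum or signature, so the tarball's integrity rests on the transport alone.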
5db63559 | 601 | diff -ur ettercap-0.6.2.new/configure.in ettercap-0.6.2/configure.in |
602 | --- ettercap-0.6.2.new/configure.in Sat Nov 17 11:54:22 2001 | |
603 | +++ ettercap-0.6.2/configure.in Sat Nov 17 12:14:02 2001 | |
604 | @@ -324,14 +324,14 @@ | |
605 | curses_warn=0 | |
1d0ff707 | 606 | |
5db63559 | 607 | ac_cv_ec_ncurses=no |
608 | - AC_CHECK_HEADERS(ncurses.h,,ncurses_warn=1) | |
609 | + AC_CHECK_HEADERS(ncurses/ncurses.h,,ncurses_warn=1) | |
610 | AC_CHECK_LIB(ncurses,newpad,,ncurses_warn=1) | |
1d0ff707 | 611 | |
5db63559 | 612 | if test $ncurses_warn -ne 1; then |
613 | AC_DEFINE(HAVE_NCURSES,1) | |
614 | ac_cv_ec_ncurses=yes | |
615 | else | |
616 | - AC_CHECK_HEADERS(curses.h,,curses_warn=1) | |
617 | + AC_CHECK_HEADERS(ncurses/curses.h,,curses_warn=1) | |
618 | AC_CHECK_LIB(curses,newpad,,curses_warn=1) | |
619 | AC_CHECK_LIB(curses,mvwgetnstr,,curses_warn=1) | |
1d0ff707 | 620 | |
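Review bot: The checks `AC_CHECK_HEADERS(ncurses/ncurses.h,,ncurses_warn=1)` and `AC_CHECK_HEADERS(ncurses/curses.h,,curses_warn=1)` now succeed only where the headers sit under an `ncurses/` subdirectory. On a system that installs `ncurses.h` directly in the include path, configure would set the warn flag and report the library as missing. The macro autoconf defines also changes from `HAVE_NCURSES_H` to `HAVE_NCURSES_NCURSES_H`, so any source file testing the old name (none is visible here) would stop matching. Probing both locations avoids this, along the lines of `AC_CHECK_HEADERS(ncurses/ncurses.h ncurses.h, [ncurses_warn=0; break], [ncurses_warn=1])`. The same applies to `ncurses/form.h` in the `@@ -350,7 +350,7 @@` hunk.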
5db63559 | 621 | @@ -350,7 +350,7 @@ |
622 | form_warn=0 | |
623 | ac_cv_ec_form=no | |
624 | if test "$ncurses_warn$curses_warn" -eq "00"; then | |
625 | - AC_CHECK_HEADERS(form.h,,form_warn=1) | |
626 | + AC_CHECK_HEADERS(ncurses/form.h,,form_warn=1) | |
627 | AC_CHECK_LIB(form,form_win,,form_warn=1) | |
1d0ff707 | 628 | |
5db63559 | 629 | if test $form_warn -ne 1; then |
630 | @@ -380,12 +380,12 @@ | |
631 | ac_cv_ec_debug=yes | |
632 | ;; | |
633 | no) AC_MSG_RESULT(no.) | |
634 | - CFLAGS="-O3 -funroll-loops -fomit-frame-pointer -Wall" | |
635 | + CFLAGS="${CFLAGS} -funroll-loops -fomit-frame-pointer -Wall" | |
636 | ac_cv_ec_debug=no | |
637 | ;; | |
638 | esac ], | |
639 | AC_MSG_RESULT(no. disabled by default.) | |
640 | - CFLAGS="-O3 -funroll-loops -fomit-frame-pointer -Wall" | |
641 | + CFLAGS="${CFLAGS} -funroll-loops -fomit-frame-pointer -Wall" | |
642 | ac_cv_ec_debug=no | |
643 | ) | |
644 | AC_SUBST(DEBUG) | |
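Review bot: The switch to `CFLAGS="${CFLAGS} -funroll-loops -fomit-frame-pointer -Wall"` is applied only on the two non-debug paths visible here. The debug arm of the `case` starts above the hunk; if it still assigns CFLAGS outright, builder-supplied flags (for example a distribution's hardening options) would be dropped for debug builds, so it should append the same way. The identical assignment also appears twice in this hunk. Setting it once after the enclosing block when `ac_cv_ec_debug` is `no` would stop the two copies from drifting apart.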
645 | @@ -597,4 +597,4 @@ | |
646 | echo "==================================================" | |
647 | echo | |
1d0ff707 | 648 | |
5db63559 | 649 | -EC_CHECK_DATE() |
650 | \ No newline at end of file | |
651 | +EC_CHECK_DATE() |