Ettercap command line basics

Odds are this topic has been blogged to death already, but sometimes I need to write things down so not to forget them. Also, there are times when the command line is the only option. Then again, in my opinion, one should start using the command line and then move on to GUI applications.

Ettercap is tool for computer network protocol analysis and security auditing. It’s capable of intercepting traffic, capturing credentials and conducting active “eavesdropping” against a number of common protocols. If you wish to know more, Google “Ettercap” and you’ll have lots of links referring to this tool.

Using Ettercap is a quick and easier alternative then using the “arp” command to arp poison your target(s) and redirecting traffic to you own network adapter, then re-forwarding those packets to their original destination. Again, it’s always good to be aware and able to use the “arp” command seeing that every situation is different and Ettercap may not always be available.

Imagine a simple scenario: Computer A, on the local LAN, connects to Computer B using the FTP protocol to retrieve a file. Our goal is to sniff the traffic between these two computers, retrieve either the username and password, or the file he/she is transferring over FTP. Do accomplish this we need to “arp cache poison” our victim’s machine, so to redirect traffic to our machine, sniff the traffic and then send it out to its original destination. Of course, let us assume this is on a switched environment. If you are unfamiliar with the concept of “arp cache poisoning”, I suggest you look it up… I’ll provide links at the end of this blog to push you in the right direction.

The simplest way to do this using ettercap from the command line is this:

ettercap -T -w dump -M ARP /xx.xx.xx.xx/ // output:

Where ‘xx.xx.xx.xx’ is our target machine’s IP address.

This will poison his arp cache, replacing the MAC address with our own. Of course, this is a very basic example. There are far more complex and more precise usage of this command, which are beyond the scope of this blog entry.

Let us continue…

“ –T” switch is for using the text based GUI only.

“-w dump” writes to file our packet capture session to a file called “dump”

“-M ARP” is the type of attack, in our case a “man in the middle”

“/xx.xx.xx.xx/ //” is our target’s IP address and port. Notice I have not entered any ports. So we’ll just grab everything.

“output:” just outputs everything on the screen. A “-q” or “-Tq” would’ve provided with less information on the monitor, but I always choose to see as much as possible.

Press “enter”, Ettercap will scan the network and start doing out bidding. Let it run for as long as you wish. Once you feel you have gathered enough, hit the “Q” key and ettercap will return our target’s arp cache table to its original state.

Now all you need to do is analyze the dump file. This can be done with “etterlog” or wireshark. To use wireshark, you may need to rename the file to “dump.pcap”. As for “etterlog” you’ll have to convert it to the proper format. Type “etterlog –h” and see all the wonderful options, it’s very complete.  Once you have your capture file, you can use tools such as chaosreader or network miner to retrieve the information. Or you could do it manually using wireshark.

Later on, I may just post something about filters and more “advance” methods. For now this will have to do. All the information is already on the Internet, and is readably available for anyone that takes the time to search and read.

On another note, we at Kioptrix.com are leaving for the HackUS.org CTF event this weekend. I’ll report back next week with a report. Also don’t forget that Hackfest.ca is accepting papers for the convention being held in November of this year (2010) in Quebec City Canada. Kioptrix should come out with episode 3 of our monthly podcast (French only) a week or so after the CTF in Sherbrooke. New VM images soon to be released (hint). Should be out within the next 2 weeks.





Hope you enjoyed the read.