Ettercap

Ettercap is an open-source tool that can be used to support man-in-the-middle attacks on networks. Ettercap can capture packets and then write them back onto the network. Ettercap enables the diversion and alteration of data virtually in real-time. Ettercap can also be used for the protocol analysis necessary to analyze network traffic. 

Ettercap has a nice Graphical User Interface (UI) as well as a command line interface. While Ettercap can support network traffic analysis, the most frequent use of Ettercap is to set up man-in-the-middle attacks using ARP poisoning. Penetration testing you can emulate includes man-in-the-middle attacks, credentials capture, dns spoofing, and DoS attack. 

Ettercap also supports both active and passive deep analysis of many protocols and includes many features for network and host analysis. Many “sniffing” modes are available – this includes MAC based, IP based, ARP based (full duplex), and PublicARP based (half duplex). Ettercap can also detect a switched local area network (LAN) and use the OS fingerprints to determine the total geometry of the LAN. 

Ettercap is a necessary part of the tool inventory for any penetration tester or ethical hacker.

Man-in-the-middle Attacks

Man-in-the-middle attacks place a threat actor in the middle of secure communications traffic. The primary purpose of a man-in-the-middle attack is to steal data. If authentication data, then the man-in-the-middle can access resources used by the target. Many times there is little to no interaction other than for the interception of data.

There are two approaches to using Ettercap for man-in-the-middle attacks. These are ARP poisoning (Address Resolution Protocol) attacks and Domain Name System (DNS) attacks. In an ARP attack Ettercap is configured to “impersonate” the IP address of your router. The goal is to get the targeted computer to believe the threat actor’s computer is the router. The MAC address of the attacker is linked to the IP address of the router. Once this is in place the threat actor will receive all of the data from the targeted machine which is going to the router. All of this data which originates in HTTPS is accessible as regular HTTP communications.

DNS spoofing requires that the ARP poisoning utilities are running within Ettercap. Once this is set up you can specify the domain names in the format A which diverts all traffic from the targeted victim’s computer to the instead to the IP address. The interception provided by Ettercap’s ARP poisoning has to be operating on the local network for this attack to work.

DoS Attacks

Once the ARP poisoning is in place, you can add the available service for dos_attack. Click on Plugins in the top Ettercap menu and select manage the plugins from the list. This will display available services. Scroll down the list to find the entry for dos_attack plugin. This is usually the following line after the dns_spoof entry. Double click on the dos_attack line to activate the attack.

Authentication Theft

Once you have activated ARP poisoning, you can intercept packets and the data they contain. Ettercap also allows configurability to shut down the use of HTTPS.

Supported Operating Systems

Ettercap can be used with many different operating systems but Ettercap works best on most versions of Linux. Many penetration testers and security analysts favor Kali Linux as the preferred distribution.

Ettercap is available with Linux and Unix-variant operating systems such as:

• RHEL
• CentOS
• OpenSuSe
• Ubuntu
• Kali
• Debian
• BackTrack
• Mint
• Fedora
• Gentoo
• Pentoo
• FreeBSD
• OpenBSD
• NetBSD
• Solaris

Ettercap also runs on Mac operating systems as follows:

• 10.6 SnowLeopard
• 10.7 Lion

Ettercap also runs on 32-bit systems running Windows to include:

• Windows Vista
• Windows 7
• Windows 8

Tools that may be a good alternative to Ettercap include, but are not limited to:

• SQLmap 
  • https://sqlmap.org/ 
  • SQLmap is an open source penetration testing tool. Users can automate the process of detecting and exploiting SQL injection flaws. SQLmap comes with a powerful detection engine and a broad range capabillities.
• Metasploit 
  • https://www.metasploit.com/ 
  • Metasploit is the #1 most used penetration testing framework. Metasploit is a powerful and highly functional tool used by penetration testers around the world.
• Netsparker
  • https://www.netsparker.com/product/ 
  • Netsparker is a web vulnerability management solution that uses their  proprietary scanning technology to identify and confirm vulnerabilities, and then indicate which results are definitely not false positives. 
• Burp suite 
  • https://portswigger.net/burp/communitydownload 
  • Burp Suite is a set of penetration testing tools used on web applications. Burp Suite was developed by tPortswigger. BurpSuite’s capabilities are fairly comprehensive and you can expand them further by installing add-on functionality called BApps.
• Acunetix 
  • https://www.acunetix.com/vulnerability-scanner/web-application-security-testing-tools/ 
  • Acunetix is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, cross site scripting (CSS) and other exploitable vulnerabilities. Acunetix scans the designate website or web application and uses the HTTP/HTTPS protocol.

Want to learn more?

Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help!

Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.