Article: Fun with Ettercap

Fun with Ettercap


Ettercap is a tool made by Alberto Ornaghi (ALoR) and Marco Valleri (NaGA) and is basically a suite for man in the middle attacks on a LAN. It supports active and passive dissection of many protocols and includes many features for network and host analysis. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

Ettercap uses four models:

  • IP: The packets are filtered based on source and destination.
  • MAC: Packet filtering based on MAC address.
  • ARP: ARP poisoning is used to sniff/hijack switched LAN connections (full-duplex).
  • Public ARP: ARP poisoning is used to allow sniffing of one host to any other host.

To see a list of plugins installed in your system, run this command:
ettercap -P list

Figure: Ettercap Plugin List

Some of the available plugins:

  • autoadd - it will automatically add new victims to the ARP poisoning MITM attack when they come up.
  • chk_poison - it performs a check to see if the ARP poisoning module of ettercap was successful.
  • dos_attack - this plugin runs a DOS attack against a victim’s IP address.
  • find_conn - search connection on a switched LAN.
  • find_ip - find the first unused IP address in the range specified by the user in the target list.
  • finger - uses the passive fingerprint capabilities to fingerprint a remote host.
  • gw_discover - this plugin tries to discover the gateway of the LAN by sending TCP SYN packets to a remote host.
  • isolate - the isolate plugin will isolate a host from the LAN.
  • pptp_clear - forces no compression/encryption for PPTP tunnels during negotiation.
  • pptp_reneg - forces tunnel renegotiation.
  • rand_flood - floods the LAN with random MAC addresses.
  • remote_browser - it sends to the browser the URLs sniffed thru HTTP sessions.
  • search_promisc - it tries to find if anyone is sniffing in promisc mode.
  • scan_poisoner - check if someone is poisoning between some host in the list and us.
  • find_ettercap - try to identify ettercap packets sent on the LAN.

How to install Ettercap

The program is pre-installed on Kali Linux.

ettercap –h

Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

Ettercap Usage Example

Start Ettercap with GUI (-G): ettercap –G
In this article, will see how to perform a DNS spoofing attack and playing with ettercap filter.

DNS Spoofing

The Domain Name System (aka DNS) is used to resolve human-readable hostnames like into machine-readable IP addresses. DNS Spoofing (sometimes referred to as DNS Cache Poisoning) allows the attacker to re-direct the victim to the server of the attacker’s choosing. This results in traffic being diverted to the attacker's computer (or any other computer).

Before starting the attack, as shown in the screenshot, just ping to the and observe the IP address.

Figure: Ping to

Now let’s redirect our victim to websites of our choosing. First open a new console and change to our DNS configuration file located in the following directory:


Enter the following command to open the configuration file so we can edit it; I use leafpad to edit it but you can use many other programs.

leafpad etter.dns


Figure: etter.dns config file

Now see the highlighted line in the above screenshot. I will give you an example by showing you I can redirect the victim to web server running on IP address ( if they attempt to visit let’s say This example also uses a wildcard (*). We do this by adding the following line:

* A

Now we can issue the actual command that begins Ettercap, uses the DNS spoofing addon and if we want to target a specific victim’s IP address, use this:

ettercap -i yourinterface -T -q -P dns_spoof -M ARP /victimslocalip/ //
In my case

Figure: Using dns_spoof addon

Leave that running.

The output that ettercap displays will clearly notify you as people are redirected.

Figure: Ettercap Output


Figure: Ping to Here you can see the victim redirected to

Fiddling with Traffi

Another nice feature of Ettercap are its filters. You can do lots of stuff while playing with them. Filters can be created to manipulate packets to perform a desired function. The below filter monitors all packets and if it finds TCP traffic on port 80, it will be stored in /tmp/http.log.\

Filter log all HTTP traffic (Http_Traffic.filter):

if (ip.proto == TCP) {

if (tcp.src == 80 || tcp.dst == 80) {

log(, "/tmp/http.log");

msg("HTTP packet\n");



  • replace(what, with)

        This function replaces the string ‘what’ with the string ‘with’.

  • log(what, where)

        This function dumps in the file ‘where’ the buffer ‘what’. So you will see the stream in the file.

Now compile the filter with the below command,

etterfilter <Filter Text> -o <Compiled Filter>

Figure: Execution Command

You will see the below output.

Figure: Ettercap Output
Now, wait for the victim to visit any HTTP website. For example, the victim visits way2sms website and tries to login.

Figure: Way2sms website

Figure: Username and Password

Successfully, username and password will get captured.


In this article, we learned different features of ettercap and performed different attacks. I hope you found this article informative and useful in understanding Ettercap.


About the Author

Sachin Wagh has been working within IT field since last 2.5 year. He is an independent security researcher. He acquired knowledge & experience in Web Application and Network VAPT as well as Information Security & Ethical Hacking Training. He has acquired several certifications like CEH, and ECSA. Acknowledged by Google, Microsoft, Ebay, Nokia, Intel, ESET, F-secure, Tesla, IBM and many more for reporting security vulnerabilities.

For more his profile on:

Facebook: &amp;


My email ID: [email protected]

March 3, 2017
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013

Privacy Preference Center


Cookies that are necessary for the site to function properly. This includes, storing the user's cookie consent state for the current domain, managing users carts to using the content network, Cloudflare, to identify trusted web traffic. See full Cookies declaration

gdpr, PYPF, woocommerce_cart_hash, woocommerce_items_in_cart, _wp_wocommerce_session, __cfduid [x2],


These are used to track user interaction and detect potential problems. These help us improve our services by providing analytical data on how users use this site.

_global_lucky_opt_out, _lo_np_, _lo_cid, _lo_uid, _lo_rid, _lo_v, __lotr
_ga, _gid, _gat, __utma, __utmt, __utmb, __utmc, __utmz


tr, fr