Showing results for tags 'ettercap'.

Found 22 results

  1. Noob here. Been trying to run some ettercap filters through my virtual machine while ARP-poisoning my host computer.
  2. I'm trying to perform a JavaScript injection with ettercap 0.8.2 and its filter, but it did not work. All the relevant topics I found are from before 2016; I am not sure if this kind of attack still works now? Anyway, this is my filter script:
     if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "Accept-Encoding")) {
           replace("Accept-Encoding", "Accept-Nothing!");
           msg("zapped Accept-Encoding!\n");
        }
     }
     if (ip.proto == TCP && tcp.dst == 80) {
        if (search(DATA.data, "<head>")) {
           replace("<head>", "<HEAD>");
           msg("Code injected");
        }
     }
     And I run it as
     ettercap -T -q -i wlan0 -F test.ef -M arp:remote /192.168.0.1// /192.168.0.100//
     test.ef is the compiled filter file. When the victim opens any web page, I get a lot of "zapped Accept-Encoding!" messages, but no "Code injected", and of course the HTML source code on the victim side is untouched. The part I really don't understand is, if I remove the search condition for the second part,
     if (ip.proto == TCP && tcp.dst == 80) {
        replace("<head>", "<HEAD>");
        msg("Code injected");
     }
     the "Code injected" message shows, but the HTML code on the web client is not changed, which means the problem is that the filter cannot find any named strings (in this case <head>) in the HTML file; it can only deal with the header (Accept-Encoding). Does anyone know a solution or workaround? Any suggestions will be appreciated, thanks
  3. Hi, I'm experimenting with Ettercap to perform MITM attacks and DNS spoofing. My setup consists of two laptops. Laptop A running Kali Linux 2.0 is the 'attacker' machine (IP: 192.168.0.131), and Laptop B running Windows 7 is the 'victim' (IP: 192.168.0.150). I'm encountering a few problems when I try this. First of all, the command 'route' doesn't find my actual default gateway. It says the default is '192.168.0.0', but Ettercap and the Windows machine say it is '192.168.0.1', which is the correct one. But that ain't the biggest problem; the biggest problem is that my DNS-spoof attack is working when performing it using the Ettercap GUI. But as soon as I try to do it by using the terminal it fails; it doesn't even intercept the requests made from the victim. My command:
     ettercap -T -q -i wlan0 -M arp:remote -P dns_spoof //192.168.0.1//192.168.0.150//
     What is wrong with this command? Because the attack works in graphical mode, there is something wrong with the command, not with my network setup. I also made a video showing the problem: https://sendvid.com/8o8p2ssz As you can see there, it is working graphically, but not from the terminal using the command. And then my second question: can someone point me in the right direction/tutorial on how to use this attack with SSLstrip? This is to perform a downgrade attack to also be able to DNS-spoof SSL-protected (HTTPS) websites. Of course I have searched myself, but no tutorial or video was found showing it with Ettercap etc. Thanks!
  4. Hello guys, I'm looking for a tool to gather information about hosts connected to my network (eventually pirate hosts). The only way I found to do that in a passive way (not actively discovering the whole network every time using nmap or an snmp scan, for example) is tools like ettercap and p0f, or Python scapy with passive OS fingerprinting, but what I need is to gather information on a host each time a new one is discovered, so ettercap (or another tool) has to send me this information in real time. I'm trying to use the APIs that those tools give, but they don't work this way. For example, I tried with the p0f tool (which ettercap uses too, I think) using its API, and I can ask for information about an IP address or a couple of IP addresses (or the whole network), but this is not good for me since I don't want to ask for that every time; I need to make it automatic or easier. So basically I want to have a server (mine) which will receive host information from a tool like ettercap. The other way I tried is to code a packet sniffer like ettercap, which is in fact a really basic packet analyzer, but this way I can only get basic information such as IP and MAC address, whereas ettercap gives some more interesting information like operating systems and other details. I can also parse the log file of a tool, but this is not a good way either, since I have to parse this log file each time. Is there a specific tool which can make this possible? I know it's possible; all I need is a little clue and I don't know where I can find it. Thanks in advance, Regards.
  5. So here are the facts: I am working with Kali Sana trying to spoof DNS with ettercap.
     1. internal network
     2. I can spoof DNS ===> when pinging facebook.com from the victim machine I get my internal IP (192.168.1.6)
     3. but when I try to browse with Edge or Chrome to facebook.com it says no connection
     4. when I spoof a different URL I get the index page of the attacker's server
     5. tried to spoof DNS on XP and on Windows 10, same results
     How can I solve this problem and what is the cause? Thank you in advance
  6. What are some effective attacks using the pineapple against encrypted networks where the passphrase is already known? Let's assume you only get to use the pineapple, so no Kali or laptops or anything like that. One method I can think of is for an attacker to respond to beacon requests with an encrypted, spoofed AP using the known passphrase, but I don't think that is possible using the pineapple. I realize that may be a convoluted, ill-thought-out method, but is that even possible at all? I understand a bit about handshakes etc., but would it be possible if the pineapple had a little different hardware or software? Just curious about that one really. Would most of you just use sslstrip and ettercap or something? Thanks for your time.
  7. Hello everyone, I am trying to sniff a network. Adapter: TL-WN722N. Target AP signal: 80-85%. Target network topology: 1 router, 15 clients (mostly Windows). My steps are:
     echo 1 > /proc/sys/net/ipv4/ip_forward
     airmon-ng start wlan0
     going to /etc/ettercap/etter.conf to set:
       ec_uid = 0
       ec_gid = 0
     -- Commenting out iptables
       # if you use iptables:
       redir_command_on = "iptables -t n....
       redir_command_off = "iptables -t ......
     and then ettercap -G
     Sniff -> Unified Sniffing, selecting adapter wlan0
     Hosts -> Scan Hosts -> Add victims to target list
     and then MITM -> Arp
     and then Start -> Start Sniffing
     And then running dsniff -i wlan0 to sniff interesting packets... Okay, everything works great until here. Sometimes, ettercap kills the connection of a client. As far as I understand, I am forwarding packets with ARP poisoning. So here are my questions:
     - Is it possible to sniff the network in "passive" or "unoffensive" mode? Ettercap has an "Unoffensive" option but if I go with that, I can't scan hosts. I can't understand why.
     - My purpose is just sniffing the network, not to ALTER or EDIT any packets. Just sniffing.
     - How can I start a proper sniffing? My target AP has 80-85% signal quality. No packet loss to gateway. Any suggestions would be great. Thanks.
  8. Hi, I was always able to do a MITM attack targeting a specific IP and using sslstrip, ettercap, arpspoof, ... But today I tried (for the first time) to do the whole network at once and it was like sslstrip wasn't doing anything. No errors whatsoever and yet all I could see was the usual "sslstrip 0.9 by Moxie Marlinspike" and then nothing. When I target one computer I usually do something like:
     echo 1 > /proc/sys/net/ipv4/ip_forward
     iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
     sslstrip -a -k -f
     arpspoof -i wlan0 -t <targetIP> -r <gatewayIP>
     ettercap -Tq -L etterlogs -i wlan0
     urlsnarf -v -i wlan0
     and it works. To do the whole network I tried the same, only replacing the <targetIP> by the Bcast (i.e. 192.168.1.255). I think one time it said "couldn't arp for ..." So then I tried method 2:
     echo 1 > /proc/sys/net/ipv4/ip_forward
     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 10000
     ettercap -T -q -i wlan0 -M ARP:REMOTE // //
     sslstrip -a -l 10000
     urlsnarf -i wlan0
     It ran, I think, but nothing happened and I couldn't see the traffic. What am I doing wrong? I'm not very experienced at this and if anyone knows a better way to do an sslstrip on the whole network I'd be grateful. I have the latest version of Kali btw. Cheers
  9. So I just want to bring this to the attention of the experts... We're currently on assignment and our Mark V is really dropping the ball for us.
     Scenario 1.) PineAP - enabled; Karma MK5 - enabled; Beacon Responder - enabled; Harvester - enabled. Using the TILE FOR ETTERCAP: ettercap on br-lan, hit start. Using the TILE FOR SSLSTRIP: hit start. -- So, long and short, we activate this. Ettercap turns off / stops working after about 30 seconds. -- In other words it STOPS WORKING. SSLstrip looks like it's working. PineAP, Karma, Beacon, Harvester all reset back to 'disabled' after about 5 minutes. What am I doing wrong?
     Scenario 2.) To actually get ETTERCAP to work we've gone ahead and ssh'd into it via PuTTY:
     cd /sd
     ettercap -Tq -i br-lan -w filename.pcap
     This scenario works, but prevents us from enabling PineAP or any of those options in the web browser. Sure enough, after about 30 minutes it stops working too. Can someone please tell me why this isn't working? We bought the pineapple with the intention of using it for our pen tests, but so far it's been headache after headache. We are having far more benefit from Kali Linux and simply ettercapping the network that way. Ultimately we want to use the Mark V though. Please someone - anyone... :\ Sadly, not impressed or happy at the moment. I even followed the advice of Whistleblower in another thread, but still no dice -- it simply stops working.
  10. I am attempting to perform a MitM-style attack from my machine (MacBook Pro running 64-bit Kali), by means of ARP-poisoning the communication between my router and my targeted machine (a MacBook Air running OSX Mavericks) on my WLAN (WPA2-secured network). In addition, I would like to employ a dns_spoof. I am using a combination of the following:
      - SSLStrip
      - Ettercap (with the dns_spoof plugin enabled)
      - urlsnarf
      - Wireshark (for examining post-test PCAP results)
      The commands I perform are as follows:
      iptables --flush
      iptables --table nat --flush
      iptables --delete-chain
      iptables --table nat --delete-chain
      sslstrip -p -k -w /root/sslstrip.log
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
      urlsnarf -i wlan0 | grep http > /root/session.txt
      # 192.168.2.1 = router, 192.168.2.130 = Macbook Air
      echo 1 > /proc/sys/net/ipv4/ip_forward; ettercap -T -q -i wlan0 -P dns_spoof -M arp:remote /192.168.2.1/ /192.168.2.130/
      ettercap -T -i wlan0 -w /root/session.pcap -P dns_spoof -L /root/session -M arp:remote /192.168.2.1/ /192.168.2.130/
      # This runs for a while, I then stop manually... and then clean up and examine results in Wireshark
      wireshark &
      killall sslstrip
      killall python
      killall urlsnarf
      iptables --flush
      iptables --table nat --flush
      iptables --delete-chain
      iptables --table nat --delete-chain
      etterlog -p -i /root/session.eci
      I am able to intercept and decode HTTP packets just fine. Unfortunately, I've had little success in capturing or redirecting an HTTPS connection to an HTTP one (which I presume SSLStrip should be doing for me). I've tested by targeting multiple machines running different operating systems. For example, when I attempt to access https://www.foo.com/, I'd expect to be redirected to http://www.foo.com/. Instead, what happens is I will receive an untrusted certificate error (Windows 7 + IE, sometimes OSX Mavericks + Safari) or a timeout (Mavericks + Safari, iPhone 4s + Safari).
      Furthermore, the dns_spoof doesn't load; it just resolves the domain as it should (see my /etc/ettercap/etter.dns configuration below). I've un-commented the iptables redirect commands within /etc/etter/etter.conf, as well as set the ec_uid and ec_gid to 0 (from the default of 65534):
      . . .
      [privs]
      ec_uid = 0 # nobody is the default
      ec_gid = 0 # nobody is the default
      . . .
      # if you use iptables:
      redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
      redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
      . . .
      Alternatively, for a simple dnsspoof, I've tried a simple combination of arpspoof + dnsspoof. Doesn't work either. :(
      echo 1 > /proc/sys/net/ipv4/ip_forward
      arpspoof -i wlan0 -t 192.168.2.130 192.168.2.1
      dnsspoof -i wlan0 -f /root/hosts.txt
      I've Googled for a few days now, but after reading post upon post of the same ill-fated solutions, alternatives and workarounds, I'm kind of stumped, to say the least. Some configuration files can be seen below... Any help would be greatly appreciated. Thanks,
  11. Ettercap and sslstrip will not install on my MK5. Notifications say they installed successfully, but when I go back to the infusion list it says they need to be updated again. I have tried removing and rebooting but no love. Still does the same thing on these 2 infusions.
  12. Hi! I am new to ettercap (although I am not new to security, and I am not a kiddy). Because I am working on a Mac I enabled the "quick and dirty fix" in etter.conf. I followed the standard tutorials to spoof ARP (added router and victim to target 1 and 2, ARP poisoning, start sniffing). What I expect: my victim is able to browse HTTP ordinarily. What I get: the ARP is spoofed correctly (the cache got my attacker's MAC instead of the router's), but I get request timeouts when pinging my router. I cannot open web pages anymore, nothing loads, although the connections tab lists the victim's connections correctly. First I thought I needed software that listens on my attacker in order to tunnel the traffic to the router (man in the middle). I found a thread saying it should listen on 8080. But after watching a video I guess that's already included when I select ARP poisoning? What point am I missing? I hope I provided enough information. Thanks for any help!
  13. Hi, Ettercap is no longer working. As soon as I hit start the process stops. How can I find out what is not working without reflashing it? I'm seeing the following errors when I try to download previous captures:
      ettercap log_1389567143.log [January 12 2014 22:52:25]
      Listening on eth0... (Ethernet)
      eth0 -> 00:13:37:XXXXXXXX invalid invalid
      SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
      Privileges dropped to UID 65534 GID 65534...
      28 plugins
      39 protocol dissectors
      53 ports monitored
      7587 mac vendor fingerprint
      1698 tcp OS fingerprint
      2183 known services
      Starting Unified sniffing...
      All I see from df -h is that the root folder is full. Should I at least free some space, or is it correct for this to be 100% occupied?
      Filesystem           Size    Used  Available  Use%  Mounted on
      rootfs               4.1M    1.1M       3.0M   26%  /
      /dev/root           11.0M   11.0M          0  100%  /rom
      tmpfs               30.2M  192.0K      30.0M    1%  /tmp
      tmpfs              512.0K       0     512.0K    0%  /dev
      /dev/mtdblock3       4.1M    1.1M       3.0M   26%  /overlay
      overlayfs:/overlay   4.1M    1.1M       3.0M   26%  /
      /dev/sdcard/sd1      1.8G   62.6M       1.6G    4%  /sd
      Any help in troubleshooting this will be much appreciated! :)
  14. To get ettercap going, do I need to edit the iptables like I would in Linux? Or should it work out of the box? Any tips or tutorials would be very helpful.
  15. I recently started to experiment with ettercap and its filters to see what can be done with them. I read through some tutorials available online and was able to successfully create my own filter. Now my problem is that inside the filter I have the replace function that should replace the first string with the second one. However this is not the case. My filter is very simple and is as follows: I compile this filter as filter.eg and run ettercap, replacing the * with the relevant IP address.
      ettercap -T -F filter.eg -w testdump -M arp /***.***.***.***/ //
      output: I activate the filter and expect the Netcat message sent to that machine, "Hello", to be changed to "Bye" and "Data Changed" to be output to the local terminal. However, although "Data changed!" is output to the local terminal, the Netcat message remains unchanged and appears on the target machine as "Hello". Can anybody correct me as to where I have gone wrong with this basic filter?
  16. ettercap (masler77): Is there anyone who can explain how ettercap works? The different opportunities the program has? Settings that can be used? Thanks in advance, masler77
  17. I'm having a problem with my tablet and laptop losing internet connection through the pineapple after running ettercap for the first time. The first time ettercap runs, it works great, but the 2nd, 3rd, 4th, etc. times, it creates a problem. Here is what my setup looks like: Tablet and Laptop -> Pineapple -> Home Access Point -> Internet. I boot up the pineapple, which is directly connected to a reliable AC outlet, and connect to it from my laptop's wireless network card. I then configure the pineapple through the web interface to connect to my WPA2 home network. I'm able to browse the internet from both the tablet and laptop. I can generate some heavy traffic through my laptop and tablet (downloaded a 708MB file) so I don't think it's a resource issue in the pineapple itself. Keep in mind all this is working great JUST AFTER an ettercap session and then a reboot, so we are resource clean. As soon as I run "ettercap -T -i wlan0" from a remote ssh session, the tablet and laptop have no internet access. I'm not able to ping Google from the tablet nor the laptop. I can however ping Google from the pineapple's remote ssh session. Something is happening at the LAN side of the pineapple. Not sure how to pinpoint this.
  18. Hello all, I am having an issue with DNS spoofing in BackTrack 5 R3 over my wireless interface. My attacking computer is an HP Pavilion laptop with 2 gigs of RAM, x64 processor, BackTrack 5 R3, and my wireless card is an Atheros AR2425 with driver ath5k. My victim computer is a Windows 7 Service Pack 1 box with Kaspersky antivirus (turned off) and firewall down. I first modified my set_config file to set ETTERCAP=ON and ETTERCAP_INTERFACE=wlan0. I then ran SET and chose > Social-Engineering Attacks > Website Attack Vectors > Java Applet Attack Method > Site Cloner > NAT/port forwarding: NO > IP addy for reverse connection: 192.168.0.8 > URL to clone: http://www.google.com > Windows Reverse_TCP Meterpreter > Backdoored Executable > Port 443 > It tells me ARP Cache Poisoning is ON > Site to redirect: http://www.google.com > Says it's launching the attack, loads up Metasploit and starts two listeners. At this point, when I browse to http://www.google.com on my victim computer using IE, it simply loads the real Google website. Now if I type the subnet IP of the attacking computer SET is hosting the server on, it will take me to the fake page and the Java applet will appear and work when clicked. My problem is it does not seem to be redirecting traffic on my wifi network to the fake site when I try to go to the real one. I have tried doing this the old way as well, turning off ETTERCAP inside the set_config file. I then would launch my fake site in SET and then edit the etter.dns file with the website connection info and my attacker IP. This did not work either. I have also apt-get updated and upgraded BackTrack, as well as msfupdate for Metasploit and svn updates for SET and ettercap. What could I be missing about getting Ettercap to redirect my network traffic? Thank you for your help and let me know if there is any more information you need to help you troubleshoot this issue!
  19. Hello there, I am interested in ettercap. I want to know if there is a possible way to have ettercap on one laptop and be on it both as a victim and attacker. For example, I start ettercap with a filter setting instead of acceptencoding to acceptrubbish and as parameter I set my IP address, so I can edit my packets? I can't make it work for some unknown reason. Thanks for reply
  20. I have installed dsniff on my Linux laptop (Linux Mint 14, Nadia) and have figured out how to use arpspoof/ettercap to deliver an ARP poison. The problem: whenever I deliver the attacks to the devices that I am test-attacking (usually my other laptop or smartphone via wifi), their internet connections merely stop working! When I killall arpspoof, the internet on the test machines goes back to working. I cannot figure out what I am doing wrong! For people who want more detail (arpspoof method I use):
      1. set up port forwarding by editing the /proc/sys/net/ipv4/ip_forward file
      2. change the iptables by issuing a really long command that I don't feel like entering here but starts with "iptables -t nat -p tcp ... "
      3. ARP poison by saying "arpspoof -i wlan0 -t <target> <router>" *** THIS IS WHERE THE TEST MACHINES' INTERNET STOPS WORKING ***
      4. ARP poison by saying "arpspoof -i wlan0 -t <router> <target>"
      5. continue with attack using other tools.
      Note: This sort of works when I do it through BackTrack 5 on VirtualBox, but it only works if I attack my host machine; if I try to attack any other device on the network, it does the same thing as above: the internet stops working on the target machine until I stop arpspoofing. How can I fix this??
  21. Can someone give me an example of ettercap usage with -W (i.e. --wep-key) for sniffing via WLAN? It says something interesting in -h about the -W... it sounds like if you have the WEP key then you can actually decrypt something that you're sniffing... but I'm trying it on myself and I can't get it to work right. Using the -T user interface I got it to say that it's starting unified sniffing but it never does anything interesting. Should I be able to use the WEP key with -W to see all my data being transferred in plain text, or how does it work? I wanna see the WEP key decrypt something...
  22. Hi Everyone, I want to clear my doubts on ARP poisoning. Following is the situation where I tried to perform this attack:
      Every host in the LAN segment uses a proxy for accessing the internet.
      Attacker: IP = 10.101.25.100 [running Linux Mint with all required tools installed]
      Victim: virtual m/c running Linux Mint using the proxy to access the internet (using bridged mode in VirtualBox), IP = 10.101.25.200 / can be any other host in the LAN
      Switch (Gateway): IP = 10.101.25.2 [Cisco IOS 12.x]
      ON ATTACKER M/c:
      * edited /etc/etter.conf [
        ec_uid = 0
        ec_gid = 0
        port_steal_send_delay = 1 # microseconds
        remote_browser = "firefox -remote openurl(http://%host%url)"
        # if you use iptables:
        redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
        redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
      ] (read from http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html)
      * started ettercap successfully
        # selected promisc mode then unified sniffing
        # selected GATEWAY (10.101.25.2) as TARGET1
        # selected VICTIM (10.101.25.200) as TARGET2
        # started sniffing
        # selected ARP poisoning from the mitm menu
        # enabled plugins repoison_arp and remote_browser
        # opened connections tab from view menu
      ON VICTIM m/c:
      Before ARP poisoning: all fine, internet web browsing was working smoothly (remember it is using a proxy for accessing the internet)
      After ARP poisoning: arp table successfully changed, 10.101.25.2 <ATTACKER's MAC ADDR>. But no web page is loading now.... whether google.com or facebook.com
      Q: IS IT EVER POSSIBLE TO DO ARP POISONING CORRECTLY IN THIS KIND OF SITUATION? ANY ADVICE/SUGGESTIONS ARE APPRECIATED! THANK YOU