Understanding EtterCap and Its Capabilities
EtterCap sits at the intersection of network analysis and penetration testing. It is a command‑line and interactive tool that lets an attacker or a defender sniff, log, or even alter traffic flowing between two endpoints on a switched LAN. The heart of its power is ARP spoofing, a technique that tricks each of two hosts into believing the attacker's MAC address belongs to the other party (typically the victim's gateway). From there, every packet that passes through the victim's interface can be captured and optionally modified.
The original authors describe EtterCap as a "multipurpose sniffer / interceptor / logger for switched LANs." That description captures the breadth of what the tool can do. In practice, a single run of EtterCap can become a full‑blown man‑in‑the‑middle (MITM) playground. It can sniff plain text credentials from protocols such as FTP, Telnet, or SMTP, break the encryption of SSL connections if the proper decryption keys are available, and even inject commands into established connections without tearing them down. These capabilities are exposed through a menu‑driven interface that is intentionally straightforward for seasoned users, yet hides a lot of depth behind simple keypresses.
One of the most striking features is its support for a wide array of protocols. EtterCap can sniff login details from SSH1, capture HTTP traffic even when it passes through a proxy, intercept GRE tunnels from Cisco routers, and conduct MITM attacks on PPTP VPN connections. It also houses a password collector that knows how to extract credentials from an impressive list of services: from classic network protocols like SMB, LDAP, and SNMP, to instant messaging clients such as ICQ or MSN, and even older games like Half‑Life or Quake III. For each of these services, EtterCap can parse the packets, recognize the authentication phase, and print the clear‑text usernames and passwords to the console.
Beyond passive capture, the tool offers dynamic manipulation. Filters can be defined to search for a byte pattern or a string within a TCP or UDP payload and replace it, or to drop the packet entirely. This makes EtterCap useful not only for analysis but also for testing the resilience of applications against traffic corruption or injection. It can also perform OS fingerprinting by sending crafted packets and observing the responses, providing clues about the target’s operating system or network adapter. If a connection becomes a nuisance, it can be terminated on the fly from the connections list.
EtterCap's scanning capabilities extend to passive discovery of the network. It can enumerate hosts, discover open ports, identify service versions, and infer the role of each host (gateway, router, or workstation). This information is crucial when selecting targets for an ARP spoofing test. The tool can also automatically detect other poisoners on the same LAN and alert the user, preventing multiple MITM attempts from colliding.
All of this is wrapped in a lightweight, cross‑platform package. The Linux version includes optional plugins for DNS spoofing, while the Windows version offers a graphical interface that hides the complexity of command‑line options. The underlying architecture, however, remains the same: a combination of raw packet crafting, ARP table manipulation, and real‑time packet inspection. For anyone who wants to understand the inner workings of network traffic or test security controls, EtterCap provides a hands‑on, interactive learning environment that simulates real attacker behavior without requiring a full‑blown laboratory.
Setting Up a Safe Lab Environment
Before deploying EtterCap on a production network, it is essential to work inside a controlled lab. ARP spoofing is inherently disruptive; it rewrites the ARP tables of target machines, causing them to route traffic through the attacker’s NIC. If the lab shares a network segment with critical devices, you risk bringing down services, triggering intrusion detection systems, or causing data loss. A dedicated VLAN or a separate physical switch keeps the experiments isolated.
The simplest lab configuration consists of a switch, a couple of hosts, and a gateway. For example, a Cisco Catalyst 2900XL or any managed switch will provide the necessary ports and the ability to set up a separate VLAN. Place the attacker’s machine (192.168.1.10), the victim (192.168.1.1), and the gateway (192.168.1.138) on the same VLAN. Configure each host with a static IP address and default gateway pointing to the switch’s IP or to the real gateway if you want to mimic real traffic. Running DHCP can introduce variability, so static addresses give you repeatable results.
Verify that each host can reach the gateway by pinging 192.168.1.138. Run a quick ipconfig (Windows) or ifconfig (Linux) to confirm the interface is up and the ARP cache is empty. Take a screenshot of the ARP table for reference. This “before” snapshot will help you see how EtterCap changes the table when poisoning starts. When you finish the lab, flush the ARP cache on all hosts with arp -d * (Windows) or ip -s -s neigh flush all (Linux) to return the network to a clean state.
Because ARP spoofing affects only traffic on the victim's local network segment, the lab itself must generate typical traffic patterns. Running a simple web server on the gateway or hosting an FTP service will provide the necessary traffic for EtterCap to intercept. It is useful to run a few concurrent sessions to test multiple protocols: a simple HTTP request, an FTP login, and a Telnet session, for instance. By generating traffic in this way, you can see how EtterCap logs each protocol, how filters react, and how the victim's application behaves when its packets are altered.
Security awareness is also critical. Even though the lab is isolated, the attacker’s machine can still communicate with external hosts if the switch allows it. To avoid accidental data exfiltration, use a firewall or block outbound traffic during the experiment. After each session, inspect the attacker’s outbound traffic with a packet capture tool such as Wireshark or tcpdump to ensure no sensitive data is leaking outside the lab.
Once the lab is configured, you can move to the next step: installing and launching EtterCap. The installation process varies by platform; on Linux, you can install from the package manager (e.g., sudo apt install ettercap-graphical), while on Windows you download the installer from the official project page. After installation, launch EtterCap with administrative privileges so it can capture packets and modify ARP tables. The lab environment provides a safe playground where the consequences of ARP spoofing are visible but harmless, making it the perfect setting for hands‑on learning.
Launching EtterCap and Building the Host Table
With the lab ready, start EtterCap from a terminal or a graphical launcher. The first step is to choose the correct network interface. EtterCap scans all interfaces and displays them in the selection menu. Pick the one that corresponds to your lab switch, usually named eth0 or enp0s3 on Linux, and Ethernet0 on Windows. After selecting the interface, the tool initiates an ARP scan to discover all devices on the network. This scan floods the subnet with ARP requests and listens for replies. The resulting host list appears in the main window, showing each device’s IP, MAC address, and operating system fingerprint if available.
The main screen is the hub of all operations. It displays a grid where each row represents a host, and columns show IP, MAC, hostname, and a brief description of any known services. In the bottom pane, a help prompt appears: pressing h at any time brings up a contextual menu that explains the available commands - such as f for fingerprinting, k for killing connections, or i for intercepting. The interface is intentionally minimalistic to keep focus on the network traffic rather than on UI clutter.
At this point, you can run a quick OS fingerprinting test. Move the cursor to a host, press f, and EtterCap will send a set of crafted packets to the target and analyze the responses. The output may include strings like “Linux 3.x”, “Windows 10”, or “Cisco IOS”. This information can guide you when choosing targets for spoofing; for example, if you want to intercept FTP traffic, you may target a Windows machine that hosts an FTP server.
Next, scan for hidden devices or rogue hosts. EtterCap can detect other ARP poisoners by monitoring ARP traffic for duplicate replies. Press s to start a passive scan that listens for ARP requests and replies; if it sees two hosts advertising the same MAC address for a single IP, it will flag the suspect. This feature is invaluable when you’re not the only attacker on the network, or when a misconfigured device is acting as a proxy.
Once you have a clean host list, you’re ready to pick a victim and a gateway. In a typical MITM scenario, you choose a workstation as the victim and the network’s default gateway as the destination. This setup ensures that every packet that the victim sends toward the internet passes through your attacker machine. To initiate the spoofing, move the cursor to the victim row, press a, and select the gateway from the popup menu. The tool will then modify the victim’s ARP cache to map the gateway’s IP to the attacker’s MAC address, and it will also update the gateway’s ARP cache to map the victim’s IP to the attacker’s MAC. Both sides now see the attacker as the intermediary, and all traffic is routed through EtterCap.
After the attack is active, the ARP table on the victim will show the attacker’s MAC for the gateway. On the gateway, you’ll see the attacker’s MAC listed for the victim’s IP. The main screen updates in real time, displaying new connections as they are established. Press h to see which options are available for monitoring, logging, or injecting traffic. This interactive session sets the stage for the next phase: capturing and analyzing traffic.
Conducting a Basic ARP Spoofing Attack
Once the ARP tables are poisoned, the victim’s traffic starts flowing through your machine. At this point, EtterCap can begin to intercept and log packets in real time. The first test to run is a simple FTP session from the victim to a server hosted on the gateway or an external server. Open an FTP client on the victim, enter the server’s IP, and log in with credentials. In the EtterCap window, you’ll see a new entry appear in the connections list labeled “ftp” with the source and destination IPs. The entry shows a traffic counter and, if you press e, expands to reveal the raw packet data.
With the FTP session active, switch to the logging tab in EtterCap. The log will display each command sent by the client and the server’s responses. Clear‑text usernames and passwords appear in plain view, making it evident how vulnerable older protocols remain when ARP spoofing is used. You can even use the logging feature to filter for specific strings, such as “user” or “pass”, and watch as each occurrence pops up in the log window.
Beyond FTP, you can observe how other protocols behave under interception. Launch a Telnet session, start a simple HTTP request, or use a DNS lookup. Each will appear in the connection list with a distinct protocol label. Some protocols, like HTTPS, are encrypted; however, EtterCap can decrypt them if the proper SSL/TLS keys are available or if you set up a man‑in‑the‑middle HTTPS proxy. This capability demonstrates the breadth of EtterCap’s interception power across both encrypted and unencrypted traffic.
While the victim interacts with the network, you can test the injection feature. For example, press i while a connection is selected to open the injector dialog. You can type an arbitrary command, such as “ls” or “dir”, and EtterCap will inject that command into the ongoing session. The victim’s terminal will show the injected command’s output, proving that you can influence the session without breaking it. This injection works because EtterCap maintains the TCP session alive; it simply alters the payload without resetting the connection.
To verify that the spoofing remains effective, pause the victim’s traffic, then use arp -a on the victim to view the current ARP table. You should see that the gateway’s IP now maps to the attacker’s MAC address. Similarly, check the gateway’s ARP table; it should also list the attacker’s MAC for the victim’s IP. If either side has lost the attacker’s MAC mapping, press a again to resume spoofing.
When you finish the experiment, you can stop the spoofing by pressing s on the victim row. EtterCap will revert the ARP tables to their original state. This graceful shutdown is important to avoid leaving the network in an inconsistent state, especially if other hosts rely on the correct ARP mappings for routing. The lab environment makes it easy to repeat the process with different targets or to test other features like packet dropping or filtering.
Capturing and Interpreting Traffic
EtterCap’s logging feature is a powerful tool for analyzing traffic at a granular level. Once a connection is active, pressing l opens the log window where every packet that passes through the attacker’s NIC is displayed in ASCII form. For protocols that use human‑readable formats, such as HTTP or SMTP, you can see the request and response headers in full detail. For binary protocols, the log shows the raw hex dump, which you can decode manually or with external tools.
To make the most of the logs, you should learn to interpret common patterns. In an HTTP transaction, you’ll see a line like “GET /index.html HTTP/1.1” followed by the host header. The response will include a status line, such as “HTTP/1.1 200 OK”, and then the body of the page. By filtering the log for a specific string, you can track the progress of a file download or locate a particular cookie value. EtterCap’s built‑in filter allows you to search for hex values, making it useful for spotting binary signatures or encrypted payload markers.
For FTP sessions, the log displays commands like “USER” and “PASS” followed by the server’s replies. If you capture a session with a weak password, the log will expose the plain text credentials, underscoring the importance of using secure authentication mechanisms. Similarly, Telnet logs reveal the login prompt and any clear‑text credentials transmitted, which is a stark reminder that legacy protocols remain a weak link in most networks.
When working with encrypted traffic, EtterCap can still display the TLS handshake if you enable the SSL decryption option. You’ll see the client’s “Client Hello” message, the server’s “Server Hello”, and the subsequent key exchange data. While the application data remains encrypted, the handshake information can still be useful for identifying vulnerable SSL/TLS versions or weak cipher suites. In some cases, you can capture the session ID and replay it later to test session resumption vulnerabilities.
EtterCap also supports packet dropping. In the log window, you can set a rule to drop packets containing a specific string. For instance, if you want to stop an application from sending a password, configure a filter that matches the “PASS” command and mark the packet for dropping. When the filter is active, EtterCap will silently discard matching packets, effectively blocking the transmission. This feature is useful for testing intrusion prevention systems or for demonstrating how a malicious attacker could block authentication attempts on a target.
Beyond manual inspection, you can export the log to a file for offline analysis. The Export log option writes the captured packets in a format that can be opened by Wireshark or a hex editor. By comparing the exported log to a live capture, you can validate that EtterCap is not altering the packet structure beyond what you explicitly configure. This level of transparency is essential for researchers who need to prove that the tool behaves as expected without injecting hidden modifications.
By mastering EtterCap’s capture and log capabilities, you gain a comprehensive view of how data flows across a switched LAN. Whether you’re a penetration tester looking to prove the vulnerability of an internal network or a network engineer verifying that your devices handle traffic correctly, the tool’s logging features provide a reliable foundation for analysis.
Tweaking Filters to Modify Traffic
Once you’re comfortable with interception, the next step is to explore how EtterCap can alter traffic on the fly. Filters are the mechanism that allows you to search for a specific pattern in a packet’s payload and replace it or drop the packet. The syntax is straightforward: you specify the direction (source or destination), the protocol, the port, and the string or hex value to match. After a match, you provide the replacement string, and the filter can be toggled on or off.
Consider a classic example: redirecting web traffic from one site to another. Select the victim and gateway, start the spoofing, and then press f to open the filter editor. Choose the source filter, then add a new rule. Set the protocol to TCP, the destination port to 80, and the string to match as “www.google.com”. The replacement string becomes “www.mutsonline.com”. After saving, toggle the filter on with s. Now, every HTTP request that contains the original host header will be rewritten to point to the new domain. If the victim is browsing the web, they will be silently redirected without noticing the change. Note that modern browsers and sites may use HTTPS or HSTS, so the example may fail in practice, but the mechanism remains the same for any HTTP payload.
For a more reliable test, manipulate a plain text protocol. Open a Telnet or FTP session from the victim, then create a filter that replaces a known string in the payload. For instance, if you have an FTP server that returns “Welcome”, create a filter that changes that word to “Greetings”. When the session starts, you’ll see the altered response in real time. This demonstrates that filters do not disrupt the TCP handshake; they only modify the data carried inside the packet.
Filters can also be used to inject malicious payloads. Suppose you want to send a command to a remote system that listens on a custom protocol. Create a filter that matches the start of a packet, then replace it with a string that contains the command you wish to execute. As long as the target application accepts the packet format, your injected command will be processed, allowing you to control the system from afar. This technique is powerful but must be used responsibly, as it can cause unintended damage or trigger incident response procedures.
When writing filters, be mindful of the packet boundaries. If your replacement string is shorter than the original, the remaining bytes are usually padded with zeros; if it is longer, EtterCap will truncate the packet, potentially causing the connection to reset. To avoid this, keep replacements the same length or use null bytes strategically. Also, be aware that many protocols rely on checksums; EtterCap automatically recalculates checksums after a filter modification, so you don’t need to handle that manually.
Beyond string replacement, you can instruct EtterCap to drop packets that match a pattern. This is useful for testing intrusion detection systems. Configure a filter that matches a known attack signature, such as a SQL injection string, and drop those packets. When the victim tries to execute the attack, the packet disappears before reaching its destination, and the attack is thwarted. The attacker can then analyze the logs to see which packets were dropped and adjust the filter accordingly.
Finally, remember that all filter changes are temporary. They persist only for the current session; when you stop EtterCap, the filters vanish. If you need to keep a filter for repeated use, export it to a configuration file and load it on startup. This way, you can quickly apply a set of filters to any new session, streamlining your workflow.
Mitigation and Detection Techniques
ARP spoofing attacks are a common threat on switched LANs. Because the attacker rewrites ARP tables, legitimate traffic can be misrouted, monitored, or dropped. Defending against such attacks requires a layered approach that combines monitoring, configuration hardening, and proactive testing.
First, deploy ARP monitoring tools on each host. Arpwatch is a lightweight daemon that logs any change in the mapping between IP and MAC addresses. When it detects an unexpected update, it sends an email or writes to a central log. By correlating these alerts with other network events, administrators can spot malicious activity early. In environments with strict audit requirements, Arpwatch can be paired with syslog servers to maintain a comprehensive audit trail.
Second, enable switch port security. Managed switches allow you to configure ports to accept a limited number of MAC addresses. Once the threshold is reached, the port can be disabled or placed into a restricted mode. This prevents an attacker from connecting an additional NIC that could perform ARP spoofing. Some switches also support dynamic ARP inspection, which validates each ARP packet against a trusted source such as a DHCP snooping database. Packets that fail the inspection are dropped, thwarting spoofing attempts.
Third, enforce strong authentication mechanisms. Protocols that transmit credentials in clear text - like FTP, Telnet, or HTTP over plain TCP - are especially vulnerable. Replacing them with secure alternatives (SFTP, SSH, HTTPS) eliminates the risk of credential theft via ARP spoofing. When a legacy application leaves you no choice but to keep an insecure protocol, consider adding an application‑level firewall that only allows traffic to known, trusted endpoints.
Fourth, conduct regular EtterCap scans on the network. While EtterCap is typically used by attackers, the same tool can be used by defenders to audit the environment. Run EtterCap in passive mode and let it listen for duplicate ARP replies or suspicious traffic patterns. The “Check for other poisoners” feature alerts you if someone else is already manipulating ARP tables. By automating these scans on a schedule - say, nightly - administrators can maintain situational awareness without manual intervention.
Fifth, implement network segmentation. Separate critical services into isolated VLANs or subnetworks, and restrict inter‑VLAN routing through firewalls that enforce strict policy rules. Even if an attacker manages to spoof ARP in one segment, they cannot directly access assets in another segment without proper authentication.
Lastly, educate users and staff. Many ARP spoofing incidents arise from a lack of awareness. Provide training that explains how switched networks work, why ARP tables can be compromised, and what to do if a device stops responding. Encourage users to report any unexpected network behavior, and make sure that support teams can respond quickly to potential spoofing incidents.
By combining monitoring, hardening, secure protocols, regular testing, and segmentation, organizations can create a robust defense that mitigates the threat posed by ARP spoofing. EtterCap, while a powerful attacker tool, also offers a valuable perspective for defenders looking to understand and guard against MITM attacks in modern LAN environments.
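As an added example (not part of the original article and not Ettercap's own code), the following Python script implements the "before/after" ARP-table comparison suggested in the lab section and the shared-MAC check that monitoring tools such as Arpwatch rely on: it parses `ip neigh` (Linux) and `arp -a` (Windows) output, reports any IP whose MAC changed since the baseline snapshot, and flags a MAC that now answers for more than one IP. The snapshots, MAC addresses and the 192.168.1.x lab addresses are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Linux `ip neigh` line: "IP dev IFACE lladdr MAC STATE"
_LINUX = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-fA-F:]{17})")
# Windows `arp -a` line: "  IP    MAC(dash-separated)    dynamic|static"
_WINDOWS = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\w+")

GATEWAY_IP = "192.168.1.138"  # lab gateway from the setup section

# Constructed snapshots taken on the victim (Linux). The "after" table shows the
# gateway IP remapped to the MAC that the attacker host (192.168.1.10) already owns.
VICTIM_BEFORE = """\
192.168.1.138 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.10 dev eth0 lladdr de:ad:be:ef:00:10 STALE
"""
VICTIM_AFTER = """\
192.168.1.138 dev eth0 lladdr de:ad:be:ef:00:10 REACHABLE
192.168.1.10 dev eth0 lladdr de:ad:be:ef:00:10 STALE
"""

# Constructed snapshots taken on the gateway (Windows): the victim's IP moves
# to the attacker's MAC, so the same MAC is now claimed by two IPs.
GATEWAY_BEFORE = """\
Interface: 192.168.1.138 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.10          de-ad-be-ef-00-10     dynamic
"""
GATEWAY_AFTER = GATEWAY_BEFORE.replace("aa-bb-cc-00-00-01", "de-ad-be-ef-00-10")


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so aa-bb-... (Windows) equals aa:bb:... (Linux)."""
    return mac.replace("-", ":").lower()


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from either table format; headers and incomplete entries are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINUX.match(line) or _WINDOWS.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def changed_mappings(baseline: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC differs from the baseline snapshot, as (ip, old_mac, new_mac)."""
    return sorted((ip, baseline[ip], current[ip])
                  for ip in baseline if ip in current and baseline[ip] != current[ip])


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs claimed by more than one IP: the signature of a host answering for both parties."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def assess(baseline_text: str, current_text: str, gateway_ip: str) -> List[str]:
    """Human-readable findings; an empty list means the table matches the baseline."""
    before, after = parse_arp_table(baseline_text), parse_arp_table(current_text)
    findings = []
    for ip, old, new in changed_mappings(before, after):
        tag = "GATEWAY" if ip == gateway_ip else "host"
        findings.append(f"{tag} {ip} moved from {old} to {new}")
    for mac, ips in shared_macs(after).items():
        findings.append(f"MAC {mac} now answers for {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for name, before, after in (("victim", VICTIM_BEFORE, VICTIM_AFTER),
                                ("gateway", GATEWAY_BEFORE, GATEWAY_AFTER)):
        print(f"[{name}]")
        for finding in assess(before, after, GATEWAY_IP) or ["no change"]:
            print("  " + finding)
```

In a real lab you would feed `assess()` the saved output of `ip neigh` or `arp -a` captured before and after the session instead of the constructed strings.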
Command‑Line Quick Reference
For users who prefer the terminal, EtterCap offers a rich set of command‑line options. The basic syntax starts with ettercap followed by flags. To scan the LAN with broadcast ping instead of ARP requests, use -b. For example, ettercap -b sends ICMP echo requests to every address in the subnet, which can be faster on large networks.
To sniff traffic between two hosts only, provide the source and destination IPs as arguments: ettercap -s 192.168.0.1 192.168.0.2. This launches EtterCap in interactive mode and limits capture to connections involving the specified pair.
Loading a configuration file is useful for recurring tasks. The command ettercap -zs -e etter.conf switches to IP‑based sniffing and reads options from etter.conf. Anything defined in the file will override command‑line parameters, allowing you to centralize settings for repeated use.
For non‑interactive sessions, EtterCap can operate entirely in the console. The example ettercap -Nzs victim.my.net ANY:80 listens only on port 80 to/from the victim, dumps data in ASCII mode, and writes to standard output. Adding the -x flag switches to hex mode if required.
To avoid recording passwords to the console during a remote session, you can use ettercap -NRzs remote.host.net:23 my.local.host.com. This command filters out telnet traffic between the specified hosts while still logging other activity.
For a full host list without prompts, use ettercap -Nclg. The tool will identify the LAN type, report any poisoners, and display every host it discovers.
When you need to detach EtterCap from the console and log to a file, run ettercap -NCLzs --quiet. This is particularly useful on hubbed networks where captured passwords are sent to your host. Remember that this mode only works when the attacker can see the traffic directly.
Finally, plugins expand EtterCap’s functionality. Launch a plugin by specifying -Np followed by the plugin name and target. For example, ettercap -Np ooze victim.mynet.org runs the “ooze” plugin, which performs a port scan on the victim and translates the results with the correct IP address. By combining plugins with the core features, you can tailor EtterCap to almost any network assessment scenario.