Wifi, Backtrack, crack WEP et WPA...

Vous n'êtes pas identifié(e).  


Visitez la boutique, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

#1 21-01-2009 21:30:19

Membre Actif
Inscription : 12-01-2009
Messages : 25

ettercap problème de réseau

Je fais des essais sur mon réseau , et je n'arrive pas a paramétrer ettercap . Je suis sous xp avec vmware et bt3 modifié avec l'alpha 500 ( wlan0 )

Que fait-il faire une fois la clé wep trouvé ?

Qu'elles sont les manip avant de pouvoir aller sniffer le réseau dans ettercap ?

Hors Ligne


Visitez la boutique, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

#2 21-01-2009 22:42:58

Lieu : Lost in the darkness
Inscription : 14-02-2008
Messages : 6 434

Re : ettercap problème de réseau

Dans un premier temps il faut te connecter au réseau. Ensuite si tu souhaites utiliser ettercap la commande

man ettercap

te renseigne sur l'utilisation du programme:

ETTERCAP(8)                                                                                                                                                              ETTERCAP(8)

       ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks

***** IMPORTANT NOTE ******
       Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read carefully this man page.

       ettercap [OPTIONS] [TARGET1] [TARGET2]

       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /,40,50/20,22,25)

       Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have changed
       it to a powerful and flexible tool for man-in-the-middle attacks.  It supports active and passive dissection of many protocols (even ciphered ones) and  includes  many  fea-
       tures for network and host analysis (such as OS fingerprint).

       It has two main sniffing options:

       UNIFIED,  this  method  sniffs all the packets that pass on the cable. You can choose to put or not the interface in promisc mode (-p option). The packet not directed to the
       host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the  packets
       and forward them for you.
       The  kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel).  This is an invasive be-
       haviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since  ettercap  listens  only  on  one  network  interface,
       launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.

       BRIDGED,  it  uses  two  network  interfaces  and  forward the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally
       stealthy since there is no way to find that someone is in the middle on the cable.  You can look at this method as a mitm attack at layer 1. You will be in the middle of the
       cable  between  two  entities.  Don't use it on gateways or it will transform your gateway into a bridge. HINT: you can use the content filtering engine to drop packets that
       should not pass. This way ettercap will work as an inline IPS wink

       You can also perform man in the middle attacks while using the unified sniffing. You can choose the mitm attack that you prefer. The mitm attack module is  independent  from
       the  sniffing  and  filtering  process, so you can launch several attacks at the same time or use your own tool for the attack. The crucial point is that the packets have to
       arrive to ettercap with the correct mac address and a different ip address (only these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX

       SSL support : you can sniff SSL secured data... a fake certificate is presented to the client and the session is decrypted.

       Characters injection in an established connection : you can inject characters to the server (emulating commands) or to the client (emulating replies) maintaining the connec-
       tion alive !!

       Packet  filtering/dropping:  You  can set up a filter script that searches for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the
       entire packet. The filtering engine can match any field of the network protocols and modify whatever you want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and route mangling: You can play with linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled  remote
       connections and perform mitm attacks on them.

Plug-ins support : You can create your own plugin using the ettercap's API.

       MSN, YMSG (other protocols coming soon...)

       Passive OS fingerprint: you scan passively the lan (without sending any packet) and gather detailed info about the hosts in the LAN: Operating System, running services, open
       ports, IP, mac address and network adapter vendor.

       Kill a connection: from the connections list you can kill all the connections you want

       There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs. If you want you can omit any of its parts and this will represent an ANY in that part.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/" means ANY mac address, ONLY ip and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs  is  a  range  of  IP in dotted notation. You can specify range with the - (hyphen) and single ip with , (comma). You can also use ; (semicolon) to indicate different ip
       ";" expands into ip, 2, 3, 4, 5 and

       PORTs is a range of PORTS. You can specify range with the - (hyphen) and single port with , (comma).
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming or going to  you
       can specify "./ettercap -R /"

       TARGETs  are  also  responsible of the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging
       between the two targets will be scanned. remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet.

       ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID  =  65535
       (nobody).  Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a differ-
       ent uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g.  export EC_UID=500) or set the correct parameter in the
       etter.conf file.

       While  performing  the  SSL mitm attack, ettercap substitutes the real ssl certificate with its own. The fake certificate is created on the fly and all the fields are filled
       according to the real cert presented by the server. Only the issuer is modified and signed with the private key contained in the 'etter.sll.crt' file. If you want to  use  a
       different private key you have to regenerate this file. To regenerate the cert file use the following commands:

       openssl genrsa -out etter.ssl.crt 1024
       openssl req -new -key etter.ssl.crt -out tmp.csr
       openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out
cat >> etter.ssl.crt
       rm -f tmp.csr NOTE: SSL mitm is not available (for now) in bridged mode.

       Options that make sense together can generally be combined. ettercap will warn the user about unsupported option combinations.


       ettercap  NG  has  a  new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with
       destination mac address equal to the host's mac address and destination ip address different for the one bound to the iface will be forwarded by ettercap. Before  forwarding
       them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs
       to hijack packet.
       You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap  drops  its  privileges,  it  cannot
       restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The mimt attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redi-
              rect them to ettercap. The sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time.
              If a mitm method requires some parameters you can specify them after the colon.  (e.g.  -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been  poisoned
                     the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.

                     In  silent  mode  (-z  option)  only the first target is selected, if you want to poison multiple target in silent mode use the -j option to load a list from a

                     You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by  the  arp
                     scan) and the result is used to determine the victims of the attack.

                     The  parameter  "remote"  is optional and you have to specify it if you want to sniff remote ip address poisoning a gateway. Indeed if you specify a victim and
                     the gw in the TARGETS, ettercap will sniff only connection between them, but to enable ettercap to sniff connections that pass thru the gw,  you  have  to  use
                     this parameter.

                     The  parameter  "oneway"  will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an
                     arp watcher can be in place).


                     the targets are: / /
                     and the host list is:

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

if the targets overlap each other, the association with identical ip address will be skipped.

                     NOTE: if you manage to poison a client, you have to set correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned
                     clients will not be able to navigate the Internet.

              icmp (MAC/IP)
                     This  attack  implements  ICMP  redirection. It sends a spoofed icmp redirect message to the hosts in the lan pretending to be a better route for internet. All
                     connections to internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a  HALF-DUPLEX  mitm.
                     Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE TO NOT USE FILTERS THAT MODIFY THE
                     PAYLOAD LENGTH. you can use a filter to modify packets, but the length must be the same since the tcp sequences cannot be updated in both ways.
                     You have to pass as argument the MAC and the IP address of the real gateway for the lan.
                     Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.

                     NOTE: to restrict the redirection to a given target, specify it as a TARGET


                     -M icmp:00:11:22:33:44:55/

                     will redirect all the connections that pass thru that gateway.

              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to  accept  the
                     attacker's reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see above in the ICMP section).

                     You  have  to  pass  the  ip pool to be used, the netmask and the ip of the dns server.  Since ettercap tries to win the race with the real server, it DOES NOT
                     CHECK if the ip is already assigned. You have to specify an ip pool of FREE addresses to be used. The ip pool has the same form of the target specification.

                     If the client sends a dhcp request (suggesting an ip address) ettercap will ack on that ip and modify only the gw option. If the client makes a dhcp discovery,
                     ettercap  will  use  the first unused ip address of the list you have specified on command line. Every discovery consumes an ip address. When the list is over,
                     ettercap stops offering new ip addresses and will reply only to dhcp requests.
                     If you don't want to offer any ip address, but only change the router information of dhcp request/ack, you can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ip that are in use, you will mess your network! In general, use this attack carefully. It  can  really  mess  things  up!
                     When you stop the attack, all the victims will be still convinced that ettercap is the gateway until the lease expires...


                     -M dhcp:,35,50-60/
                     reply to DHCP offer and request.

                     -M dhcp:/
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static
                     mapped ARPs are used).

                     It floods the LAN (based on port_steal_delay option in etter.conf) with ARP packets. If you don't specify the "tree" option, the  destination  MAC  address  of
                     each "stealing" packet is the same as the attacker's one (other NICs won't see these packets), the source MAC address will be one of the MACs in the host list.
This process "steals" the switch port of each victim host in the host list.  Using low delays, packets destined to "stolen" MAC addresses will be  received  by
                     the  attacker,  winning  the race condition with the real port owner.  When the attacker receives packets for "stolen" hosts, it stops the flooding process and
                     performs an ARP request for the real destination of the packet.  When it receives the ARP reply it's sure that the victim has "taken back" his port, so  etter-
                     cap can re-send the packet to the destination as is.  Now we can re-start the flooding process waiting for new packets.

                     If  you  use  the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches
                     (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount  of
                     traffic (according to port_steal_delay).  The "remote" option has the same meaning as in "arp" mitm method.

                     When you stop the attack, ettercap will send an ARP request to each stolen host giving back their switch ports.
                     You can perform either HALF or FULL DUPLEX mitm according to target selection.

                     NOTE: Use this mitm method only on ethernet switches. Use it carefully, it could produce performances loss or general havoc.

                     NOTE: You can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction with other mitm methods.

                     NOTE:  This  mitm  method  doesn't  work on Solaris and Windows because of the lipcap and libnet design and the lack of certain ioctl().  (We will feature this
                     method on these OSes if someone will request it...)


                     The targets are: / /
                     You will intercept and visualize traffic between and, but you will receive all the traffic for and too.

                     The target is: /
                     You will intercept and visualize all the traffic for

       -o, --only-mitm
              This options disables the sniffing thread and enables only the mitm attack.  Useful if you want to use ettercap to perform mitm attacks and another sniffer  (such  as
              ethereal)  to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding.  Remember to activate
              the "ip forwarding" feature in your kernel.

       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if  you
              want to perform a mitm attack, ettercap will not be able to forward hijacked packets.
              These filters are useful to decrease the network load impact into ettercap decoding module.

       -B, --bridge <IFACE>
              BRIDGED sniffing
              You  need two network interfaces. ettercap will forward form one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is
              totally stealthy since it is passive and there is no way for an user to see the attacker.
              You can content filter all the traffic as you were a transparent proxy for the "cable".


       -r, --read <FILE>
              OFF LINE sniffing
              With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire.
              This is useful if you have a file dumped from tcpdump or ethereal and you want to make an analysis (search for passwords or passive fingerprint) on it.
Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packet to a pcap file
              This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or  ethereal.  You  can  use  this
              option to dump the packets to a file and then load it into your favourite application.

              NOTE: dump file collect ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze
              them with other tools.

              TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets  or  decrypt  WEP-encrypted  WiFi
              traffic and dump them to another file.


       -T, --text
              The text only interface, only printf wink
              It is quite interactive, press 'h' in every moment to get help on what you can do.

       -q, --quiet
              Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. It is useful if you want to convert pcap file to ettercap
              log files.


              ettercap -Tq -L dumpfile -r pcapfile

       -s, --script <COMMANDS>
              With this option you can feed ettercap with command as they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There
              is a special command you can issue thru this command: s(x). this command will sleep for x seconds.


              ettercap -T -s 'lq'  will print the list of the hosts and exit
              ettercap -T -s 's(300)olqq'  will collect the infos for 5 minutes, print the list of the local profiles and exit

       -C, --curses
              Ncurses based GUI. See ettercap_curses(8) for a full description.

       -G, --gtk
              The nice GTK2 interface (thanks Daten...).

       -D, --daemonize
              Daemonize  ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option
              to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by  etter-
              cap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.


       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should
set the unoffensive flag.

       -I, --iflist
              This option will print the list of all available network interfaces that can be used within ettercap. The option is particulary usefull under windows where  the  name
              of the interface is not so obvious as under *nix.

       -n, --netmask <NETMASK>
              Use  this <NETMASK> instead of the one associated with the current iface. This option is useful if you have the NIC with an associated netmask of class B and you want
              to scan (with the arp scan) only a class C.

       -R, --reversed
              Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE: you will not have the hosts list, so you can't use the multipoison feature.  you can only select two hosts for an ARP poisoning attack, specifying them  through
              the TARGETs

       -p, --nopromisc
              Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable
              the promisc mode.

       -u, --unoffensive
              Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevent to do that, so the responsibility of  ip
              forwarding is left to the kernel.
              This  options is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the
              other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
              It also disables the internal creation of the sessions for each connection. It increases performances, but you will not be able to modify packets on the fly.
              If you want to use a mitm attack you have to use a separate instance.
              You have to use this option if the interface is unconfigured (without an ip address.)
              This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.

       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created by the -k option. (see below)

       -k, --save-hosts <FILENAME>
              Saves the hosts list to a file. Useful when you have many hosts and you don't want to do an ARP storm at startup any time you use ettercap. Simply  use  this  options
              and dump the list to a file, then to load the information from it use the -j <filename> option.

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need target specification, use TARGET as always.
              In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
              To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)

More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8)

       -F, --filter <FILE>
              Load  the  filter  from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant
              binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script.
              NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a  packet  before  forwarding
              it. Pcap filter are used to capture only certain packets.
              NOTE:  you  can use filters on pcapfile to modify them and save to another file, but in this case you have to pay attention on what you are doing, since ettercap will
              not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.

       -W, --wep-key <KEY>
              You can specify a WEP key to decrypt WiFi packets. Only the packets decrypted successfully will be passed to the decoders stack, the others will  be  skipped  with  a
              The  parameter  has  the following syntax: N:T:KEY. Where N is the bit length of the wep key (64, 128 or 256), T is the type of the string ('s' for string and 'p' for
              passphrase). KEY can be a string or an escaped hex sequences.

              --wep-key 128:p:secret
              --wep-key 128:s:ettercapwep0
              --wep-key '64:s:\x01\x02\x03\x04\x05'

       -a, --config <CONFIG>
              Loads an alternative config file instead of the default in /etc/etter.conf.  This is useful if you have many preconfigured files for different situations.


       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in conjunction with -L. It logs only packets that match the posix regex REGEX.
              It impacts even the visualization of the sniffed packets. If it is set only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use this option to set the visualization method for the packets to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.


                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified

              ascii  Print only "printable" characters, the others are displayed as dots '.'

              text   Print only the "printable" characters and skip the others.

              ebcdic Convert an EBCDIC text to ASCII.

html   Strip all the html tags from the text. A tag is every string between < and >.


                     <title>This is the title</title>, but the following <string> will not be displayed.

                     This is the title, but the following will not be displayed.

              utf8   Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.

       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE: this may seriously slow down ettercap while logging passive information.  Every time a new host is found, a query to the dns  is  performed.  Ettercap  keeps  a
              cache for already resolved host to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to respond for an unknown host.

              HINT:  ettercap collects the dns replies it sniffs in the resolution table, so even if you specify to not resolve the hostnames, some of them will be resolved because
              the reply was previously sniffed. think about it as a passive dns resolution for free... wink

       -E, --ext-headers
              Print extended headers for every displayed packet. (e.g. mac addresses)

       -Q, --superquiet
              Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. It can be useful to run ettercap in text only mode but  you
              don't  want  to  be  flooded with dissectors messages. Useful when using plugins because the sniffing process is always active, it will print all the collected infos,
              with this option you can suppress these messages.
              NOTE: this options automatically sets the -q option.


              ettercap -TzQP finger /


       -L, --log <LOGFILE>
              Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by  ettercap  will
              be  logged,  together  with  all  the  passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOG-
              FILE.eci (for the infos).

              NOTE: if you specify this option on command line you don't have to take care of privileges since the log file is opened in the startup phase (with high privs). But if
              you enable the log option while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.

       -l, --log-info <LOGFILE>
              Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci

       -m, --log-msg <LOGFILE>
              It  stores  in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the
              messages. Indeed, some dissectors print messages but their information is not stored anywhere, so this is the only way to keep track of them.

-c, --compress
              Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.

       -o, --only-local
              Stores profiles information belonging only to the LAN hosts.

              NOTE: this option is effective only against the profiles collected in memory.  While logging to a file ALL the hosts are logged. If you want to split  them,  use  the
              related etterlog(8) option.

       -O, --only-remote
              Stores profiles information belonging only to remote hosts.


       -U, --update
              Connects to the ettercap website ( and retrieve the latest databases used by ettercap.
              If you want only to check if an update is available, prepend the -z option.  The order does matter: ettercap -zU

              SECURITY NOTE: The updates are not signed so an attacker may poison your DNS server and force the updateNG.php to feed ettercap with fake databases.  This can harm to
              your system since it can overwrite any file containing the string "Revision: ".

       -v, --version
              Print the version and exit.

       -h, --help
              prints the help screen with a short summary of the available options.

       Here are some examples of using ettercap.

       ettercap -Tp

              Use the console interface and do not put the interface in promisc mode. You will see only your traffic.

       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will  be

       ettercap -T -j /tmp/victims -M arp / /

              Will  load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two target. The list will be joined with the target and the resulting list
              is used for ARP poisoning.

       ettercap -T -M arp // //

              Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL !!

       ettercap -T -M arp:remote / /

              Perform the ARP poisoning against the gateway and the host in the lan between 2 and 10. The 'remote' option is needed to be able to sniff the remote traffic the hosts
make through the gateway.

       ettercap -Tzq //110
              Sniff only the pop3 protocol from every hosts.

       ettercap -Tzq /,22,23

              Sniff telnet, ftp and ssh connections to

       ettercap -P list

              Prints the list of all available plugins

       Alberto Ornaghi (ALoR) <[email protected]>
       Marco Valleri (NaGA) <[email protected]>

       etter.conf(5) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8)


       cvs -d:pserver:[email protected]:/cvsroot/ettercap login
       cvs -d:pserver:[email protected]:/cvsroot/ettercap co ettercap_ng

       Our software never has bugs.
       It just develops random features.   wink


       - ettercap doesn't handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.

       + please send bug-report, patches or suggestions to <[email protected]> or visit  and post it in the BUGS section.

       + to report a bug, follow the instructions in the README.BUGS file

       "Even if blessed with a feeble intelligence, they are cruel and smart..."  this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragon.

       The name "ettercap" was chosen because it has an assonance with "ethercap" which means "ethernet capture" (what ettercap actually does) and also because such monsters have a
       powerful poison... and you know, arp poisoning... wink

The Lord Of The (Token)Ring
       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
        one Ring to bring them all and in the darkness sniff them."

Last words
       "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the  Universe  trying  to  produce  bigger  and  better
       idiots. So far, the Universe is winning." - Rich Cook

ettercap NG-0.7.3

Le manuel est assez complet... Amuses toi bien, ettercap est un outil très puissant wink

Hors Ligne

#3 21-01-2009 22:57:48

Membre Actif
Inscription : 12-01-2009
Messages : 25

Re : ettercap problème de réseau

en faite , tu me dis que dans un  premier temps il faut te connecter au réseau.

J'ai déja du mal a partir du moment ou j'ai trouvé la clé wep

J'ai suivis se tuto ici mais ça ne marche pas

Hors Ligne

#4 21-01-2009 23:49:40

Lieu : Lost in the darkness
Inscription : 14-02-2008
Messages : 6 434

Re : ettercap problème de réseau

C'est un tuto qui concerne le sniffing d'informations en mode monitor grace à airtun-ng. Tu peux également procéder de cette manière si tu le souhaites, dans ce cas effectivement tu n'as pas besoin d'etre connecté puisque tu vas décrypter les paquets en direct grace à airtun-ng et les analyser au travers d'une interface réseau virtuelle avec ettercap.

Je crois que tu t'attaques à des trucs un peu trop complexes pour débuter. Connectes toi sur le réseau, utilises ettercap pour te placer en situation de man in the middle comme je l'ai décrit dans le Tutoriel sur la rogue AP, et analyses les paquets qui transitent avec wireshark. Quand tu sauras faire cela, ce sera déja une bonne base et tu pourras poursuivre avec des attaques plus avancées wink

Hors Ligne


Visitez la boutique, votre revendeur agr Alfa Network: du matriel Wifi slectionn, cartes Wifi USB Awus036h et Awus036nh, antennes omnis, yagis, panel, amplis wifi, accessoires...

Sujets similaires

Discussion Réponses Vues Dernier message
0 336 13-09-2018 16:13:48 par Bob36180
1 322 12-09-2018 22:10:58 par jawher
1 434 27-08-2018 09:20:08 par MiscL
1 835 21-05-2018 19:45:53 par Cr0wn3d
1 654 08-05-2018 22:00:55 par johny12

Pied de page des forums

Le coin des bonnes affaires, achats informatiques:

|   Alfa 1000 mW AWUS036H   |    Linksys WRT54GL   |    Misco, informatique   |   
 |    Ebay   |    PC portables   |    PC Gamers & Tuning   |    Cles USB   |   
|   Disques durs externes 2 To   |   
|   |   

Server Stats - [ Generated in 0.046 seconds ]   Forum Stat - [ Most users ever online on the forum was : 150 on 20-09-2009 17:06:59 ]