Slashdot Mirror


The men behind ettercap-NG

An anonymous reader writes "In 2001 two Italians released the first beta version of ettercap, a network protocol analyzer. Ettercap is now covered in most security books. It's number 9 in the Top 75 Security Tools list of the Nmap Hackers mailing list. This summer they released ettercap-NG, which was completely rewritten from scratch with better, modular code, making it easier to add new features and write and submit patches. NewsForge recently caught up with its authors for an Interview."

89 comments

  1. No Link? by Anonymous Coward · · Score: 0

    Where is the link to ettercap?

    1. Re:No Link? by lukewarmfusion · · Score: 1

      Or the explanation of what it does? It's a security tool. That's all I know about it.

      Most ./-ers won't RTFA... what makes the submitter think we'll head on over to Google for more info?

      Ok, I'm off to Google to figure out what ettercap is.

    2. Re:No Link? by Per+Wigren · · Score: 4, Funny

      Where is the link to ettercap?

      Here it is!

      --
      My other account has a 3-digit UID.
    3. Re:No Link? by Anonymous Coward · · Score: 0

      Ever heard of Google?

    4. Re:No Link? by pasde · · Score: 1
    5. Re:No Link? by Anonymous Coward · · Score: 0
      It's a security tool. That's all I know about it.

      It's not actually a 'security' tool in the sense that you use it to make things better. Crackers use it to break into your network.

      In fact, most things called "security tools" are actually things intended to break into networks with.

    6. Re:No Link? by harikiri · · Score: 1
      Practical example for Ettercap? Scaring my boss as I show him why it's important to explicitly disallow SSH v1 connections (ettercap can perform Man-In-The-Middle password sniffing on this). Also to demonstrate why you should never let me mess around on a live network:

      Ettercap running under Knoppix crashed, while sniffing the entire floor's network (my laptop was acting as the router for the floor, no wonder it crashed). Slight problem though, almost at once everyone looked up and went "did Exchange go down?". Had to rush from desk to desk flushing the arp table on people's systems, as they were still trying to use the laptop as the default gateway.

      --
      Man watching 6 MSCE's around a sun box, looks a lot like the opening scenes of 2001:space odyssey...
  2. spoken like a true *nix fan by necrogram · · Score: 5, Funny
    Because our mailboxes were full of users' requests for Windows porting and our antispam filter started to get confused.

    That's one way to deal with Windows people

  3. Re:Well, I have never liked ettercap by kentmartin · · Score: 4, Informative

    I agree re: ethereal.

    I don't know why it wasn't linked to in the article, but here you go:

    Homepage: http://ettercap.sourceforge.net/
    Description: A suite for man in the middle attacks and network mapping

  4. Good summary, this time by YetAnotherName · · Score: 5, Insightful

    All too often, software announcements mention just the name of the item and not what it is or why it's interesting. As an example, compare this recent summary for Zope.

    Not everyone's heard of Ettercap; this summary says what it is (network protocol analyzer) and also why it's important (in top ten of security tools). I hope to see more summaries of this caliber on Slashdot.

    1. Re:Good summary, this time by TheRaven64 · · Score: 1

      The summary text was good, but a link to the project would have been a good addition, as would a link to the top 75 list mentioned.

      --
      I am TheRaven on Soylent News
    2. Re:Good summary, this time by lukewarmfusion · · Score: 2, Informative

      I don't think this was that good of a summary at all. I've never used ettercap and I've only heard it mentioned in passing. The story simply doesn't explain what it is.

      From ettercap project page:
      "Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis."

      That's a little more informative than "network protocol analyzer."

    3. Re:Good summary, this time by RollingThunder · · Score: 2, Insightful

      There has to be a limit, otherwise we end up having to define "man in the middle" and "LAN" and "content filtering", etc.

      I think that stating "network protocol analyzer" is sufficient - it indicates the general concept area, and gives the reader enough information to decide if it's something he should be going to dig deeper on or not.

      I do agree with a different responder that some things that could have been hyperlinked weren't.

    4. Re:Good summary, this time by interiot · · Score: 1

      At LEAST mention how it differs from other network protocol analyzers out there... especially if there's a super-popular one that people may be more familiar with (Ethereal). IMHO, the critical difference is that it allows sniffing of switched networks.

    5. Re:Good summary, this time by Anonymous Coward · · Score: 0

      I find google impossible to use as well.

  5. Re:Well, I have never liked ettercap by NicolaiBSD · · Score: 5, Interesting

    You're comparing apples and oranges. Ettercap is not just a packet dumping/protocol analyzer tool like tcpdump. It has many active features, like arp-cache poisoning, data injection etc.

  6. Re:Well, I have never liked ettercap by SillyNickName4me · · Score: 1

    I agree with regards to tcpdump, it's small and relatively good at its job. That said, I mostly use it to capture packets and dump them to a file for analysis with other programs (ntop, snort, and tcpdump itself)

    Ethereal? It's nice if it wasn't ridden with bugs and security issues. More alternatives in this market are a good thing, especially when talking about gui based capture tools.

  7. Top 75 Security Tools by Noksagt · · Score: 4, Informative

    The other top tools.

  8. Re:Well, I have never liked ettercap by grap · · Score: 2, Informative

    ettercap has almost nothing to do with ethereal, tcpdump or any other general-purpose sniffers. It's for a man-in-the-middle attack, with ARP poisoning and other techniques, not for simply sniffing packets that already come to your NIC.

    It can sniff in a switched environment. You can't do this with TCPDUMP !!!

  9. Network Analyzer... duh by Anonymous Coward · · Score: 3, Informative

    Ettercap is evil :)

    It's more of a hacking tool than a network analyzer. It allows you to sniff switched networks, perform man-in-the-middle-attacks, it looks for passwords, etc.

    1. Re:Network Analyzer... duh by GigsVT · · Score: 1

      Wouldn't you rather know if it's possible to do those things on your own network, rather than keeping the tools only in the hands of those with nefarious intent?

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:Network Analyzer... duh by slasher999 · · Score: 4, Interesting

      I tend to agree. Ettercap is a tool I've played with and it has helped me to understand some new concepts, but I haven't really found a good use for it in my day to day Sr Sys Adm career. Other "grey" tools however, such as ethereal and nmap, I wouldn't be without. As the authors pointed out, it's not the tools that are evil.

    3. Re:Network Analyzer... duh by funk_doc · · Score: 1

      No tool can sniff switched networks. The information never makes it to your network adapter, nothing to sniff. A hub on the other hand, no problem.

    4. Re:Network Analyzer... duh by Anonymous Coward · · Score: 1, Informative

      you are quite wrong. it is possible. try a google for something like "switch mac flood sniff." hopefully the results will help you, and others, realize that often times there is more to security than what "seems" secure.

    5. Re:Network Analyzer... duh by _Sprocket_ · · Score: 2, Informative

      Maybe you should take a look at ettercap?

    6. Re:Network Analyzer... duh by puddpunk · · Score: 1

      You're incorrect. Ettercap uses a technique called "Arp poisoning" which basically tricks the switch into sending you packets that don't belong to you, which ettercap then forwards to the victim and vice-versa.

      Google can tell you a lot more about it. Also have a look at the DSniff suite.

      Cheers,
      Chris.
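The ARP poisoning discussed in this thread shows up in each affected host's ARP cache, which is the table harikiri describes flushing by hand. The following is an added example, not code from the thread or from the ettercap project: it compares two Linux `/proc/net/arp` snapshots and reports a changed gateway MAC and any MAC claimed by several IPs. The addresses, MACs and the choice of `192.0.2.1` as gateway are constructed sample values.

```python
"""Flag ARP-cache entries consistent with poisoning (defensive check)."""
from collections import defaultdict

INCOMPLETE_MAC = "00:00:00:00:00:00"
ATF_COM = 0x2  # "complete entry" bit in the Flags column of /proc/net/arp

# Constructed sample snapshots in /proc/net/arp layout (not real captures).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:aa:bb:01     *        eth0
192.0.2.20       0x1         0x2         02:00:00:aa:bb:20     *        eth0
192.0.2.57       0x1         0x2         02:00:00:aa:bb:57     *        eth0
192.0.2.99       0x1         0x0         00:00:00:00:00:00     *        eth0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         02:00:00:AA:BB:57     *        eth0
192.0.2.20       0x1         0x2         02:00:00:aa:bb:20     *        eth0
192.0.2.57       0x1         0x2         02:00:00:aa:bb:57     *        eth0
"""


def parse_proc_net_arp(text):
    """Return {ip: mac} for resolved entries; unresolved ones are skipped."""
    table = {}
    for line in text.strip().splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated row
        ip, _hw_type, flags, mac = fields[:4]
        if not int(flags, 16) & ATF_COM or mac == INCOMPLETE_MAC:
            continue  # never answered, so it carries no MAC to compare
        table[ip] = mac.lower()  # normalise case before comparing
    return table


def find_anomalies(before, after, gateway_ip):
    """Compare two parsed tables and return a list of finding tuples.

    Both findings are indicators, not proof: a gateway MAC also changes on
    hardware replacement, and one MAC legitimately answers for several IPs
    on multi-homed hosts or with proxy ARP.
    """
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(("gateway_mac_changed", gateway_ip, old, new))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac_shared", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_proc_net_arp(BEFORE),
                                  parse_proc_net_arp(AFTER), "192.0.2.1"):
        print(finding)
```
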

  10. Interesting comment by Anonymous Coward · · Score: 5, Funny

    We chose the GPL because it's the most used, so it has to be the best.

    I have a nice Windows XP CD to sell you, guys.

    --
    Glass, total pwnage.

    1. Re:Interesting comment by Anonymous Coward · · Score: 2, Interesting

      I think someone has forgotten a :) at the end of the statement... indeed the next sentences explain the real meaning...

  11. Re:Well, I have never liked ettercap by grazzy · · Score: 1

    err? If it can be broken into, why not do it yourself first and fix the problem instead of letting someone else do it?

  12. Re:Well, I have never liked ettercap by strict3 · · Score: 1

    I don't know why it wasn't linked to in your post, but here you go:

    Homepage: http://ettercap.sourceforge.net/

    --
    "If a frog had side pockets, he'd carry a hand gun" - Dan Rather
  13. I love ettercap... by wschalle · · Score: 5, Interesting

    Its man in the middle feature lets me catch botnets on my college campus (I work in the IT dept.) and shut them down immediately.

  14. Re:My little Ettercap... by FerretFrottage · · Score: 2, Funny

    "...won't you stay a while"

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  15. The fact that it's a *NIX program by Lifewish · · Score: 4, Insightful

    "anyone care to justify this application, which seems to be yet another blackhat/script kiddy tool?"

    Anyone who's smart enough to use it effectively deserves results :)

    Seriously, a swiss army knife for kiddies is by definition a swiss army knife for security testers and system managers. I'd prefer for hacking tools to be available for all rather than just for the malicious portion of the online population.

    --
    For the love of God, please learn to spell "ridiculous"!!!
  16. Re:Well, I have never liked ettercap by garaged · · Score: 1

    Actually you only need a poisoning tool for that matter, not that tcpdump has it, but it is not that hard to accomplish actually

    --
    I'm positive, don't believe me look at my karma
  17. Re:Well, I have never liked ettercap by kentmartin · · Score: 1

    Because I use linkification which frees me from having to worry about such mundalities.

    I find its main use is for reading /. comments when idiots like me forget to put the anchor tags in ;)

  18. Re:Well, I have never liked ettercap by fafaforza · · Score: 1

    As a bit of a sidenote, does anyone know of a program like Windows' Sniffer that has a "dashboard" type of applet which displays the current packets per second going through an interface, or any other pps monitor (text or graphical)?

  19. Try it with the new UBCD by Leigh13 · · Score: 4, Informative

    The new 3.0 release of the excellent Ultimate Boot CD has Ettercap included with the INSERT live CD. If you're a Windows user, it's an easy way to boot into Linux and try it out without having to worry about compiling and what not.

    --

    What I should have said was nothing.
  20. Re:Well, I have never liked ettercap by grap · · Score: 1

    Can tcpdump take ownership of a connection you are sniffing (for example, take control of a telnet session between two hosts, and close the connection to one of the two hosts while retaining the one with the other)?

    ettercap can.

  21. I like ettercap.. by sque · · Score: 2, Funny

    and have used it for a long time. I tend to use it for evil and not good though =/. Being on a switched environment at work makes it the perfect happy fun time tool! :-)

  22. Re:Well, I have never liked ettercap by sque · · Score: 0

    ettercap has a nice ncurses and gtk2 'gui' for teh win

  23. Re:Legal uses of ettercap by warpSpeed · · Score: 2, Interesting
    anyone care to justify this application, which seems to be yet another blackhat/script kiddy tool?

    It is perfectly legal for me to do anything I like on my network. What more justification do I need?

    Perhaps we should ban debuggers too, because all we can use them for is breaking into commercial software...

  24. Re:Well, I have never liked ettercap by moyix · · Score: 1

    iptraf does this pretty well. You can have a look at screenshots of it in action here.

  25. Re:Legal uses of ettercap by Anonymous Coward · · Score: 0

    You're being deliberately obtuse in your statement about debuggers. A debugger is most frequently used to debug a program that you're working on. The fact that it can be and is sometimes used to hack somebody else's work is an unfortunate side effect.
    A protocol sniffer on the other hand is useful only for intruding on other people's IMs/e-mails and grabbing their passwords. If it was your own traffic you were sniffing, you wouldn't need to ... you'd already know what you were saying.
    Nice try at rationalising blatant criminal behaviour though, Mr. slashbot.

  26. Re:Legal uses of ettercap by Anonymous Coward · · Score: 0

    Yes I would. Used ethereal for that purpose just yesterday.

    We were making our system interface with a server, and the documentation we got was - well, very little. The test program worked, but the main program didn't. Only when we started comparing packet dumps, did we notice the four bytes that were different.

  27. Kinda Neat, OT Question by MBCook · · Score: 1
    Neat program. I'll mess around with it more later. But looking at the screenshots on the site reminded me of an old /. story (I think) and I'd like help finding it if anyone can help me, this is somewhat OT.

    The program did something similar, it would monitor network traffic and show you all the images that were being transmitted. So you could run it and figure out what sites people were surfing and stuff like that. It was very cool, but I have been unable to find it recently and I don't remember the name. Can anyone help me? Any programs that do this? Thanks.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    1. Re:Kinda Neat, OT Question by Anonymous Coward · · Score: 0

      Yes, it's called driftnet. Googling for "driftnet" you'll eventually come to host that has something like "exparrot" in it. That's it.

    2. Re:Kinda Neat, OT Question by Anonymous Coward · · Score: 0

      I believe you're looking for Driftnet (for linux, etc.).
      There is also a program for Macs called EtherPeg which does the same thing; I believe it was the original one.

    3. Re:Kinda Neat, OT Question by Anonymous Coward · · Score: 0

      driftnet?

    4. Re:Kinda Neat, OT Question by Anonymous Coward · · Score: 0

      Umm... dude, Ettercap does it. Or at least the old version did - I've not played with NG much.
      Look in the plugins menu, there is one to dump every image it comes across in a HTTP session.

      I use (the old) ettercap for tonnes of stuff. Yes, it is a very 'black' tool (and should not be compared to tcpdump and ethereal as others have been doing), but a lot of those uses invented for nefarious purposes are very good for quick jobs in the real world too.

    5. Re:Kinda Neat, OT Question by _Sprocket_ · · Score: 1

      I seem to remember dsniff had a utility (webspy?) that allowed you to essentially link a browser to a target machine. Your browser would jump about as your target host browsed.

  28. Re:Legal uses of ettercap by Anonymous Coward · · Score: 0

    just read what the authors replied... even dynamite is TODAY primarily used in WARS, but Nobel invented it to help the miners...

    ettercap is useful to filter and inject bits into connections of your lan... to test network applications, to map the hosts in the lan passively... don't focus your attention only on the password collection... this is a "side effect". this was done to open the eyes of the users that are still using plain text protocols...

  29. Re:Legal uses of ettercap by slash-tard · · Score: 2, Interesting

    I sniff traffic all the time using ethereal, etherpeek, and tcpdump. I do this to verify traffic from remote customers, help debug developers' custom applications, and estimate bandwidth usage by application. I don't have a need for ettercap, man in the middle attacks, or arp poisoning though. Sniffers do have many legitimate uses other than spying on email and IM sessions.

  30. Re:Legal uses of ettercap by Anonymous Coward · · Score: 0

    Hmmm, so I can alter my XBox without any legal problems? I paid for it.

    What about these DVDs and CDs I bought, I can rip them onto my laptop so I don't have to carry my CDs and DVDs around? I bought these too.

    So I can burn down my own house? I own it... ah... oh... well half of it, the bank owns the other bit (d'oh). If I select the half I own, say the bathroom and the box room; I can trash that with impunity.

    See my cat...

    Ownership doesn't necessarily convey infinite rights, just demands good stewardship. Don't forget to tell Bush...

  31. Re:Well, I have never liked ettercap by Anonymous Coward · · Score: 0

    apart from being ugly it is quite useful app and available in most distros as well

  32. Re:Legal uses of ettercap by Anonymous Coward · · Score: 0

    so I can alter my XBox without any legal problems?

    If you can't then there is something seriously wrong with the laws of your country.

    What about these DVDs and CDs I bought, I can rip them onto my laptop so I don't have to carry my CDs and DVDs around?

    Again, you *should* be able to - if you live under an oppressive regime that disallows such action, then you should be working to bring your country into the 20th century.

  33. Re:Well, I have never liked ettercap by GigsVT · · Score: 1

    You want gkrellm.

    It's great. If you run Red Hat though, they removed it from EL3, because such a useful server monitoring program has no place in the enterprise. (I.E. They are fucking retarded).

    You can use the packages for RH9 though.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  34. Re:Legal uses of ettercap by wickedmm · · Score: 1

    It's all in the user, net tools (i.e. ettercap) don't kill networks, people kill networks.

    --
    Don't be a Hem, find some new cheese.
  35. Re:Legal uses of ettercap by warpSpeed · · Score: 1
    You're being deliberately obtuse in your statement about debuggers.

    You're being deliberately obtuse in your statement about protocol sniffers. How do you know what I do with a sniffer on my network?

    Protocol sniffers do not invade people's privacy, people do.

  36. Re:Legal uses of ettercap by warpSpeed · · Score: 2, Insightful
    Hmmm, so I can alter my XBox without any legal problems? I paid for it.

    Sure, you just void your warranty.

    What about these DVDs and CDs I bought, I can rip them onto my laptop so I don't have to carry my CDs and DVDs around? I bought these too.

    You can back them up, or convert them to some other format for your convenience.

    So I can burn down my own house? I own it... ah... oh... well half of it, the bank owns the other bit (d'oh). If I select the half I own, say the bathroom and the box room; I can trash that with impunity.

    You can do what you want with your house within the limit of the law.

    Ownership doesn't necessarily convey infinite rights, just demands good stewardship. Don't forget to tell Bush...

    Ownership allows you to do what you want with your property as long as it is within the law. Nothing demands good stewardship, unless you count community peer pressure.

    And I did tell Bush, I voted for him. :-)

  37. how is it? by Anonymous Coward · · Score: 1, Funny

    Is ettercap uttercrap?

    1. Re:how is it? by Anonymous Coward · · Score: 0

      your post is toast

  38. Re:Well, I have never liked ettercap by the_mad_poster · · Score: 2, Insightful

    Soooo... your theory behind network intrusion testing is that you shouldn't try to break into the network while you're doing it, and therefore any tool that would help you do it must be useless or evil?

    Remind me to never hire you for anything related to network security testing....

    --
    Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
  39. Re:Well, I have never liked ettercap by virid · · Score: 1

    I think it was the terminal font that was ugly and not the program.

    --
    "The world only exists in your eyes. You can make it as big or as small as you want." - F Scott Fitzgerald
  40. any *real* sysadmins use this tool? by Anonymous Coward · · Score: 1

    By "real" I mean you get paid to admin a box other than your own.

    I'm just curious. I tend to avoid the "dark gray" tools like this and stick to the "light gray" tools like nmap.

    So have you used this tool? In what capacity? Penetration testing? Just poking around the network? For your own education or did you use the info in a report or to solve a specific problem? Etc?

    Just wondering if I should take the time to add it to my toolbox.

  41. Attercop ? by Anonymous Coward · · Score: 1, Interesting

    Old fat spider
    spinning in a tree!
    Old fat spider
    can't see me!
    Attercop! Attercop!
    Won't you stop,
    Stop your spinning
    and look at me!

    Old Tomnoddy, all big body,
    Old Tomnoddy can't spy me!
    Attercop! Attercop!
    Down you drop!
    You'll never catch me up your tree!

  42. Readable version by Anonymous Coward · · Score: 0
  43. Re:My little Ettercap... by RandoX · · Score: 0, Offtopic

    Weird. I'm Offtopic but you're funny. Must have been in the delivery.

  44. robertgraham.com by flibberdi · · Score: 1

    What has happened to robertgraham.com ?? I used to send people there to get a clue about security. "Connection refused" ??!! Huh?

  45. Re:Legal uses of ettercap by PenGun · · Score: 0

    PenGun karma bad. From actually being a Cynical old Fart

    PenGun
    Do What Now ??? ... Standards and Practices !

  46. even works on Mac OS X by ubiquitin · · Score: 2, Informative
    --
    http://tinyurl.com/4ny52
  47. Kiddies by Plazzma · · Score: 1

    I think ettercap really caters to kiddies, like AimSniff.pl and others, especially with all the password tools. It is for switched LANs, which is like the popular Linksys routers, so many a thirteen year old adolescent is using ettercap to read someone's AIM conversations.

  48. Starting With "I didn't know it existed, but" by IBitOBear · · Score: 1

    [So] I didn't know it existed, but this tool sounds really useful to me as a completely "white" application.

    I work at a company that makes cell phone system test gear. We help cell phone companies set up quality and throughput testing and transport/content correctness.

    Many is the time when, as I develop the tidbits, I want to see the data flow and content actually being received. I have become a zen grand master of getting my ass lost piecing together partial frames and retransmits.

    A program that reconstructs the session streams into "content" for me would be amazingly useful.

    Not so much as an "admin" tool, and more as a development aid, this thing sounds well worth investigating.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  49. Re:Attercop (A Tolkien reference for the clueless) by Harodotus · · Score: 1

    In case you didn't catch this, it's a quote of the song Bilbo sang when taunting the spiders of Mirkwood in "The Hobbit"

    (Horrors. I almost wrongly said it was a misquote of a Tom Bombadil song from The Fellowship of the Ring.. Shudder, what a public embarrassment THAT would have been...)

    --
    It's not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
  50. Re:My little Ettercap... by FerretFrottage · · Score: 1

    "Stay with me, until the end of time...and you'll quickly see that moderators are seldom kind"

    --
    "Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
  51. Re:Legal uses of ettercap by jessecurry · · Score: 1

    Blaming people for their own actions! You're sounding like a damn republican....there's no place for that on slashdot :)

    --
    Those who know, do not speak. Those who speak, do not know. ~Lao Tzu