The men behind ettercap-NG

An anonymous reader writes "In 2001 two Italians released the first beta version of ettercap, a network protocol analyzer. Ettercap is now covered in most security books. It's number 9 in the Top 75 Security Tools list of the Nmap Hackers mailing list. This summer they released ettercap-NG, which was completely rewritten from scratch with better, modular code, making it easier to add new features and write and submit patches. NewsForge recently caught up with its authors for an Interview."

spoken like a true *nix fan

[necrogram]

Because our mailboxes were full of users' requests for Windows porting and our antispam filter started to get confused.

Thats one way to deal with windows people

Re:N o Link?

[lukewarmfusion]

Or the explanation of what it does? It's a security tool. That's all I know about it.

Most ./-ers won't RTFA... what makes the submitter think we'll head on over to Google for more info?

Ok, I'm off to Google to figure out what ettercap is.

Re:N o Link?

[Per+Wigren]

Where is the link to ettercap?

Here it is!

Re:Well, I have never liked ettercap

[kentmartin]

I agree re: ethereal.

I don't know why it wasn't linked to in the article, but here you go:

Homepage: http://ettercap.sourceforge.net/
Description: A suite for man in the middle attacks and network mapping

Good summary, this time

[YetAnotherName]

All too often, software announcements mention just the name of the item and not what it is or why it's interesting. As an example, compare this recent summary for Zope.

Not everyone's heard of Ettercap; this summary says what it is (network protocol analyzer) and also why it's important (in top ten of security tools). I hope to see more summaries of this caliber on Slashdot.

Re:Good summary, this time

[TheRaven64]

The summary text was good, but a link to the project would have been a good addition, as would a link to the top 75 list mentioned.

Re:Good summary, this time

[lukewarmfusion]

I don't think this was that good of a summary at all. I've never used ettercap and I've only heard it mentioned in passing. The story simply doesn't explain what it is.

From ettercap project page:
"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis."

That's a little more informative than "network protocol analyzer."

Re:Good summary, this time

[RollingThunder]

There has to be a limit, otherwise we end up having to define "man in the middle" and "LAN" and "content filtering", etc.

I think that stating "network protocol analyzer" is sufficient - it indicates the general concept area, and gives the reader enough information to decide if it's something he should be going to dig deeper on or not.

I do agree with a different responder that some things that could have been hyperlinked weren't.

Re:Good summary, this time

[interiot]

At LEAST mention how it differs from other network protocol analyzers out there... especially if there's a super-popular one that people may be more familiar with (Ethereal). IMHO, the critical difference is that it allows sniffing of switched networks.

Re:Well, I have never liked ettercap

[NicolaiBSD]

You're comparing apples and oranges. Ettercap is not just a packet dumping/protocol analyzer tool like tcpdump. It has many active features, like arp-cache poisoning, data injection etc.

Re:N o Link?

[pasde]

For the lasy one:
http://ettercap.sourceforge.net/

Re:Well, I have never liked ettercap

[SillyNickName4me]

I agree with regards to tcpdump, its small and relatively good at its job. That said, I mostly use it to capture packets and dump them to a file for analysis with other programs (ntop, snort, and tcpdump itself)

Ethereal? Its nice if it wasn't ridden with bugs and security issues. More alternatives in this market are a good thing, especially when talking about gui based capture tools.

Top 75 Security Tools

[Noksagt]

The other top tools.

Re:Well, I have never liked ettercap

[grap]

ettercap has almost nothing to do with ethereal, tcpdump or any other general-purpose sniffers. It's for a men-in-the-middle attack, with ARP poisoning and other techniques, not for simply sniffing packets that already come to your NIC.

It can sniff in a switched enviroment. You can't do this whith TCPDUMP !!!

Network Analizer... duh

Ettercap is evil :)

It's more of a hacking tool than a network analizer. It allows you to sniff switched networks, perform man-in-the-middle-attacks, it looks for passwords, etc.

Re:Network Analizer... duh

[GigsVT]

Wouldn't you rather know if it's possible to do those thing on your own network, rather than keeping the tools only in the hands of those with nefarious intent?

Re:Network Analizer... duh

[slasher999]

I tend to agree. Ettercap is a tool I've played with and it has helped me to understand some new concepts, but I haven't really found a good use for it in my day to day Sr Sys Adm career. Other "grey" tools however, such as ethereal and nmap, I wouldn't be without. As the authors pointed out, it's not the tools that are evil.

Re:Network Analizer... duh

[funk_doc]

No tool can sniff switched networks. The information never makes it to your network adapter, nothing to sniff. A hub on the other hand, no problem.

Re:Network Analizer... duh

you are quite wrong. it is possible. try a google for something like "switch mac flood sniff." hopefully the results will help you, and others, realize that often times there is more to security than what "seems" secure.

Re:Network Analizer... duh

[_Sprocket_]

Maybe you should take a look at ettercap?

Re:Network Analizer... duh

[puddpunk]

You're incorrect. Ettercap uses a technique called "Arp poisoning" which basically tricks the switch into sending you packets that don't belong to you, which ettercap then forwards to the victim and vice-versa.

Google can tell you a lot more about it. Also have a look at the DSniff suite.

Cheers,
Chris.

Interesting comment

We chose the GPL because it's the most used, so it has to be the best.

I have a nice Windows XP CD to sell you, guys.

--
Glass, total pwnage.

Re:Interesting comment

I think someone has forgotten a :) at the end of the statement... indeed the next sentences explain the real meaning...

Re:Well, I have never liked ettercap

[grazzy]

err? If it can be broken into, why not do it yourself first and fix the problem instead of letting someone else do it?

Re:Well, I have never liked ettercap

[strict3]

I don't know why it wasn't linked to in your post, but here you go:

Homepage: http://ettercap.sourceforge.net/

I love ettercap...

[wschalle]

Its man in the middle feature lets me catch botnets on my college campus (I work in the IT dept.) and shut them down immediately.

Re:My little Ettercap...

[FerretFrottage]

"...won't you stay a while"

The fact that it's a *NIX program

[Lifewish]

"anyone care to justify this application, which seems to be yet another blackhat/script kiddy tool?"

Anyone who's smart enough to use it effectively deserves results :)

Seriously, a swiss army knife for kiddies is by definition a swiss army knife for security testers and system managers. I'd prefer for hacking tools to be available for all rather than just for the malicious portion of the online population.

Re:Well, I have never liked ettercap

[garaged]

Actually you only need a poisoning tool for that matters, not that tcpdump have it, but is not that hard to acomplish actually

Re:Well, I have never liked ettercap

[kentmartin]

Because I use linkification which frees me from having to worry about such mundalities.

I find its main use is for reading /. comments when idiots like me forget to put the anchor tags in ;)

Re:Well, I have never liked ettercap

[fafaforza]

As a bit of a sidenote, does anyone know of a program like Windows' Sniffer that has a "dashboard" type of applet which display the current packets per second going through an interface, or any other pps monitor (text or graphical)?

Try it with the new UBCD

[Leigh13]

The new 3.0 release of the excellent Ultimate Boot CD has Ettercap included with the INSERT live CD. If you're a Windows user, it's an easy way to boot into Linux and try it out without having to worry about compiling and what not.

Re:Well, I have never liked ettercap

[grap]

Can tcpdump take ownership of a connection you are sniffing (for example, take control of a telnet session between two hosts, anc close the connection to one of the two host while retaining the one with th other)?

ettercap can.

I like ettercap..

[sque]

and have used it for long for time. I tend to use it for evil and not good though =/. Being on a switched enviroment at work makes it the perfect happy fun time tool! :-)

Re:Legal uses of ettercap

[warpSpeed]

anyone care to justify this application, which seems to be yet another blackhat/script kiddy tool?

It is perfectly legal for me to do anything I like on my network. What more justification do I need?

Perhaps we should ban debuggers too, because all we can use them for is breaking into commercial software...

Re:Well, I have never liked ettercap

[moyix]

iptraf does this pretty well. You can have a look at screenshots of it in action here.

Kinda Neat, OT Question

[MBCook]

Neat program. I'll mess around with it more later. But looking at the screenshots on the site reminded me of an old /. story (I think) and I'd like help finding it if anyone can help me, this is somewhat OT.

The program did something similar, it would monitor network traffic and show you all the images that were being transmitted. So you could run it and figure out what sites people were surfing and stuff like that. It was very cool, but I have been unable to find it recently and I don't remember the name. Can anyone help me? Any programs that do this? Thanks.

Re:Kinda Neat, OT Question

[_Sprocket_]

I seem to remember dsniff had a utility (webspy?) that allowed you to essentially link a browser to a target machine. Your browser would jump about as your target host browsed.

Re:Legal uses of ettercap

[slash-tard]

I sniff traffic all the time using ethereal, etherpeek, and tcpdump. I do this to verify traffic from remote customers, help debug developers custom applications, and estimate bandwidth usage by application. I dont have a need for ettercap, man in the middle attacks, or arp poisoning though. Sniffers do have many legitimate uses other than spying on email and IM sessions.

Re:Well, I have never liked ettercap

[GigsVT]

You want gkrellm.

It's great. If you run Red Hat though, they removed it from EL3, because such a useful server monitoring program has no place in the enterprise. (I.E. They are fucking retarded).

You can use the packages for RH9 though.

Re:Legal uses of ettercap

[wickedmm]

Its all in the user, net tools (i.e. ettercap) don't kill networks, people kill networks.

Re:Legal uses of ettercap

[warpSpeed]

You're being deliberately obtuse in your statement about debuggers.

You're being deliberately obtuse in your statement about protocol sniffers. How do you know what I do with a sniffer on my network?

Protocol sniffers do not invade peoples privacy, people do.

Re:Legal uses of ettercap

[warpSpeed]

Hmmm, so I can alter my XBox without any legal problems? I paid for it.

Sure, you just void your warrenty.

What about these DVDs and CDs I bought, I can rip them onto my laptop so I don't have to carry my CDs and DVDs around? I bought these too.

You can back them up, or convert them to some other format for your convinience.

So I can burn down my own house? I own it... ah... oh... well half of it, the bank owns the other bit (d'oh). If I select the half I own, say the bathroom and the box room; I can trash that with impunity.

You can do what you want with your house with in the limit of the law.

Ownership doesn't necessarily convey infinite rights, just demans good stewardship. Don't forget to tell Bush...

Ownership allows you to do what you want with your property as long as it is within the law. Nothing demands good stewardship, unless you count community peer pressure.

And I did tell Bush, I voted for him. :-)

how is it?

Is ettercap uttercrap?

Re:Well, I have never liked ettercap

[the_mad_poster]

Soooo... your theory behind network intrusion testing is that you shouldn't try to break into the network while you're doing it, and therefore any tool that would help you do it must be useless or evil?

Remind me to never hire you for anything related to network security testing....

Re:Well, I have never liked ettercap

[virid]

I think it was the terminal font that was ugly and not the program.

any *real* sysadmins use this tool?

By "real" I mean you get paid to admin a box other than your own.

I'm just curious. I tend to avoid the "dark gray" tools like this and stick to the "light gray" tools like nmap.

So have you used this tool? In what capacity? Penetration testing? Just poking around the network? For your own education or did you use the info in a report or to solve a specific problem? Etc?

Just wondering if I should take the time to add it to my toolbox.

Attercop ?

Old fat spider
spinning in a tree!
Old fat spider
can't see me!
Attercop! Attercop!
Won't you stop,
Stop your spinning
and look at me!

Old Tomnoddy, all big body,
Old Tomnoddy can't spy me!
Attercop! Attercop!
Down you drop!
You'll never catch me up your tree!

robertgraham.com

[flibberdi]

What has happened to robertgraham.com ?? I used to send people there to get a clue about security. "Connection refused" ??!! Huh?

even works on Mac OS X

[ubiquitin]

Check out: ettercap.darwinports.com

Kiddies

[Plazzma]

I think ettercap really caters to kiddies, like AimSniff.pl and others, especially with all the password tools. It is for switched lans, which is like the popular Linksys routers, so many a thirteen year old adolescent is using ettercap to read someones AIM conversations.

Starting With "I didn't know it existed, but"

[IBitOBear]

[So] I didn't know it existed, but this tool sounds relly useful to me as a completely "white" application.

I work at a company that makes cell phone system test gear. We help cell phone companies set up quality and throughput testing and transport/content correctness.

Many is the time when, as I develop the tidbits, I want to see the data flow and content actually being received. I have become a zen grand master of getting my ass lost piecing together partial frames and retransmits.

A program that reconstructs the session streams into "content" for me would be amazingly useful.

Not so much as an "admin" tool, and more as a development aid, this thing sounds well worth investigating.

Re:Attercop (A Tolkien reference for the clueless)

[Harodotus]

In case you didn't catch this, its a quote of the song Bilbo sang when taunting the spiders of Mirkwood in "The Hobbit"

(Horrors. I almost wrongly said it was a misquote of a Tom Bombadil song from The Fellowship of the Ring.. Shudder, what a public embarasment THAT would have been...)

Re:N o Link?

[harikiri]

Practical example for Ettercap? Scaring my boss as I show him why it's important to explicitly disallow SSH v1 connections (ettercap can perform Man-In-The-Middle password sniffing on this). Also to demonstrate why you should never let me mess around on a live network:

Ettercap running under Knoppix crashed, while sniffing the entire floor's network (my laptop was acting as the router for the floor, no wonder it crashed). Slight problem though, almost at once everyone looked up and went "did Exchange go down?". Had to rush from desk to desk flushing the arp table on people's system, as they were still trying to use the laptop as the default gateway.

Re:My little Ettercap...

[FerretFrottage]

"Stay with me, until the end of time...and you'll quickly see that moderators are seldom kind"

Re:Legal uses of ettercap

[jessecurry]

Blaming people for their own actions! You're sounding like a damn republican....there's no place for that on slashdot :)