
07-10-2009, 01:24 PM
Functions...........
Quote:
.SH DESCRIPTION
Ettercap(8) supports loadable modules at runtime. They are called plugins and
they come within the source tarball. They are automatically compiled if your
system supports them or until you specify the --disable-plugins option to the
configure script.
.br
Some of the older ettercap plugins (roper, banshee, and so on) have not been ported
in the new version.
By the way, you can achieve the same results by using the new filtering engine.
.br
If you use interactive mode, most plugins need to "Start Sniff" before using them.
.TP
To have a list of plugins installed in your system do that command:
.Sp
.I ettercap -P list
.LP
.LP
The following is a list of available plugins:
.TP
.B arp_cop
.Sp
It reports suspicious ARP activity by passively monitoring ARP requests/replies.
It can report ARP poisoning attempts, or simple IP-conflicts or IP-changes.
If you build the initial host list the plugin will run more accurately.
.Sp
.I example :
.Sp
ettercap -TQP arp_cop //
.TP
.B autoadd
.Sp
It will automatically add new victims to the ARP poisoning mitm attack when
they come up. It looks for ARP requests on the lan and when detected it will
add the host to the victims list if it was specified in the TARGET. The host is
added when an arp request is seen from it, since communicating hosts are alive
.TP
.B chk_poison
.Sp
It performs a check to see if the arp poisoning module of ettercap was successful.
It sends spoofed ICMP echo packets to all the victims of the poisoning
pretending to be each of the other targets. If we can catch an ICMP reply with
our MAC address as destination it means that the poisoning between those
two targets is successful. It checks both ways of each communication.
This plugin makes sense only where poisoning makes sense.
The test fails if you specify only one target in silent mode.
You can't run this plugin from command line because the poisoning process
is not started yet. You have to launch it from the proper menu.
.TP
.B dns_spoof
.Sp
This plugin intercepts DNS queries and replies with a spoofed answer. You can choose
to which address the plugin has to reply by modifying the etter.dns file. The
plugin intercepts A, PTR and MX requests. If it was an A request, the name is
searched in the file and the ip address is returned (you can use wildcards in
the name). If it was a PTR request, the ip is searched in the file and the name
is returned (except for those names containing a wildcard). In case of MX
request a special reply is crafted. The host is resolved with a fake host 'mail.host'
and the additional record contains the ip address of 'mail.host'. The first address
or name that matches is returned, so be careful with the order.
.TP
.B dos_attack
.Sp
This plugin runs a d.o.s. attack against a victim IP address. It first "scans"
the victim to find open ports, then starts to flood these ports with SYN
packets, using a "phantom" address as source IP. Then it uses fake ARP replies
to intercept packets for the phantom host. When it receives SYN-ACK from the
victim, it replies with an ACK packet creating an ESTABLISHED connection.
You have to use a free IP address in your subnet to create the "phantom" host
(you can use find_ip for this purpose).
You can't run this plugin in unoffensive mode.
.br
This plugin is based on the original Naptha DoS attack
(http://razor.bindview.com/publish/ad...dv_NAPTHA.html)
.Sp
.I example :
.Sp
ettercap -TQP dos_attack
.TP
.B dummy
.Sp
Only a template to demonstrate how to write a plugin.
.TP
.B find_conn
.Sp
Very simple plugin that listens for ARP requests to show you all the targets a host
wants to talk to. It can also help you find addresses in an unknown LAN.
.Sp
.I example :
.Sp
ettercap -TQzP find_conn
.Sp
ettercap -TQu -i eth0 -P find_conn
.TP
.B find_ettercap
.Sp
Try to identify ettercap packets sent on the LAN. It could be useful to detect
if someone is using ettercap. Do not rely on it 100% since the tests are only
on particular sequence/identification numbers.
.TP
.B find_ip
.Sp
Find the first unused IP address in the range specified by the user in the target
list. Some other plugins (such as gre_relay) need an unused IP address of the
LAN to create a "fake" host.
It can also be useful to obtain an IP address in an unknown LAN where there is
no dhcp server. You can use find_conn to determine the IP addressing of the LAN,
and then find_ip.
You have to build the host list to use this plugin so you can't use it in unoffensive
mode. If you don't have an IP address for your interface, give it a bogus one
(e.g. if the LAN is 192.168.0.0/24, use 10.0.0.1 to avoid conflicting IP), then
launch this plugin specifying the subnet range.
You can run it either from the command line or from the proper menu.
.Sp
.I example :
.Sp
ettercap -TQP find_ip //
.Sp
ettercap -TQP find_ip /192.168.0.1-254/
.TP
.B finger
.Sp
Uses the passive fingerprint capabilities to fingerprint a remote host. It
does a connect() to the remote host to force the kernel to reply
to the SYN with a SYN+ACK packet. The reply will be collected and the
fingerprint is displayed. The connect() obeys the connect_timeout parameter
in etter.conf(5). You can specify a target on command-line or let the plugin ask
the target host to be fingerprinted. You can also specify multiple targets with
the usual multi-target specification (see ettercap(8)). If you specify multiple
ports, all the ports will be tested on all the IPs.
.Sp
.I example :
.Sp
ettercap -TzP finger /192.168.0.1/22
.br
ettercap -TzP finger /192.168.0.1-50/22,23,25
.TP
.B finger_submit
.Sp
Use this plugin to submit a fingerprint to the ettercap website. If you found
an unknown fingerprint, but you know for sure the operating system of the
target, you can submit it so it will be inserted in the database in the next
ettercap release. We need your help to increase the passive fingerprint
database. Thank you very much.
.Sp
.I example :
.Sp
ettercap -TzP finger_submit
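
Added example (not part of the original post and not ettercap's own code): a simplified sketch of the kind of passive check the arp_cop entry describes, classifying observed ARP sender pairs as new hosts, IP-changes, IP-conflicts or possible poisoning. The class, function names, alert labels and sample addresses are assumptions constructed for illustration; seeding the table with a trusted host list mirrors the man page's note that an initial host list improves accuracy.

```python
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    # ip -> mac bindings; seed with a trusted host list for better accuracy
    table: dict = field(default_factory=dict)

    def observe(self, ip, mac):
        """Classify one ARP sender (ip, mac) pair; return an alert tuple or None."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known == mac:
            return None  # binding matches what we already know
        # IPs this MAC is already bound to, other than the one it now claims
        other_ips = sorted(i for i, m in self.table.items() if m == mac and i != ip)
        if known is None:
            self.table[ip] = mac
            if other_ips:
                return ("ip-change", ip, mac, f"MAC also seen as {other_ips[0]}")
            return ("new-host", ip, mac, "")
        if other_ips:
            # A MAC that owns another IP now claims this one: poisoning pattern.
            # The trusted binding is kept so later replies keep alerting.
            return ("possible-poisoning", ip, mac,
                    f"{other_ips[0]} claims to be {ip} (was {known})")
        return ("ip-conflict", ip, mac, f"was {known}")

def scan(observations, baseline):
    """Run all (ip, mac) observations through a monitor seeded with baseline."""
    mon = ArpMonitor(dict(baseline))
    return [a for a in (mon.observe(ip, mac) for ip, mac in observations) if a]

# Constructed sample data: trusted host list and ARP senders seen on the wire
BASELINE = {
    "192.168.0.1": "aa:aa:aa:aa:aa:01",   # gateway
    "192.168.0.10": "aa:aa:aa:aa:aa:10",
    "192.168.0.66": "aa:aa:aa:aa:aa:66",
}
SAMPLE = [
    ("192.168.0.10", "AA:AA:AA:AA:AA:10"),  # matches baseline
    ("192.168.0.1", "aa:aa:aa:aa:aa:66"),   # .66's MAC claims the gateway IP
    ("192.168.0.20", "aa:aa:aa:aa:aa:20"),  # host not in the baseline
    ("192.168.0.10", "aa:aa:aa:aa:aa:99"),  # unknown MAC claims a known IP
    ("192.168.0.21", "aa:aa:aa:aa:aa:20"),  # known MAC shows up on a new IP
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, BASELINE):
        print(alert)
```
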