
07-10-2009, 01:25 PM
Functions.........
Quote:
.TP
.B gre_relay
.Sp
This plugin can be used to sniff GRE-redirected remote traffic.
The basic idea is to create a GRE tunnel that sends all the traffic on a router
interface to the ettercap machine. The plugin will send back the GRE packets
to the router, after ettercap "manipulation" (you can use "active" plugins
such as smb_down, ssh decryption, filters, etc... on redirected traffic)
It needs a "fake" host where the traffic has to be redirected to (to avoid
kernel's responses). The "fake" IP will be the tunnel endpoint.
Gre_relay plugin will impersonate the "fake" host.
To find an unused IP address for the "fake" host you can use find_ip plugin.
Based on the original Tunnelx technique by Anthony C. Zboralski published
in http://www.phrack.org/show.php?p=56&a=10 by HERT.
.TP
.B gw_discover
.Sp
This plugin tries to discover the gateway of the LAN by sending TCP SYN packets
to a remote host. The packet has the destination IP of a remote host and the
destination MAC address of a local host. If ettercap receives the SYN+ACK
packet, the host which owns the source MAC address of the reply is the gateway.
This operation is repeated for each host in the 'host list', so you need to
have a valid host list before launching this plugin.
.Sp
.I example :
.Sp
ettercap -TP gw_discover /192.168.0.1-50/
.TP
.B isolate
.Sp
The isolate plugin will isolate a host from the LAN. It will poison the
victim's ARP cache with its own MAC address associated with all the hosts it
tries to contact. This way the host will not be able to contact other hosts
because the packet will never reach the wire.
.br
You can specify all the hosts or only a group. The target
specification works this way: target1 is the victim and must be a single
host, target2 can be a range of addresses and represents the hosts that will
be blocked to the victim.
.Sp
.I examples :
.Sp
ettercap -TzqP isolate /192.168.0.1/ //
.br
ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/
.TP
.B link_type
.Sp
It performs a check of the link type (hub or switch) by sending a spoofed ARP
request and listening for replies. It needs at least one entry in the host
list to perform the check. With two or more hosts the test will be more
accurate.
.Sp
.I example :
.Sp
ettercap -TQP link_type /192.168.0.1/
.br
ettercap -TQP link_type //
.TP
.B pptp_chapms1
.Sp
It forces the pptp tunnel to negotiate MS-CHAPv1 authentication instead of
MS-CHAPv2, which is usually easier to crack (for example with LC4).
You have to be in the "middle" of the connection to use it successfully.
It hooks the ppp dissector, so you have to keep it active.
.TP
.B pptp_clear
.Sp
Forces no compression/encryption for pptp tunnels during negotiation.
It could fail if the client (or the server) is configured to hang off the tunnel
if no encryption is negotiated.
You have to be in the "middle" of the connection to use it successfully.
It hooks the ppp dissector, so you have to keep it active.
.TP
.B pptp_pap
.Sp
It forces the pptp tunnel to negotiate PAP (cleartext) authentication.
It could fail if PAP is not supported, if the pap_secret file is missing,
or in case Windows is configured with "automatic use of domain
account". (It could fail for many other reasons too).
You have to be in the "middle" of the connection to use it successfully.
It hooks the ppp dissector, so you have to keep it active.
.TP
.B pptp_reneg
.Sp
Forces re-negotiation on an existing pptp tunnel.
You can force re-negotiation for grabbing passwords already sent.
Furthermore you can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
existing tunnels (those plugins work only during negotiation phase).
You have to be in the "middle" of the connection to use it successfully.
It hooks the ppp dissector, so you have to keep it active.
.TP
.B rand_flood
.Sp
Floods the LAN with random MAC addresses. Some switches will fail open in
repeating mode, facilitating sniffing. The delay between each packet is
based on the port_steal_send_delay value in etter.conf.
.br
It is useful only on ethernet switches.
.Sp
.I example :
.Sp
ettercap -TP rand_flood
.TP
.B remote_browser
.Sp
It sends to the browser the URLs sniffed through HTTP sessions. So you
are able to see the webpages in real time. The command executed is configurable
in the etter.conf(5) file. It sends to the browser only the GET requests and
only for webpages, ignoring single requests to images or other amenities.
Don't use it to view your own connection.
.TP
.B reply_arp
.Sp
Simple arp responder. When it intercepts an arp request for a host
in the targets' lists, it replies with attacker's MAC address.
.Sp
.I example :
.Sp
ettercap -TQzP reply_arp /192.168.0.1/
.br
ettercap -TQzP reply_arp //
.TP
.B repoison_arp
.Sp
It solicits poisoning packets after broadcast ARP requests (or replies) from a poisoned host.
For example: we are poisoning Group1 impersonating Host2. If Host2 makes a broadcast
ARP request for Host3, it is possible that Group1 caches the right MAC address for Host2
contained in the ARP packet. This plugin re-poisons Group1's cache immediately after a
legal broadcast ARP request (or reply).
.br
This plugin is effective only during an arp-poisoning session.
.br
In conjunction with the reply_arp plugin, repoison_arp is a good support for the standard
arp-poisoning mitm method.
.Sp
.I example :
.Sp
ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/
.TP
.B scan_poisoner
.Sp
Check if someone is poisoning between some host in the list and us.
First of all it checks if two hosts in the list have the same mac address.
It could mean that one of those is poisoning us pretending to be the other.
It could generate many false-positives in a proxy-arp environment.
You have to build hosts list to perform this check.
After that, it sends icmp echo packets to each host in the list and checks
if the source mac address of the reply differs from the address we have
stored in the list for that ip.
It could mean that someone is poisoning that host pretending to have our ip
address and forwards intercepted packets to us.
You can't perform this active test in unoffensive mode.
.Sp
.I example :
.Sp
ettercap -TQP scan_poisoner //
.TP
.B search_promisc
.Sp
It tries to find if anyone is sniffing in promisc mode. It sends two different
kinds of malformed arp request to each target in the host list and waits for
replies. If a reply arrives from the target host, it's more or
less probable that this target has the NIC in promisc mode. It could generate false-positives.
You can launch it either from the command line or from the plugin menu.
Since it listens for ARP replies it is better that you don't use it while sending
ARP requests.
.Sp
.I example :
.Sp
ettercap -TQP search_promisc /192.168.0.1/
.br
ettercap -TQP search_promisc //
.TP
.B smb_clear
.Sp
It forces the client to send smb password in clear-text by mangling protocol
negotiation. You have to be in the "middle" of the connection to successfully
use it. It hooks the smb dissector, so you have to keep it active.
If you use it against a Windows client it will probably result in a failure.
Try it against a *nix smbclient.
.TP
.B smb_down
.Sp
It forces the client not to use NTLM2 password exchange during smb
authentication. This way, the obtained hashes can be easily cracked by LC4.
You have to be in the "middle" of the connection to successfully use it.
It hooks the smb dissector, so you have to keep it active.
.TP
.B stp_mangler
.Sp
It sends spanning tree BPDUs pretending to be a switch with the highest
priority. Once in the "root" of the spanning tree, ettercap can receive
all the "unmanaged" network traffic.
.br
It is useful only against a group of switches running STP.
.br
If there is another switch with the highest priority, try to manually
decrease your MAC address before running it.
.Sp
.I example :
.Sp
ettercap -TP stp_mangler
.SH "SEE ALSO"
.I "ettercap(8)"
.I "ettercap_curses(8)"
.I "etterlog(8)"
.I "etterfilter(8)"
.I "etter.conf(5)"
.LP
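As an added, defender-side example (not from the quoted man page and not ettercap's own code), the two checks the scan_poisoner entry describes can be expressed as a small host-list audit in Python: first flag any MAC address that appears under two different IPs in the host list, then compare the Ethernet source MAC of each ICMP echo reply against the MAC stored for that IP. The host list, the reply records and the Alert type are constructed here; the man page's caveat that the first check produces false positives in a proxy-ARP environment applies unchanged.

```python
"""Defender-side ARP-poisoning checks modelled on the quoted scan_poisoner
description. Added example; not ettercap code. All inputs are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str      # "duplicate_mac" or "mac_mismatch"
    ip: str
    detail: str


def find_duplicate_macs(host_list):
    """Check 1: group the host list by MAC. A MAC claimed by more than one IP
    may be a poisoner impersonating another host (or legitimate proxy ARP)."""
    by_mac = defaultdict(list)
    for ip, mac in host_list.items():
        by_mac[mac.lower()].append(ip)
    alerts = []
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            for ip in sorted(ips):
                others = ", ".join(sorted(set(ips) - {ip}))
                alerts.append(Alert("duplicate_mac", ip, f"{mac} also used by {others}"))
    return alerts


def find_mac_mismatches(host_list, replies):
    """Check 2: for each (ip, source MAC) echo-reply record, compare the MAC the
    reply actually came from with the MAC recorded for that IP in the host list.
    A mismatch suggests someone is answering on that host's behalf."""
    alerts = []
    for ip, src_mac in replies:
        expected = host_list.get(ip)
        if expected is None:
            continue  # host not in the list: nothing to compare against
        if expected.lower() != src_mac.lower():
            alerts.append(Alert("mac_mismatch", ip,
                                f"expected {expected}, reply came from {src_mac}"))
    return alerts


def scan(host_list, replies):
    """Run both checks and return the combined alert list."""
    return find_duplicate_macs(host_list) + find_mac_mismatches(host_list, replies)


# Constructed host list (IP -> MAC); .2 and .3 share a MAC, which is suspicious.
HOST_LIST = {
    "192.168.0.1": "00:11:22:33:44:01",
    "192.168.0.2": "00:11:22:33:44:02",
    "192.168.0.3": "00:11:22:33:44:02",
    "192.168.0.4": "00:11:22:33:44:04",
}

# Constructed echo-reply records: (IP that answered, Ethernet source MAC of the reply).
REPLIES = [
    ("192.168.0.1", "00:11:22:33:44:01"),
    ("192.168.0.4", "00:11:22:33:44:02"),  # reply for .4 arrived from .2's MAC
    ("192.168.0.9", "00:11:22:33:44:09"),  # unknown host, skipped
]

if __name__ == "__main__":
    for alert in scan(HOST_LIST, REPLIES):
        print(f"[{alert.kind}] {alert.ip}: {alert.detail}")
```

On a real network the host list would come from an ARP scan and the reply records from a packet capture of the echo replies; the comparison logic stays the same. As the man page notes, the second check is active (it requires sending probes), so it is not available in ettercap's unoffensive mode.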