This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: ETTERCAP-PLUGINS(8) ETTERCAP-PLUGINS(8) NAME ettercap-plugins NG-0.7.3 - A collection of plugins for ettercap DESCRIPTION Ettercap(8) supports loadable modules at runtime. They are called plugins and they come within the source tarball. They are automatically compiled if your system supports them or until you specify the --disable- plugins option to the configure script. Some of older ettercap plugins (roper, banshee, and so on) have not been ported in the new version. By the way, you can achieve the same results by using new filtering engine. If you use interactive mode, most plugins need to "Start Sniff" before using them. To hav e a list of plugins installed in your system do that command: ettercap -P list The following is a list of available plugins: arp_cop It reports suspicious ARP activity by passively monitoring ARP requests/replies. It can report ARP posioning attempts, or simple IP-conflicts or IP-changes. If you build the initial host list the plugin will run more accurately. example : ettercap -TQP arp_cop // autoadd It will automatically add new victims to the ARP poisoning mitm attack when they come up. It looks for ARP requests on the lan and when detected it will add the host to the victims list if it was specified in the TARGET. The host is added when an arp request is seen form it, since communi- cating hosts are alive :) chk_poison It performs a check to see if the arp poisoning module of ettercap was successful. It sends spoofed ICMP echo packets to all the victims of the poisoning pretending to be each of the other targets. If we can catch an ICMP reply with our MAC address as destination it means that the poisoning between those two targets is successful. It checks both ways of each communication. This plugin makes sense only where poisoning makes sense. The test fails if you specify only one target in silent mode. You can’t run this plugin from command line because the poisoning process is not started yet. You have to launch it from the proper menu. dns_spoof This plugin intercepts DNS query and reply with a spoofed answer. You can chose to which address the plugin has to reply by modifying the etter.dns file. The plugin intercepts A, PTR and MX request. If it was an A request, the name is searched in the file and the ip address is returned (you can use wildcards in the name). If if was a PTR request, the ip is searched in the file and the name is returned (except for those name containing a wildcard). In case of MX request a special reply is crafted. The host is resolved with a fake host ’mail.host’ and the additional record contains ettercap NG-0.7.3 1 ETTERCAP-PLUGINS(8) ETTERCAP-PLUGINS(8) the ip address of ’mail.host’. The first address or name that matches is returned, so be careful with the order....
View Full Document
- Spring '09
- IP address, MAC address, ARP, Address Resolution Protocol, Ettercap, ettercap NG-0.7