
ettercap's Issues

Ettercap and Android/SmartPhones

The problem I had with the strange URLs and passwords was fixed by removing all traces of ettercap, recompiling 0.7.5.3 and removing u & p from etter.fields.

But ettercap doesn't seem to be able to grab the login details when Android devices log in:

USER: Android PASS: wdmZ8z,pv'aGyebETi+jSo&n INFO: android.opt.ws.eurosport.com/

Removing the u and p from etter.fields seems to solve the weird password and login I was getting from computers on the network, but when Android devices log in it can't capture the details properly.

Can someone look into this? I've tested with arp:remote and still can't get the device login details.

Scan interrupted by user

Description:
Ettercap fails to scan with "interrupted by user", the ncurses GUI also bugs strangely, printing what appears to be random garbage. Buffer overflow possibly?

Steps to reproduce:

ettercap -C
start unified sniffing
scan for hosts

Ettercap sniffer has stopped working

When I choose my network adapter under "Unified Sniffing" I get the message in the title. Please help, I searched for hours but couldn't find the reason; also my drivers and WinPcap are up to date. Thanks

Crash when compiled in Debug mode

This is on HEAD, at the moment. I'm getting an EXC_BAD_ACCESS.

cmake -DCMAKE_INSTALL_PREFIX=/opt/ettercap -D ENABLE_GTK=off -D ENABLE_CURSES=off  -DENABLE_IPV6=Off -DCMAKE_BUILD_TYPE=Debug -DCMAKE_PREFIX_PATH=/opt/curl -DBUNDLED_LIBNET=Off ../ettercap 

Here's what GDB tells me:

(gdb) run -T -r /Users/falter/Downloads/http.pcap
Starting program: /opt/ettercap/bin/ettercap -T -r /Users/falter/Downloads/http.pcap
Reading symbols for shared libraries +++++++++.............................. done

ettercap 0.7.6 copyright 2001-2013 Ettercap Development Team


Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00007fff8639d6b0 in strlen ()
(gdb) bt
#0  0x00007fff8639d6b0 in strlen ()
#1  0x00007fff86424a65 in __vfprintf ()
#2  0x00007fff86423337 in vfprintf_l ()
#3  0x00000001000086f4 in debug_msg (message=0x100079080 "PORT : [%s]") at ec_debug.c:165
#4  0x0000000100032296 in compile_target (string=0x0, target=0x100803800) at ec_sniff.c:349
#5  0x0000000100031eaf in compile_display_filter () at ec_sniff.c:288
#6  0x0000000100022788 in parse_options (argc=4, argv=0x7fff5fbff688) at ec_parser.c:450
#7  0x000000010001cccc in main (argc=4, argv=0x7fff5fbff688) at ec_main.c:86
(gdb) 

There's something goofy with our debug statements.

ec_threads.c - error: lvalue required as unary ‘&’

I believe this came from #92 from jacob-baines.

Happens on debian6 and OSX 10.8.2.

[ 27%] Building C object src/CMakeFiles/ettercap.dir/ec_threads.c.o
/home/mike/code/ettercap/src/ec_threads.c: In function ‘ec_thread_init’:
/home/mike/code/ettercap/src/ec_threads.c:242: error: lvalue required as unary ‘&’ operand
/home/mike/code/ettercap/src/ec_threads.c:242: error: lvalue required as unary ‘&’ operand
/home/mike/code/ettercap/src/ec_threads.c:258: error: ‘id’ undeclared (first use in this function)
/home/mike/code/ettercap/src/ec_threads.c:258: error: (Each undeclared identifier is reported only once
/home/mike/code/ettercap/src/ec_threads.c:258: error: for each function it appears in.)
make[2]: *** [src/CMakeFiles/ettercap.dir/ec_threads.c.o] Error 1
make[1]: *** [src/CMakeFiles/ettercap.dir/all] Error 2
make: *** [all] Error 2

Hideous Ettercap-NG logo in GUI

OK, that logo has got to go! Ettercap NG is so 90's ;)

Let's use the logo from the website, or something else... I have all the professionally done logos, as does Emilio I believe, let's use one of those.... PLEASE!

Thanks

strange urls && passwords

I've been looking through the bugs and seen the problems with strange passwords. Ettercap captures the login details but then it captures pages and URLs when logged in, like below:

USER: 12dghv1rf/N=sHo_EWKImjo-/C=-1/D=HBIDL/B=-1/V=0 PASS: msq0ykPDuuyI86rSUVHb_VYiBZWpKlFR3VQAAAAB INFO: http://insider.msg.yahoo.com/client_ad.php?p=81921&ver=11.5.0.228&ts=1364319571609

It's capturing insider messages within the user's login.
It caught the login details and then throws out the above. How can I stop this?

I've tried removing the u && p from etter.fields but this doesn't help.

"sslstrip"-plugin broken

In ettercap 0.7.5-2, the new "sslstrip"-plugin isn't working at all (all the other plugins do).
Doesn't matter if cli or gui version:

ERROR : 11, Resource not available
[/build/src/ettercap-0.7.5/plug-ins/sslstrip/sslstrip.c:sslstrip_init:215]

SSLStrip: Could not set up HTTP redirect

Easiest way to reproduce is to start the gtk version, start unified sniffing and then activate the "sslstrip"-plugin. Ettercap will close and the error message will occur.

I use ArchLinux. The maintainer said I should report it upstream.

gcc version dependency not tested for

Applies to ettercap-0.7.6, build platform Linux-2.6 x86, gcc-4.1.2, (Slackware)
In include/ec.h

#ifdef OS_LINUX
#define __init       __attribute__((constructor(101)))
#define __init_last  __attribute__((constructor(200)))
#else
#define __init __attribute__((constructor))
#define __init_last __init
#endif

Support for the priority parameter in the constructor attribute was added in gcc-4.3.0, i.e. it's a property of the compiler rather than the OS. The above prevents compilation with slightly older versions of gcc, but only on Linux. (FWIW it appears that __init_last is never used anywhere, so the conditional isn't required at this time.)
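The fix the report argues for, as an added example that is not ettercap's own ec.h: gate the constructor priorities on the compiler version (__GNUC__/__GNUC_MINOR__, gcc 4.3 or newer) instead of on OS_LINUX, and verify at startup that the priorities actually order the constructors. The EC_INIT/EC_INIT_LAST names are stand-ins for the page's __init/__init_last.

```c
/* Added example, not ettercap code: choose constructor priorities by
 * compiler capability rather than by operating system. gcc gained the
 * priority argument in 4.3.0; clang also defines __GNUC__ and supports it. */
#include <stddef.h>
#include <string.h>

#if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))
/* Compiler understands constructor(N): lower N runs first. Priorities
 * 0-100 are reserved for the implementation, hence 101 and 200 as in ec.h. */
#define EC_INIT       __attribute__((constructor(101)))
#define EC_INIT_LAST  __attribute__((constructor(200)))
#define EC_HAVE_CTOR_PRIORITY 1
#else
/* Older gcc: plain constructor; relative order is then unspecified. */
#define EC_INIT       __attribute__((constructor))
#define EC_INIT_LAST  EC_INIT
#define EC_HAVE_CTOR_PRIORITY 0
#endif

/* Records the order in which the constructors ran, before main(). */
static char   init_order[8];
static size_t init_count;

static void record(char tag)
{
    if (init_count < sizeof init_order - 1)
        init_order[init_count++] = tag;
}

/* Defined first on purpose: if priorities are honoured it must still run last. */
static void EC_INIT_LAST late_init(void)  { record('L'); }
static void EC_INIT      early_init(void) { record('E'); }

/* Observed constructor order, "EL" when priorities work. */
const char *ec_init_order(void) { return init_order; }

/* Non-zero when this build could use constructor priorities at all. */
int ec_have_ctor_priority(void) { return EC_HAVE_CTOR_PRIORITY; }

int main(void)
{
    /* Exit status 0 means the priority-ordered init ran as intended. */
    return strcmp(ec_init_order(), "EL") == 0 ? 0 : 1;
}
```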

Could NOT find CURL but curl is already installed

Hello, I can't figure out why ettercap won't install. I am getting this error:

$ /build/cmake ../
CMake Error at /usr/share/cmake-2.8/Modules/FindPackageHandleStandardArgs.cmake:97 (MESSAGE):
Could NOT find CURL (missing: CURL_LIBRARY CURL_INCLUDE_DIR) (Required is
at least version "7.26.0")
Call Stack (most recent call first):
/usr/share/cmake-2.8/Modules/FindPackageHandleStandardArgs.cmake:288 (_FPHSA_FAILURE_MESSAGE)
/usr/share/cmake-2.8/Modules/FindCURL.cmake:52 (FIND_PACKAGE_HANDLE_STANDARD_ARGS)
CMakeFiles/lib_check.cmake:110 (find_package)
CMakeLists.txt:31 (include)

-- Configuring incomplete, errors occurred!

but curl is installed:

$ curl -V
curl 7.27.0 (x86_64-pc-linux-gnu) libcurl/7.27.0 OpenSSL/1.0.1c zlib/1.2.7 libidn/1.25 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

I am using Ubuntu 12.10, ettercap 0.7.6

ettercap filter

Hi all,
I am using

  • BT5R3-KDE-32 and
  • ettercap 0.7.4.1

I have created a simple filter to see (for example) google HTML in plain text. To achieve this goal I want to substitute in the HTTP header
Accept-Encoding: gzip, deflate with
Accept-Encoding: identity

The filter was made just like this:

if (ip.proto == TCP && search(DATA.data, "gzip")) {
   replace("gzip", "identity");
   msg("gzip --> identity.\n");
}

if (ip.proto == TCP && search(DATA.data, "deflate")) {
   replace("deflate", "identity");
   msg("deflate --> identity.\n");
}

if (ip.proto == TCP && search(DATA.data, "identity, identity")) {
   replace("identity, identity", "identity");
   msg("double identity --> identity.\n");
}

In testing with BT5, I see the logging messages, and the packets
are injected by Ettercap, but the original frames are not dropped. I
validated this on the victim where he gets the original packets
immediately followed by the Ettercap-modified packets. The follow-up
packets are dropped by the victim as TCP retransmissions.

I'm guessing this is due to something having changed in the kernel, but I'm not sure what it could be. I checked /sys/net/ipv4/ip_forward, but it is set to 0.

Can anyone tell me what I have done wrong?
Thanks in advance.

Ncurses interface never finds any hosts

I started ettercap in Ncurses mode and noticed that scanning for hosts never brings any results (0 hosts added to hosts list). The GUI and the Cli version work as expected and I get like 3 hosts.

Using ArchLinux and latest ettercap release.

REGRESSION: ettercap 0.7.5.1 doesn't work with ppp0 connections

ettercap 0.7.5.1 copyright 2001-2013 Ettercap Development Team

Program received signal SIGSEGV, Segmentation fault.
0x000000000042376f in source_init (name=0x950cc0 "ppp0", source=0x6bcbf0, primary=true, live=true)
at /home/locutus/branches/ettercap/src/ec_network.c:257
257 if(ifaddr->ifa_addr->sa_family == AF_INET) {
(gdb) bt
0 0x000000000042376f in source_init (name=0x950cc0 "ppp0", source=0x6bcbf0, primary=true, live=true)
at /home/locutus/branches/ettercap/src/ec_network.c:257
1 0x0000000000422a93 in network_init () at /home/locutus/branches/ettercap/src/ec_network.c:68
2 0x00000000004216ab in main (argc=2, argv=0x7fffffffea78) at /home/locutus/branches/ettercap/src/ec_main.c:107
(gdb)

Best Release TO-DATE

Guys, sorry, I know this is not a bug report and I know it's not where this should be posted,
but I have to say you guys did a f**kin amazing job in 0.7.6. You guys fixed a lot of bugs including the sslstrip stacking error.

You guys deserve credit!! You really are doing a great job with ettercap and ettercap is once again an amazing tool.

CREDITS TO :
LocutusOfBorg
justfalter
brav0hax
eaescob

and everyone else keep up the great work !!!

n3tw0rk401

Investigate Unit Testing for Ettercap

Having unit tests in place will give us confidence as we refactor code as well as deploy to various platforms.

I'm not very familiar with unit-testing frameworks for C. In ruby, I've used things like rspec to get things done. I'm left with the sense that testing in C is a DIY endeavor, but I hope I am wrong.

It seems like cmake's CTest stuff will make it easy to run tests on a variety of platforms, so we may as well start looking there.

cannot find system liblua

"-- IPV6 support requested. Will look for libnet >= 1.1.5.
-- Couldn't find a suitable system-provided version of LuaJIT
-- Using bundled version of LUAJIT"

I installed libluajit-5.1-dev luajit

The header file is in this package:
apt-file search luajit.h
libluajit-5.1-dev: /usr/include/luajit-2.0/luajit.h

and this file is referenced in CMakeModules directory.

Any hint?

BTW the bundled one works just fine

"Cannot change tcp-segmentation-offload"

Hi I get two messages after I start ettercap, press "Unified Sniffing", and select my interface:

Cannot change tcp-segmentation-offload
Cannot change large-receive-offload

Why do they appear?
I use ArchLinux with ettercap 0.7.6, but this also happened with the previous version.

ettercap 0.7.5

Hi everyone.
As you know, debian and every debian based distro is synced now with ettercap 0.7.4.2 from [1].
I personally think that this ettercap repository should be the default in debian and every other distro, since in this year and more so many improvements have been done in order to have a more stable ettercap release, and so many bug fixes with new features.

I would ask to put ettercap again in the debian repository (maybe with a new name, don't know) or maybe to merge the drizzt branch into ours, I don't know.

But in order to do this we need to push out the 0.7.5 and to have a "code freeze" and to test the version for a little time...

We have already been in rc for a year; I personally think that we can push out this release (maybe without the lua pull request) and leave every pull request for a future release.

What do you think guys?

Just my 0.02$

[1] https://github.com/drizzt/ettercap

dead and wrong code in ettercap

./src/ec_update.c is almost entirely dead code.

How do you feel about removing the references in the man pages, or creating another php page to answer update requests?

I can provide a patch; this issue is just to discuss what to do.

char host[] = "ettercap.sourceforge.net";
// char host[] = "local.alor.org";
char page[] = "/updateNG.php";
DEBUG_MSG("global_update");
memset(buffer, 0, sizeof(buffer));
fprintf(stdout, "Connecting to http://%s\n", host);

Anyway, the original php page would be useful to recreate a website for hosting it :)

Errors on Ubuntu 12.04/ SEND L3

Hi,

I've not had any success with the Ubuntu package of ettercap (0.7.4.2). I was getting errors like the following:

SEND L3 ERROR: 10250 byte packet (0800:06) destined to was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long))

So, I decided to build from source. Even in 0.7.5, I still get these errors. I have tried numerous things, such as enabling ip forwarding, iptables rules, manually editing the source, trying different arguments, etc. It seems that there are many folks out there experiencing this issue, with no answers.

I should mention that I've used ettercap many times before, and that I've had success with it in the past.

When I uncomment line 122 in ec_send.c, e.g.

ON_ERROR(c, -1, "libnet_write %d (%d): %s", po->fwd_len, c, libnet_geterror(l));

I get the following:

libnet_write 2704 (-1): libnet_write_raw_ipv4(): -1 bytes written (Message too long)

I don't know if that helps out or not.

Thanks for looking into it, and thanks for picking the project back up.

"Description" in Hosts List always empty

I noticed the Description is always empty for me. I've never seen it working.

ettercap_description_empty

What is this column for actually? Would it be possible to show the host name there?

0.7.5.3 iptables: No chain/target/match by that name.

Hello.

I am a very new user to ettercap, so I can probably do some silly stuff.
I am trying to obtain username/password from gmail. AFAIK they use SSL by default.
I have control of a bridge (enp3s0 <-> br0 <-> wlp4s6), where the first is wired ethernet, the second is a linux virtual bridge, the last is wireless in master mode.

I have iptables installed on my gentoo. I have not loaded any specific iptables modules (must I?)
iptables -t nat/mangle/filter -L: all of those give an answer (perhaps I compiled them into the kernel). All answers are empty. I have never done any rules on this specific machine.

I have read the man documentation; unfortunately I can't make the SSL attack over a bridge. So I attempted one with ICMP redirection:
ettercap -T -M icmp:00:0c:42:ce:6a:f0/192.168.22.1 -i wlp4s6
where the mac address is my ISP gateway, the ip is the gateway IP.

I get several lines like this: iptables: No chain/target/match by that name, when I just start this command.

I activate sslstrip. As far as I understand, at this stage the victim should get a warning about the SSL cert change with an offer of a new SSL cert. Obviously it's not happening, as there is something wrong with the redirection (my guess). Victim is Android 4.1 with Firefox and Google Chrome.

I can see some output in Ettercap when I navigate around in the browser of the victim.

I really have 2 issues.

  1. Original issue, what's wrong? (I understand it's something to do with some rule or target that is not loaded into the kernel)
  2. How can I make messages more verbose? I mean, if only I knew which iptables command fails, I simply wouldn't create this thread.

parts of ettercap config file that I modified:
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Thanks a lot in advance,
Dmitri

etter.fields 'u' and 'p'

I think that the combination of the 'u' and 'p' values in etter.fields is too weak to be used with Parse_Method_Get. For example, if I point my browser to www.mlb.com, http://espn.go.com/nba/, and http://www.ksl.com/ I get:

HTTP : 174.129.243.85:80 -> USER: rsc5s0i6na80y1h7  PASS: /  INFO: http://www.ksl.com/
HTTP : 174.129.243.85:80 -> USER: cmjwi9qojljsz9sw  PASS: /index.jsp  INFO: http://mlb.mlb.com/index.jsp
HTTP : 174.129.243.85:80 -> USER: rsc5s0i6na80y1h7  PASS: /  INFO: http://www.ksl.com/
HTTP : 50.19.104.28:80 -> USER: 570tcg1xjk0l7q0w  PASS: /nba/  INFO: http://espn.go.com/nba/
HTTP : 50.19.104.28:80 -> USER: 570tcg1xjk0l7q0w  PASS: /nba/  INFO: http://espn.go.com/nba/
HTTP : 174.129.243.85:80 -> USER: cmjwi9qojljsz9sw  PASS: /index.jsp  INFO: http://mlb.mlb.com/index.jsp
HTTP : 174.129.243.85:80 -> USER: cmjwi9qojljsz9sw  PASS: /index.jsp  INFO: http://mlb.mlb.com/index.jsp
HTTP : 50.19.104.28:80 -> USER: 570tcg1xjk0l7q0w  PASS: /nba/  INFO: http://espn.go.com/nba/

I'm sure there are many more sites that trigger these false positives.

What to do about it? I would suggest simply removing both 'u' and 'p' from etter.fields. I hesitate to submit a pull request though, since they were probably added for a reason. Perhaps someone has a better workaround in mind?

more ec_gtk_mitm.c snprintf/strncat fixes

looks like a recent change landed to fix up some of the snprintf/strncat behavior. while functionally correct and fixing the bugs, it suffers from a few minor issues:

  • you want to use PARAMS_LEN, not PARAMS_LEN-1 -- if you look at where params is declared, it specifically adds 1 to the buffer size for the NUL byte. if anything, it should be sizeof(params) due to the following note ...
  • doing memset() on the entire buffer is pointless -- snprintf will always write a NUL byte ... even if its output is truncated. so if you tell it the buffer is 512 bytes and it is given 2000 bytes, it will copy the first 511 bytes and then write out a NUL byte.

also, there are more buggy calls to snprintf. in gtkui_arp_poisoning, the memset is pointless and the len to snprintf is incorrect (should be PARAMS_LEN). and the strcat's after that point lack length checking. you could write the code like:
const char *remote = "", *comma = "", *oneway = "";
if (...button1...) {
   remote = "remote";
}
if (...button2...) {
   if (*remote)   /* test for a non-empty string; the pointer itself is never NULL here */
      comma = ",";
   oneway = "oneway";
}
snprintf(params, PARAMS_LEN, "arp:%s%s%s", remote, comma, oneway);

same feedback applies to gtkui_port_stealing
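The parameter-building approach the review sketches, as an added example that is not ettercap's ec_gtk_mitm.c: the buffer is PARAMS_LEN + 1 bytes as the first bullet describes, snprintf gets the whole buffer, its return value replaces the memset and the unchecked strcats, and a second helper shows the truncation behaviour from the second bullet. PARAMS_LEN and the boolean button states are stand-ins for the gtk code's own names.

```c
/* Added example, not ettercap code: assemble the "arp:..." MITM parameter
 * string with correctly sized snprintf calls. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PARAMS_LEN 64   /* stand-in for the gtk code's own PARAMS_LEN */

/* Build "arp:" followed by "remote", "oneway" or "remote,oneway".
 * params must hold PARAMS_LEN + 1 bytes (the +1 is for the NUL byte).
 * Returns 0 on success, -1 if the text did not fit; in the latter case
 * snprintf has still NUL-terminated the buffer, so no memset is needed. */
int build_arp_params(bool remote_on, bool oneway_on, char params[PARAMS_LEN + 1])
{
    const char *remote = "", *comma = "", *oneway = "";

    if (remote_on)
        remote = "remote";
    if (oneway_on) {
        /* Check for a non-empty string, not a non-NULL pointer: `if (remote)`
         * is always true for a pointer to "" and would yield "arp:,oneway". */
        if (*remote)
            comma = ",";
        oneway = "oneway";
    }

    /* Pass the full buffer size: snprintf writes at most size-1 characters
     * plus the terminator and returns the length it wanted to write. */
    int n = snprintf(params, PARAMS_LEN + 1, "arp:%s%s%s", remote, comma, oneway);
    return (n < 0 || n > PARAMS_LEN) ? -1 : 0;
}

/* Copies src into dst of dst_size bytes and returns the length snprintf
 * wanted; when that exceeds dst_size - 1 the copy was truncated, but dst
 * is still a valid C string of exactly dst_size - 1 characters. */
size_t copy_bounded(char *dst, size_t dst_size, const char *src)
{
    int n = snprintf(dst, dst_size, "%s", src);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char params[PARAMS_LEN + 1];
    char small[8];

    build_arp_params(true, true, params);
    printf("%s\n", params);                       /* arp:remote,oneway */
    build_arp_params(false, true, params);
    printf("%s\n", params);                       /* arp:oneway */

    size_t wanted = copy_bounded(small, sizeof small, "0123456789");
    printf("wanted %zu, kept \"%s\"\n", wanted, small); /* wanted 10, kept "0123456" */
    return 0;
}
```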

please help

Hi, when I open ettercap 0.7.5 gtk and select the ppp0 iface, I get this error:

(:5275): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed' is invalid for instance `0x82905f8'
Ooops ! This shouldn't happen...
Segmentation Fault...

thanks

Feature request - host impersonation.

Hello Emilio and Eric,

I discovered by accident that ettercap is supported again; for me it was a huge loss when Naga and Alor stopped it. I'm very glad that you keep it working and updated, you know, protocols and attacks changed a lot since 2005 :)

I tried to contact you via e-mail without success, so I'm trying to open a ticket.

I'm writing to request a new feature to impersonate hosts. Let me explain.

Basically my box (192.168.0.110 and MAC 00:51:46:3c:45:a4) is filtered by the gateway (192.168.0.253 and MAC 00:48:2D:c4:13:b2) to access this host 192.168.1.3 in another network; however this box (192.168.0.50 and MAC 00:3c:48:ba:19:aa) on the same network segment is allowed.

As you are smart I'm pretty sure that you understand what I need, basically I want to use the ARP Poison to "isolate" the machine 192.168.0.50 and MAC 00:3c:48:ba:19:aa that runs Windows 7 and I want to make the gateway 192.168.0.253 and MAC 00:48:2D:c4:13:b2 believe that I'm this box.

I'm sure this feature will be very helpful to many users, unfortunately I'm not a C programmer to help.

Thanks.

After doing SSL MiTM attack, sites stop loading in the browser

After doing SSL MiTM attack, sites stop loading in the browser. I have modified etter.conf to change permissions and enable iptables settings.

After accepting the SSL warning in the browser, the browser shows nothing and I get "The connection was reset" after waiting for a long time.

$ git rev-parse HEAD                
1470c957b49403b12a483314592ffd18f41756e2

Feature request - RDP MITM.

Hello Emilio and Eric,

I discovered by accident that ettercap is supported again; for me it was a huge loss when Naga and Alor stopped it. I'm very glad that you keep it working and updated, you know, protocols and attacks changed a lot since 2005 :)

I'm writing again to request another feature that I believe will be very helpful for most users.

One thing that I always missed in ettercap is the possibility of doing WTS / RDP mitm attacks; the only tool able to do it is Cain&Abel as far as I know. It should be great, really great, to have it in ettercap.

Also, it should be nice if an option existed to import certificates to try to convince users. For example, an attacker may buy a certificate from a CA and this could make the attack more suspicious.

References:
http://blog.opensecurityresearch.com/2012/10/remediation-help-microsoft-windows.html
http://www.oxid.it/cain.html

Congrats for good work.

IPv6 Fails to Compile

System: Ubuntu 12.10 32 bit using libnet version 1.1.4

When IPv6 is enabled Ettercap fails to compile due to undeclared variables. A bunch of these values are defined in netinet/icmp6.h. Also, it appears that some of the values used to be defined in earlier versions of libnet/libnet-headers.h but the values were changed or removed? Finally, some of the definitions have the correct values in ec_proto.h but the wrong name (i.e. ICMP6_ECHO is defined in ec_proto.h but ettercap uses ICMP6_ECHO_REQUEST in ec_send.c).

[ 19%] Building C object src/CMakeFiles/ettercap.dir/ec_send.c.o
/ettercap/src/ec_send.c: In function ‘send_icmp6_echo’:
/ettercap/src/ec_send.c:647:33: error: ‘ICMP6_ECHO_REQUEST’ undeclared (first use in this function)
/ettercap/src/ec_send.c:647:33: note: each undeclared identifier is reported only once for each function it appears in
/ettercap/src/ec_send.c: In function ‘send_icmp6_nsol’:
/ettercap/src/ec_send.c:702:39: error: ‘ND_OPT_SOURCE_LINKADDR’ undeclared (first use in this function)
/ettercap/src/ec_send.c:709:12: error: ‘LIBNET_ICMPV6_NDP_OPT_H’ undeclared (first use in this function)
/ettercap/src/ec_send.c:712:37: error: ‘ND_NEIGHBOR_SOLICIT’ undeclared (first use in this function)
/ettercap/src/ec_send.c:722:9: error: ‘LIBNET_ICMPV6_NDP_NSOL_H’ undeclared (first use in this function)
/ettercap/src/ec_send.c: In function ‘send_icmp6_nadv’:
/ettercap/src/ec_send.c:761:36: error: ‘ND_OPT_TARGET_LINKADDR’ undeclared (first use in this function)
/ettercap/src/ec_send.c:767:9: error: ‘LIBNET_ICMPV6_NDP_OPT_H’ undeclared (first use in this function)
/ettercap/src/ec_send.c:769:12: error: ‘ND_NA_FLAG_SOLICITED’ undeclared (first use in this function)
/ettercap/src/ec_send.c:769:33: error: ‘ND_NA_FLAG_OVERRIDE’ undeclared (first use in this function)
/ettercap/src/ec_send.c:771:16: error: ‘ND_NA_FLAG_ROUTER’ undeclared (first use in this function)
/ettercap/src/ec_send.c:772:37: error: ‘ND_NEIGHBOR_ADVERT’ undeclared (first use in this function)
/ettercap/src/ec_send.c:783:9: error: ‘LIBNET_ICMPV6_NDP_NADV_H’ undeclared (first use in this function)

CMake Error at CMakeLists.txt:49 (include): include could not find load file

root@kali:~/Desktop/ettercap/build# cmake ..
CMake Error at CMakeLists.txt:49 (include):
include could not find load file:

CMakeFiles/os_test.cmake

CMake Error at CMakeLists.txt:60 (include):
include could not find load file:

CMakeFiles/headers_check.cmake

CMake Error at CMakeLists.txt:61 (include):
include could not find load file:

CMakeFiles/lib_check.cmake

CMake Error at CMakeLists.txt:62 (include):
include could not find load file:

CMakeFiles/variable_check.cmake

HAVING TROUBLE BUILDING ETTERCAP?

  1. Install any missing dependencies
  2. run 'make clean-all'
  3. run 'cmake /root/Desktop/ettercap'

-- Configuring incomplete, errors occurred!

Update about.html page

I think we should just provide something better to users who want to build ettercap on their own,

something like
"if you are on debian/ubuntu you can build ettercap just by issuing"
sudo apt-get install debhelper cmake bison flex libgtk2.0-dev libltdl3-dev libncurses-dev libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev libcurl4-openssl-dev ghostscript

and with the cmake documentation.

And in about.html the libnet6 part should be dropped, I think only libnet1 is needed.

Where to put this doc?

cmake ..

Hi Guys ..

Ok, I know this is not a bug, but I don't know where else to ask, because the ettercap forum is not yet up and running.

I have 10.10 maverick installed and want to use the latest ettercap.
I've tried to install ettercap but it says curl 7.26 minimum is required.
But when I install curl from source, the curl path displays 7.26 and the libcurl path displays 7.22, and this causes problems as curl returns a curl 48 error, so I removed it and compiled curl 7.26 into /usr/local/bin/curl using --prefix=/usr/local/bin/curl.

What I need to know is how to point cmake to the CURL library path so ettercap can detect the 7.26 curl and install.

ghostscript/ps2pdf13 shouldn't be a requirement for building Ettercap

I can't see a good reason why ghostscript/ps2pdf13 should be a requirement for building Ettercap.

  • It shouldn't be a hard-fail if we can't find ps2pdf13. Nobody is going "whoa dude, how can I run Ettercap without my pdf doc?" We can emit a warning/status message, and move on, as far as I'm concerned.
  • At the very least, I should be able to disable PDF doc generation. ENABLE_PDF_DOCS=Off or something to that effect.

ettercap_rc crashes when built with Clang with Address Sanitizer enabled.

Hi,

ettercap_rc (c03bd24) crashes when built with Clang with Address Sanitizer enabled.

HOWTO Reproduce

Build ettercap_rc branch using Clang with Address Sanitizer enabled.

export CC=/usr/bin/clang
export CFLAGS="-faddress-sanitizer -g"
cmake ../
make
ettercap -G # crashes!

Crash Log

==25881== ERROR: AddressSanitizer global-buffer-overflow on address 0x0000007581f0 at pc 0x4206d0 bp 0x7fff2f344c10 sp 0x7fff2f344c08
READ of size 8 at 0x0000007581f0 thread T0
#0 0x4206d0 in init_structures ettercap/src/ec_conf.c:0
#1 0x41d11e in load_conf ??:0
#2 0x484df7 in main ??:0
#3 0x7fe0fba9e725 in __libc_start_main ??:0
0x0000007581f0 is located 0 bytes to the right of global variable 'dissectors (ettercap/src/ec_conf.c)' (0x7581e0) of size 16
==25881== ABORTING

Analysis

The "sanity check" loop in the code (src/ec_conf.c) tries to access sections[5].entries[1].value and crashes.

Provide a summary of build-time features

At the end of running "cmake ..", I want to see something like the following, just prettier:

Features:
  Curses UI (ENABLE_CURSES): Off
  GTK2 UI (ENABLE_GTK): On
  IPv6 (ENABLE_IPV6): Off
  SSL (ENABLE_SSL): On
  Plug-ins (ENABLE_PLUGINS): On
  Use System Libraries (SYSTEM_LIBS): On
  Use System Curl (SYSTEM_CURL): On
  Use System Libnet (SYSTEM_LIBNET): Off
  Use Bundled Libraries (BUNDLED_LIBS): On
  Use Bundled Curl (BUNDLED_CURL): On
  Use Bundled Libnet (BUNDLED_LIBNET): On

Libraries:
  Libnet (1.1.6): Bundled
  Curl (7.26.0): /usr/lib/libcurl.so
  bla
  bla

We might be able to use cmake's FeatureSummary module (http://www.cmake.org/cmake/help/v2.8.2/cmake.html#module:FeatureSummary) to summarize what stuff is enabled/disabled.

Username and Password

When using 0.7.5.2, user names and passwords come out as URLs and not as they should, and I also get the L3 ERROR .... When I revert back to 0.7.4.1 it works fine.

example :

ETTERCAP 0.7.4.1-Lazarus

DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
HTTP : 31.13.72.39:80 -> USER: ****@hotmail.com PASS: **** INFO: http://pt-br.facebook.com/
DHCP: [00xxxxxxxxx] REQUEST 192.168.250.67
DHCP: [192.168.250.1] ACK : 192.168.250.67 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [00xxxxxxxxxx] REQUEST 192.168.250.223
DHCP: [192.168.250.1] ACK : 192.168.250.223 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
HTTP : xxxxxxxxxxxxx -> USER: ken PASS: ********** INFO: http://www.hotmail.com
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1

VS

ETTERCAP 0.7.5.2-Assimilation

DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
HTTP : 31.13.72.39:80 -> USER: http://www.hotmail.com PASS: http://www.http://www.msn.com INFO: http://www.msn.com
DHCP: [00:15:58:71:03:D0] REQUEST 192.168.250.67
DHCP: [192.168.250.1] ACK : 192.168.250.67 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [00:1E:68:7B:E9:D0] REQUEST 192.168.250.223
DHCP: [192.168.250.1] ACK : 192.168.250.223 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
HTTP : 122.155.168.148:80 -> USER:http://www.hotmail.com PASS: http://www.hotmail.com INFO: http://www.hotmail.com
DHCP: [192.168.250.1] ACK : 0.0.0.0 255.255.255.0 GW 192.168.250.1 DNS 192.168.250.1
SEND L3 ERROR: 1512 byte packet (0800:06) destined to xxxxxxxxxxx was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Message too long)

It compiled fine with no errors

Filter: basic replace make curl stall

Hi,
I just compiled ettercap from the GIT repository.
I created a simple filter:

if (ip.proto == TCP && tcp.src == 80) {
   replace("script", "aaaaa");
}

When doing a MITM on my local network, I just mitm the box one-way, ie router to box (router: 192.168.1.1 and box 192.168.1.145).

attacker$ ettercap -w /tmp/dump -T -M arp:oneway,remote /192.168.1.1/80 /192.168.1.145/ -F filter.ef

While on the box (the "victim") I do a curl on mit.edu, I receive only part of the page and then I have to kill curl:

victim$ curl   www.mit.edu
0 OK
Date: Thu, 21 Mar 2013 12:05:55 GMT
Server: Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.8j
Last-Modified: Thu, 21 Mar 2013 04:00:09 GMT
ETag: "10e81f4a-3564-514a85c9"
Accept-Ranges: bytes
Content-Length: 13668
X-Cnection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head> 
    <title>MIT - Massachusetts Institute of Technology</title> 
    <meta name="keywords" content="Massachusetts Institute of Technology, MIT" /> 
    <meta name="deaaaaaion" content="MIT is devoted to the advancement of knowledge and education of students in areas that contribute to or prosper in an environment of science and technology." /> 
    <meta name="robots" content="index,follow,noodp,noydir" /> 
    <meta name="allow-search" content="yes" /> 
    <meta name="language" content="en" /> 
    <meta name="distribution" content="global" /> 
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> 
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta http-equiv="Expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="Pragma" content="no-cache" /> 
    <meta http-equiv="cache-control" content="no-store" /> 

^C

When I am not using the filter, it's working perfectly. Note that I purposely changed "script" with "aaaaaa" which are both 6 letters long.

Thanks for your support

ettercap -G doesn't show any sniffing results

I'm using BT5R3 GNOME edition.
I installed ettercap 0.7.5.

When I'm using it, I choose the hosts, target 1 and target 2, and choose an ARP poison.

When I use start sniffing nothing appears.
On the victim PC I try to access an FTP server, or try to access an email account, but I don't get any feedback from the ettercap window.

filters don't work

I can't use ettercap filters. I'm writing even the most simple filter I can think of:

if (ip.proto == TCP){
msg("Ran Filter\n");
}

But even that doesn't work. When I compile it using etterfilter and run:

sudo ettercap -F /tmp/filter.ef -T -M arp -i wlan1 /192.168.1.6/ //

the msg is not printed. With the packet visualization I do see TCP packets, but the filter just doesn't seem to work, even though ettercap says "Content filters loaded from /tmp/filter.ef".

To solve this I've tried enabling ip_forward, and I've tried deleting the "#" sign in /etc/etter.conf so it will use iptables for its redir_command (lines 168-169).

I'm using ettercap NG-0.7.4.2 on Ubuntu 12.10

wrong use of pthread_mutex_lock(3) and pthread_mutex_unlock(3) in ec_threads.c

The way pthread mutexes are used in ec_threads is wrong and not portable and leads to SIGABRT on OpenBSD. On other systems, I guess, the whole lock/unlock mechanism (using the macros INIT_LOCK and INIT_UNLOCK) is just bogus. The reason for this is that the unlock happens in a different thread than the lock. See ec_thread_new_detached() and ec_thread_init(), and the comments near the end of ec_thread_new_detached().

Also, the additional INIT_LOCK; INIT_UNLOCK after that comment doesn't make any sense and would cause another SIGABRT on OpenBSD (and unspecified behaviour in general), because the mutex doesn't have the PTHREAD_MUTEX_RECURSIVE attribute set.

Furthermore, the macros INIT_LOCK and INIT_UNLOCK (and, well, THREADS_LOCK and THREADS_UNLOCK, too) don't check the return values of pthread_mutex_lock(3) and pthread_mutex_unlock(3). So, if locking/unlocking fails (which I guess is the case on other systems than OpenBSD), it will fail silently.
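Added example (my code, not ettercap's): checked lock/unlock wrappers plus an error-checking mutex that turns the two misuses the report names (unlock from a thread other than the owner, and a second lock of a mutex that lacks PTHREAD_MUTEX_RECURSIVE) into returned error codes instead of silent failure or SIGABRT. The helper names are mine; INIT_LOCK/INIT_UNLOCK and ec_thread_init are the names the report cites.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Checked counterparts to the unchecked INIT_LOCK/INIT_UNLOCK macros: the
 * return code is reported and handed back instead of being dropped. */
static int checked_lock(pthread_mutex_t *m, const char *who) {
    int rc = pthread_mutex_lock(m);
    if (rc) fprintf(stderr, "%s: pthread_mutex_lock: %s\n", who, strerror(rc));
    return rc;
}
static int checked_unlock(pthread_mutex_t *m, const char *who) {
    int rc = pthread_mutex_unlock(m);
    if (rc) fprintf(stderr, "%s: pthread_mutex_unlock: %s\n", who, strerror(rc));
    return rc;
}

/* Error-checking mutex: misuse returns an error instead of undefined behaviour. */
static int errorcheck_init(pthread_mutex_t *m) {
    pthread_mutexattr_t a;
    int rc = pthread_mutexattr_init(&a);
    if (!rc) rc = pthread_mutexattr_settype(&a, PTHREAD_MUTEX_ERRORCHECK);
    if (!rc) rc = pthread_mutex_init(m, &a);
    pthread_mutexattr_destroy(&a);
    return rc;
}

static int worker_rc, relock_rc;   /* outcomes of the two misuses below */
/* Worker thread: tries to release a mutex that the calling thread holds. */
static void *unlock_from_other_thread(void *m) {
    worker_rc = checked_unlock(m, "worker");
    return NULL;
}

/* Unlock by a non-owner thread (the ec_thread_init pattern) yields EPERM, and
 * a second lock of the held, non-recursive mutex (the extra INIT_LOCK) yields
 * EDEADLK; a default mutex would instead misbehave silently or abort. */
int cross_thread_unlock_error(void) {
    pthread_mutex_t m; pthread_t t;
    if (errorcheck_init(&m) || checked_lock(&m, "owner")) return -1;
    if (pthread_create(&t, NULL, unlock_from_other_thread, &m)) return -1;
    pthread_join(t, NULL);
    relock_rc = checked_lock(&m, "owner, second lock");
    checked_unlock(&m, "owner");           /* the owner releases it */
    pthread_mutex_destroy(&m);
    return worker_rc;
}
int relock_error(void) { return relock_rc; }   /* valid after the call above */
```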

Ettercap filter writing hexa values into captured packets | Kerberos replay attack

Hello,

I'm working on a filter that would catch all the AS-REQs that a client would send to its KDC in order to downgrade the cipher negotiation.

I first tried to replay the packet on the fly but, as far as I know/understood, it seems that the function pcre_regex() can indeed substitute one value for another BUT the replaced payload is written in ASCII in the data part.
To downgrade Kerberos v5 cipher negotiation from AES to DES, you need to spoof an AS-REQ (MitM required :) ) and replay it with some hex values changed (values of the cipher).

Here's the regex I wrote down that should downgrade all the client's proposed ciphers to DES (0x03):

if (pcre_regex(DECODED.data, "\x12.{2}\x11.{2}\x17.{2}\x18.{2}\xff\x79.{2}\x03"))

which actually matches the values I want. So this regex is able to detect when an AS-REQ is coming from a client that's about to negotiate its cipher algorithm with the server. Replacing these values with "\x03" actually writes "\x03" in ASCII in the DATA part.

Question is: is there any way I can write a filter that could actually replace these matching regex values with mine? In this case \x03. It seems weird that ettercap filters are able to view the hex part of a packet but are not able to write into it...

I tried to log() the incoming client packet, modify it with hexedit, and used the drop() and replay() functions to drop the actual client request and replay my forged packet, but I obviously have time skew issues... Not even talking about TCP sessions that aren't the same.

The best way remains to replay the packet on the fly, but I still haven't figured out how I could achieve this, assuming ettercap filters can handle this :)

Any help would be much appreciated :)

Thanks !
