Ettercap
Ettercap is a multipurpose sniffer, interceptor, and logger for switched LANs supporting active and passive dissection of many protocols. It enables man-in-the-middle attacks, data injection, packet filtering, and comprehensive network analysis.
Description
Ettercap is designed for comprehensive network reconnaissance and manipulation on switched LANs. It supports active and passive dissection of numerous protocols, including encrypted ones, and offers features for network and host analysis. Users can perform data injection into established connections, filter packets on the fly (substitute or drop), and maintain connection synchronization. It is distributed as multiple packages: ettercap-common for the core files, ettercap-graphical for the GUI, ettercap-text-only for the console interface, and supporting tools such as etterfilter and etterlog.
Common use cases include detecting switched LAN geometry, OS fingerprinting (active or passive), and sniffing in IP-based, MAC-based, ARP-based (full-duplex), or PublicARP-based (half-duplex) modes. It facilitates man-in-the-middle (MITM) attacks and is suitable for penetration testing environments like Kali Linux.
The toolset includes ettercap-pkexec for launching the graphical interface with root privileges via PolicyKit, etterfilter for compiling content filters, and etterlog for analyzing log files. Installation is done with apt (see below); the packages depend on libraries such as libpcap and libnet.
How It Works
Ettercap operates by placing the network interface in promiscuous mode (unless disabled) to capture traffic. It supports four sniffing modes: IP Based, MAC Based, ARP Based (full-duplex multi-sniffing), and PublicARP Based (half-duplex). For MITM, it uses methods such as ARP poisoning to intercept traffic between targets. Protocol dissection occurs actively or passively, with capabilities for SSL certificate forging (unless disabled), packet filtering via filter scripts, data injection, and logging to pcap or custom formats. Plugins, Lua scripts, and filters extend functionality for visualization, regex matching, and host discovery. It detects LAN geometry and uses OS fingerprints for host identification.
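As an added defender-side example (not Ettercap's own code or part of the original page), the following Python script shows the trace the ARP-based MITM mode described above leaves on the wire: an IP address that suddenly resolves to a different MAC. It parses raw Ethernet/ARP frames with the standard library only; the frames and addresses are constructed inline for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Build a raw Ethernet frame carrying an ARP reply (constructed sample traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


def detect_arp_conflicts(frames):
    """Track IP->MAC bindings learned from ARP replies; flag any IP whose MAC changes.

    A single change can be legitimate (DHCP reassignment, NIC swap, failover),
    so treat the alert as a lead to correlate with DHCP/switch logs, not as proof.
    """
    bindings = {}
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample: the real gateway answers first, then a second station
# claims the gateway's IP with its own MAC (the pattern ARP poisoning produces).
GATEWAY_MAC, HOST_MAC, ROGUE_MAC = (bytes.fromhex("aabbcc000001"),
                                    bytes.fromhex("aabbcc000005"),
                                    bytes.fromhex("aabbcc000099"))
GATEWAY_IP, HOST_IP = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 5])
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
]
```

Running `detect_arp_conflicts(SAMPLE_FRAMES)` on the constructed frames returns one alert naming 10.0.0.1 with the old and new MAC.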
Installation
sudo apt install ettercap-common
Flags
Examples
ettercap -h
ettercap -G
ettercap-pkexec -G
etterfilter -h
etterlog -h
ettercap -T
ettercap -D