How To Sniff Passwords Using Ettercap? [MITM Series: 5]


Welcome back to all my hackers and geeks.
In this article you are going to get a complete overview of Ettercap.


Ettercap is one of the most famous and widely used tools for performing man-in-the-middle attacks. For those who do not like the command-line interface, ettercap-gtk provides a graphical interface for beginners.

While most users treat Ettercap only as a man-in-the-middle tool, it can also perform many other tasks, such as a DoS against a target.

To access Ettercap in Kali Linux:

1. Click on Applications in the top menu bar.



2. Go to Sniffing & Spoofing, where you will find Ettercap.


3. Click on Sniff, select Unified Sniffing, and select the interface you want to sniff packets on.

UNIFIED: this method sniffs all the packets that pass on the cable.

Packets not directed to the host running ettercap will be forwarded automatically using layer 3 routing.

So you can use an MITM attack launched from a different tool and let ettercap modify the packets and forward them for you.

BRIDGED: it uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering.

This sniffing method is totally stealthy since there is no way to find that someone is in the middle of the cable.

You can look at this method as an MITM attack at layer 1.

You will be in the middle of the cable between two entities.

Don’t use it on gateways or it will transform your gateway into a bridge.

4. Go to Plugins and Load manage.

Here you will find all the plugins that come preinstalled with ettercap.

Below is a description of the plugins preinstalled in Ettercap:


It reports suspicious ARP activity by passively monitoring ARP requests.

It can report ARP poisoning attempts or simple IP-conflicts or IP-changes.

If you build the initial host list the plugin will run more accurately.

2. Auto add

It will automatically add new victims to the ARP poisoning MITM attack when they come up.

It looks for ARP requests on the LAN and, when one is detected, it adds the host to the victims list if it was specified in the TARGET.


It performs a check to see if the ARP poisoning module of ettercap was successful.

It sends spoofed ICMP echo packets to all the victims of the poisoning pretending to be each of the other targets.

If we can catch an ICMP reply with our MAC address as a destination it means that the poisoning between those two targets is successful.

It checks both ways of each communication.


This plugin intercepts DNS queries and replies with a spoofed answer.

You can choose to which address the plugin has to reply by modifying the etter.dns file.


This plugin runs a DoS attack against a victim IP address.

It first “scans” the victim to find open ports, then starts to flood these ports with SYN packets, using a “phantom” address as source IP.

Then it uses fake ARP replies to intercept packets for the phantom host.

When it receives SYN-ACK from the victim, it replies with an ACK packet creating an ESTABLISHED connection.

You have to use a free IP address in your subnet.


Only a template to demonstrate how to write a plugin.


A simple plugin that listens for ARP requests to show you all the targets a host wants to talk to. It can also help you find addresses in an unknown LAN.


Tries to identify ettercap packets sent on the LAN. It could be useful to detect if someone is using ettercap.


Finds the first unused IP address in the range specified by the user in the target list.

Some other plugins (such as gre_relay) need an unused IP address of the LAN to create a “fake” host.

It can also be useful to obtain an IP address in an unknown LAN where there is no DHCP server.


Uses the passive fingerprint capabilities to fingerprint a remote host.

It does a connect() to the remote host to force the kernel to reply to the SYN with a SYN+ACK packet.

The reply will be collected and the fingerprint is displayed.


Use this plugin to submit a fingerprint to the ettercap website.

If you found an unknown fingerprint, but you know for sure the operating system of the target, you can submit it so it will be inserted in the database in the next ettercap release.


The isolate plugin will isolate a host from the LAN.

It will poison the victim’s ARP cache with its own MAC address associated with all the hosts it tries to contact.

This way the host will not be able to contact other hosts because the packets will never reach the wire.


Floods the LAN with random MAC addresses.


It solicits poisoning packets after broadcast ARP requests (or replies) from a poisoned host.

For example, we are poisoning Group1 impersonating Host2.

If Host2 makes a broadcast ARP request for Host3, it is possible that Group1 caches the right MAC address for Host2 contained in the ARP packet.

This plugin re-poisons Group1 cache immediately after a legal broadcast ARP request (or reply).
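
The passive ARP monitoring described for the first plugin, and the flip between the right and the wrong MAC address described for the last one, can both be watched for from the defender's side. The following is an added example, not Ettercap's code or the article's; `monitor_arp`, the alert names, the 2-second `flap_window` and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP packets.
# 192.0.2.0/24 is a documentation range; the MACs are made up.
GW, PC, ODD = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE_ARP = [
    (0.0, "192.0.2.10", PC),
    (1.0, "192.0.2.1", GW),
    (5.0, "192.0.2.1", ODD),    # gateway IP now claimed by a different MAC
    (5.5, "192.0.2.10", ODD),   # the same MAC also claims a second IP
    (9.0, "192.0.2.1", GW),     # real gateway sends a broadcast ARP request
    (9.1, "192.0.2.1", ODD),    # mapping flips back 0.1 s later
    (20.0, "192.0.2.30", "02:00:00:00:00:30"),
]
KNOWN_HOSTS = {"192.0.2.1": GW, "192.0.2.10": PC}  # initial host list

def monitor_arp(events, known_hosts=None, flap_window=2.0):
    """Return (time, kind, ip, mac) alerts for changes in IP-to-MAC bindings."""
    trusted = dict(known_hosts or {})
    table = dict(trusted)              # current belief: ip -> mac
    ips_by_mac = defaultdict(set)      # mac -> IPs it currently answers for
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    last_change = {}                   # ip -> time of the previous rebinding
    alerts = []
    for ts, ip, mac in events:
        old = table.get(ip)
        if old == mac:
            continue                   # binding unchanged, nothing to report
        if old is None:
            kind = "NEW_HOST"
        elif trusted.get(ip) == mac:
            kind = "RESTORED"          # back to the baseline binding
        elif ip in last_change and ts - last_change[ip] <= flap_window:
            kind = "FLAP"              # rebinding right after another one
        elif ips_by_mac[mac] - {ip}:
            kind = "POISON_SUSPECT"    # one MAC answering for several IPs
        else:
            kind = "IP_CHANGE"
        if old is not None:
            ips_by_mac[old].discard(ip)
            last_change[ip] = ts
        table[ip] = mac
        ips_by_mac[mac].add(ip)
        alerts.append((ts, kind, ip, mac))
    return alerts

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_ARP, KNOWN_HOSTS):
        print(alert)
```

Running it without `KNOWN_HOSTS` reports the first sighting of every host as `NEW_HOST` and cannot recognise the gateway's return to its real MAC, which is why an initial host list makes this kind of monitoring more accurate.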

That is all about ettercap-gtk, an MITM attack tool.

Hope to see you guys in the next article. Till then, keep hacking.