Ettercap

A multipurpose sniffer/interceptor/logger for switched LAN.

It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

Character injection
in an established connection : you can inject character to server (emulating commands) or to client (emulating replies) maintaining the connection alive !!

SSH1 support
you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX

HTTPS support
you can sniff http SSL secured data... and even if the connection is made through a PROXY

Remote traffic through GRE tunnel
you can sniff remote traffic through a GRE tunnel from a remote cisco router and make mitm attack on it

Plug-ins support
You can create your own plugin using the ettercap's API. List of available plugins

Password collector
for [Telnet|TELNET]], FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming soon...)

Packet filtering/dropping
You can set up a filter that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.

OS fingerprint
you can fingerprint the OS of the victim host and even its network adapter

Kill a connection
from the connections list you can kill all the connections you want

Although it is not documented how you can do this from the text mode. Appearently nobody knows how to do this.

Passive scanning of the LAN
you can retrive infos about: hosts in the lan, open ports, services version, type of the host (gateway, router or simple host) and extimated distance in hop.

Check for other ARP poisoners
ettercap has the ability to actively or passively find other poisoners on the LAN

Bind sniffed data to a local port
you can connect to that port with a client and decode unknown portocols or inject data to it (only in arp based mode)

Interface
Ettercap NG includes a ncurses, text and GTK+ interface.

Platforms
Linux 2.0.x Linux 2.2.x Linux 2.4.x FreeBSD 4.x OpenBSD 2.[789] 3.0 NetBSD 1.5 Mac OS X (darwin 1.3 1.4 5.1) [[Windows 9x/NT/2000/XP (port in progress) Solaris 2.x

Required libraries
Recent versions of libpcap and libnet are required now. The interface libraries like ncurses and GTK+ are optional.

If you want SSH1 and/or HTTPS support, ettercap requires OpenSSL libraries.

Latest release
NG-0.7.3 RELEASED !!

Links

 * http://ettercap.sourceforge.net