Writing an Ettercap Dissector
A dissector captures protocol-specific information from the network. Most Ettercap dissectors are designed to capture usernames and passwords transmitted over the network in real time. Here is an example of how to run Ettercap in console mode to sniff passwords:
[root]# ettercap --text --quiet
ettercap NG-0.7.0 copyright 2001-2004 ALoR & NaGA
Listening on en0... (Ethernet)
eth0 -> 00:0B:25:30:11:B 192.168.1.1 255.255.255.0
Privileges dropped to UID 65534 GID 65534...
0 plugins
39 protocol dissectors
53 ports monitored
6312 mac vendor fingerprint
1633 tcp OS fingerprint
2183 known services
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
FTP : 10.0.0.1:21 -> USER: john PASS: try4ndgu355m3!!
In the preceding example, the FTP dissector successfully sniffed the FTP password try4ndgu355m3!! of user john logged on to an FTP server running on host 10.0.0.1.
In the following paragraphs, we will discuss the dissector responsible for capturing FTP usernames and passwords. First we will discuss the FTP authentication mechanism, followed by a detailed analysis of the FTP dissector source code.
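The following stand-alone C program is an added example, not code from the book or from Ettercap's source. It shows the per-connection state a dissector needs in order to pair a USER command with the PASS that follows, written as an audit check that reports cleartext FTP logins with the password masked. The names ftp_session, is_cmd and ftp_audit_line are hypothetical, and the input lines are constructed from the capture shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* State kept per TCP connection: USER must be remembered until PASS arrives. */
struct ftp_session { char user[64]; int have_user; };

/* Case-insensitive match of an FTP command followed by a space. */
static int is_cmd(const char *line, const char *cmd)
{
    for (; *cmd; line++, cmd++)
        if (toupper((unsigned char)*line) != *cmd) return 0;
    return *line == ' ';
}

/* Feed one client-to-server control-channel line. Returns 1 and writes a
 * finding (password masked) when a cleartext login completes, else 0. */
int ftp_audit_line(struct ftp_session *s, const char *server,
                   const char *line, char *out, size_t outlen)
{
    if (is_cmd(line, "USER")) {
        size_t n = strcspn(line + 5, "\r\n");       /* argument ends at CR/LF */
        if (n >= sizeof s->user) n = sizeof s->user - 1;
        memcpy(s->user, line + 5, n);
        s->user[n] = '\0';
        s->have_user = 1;
        return 0;
    }
    if (is_cmd(line, "PASS") && s->have_user) {
        size_t plen = strcspn(line + 5, "\r\n");
        snprintf(out, outlen, "FTP : %s -> USER: %s PASS: <%zu chars, cleartext>",
                 server, s->user, plen);
        s->have_user = 0;                            /* one finding per login */
        return 1;
    }
    return 0;   /* PASS without a preceding USER, or any other command */
}

int main(void)
{
    /* Constructed sample lines, modelled on the capture shown above. */
    const char *lines[] = { "USER john\r\n", "PASS try4ndgu355m3!!\r\n", "QUIT\r\n" };
    struct ftp_session s = {0};
    char out[160];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (ftp_audit_line(&s, "10.0.0.1:21", lines[i], out, sizeof out))
            puts(out);
    return 0;
}
```

Any host that produces a finding here is sending credentials an on-path observer can read, which makes it a candidate for migration to FTPS or SFTP.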