Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Ettercap Ncurses Bug? or I missed the point. #435

Closed Pandoxie closed 6 years ago

Pandoxie commented 10 years ago

Have been playing with MITM software for a while. After toying with MITMPROXY, the author suggested ettercap to me to know more about multi-protocol sniffing. It is really awesome and handy. But I just found some issues with the Ncurses GUI. My platform is OSx 10.9.1 Mavericks; I use homebrew to build the sources.

Symptom:

After I select MITM items, e.g. ARP poisoning, a parameter input box comes up and I think this is the place to type in command line parameters like arp ([remote],[oneway]). So I just typed in remote, oneway inside the box and ARP poisoning is turned on.

I believed that worked since no error was generated, but it turned out something was wrong. I know this because when I tried to turn on ICMP redirecting, I typed naturally (MAC/IP) into the box. But the error came up.


The parameters I typed in did not actually get in the system somehow, as if NOTHING was inputted! I confirmed this by looking into the router's ARP table (I am using DDWRT) and the router was also spoofed although I specified oneway!

So, please tell me what to do the next and Thanks a ton!

BTW, the ettercap instruction about turning on https MITM was outdated. The IPFW command is deprecated and pfctl is the new lover. I am new to shell programming but after some observation, I came up with the following script and it worked well.

```
redir_command_on = "sh /usr/local/etc/ettercap/pf.sh %iface %port %rport"
redir_command_off = "sh /usr/local/etc/ettercap/pfunload.sh"
```

pf.sh--->

```sh
#!/bin/sh
# pf.sh <iface> <port> <rport>: called by redir_command_on

cd /usr/local/etc/ettercap/ || exit 1
touch EtterPF.conf
touch Ettertoken.txt

# Append the rdr rule only if it is not already in the rule file
isOldItem=$(grep -F "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3" EtterPF.conf)
if [ -z "$isOldItem" ]; then
    printf "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3\n" >> EtterPF.conf
else
    printf "Old Item Found, Just Reload\n" >> EtterLog.log 2>&1
fi

# Release the pf enable token left by a previous run, if any
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
fi

# Enable pf, load the rules into the sslsniff anchor and save the new token
pfctl -a sslsniff -E -f "EtterPF.conf" > Ettertoken.txt 2>&1
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
printf "\n\nNewly Add Token: $Token\n" >> EtterLog.log 2>&1
```

pfunload.sh

```sh
#!/bin/sh
# pfunload.sh: called by redir_command_off

cd /usr/local/etc/ettercap/ || exit 1

# Flush the sslsniff anchor and release the saved pf enable token
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
    printf "Flushed\n" > Ettertoken.txt 2>&1
fi
```

I am doing the stupid if because I found redir_command_on was executed several times at program launch. In order not to mess up with the OSx's pf load, I just did it the stupid way... Enjoy.
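The repeated calls to redir_command_on described above mean the rule-file update has to be idempotent, and the three arguments end up in a pf configuration loaded as root. The following is an added example, not part of the original post or the ettercap project: it appends the rule only when the exact line is absent and rejects arguments that are not a plain interface name and port numbers. The helper names `valid_port` and `add_rule_once` and the return codes are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: idempotent rule-file update with argument validation.
# valid_port and add_rule_once are hypothetical helper names.

# Accept only decimal port numbers 1..65535 without leading zeros.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# add_rule_once <conf> <iface> <port> <rport>
# Returns 0 if the rule was appended, 1 if it was already present,
# 2 if an argument was rejected or the file could not be created.
add_rule_once() {
    conf=$1 iface=$2 port=$3 rport=$4

    # Interface names: letters, digits, '.', '_' and '-' only, so that
    # nothing else can be smuggled into the pf rule text.
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) return 2 ;;
    esac
    valid_port "$port" && valid_port "$rport" || return 2

    rule="rdr pass on $iface inet proto tcp from any to any port $port -> localhost port $rport"
    touch "$conf" || return 2

    # -F fixed string, -x whole-line match, -q quiet; "--" ends option parsing.
    if grep -Fxq -- "$rule" "$conf"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$conf"
    return 0
}
```
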

LocutusOfBorg commented 10 years ago

can you please apply https://github.com/Ettercap/ettercap/pull/525 and build again?

Pandoxie commented 10 years ago

@LocutusOfBorg Bingo, #525 solved the compilation problem. I tried to type in arguments for port steal, etc, and seemed like the new curses UI fixed the problem~ @koeppea Good job! In case you need to test anything else, just name it.

Pandoxie commented 10 years ago

one more thing, does ettercap need ghostscript to run? I kinda have trouble installing ghostscript on OSx using homebrew, while the brew's official .rb file claims that ettercap depends on ghostscript library. But anyway, I commented out the dependency check line and everything seems running as smoothly as expected.

koeppea commented 10 years ago

@Pandoxie great to hear. Is this issue now ready to be closed?

Regarding ghostscript: isn't that the open source version of postscript for ink printers?

LocutusOfBorg commented 10 years ago

Ghostscript should be disabled by default iirc... it is used for converting man pages into pdf files, so not really needed. I'll check and disable it maybe tomorrow.

LocutusOfBorg commented 10 years ago

CMakeLists.txt "option(ENABLE_PDF_DOCS "Enable PDF document generation" OFF)"

it is already defaulted to off, how can you experience this problem?

Pandoxie commented 10 years ago

Thanks for the dig. I found the root of this Ghostscript problem, which got its source from the HomeBrew ettercap.rb configuration for compilation.

Somehow, the author of this formula demands the inclusion of ghostscript by writing:

```ruby
depends_on 'cmake' => :build
depends_on 'ghostscript' => :build
depends_on 'pcre'
depends_on 'libnet'
depends_on 'curl' # require libcurl >= 7.26.0
depends_on 'gtk+' => :optional
depends_on 'luajit' => :optional
```

Here is the link: https://github.com/Homebrew/homebrew/blob/master/Library/Formula/ettercap.rb

FYI, I think a lot of people compile and manage packages by Homebrew or tools alike, maybe you guys can check the formula up and give them some advice. But indeed, not the fault on ettercap itself~

gvanem commented 10 years ago

I've not tested Ghostscript to convert man pages to PDF (what's the direct command?). But these commands produce a good looking result:

```sh
groff -Tdvi -mandoc ettercap.8 > ettercap.dvi
dvipdfm -o ettercap.pdf ettercap.dvi
```

I think groff should be omnipresent. And dvipdfm is part of MikTeX and TeX Live.

LocutusOfBorg commented 10 years ago

```sh
groff -mandoc -Tps ettercap_curses.8 > ettercap_curses.8.ps
ps2pdf ettercap_curses.8.ps ettercap_curses.8.pdf
```

the first from groff the second from ghostscript

sgeto commented 6 years ago

Ghostscript dependency was removed in https://github.com/Ettercap/ettercap/pull/839

Cheers