
How to Set Up Ettercap on Kali Linux – Complete Tutorial

In this tutorial, we are going to set up Ettercap on Kali Linux. If you don’t know about Ettercap, you should google around and read the documentation on their official website. But don’t worry, we will give you an intro to the tool.

What is Ettercap?

Ettercap is a free and open-source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

Now Let’s Start!


Open a root terminal and enter the command ettercap -G to launch the graphical interface of ettercap.

  • Once ettercap is open, select the ‘Unified Sniffing’ option under the ‘Sniff’ menu.

Now, select your network interface and then click ‘OK’.

  • WiFi = wlan0, Ethernet = eth0 | I am using WiFi so I will select WLAN0 and click OK.


Now it is time to target our hosts. To begin, select the “Scan for Hosts” option under the “Hosts” menu, or just press Ctrl + S. It will scan the hosts on your provided network interface and display how many were found in the Logging box at the bottom. In my case, 4 hosts were added to the hosts list.

Now, open the Hosts List by selecting Hosts List under the “Hosts” menu, or just press H.

Next – Select the default gateway and click “Add to Target 1.” My default gateway is After that, select the host of the VICTIM against whom you are going to perform the attack. My victim will be my Galaxy S3 (connected to my wifi). This works for any device on your network. Ok, so the IP address of my victim host is I will select this host and then click “Add to Target 2.”

Ok, now select Current Targets under the Targets menu, or just press “T” on your keyboard. It will now show you the current targets. If you followed the last step correctly, your default gateway will be on one side, and the victim host on the other.


First, I am going to show you how to ARP poison. We do this for all of the other MITM attacks. Ok, so once you have your targets, simply select “Arp poisoning” from the “Mitm” menu. Next, select “Sniff remote connections” and click OK.

Great, now we just need to do one more thing to start the ARP poisoning. Select “Start Sniffing” from the “Sniff” menu, or you can just use the shortcut: Ctrl + W.

Now, you have ARP poisoned the victim! You will now receive information as they log in to sites. Example – I am going to log in to on my phone and Ettercap will show the login information in the logging area. Now, as you see in the image below, we have my username and password to HF :D. It will sniff all logins.

The second Man in the Middle (Mitm) attack I’m going to show you is DNS SPOOFING.

Here is the definition of DNS Spoofing, taken from Wikipedia.

DNS spoofing is a computer hacking attack, whereby data is introduced into a Domain Name System name server’s cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer.

Basically, DNS spoofing is like this scenario:
The attacker does a DNS spoofing attack to replace with (THE ATTACKERS’ TWITTER PHISHER). Having done this, if the victim visits, it will show the ATTACKERS’ phisher instead of real Twitter.

Alright, so before we can DNS spoof, you need to configure a file called etter.dns. In Kali Linux, this file is located in /usr/share/ettercap/etter.dns. If it is not, no problem – you can find the file by running the following command in the terminal:

locate etter.dns

Alright, now we will open etter.dns in any type of text editor. I am just going to use nano, by entering the following commands:

cd /usr/share/ettercap
nano etter.dns

Now, etter.dns will be open in the nano terminal text editor.

Take note that your etter.dns should be full of text; mine isn’t because I have done this before. Next, delete all of the text in this file. You can’t do Ctrl + A in the terminal, so it might be a little faster/easier to open this file in an editor such as LeafPad and edit it there.

Alright, now I have etter.dns open in nano terminal text editor as seen in the image below.

Ok, so this file tells what we are going to DNS spoof.
What we will do is enter the following: A

This will DNS spoof to (which is going to be my credential harvester for Twitter).

If you wanted, you could enter multiple lines like this: A A A

This would DNS spoof to, to, and to (Twitter). Or, you could just put an asterisk which means it will spoof ALL websites to your desired IP:

* A

I am just going to spoof Twitter for this tutorial, so in etter.dns I am going to delete everything and just enter A Save the file. If you’re using nano, you can save it by pressing Ctrl + X, then Y, then press enter.

Great, now etter.dns is ready. I spoofed twitter to which is going to be my credential harvester. To create a credential harvester, launch the SET framework by entering the command: se-toolkit. **If you wish to simply spoof it to an IP other than your phisher then skip this step 🙂 **

Now, enter 1 for Social-Engineering Attacks.

Secondly, enter 2 for Website Attack Vectors.

Finally, enter 3 for Credential Harvester Attack Method.

Alright, now enter 2 for site cloner.

Next, enter YOUR local IP (find it with ifconfig). mine is, so I’ll enter

Now, it wants you to enter the URL you wish to clone. I am going to make a fake twitter, so I enter Now we are done with that part.

NOW, it is time to conduct the DNS SPOOFING attack. Go back to ettercap and make sure you are NOT ARP POISONING anymore (If you tried that attack) by clicking “Stop Mitm Attacks” under the Mitm menu.

Ok, now select “Manage the Plugins” under the Plugins menu, or just press the shortcut Ctrl + P.

Last but not least, click Start Sniffing under the sniff menu, or just press Ctrl + W (IF YOU ARE NOT ALREADY SNIFFING)

Now, I will go to on the victim device, and it would take me to – BUT this is not the real Twitter – it’s the attacker’s fake Twitter! If I were to log in, I’d receive the credentials in the SET window.
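Seen from the network being tested, this kind of spoofing shows up in DNS answers: public names resolve to an address on the local LAN, and with a wildcard entry one address answers for many unrelated domains. The following is an added example, not part of the original tutorial, that applies both checks to observed (name, A record) pairs; the sample data, the list of internal suffixes and the two-label domain heuristic are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed observations as (queried name, returned A record).
# Names use reserved example domains; addresses are made up.
SAMPLE_ANSWERS = [
    ("www.example.com", "192.168.1.23"),
    ("login.example.net", "192.168.1.23"),
    ("mail.example.org", "192.168.1.23"),
    ("static.example.org", "203.0.113.10"),
    ("printer.lan", "192.168.1.40"),
]

LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")  # assumed internal zones
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_internal_name(name):
    return name.rstrip(".").lower().endswith(LOCAL_SUFFIXES)

def is_lan_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def public_name_to_local_ip(answers):
    """Public-looking names answered with a private, loopback or link-local address."""
    return [(name, addr) for name, addr in answers
            if not is_internal_name(name) and is_lan_address(addr)]

def wildcard_suspects(answers, min_domains=3):
    """Addresses answering for several unrelated domains, as a '*' A record would."""
    domains = defaultdict(set)
    for name, addr in answers:
        if not is_internal_name(name):
            # Naive registrable domain: last two labels (assumption, no suffix list).
            domains[addr].add(".".join(name.rstrip(".").lower().split(".")[-2:]))
    return {addr: sorted(d) for addr, d in domains.items() if len(d) >= min_domains}

if __name__ == "__main__":
    for name, addr in public_name_to_local_ip(SAMPLE_ANSWERS):
        print(f"SUSPECT: {name} -> {addr}")
    for addr, doms in wildcard_suspects(SAMPLE_ANSWERS).items():
        print(f"WILDCARD-LIKE: {addr} answers for {', '.join(doms)}")
```

Split-horizon DNS and captive portals produce legitimate hits, so tune LOCAL_SUFFIXES and the threshold to the network before alerting on the output.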

Also, you can use “Filters” on Ettercap (this is one of my favorites), which allows you to custom filter packets. I will edit this post later when I have time and type up a tutorial on filtering, but right now I will just post a link to a guide:

Credit: WoWoX

Well, I hope this tutorial was helpful. I tried to explain everything the best I can. Don’t forget to comment if you have any problem!
