LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is Ettercap, and what does its dns_spoof plugin do?

Ettercap is a comprehensive MitM toolkit (ARP poisoning, DNS spoofing, sniffing, content filtering). The dns_spoof plugin reads etter.dns and forges DNS replies for any matching query in transit.

Ettercap's modules:

  • Sniffing — capture traffic in real time
  • ARP poisoning — like arpspoof, but with GUI
  • DNS spoofing — forge DNS responses (via plugin)
  • SSL strip — downgrade HTTPS where possible
  • Filters — modify content in flight (e.g., inject scripts into HTML)

The dns_spoof plugin flow:

Victim sends DNS query: "Where is mycampus.hslu.ch?"
   ↓
Ettercap sees the query (because ARP poisoning routed it through us)
   ↓
Match against /etc/ettercap/etter.dns
   ↓ (match found)
Send forged DNS reply BEFORE the real one arrives
   ↓
Victim caches the forged answer → connects to attacker's server

Why "before the real one":

The victim accepts the first valid response. If the legit DNS server replies first, the spoof loses. So Ettercap is positioned in-path (via ARP poisoning) and replies immediately, beating the real server.

The two config files:

File Purpose
/etc/ettercap/etter.conf Privileges (UID/GID), iptables rules, plugin paths
/etc/ettercap/etter.dns Domain → IP rewrite table

Common GUI workflow (sudo ettercap -G):

  1. Sniff → Unified sniffing → pick interface
  2. Hosts → Scan for hosts
  3. Add gateway as Target 1, victim as Target 2
  4. MitM → ARP poisoning → "Sniff remote connections"
  5. Plugins → Manage plugins → enable dns_spoof

The privilege requirement:

Ettercap needs to send raw packets → root. Set ec_uid=0 and ec_gid=0 in etter.conf to grant. Some installations require enabling iptables redirect rules (redir_command_on/off) for SSL interception.

Tip: Bettercap is a modern alternative — Go-based, scriptable, better TLS handling. Most pentesters now use Bettercap, but Ettercap is still in Kali by default.

Go deeper:

  • doc Ettercap (Wikipedia) — overview of the toolkit's ARP-poisoning, sniffing, and plugin architecture.
  • tool bettercap (official site) — the modern Go-based successor; the docs show the scripted ARP/DNS-spoof workflow the card mentions.

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026