What is Ettercap, and what does its dns_spoof plugin do?
Ettercap is a comprehensive MitM toolkit (ARP poisoning, DNS spoofing, sniffing, content filtering). The dns_spoof plugin reads etter.dns and forges DNS replies for any matching query in transit.
Ettercap's modules:
- Sniffing — capture traffic in real time
- ARP poisoning — like arpspoof, but with GUI
- DNS spoofing — forge DNS responses (via plugin)
- SSL strip — downgrade HTTPS where possible
- Filters — modify content in flight (e.g., inject scripts into HTML)
The dns_spoof plugin flow:
Victim sends DNS query: "Where is mycampus.hslu.ch?"
↓
Ettercap sees the query (because ARP poisoning routed it through us)
↓
Match against /etc/ettercap/etter.dns
↓ (match found)
Send forged DNS reply BEFORE the real one arrives
↓
Victim caches the forged answer → connects to attacker's server
Why "before the real one":
The victim accepts the first valid response. If the legit DNS server replies first, the spoof loses. So Ettercap is positioned in-path (via ARP poisoning) and replies immediately, beating the real server.
The two config files:
| File | Purpose |
|---|---|
/etc/ettercap/etter.conf |
Privileges (UID/GID), iptables rules, plugin paths |
/etc/ettercap/etter.dns |
Domain → IP rewrite table |
Common GUI workflow (sudo ettercap -G):
- Sniff → Unified sniffing → pick interface
- Hosts → Scan for hosts
- Add gateway as Target 1, victim as Target 2
- MitM → ARP poisoning → "Sniff remote connections"
- Plugins → Manage plugins → enable
dns_spoof
The privilege requirement:
Ettercap needs to send raw packets → root. Set ec_uid=0 and ec_gid=0 in etter.conf to grant. Some installations require enabling iptables redirect rules (redir_command_on/off) for SSL interception.
Tip: Bettercap is a modern alternative — Go-based, scriptable, better TLS handling. Most pentesters now use Bettercap, but Ettercap is still in Kali by default.
Go deeper:
Ettercap (Wikipedia) — overview of the toolkit's ARP-poisoning, sniffing, and plugin architecture.
bettercap (official site) — the modern Go-based successor; the docs show the scripted ARP/DNS-spoof workflow the card mentions.