About SecureMac Advertise Security Consulting Mac Security Store Send Feedback

Site Information
Site Background
Who runs the site
Security Consulting
Feedback Form

SecureMac Software


Mac OS X Security
sudo buffer overflow exploit + fix
Disable Single User Boot Mode
Malevolence - Dumping Passwords
nidump security
Startup Security - Open Firmware Password Protection

Mac OS X Network Security
Secure FTP Wrapper
Ettercap - sniffer interceptor logger
Snort - Network Intrusion Detection System
SSH Admin
SSH Helper
xnu - enable MAC Address spoofing

Mac OS X Virus

Mac OS X Firewalls
Firewalk Firewall Utility
NetBarrier X

Mac OS X App Sec.

Mac OS X Encryption
GPGMail - PGP Functionality

Mac OS X DoS

SecureMac Library
Mac Cable Modem Security
Mac Security Auditing
Mac OS X Security Understanding
Mac OS X Security Second Lessons
Mac OS X Security Third Lesson
Mac OS X Single User Mode Root Access
Mac OS X Shareware Firewalls
Mac OS X Secure Installation
Cable & DSL Connections - Security Measures
Better Safe than Sorry Security Resources
Marketing Macintosh Security Programs

Mac OS X Ettercap

ettercap review for Mac OS X on securemac
0.6.4 Released!

Fix for 10.1 - Read to make work for Mac OS X

Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. This program is fully unix based and was just ported to Mac OS X after a user requested it. If you are looking for your favorite unix based application to run on Mac OS X just give the programmers remote root so they don't have to buy expensive hardware and they can do all the work from your box. 0.6.0 adds more support for Mac OS X!

Tools like this come in handy when programming, when you believe their is foul play happening, or possibly hackers on your network. This tool will let you see all the connections going to and from your computer.

It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

MacOSX ettercap connections
Select the connection you wish to monitor

It's possible to sniff in four modes.
IP Based, the packets are filtered on IP source and dest
MAC Based, packets filtered on mac address, useful to sniff connections through gateway
ARP based, uses arp poisoning to sniff in switched lan between two hosts (full-duplex).
PublicARP based, uses arp poisoning to sniff in switched lan from a victim host to all other hosts (half-duplex).

Mac OS X etercap hosts

Addition features the program offers can help you in numerous ways, from killing connections to sniffing the network for any data. Some of the features the author highlights are list below.

Characters injection in an established connection : you can inject character to server (emulating commands) or to client (emulating replies) maintaining the connection alive !!

SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX

HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY

Plug-ins support : You can create your own plugin using the ettercap's API.

Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC (other protocols coming soon...)

Paket filtering/dropping: You can set up a filter that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.

OS fingerprint: you can fingerprint the OS of the host and even its network adapter

Kill a connection: from the connections list you can kill all the connections you want to discontinue traffic to your network. Hackers trying hard to get in?

Mac OS X Ettercap sniffing connections in hex mode
Ettercap is showing the traffic on a node in hex

ettercap gets 5 lock rating from

Other commercial network analysis programs out there for the Mac OS / Windows like Etherpeek cost up to $995.00! Ettercap is going to cost you nothing. The programmers like you so much they want to share their hard work with you. I suggest sending them feedback letting them know you appreate their hard work. =)

Requirements: Mac OS X, GCC, Developer Tools CD
ettercap 0.6.4 tested on Mac OS X (darwin)

ncurses for Mac OS X can be obtained here
libdl (15K) can be downloaded here
xnu for Mac OS X can be obtained here (allows mac to spoof MAC addresses


New Features in 0.6.4
+ You can sniff remote traffic from a romote cisco router and make mitm attacks on it using GRE tunnels.
+ Added some bits for the passive OS fingerprint database. Now even the length of the packet make sense.
+ The sniffing interface now support JOINED view
+ NEW PLUGIN : thief and zaratan (redirect GRE tunnels)
+ ICQ dissector now search for passwords on all ports
+ Updated the passive OS fingerprint database (675 records)
+ Changed the arg 2 of Plugin_HookPoint for PCK_RECEIVED_RAW
!! Under OpenBSD the pflog interface is ingored
!! Fixed the DATA_PATH issue in the phantom plugin
!! Fixed an unsigned short in state_machine
!! Fixed some plugins that don't recognize the 'yes' answer
!! Fixed the plugins symbol problem on Mac OS X (strip -x)
!! Fixed the possibility of remote exploitation on interface with MTU > 1500

Installation Fix
<< none >>

Could not connect!