Subject: Re: Encrypted connections can be hijacked at the ISP?
To: Ram Chandar <>
From: Manuel Bouyer <>
List: netbsd-advocacy
Date: 12/12/2001 21:49:24
On Wed, Dec 12, 2001 at 03:31:05PM -0800, Ram Chandar wrote:
> The tool at boasts the following.
> Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN.
> It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. 
> SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
> HTTPS support : you can sniff http SSL secured data... and even if the connection is made through a PROXY
> Does this mean that this tool (which works on NetBSD) represents a threat to our
> encrypted connections such as SSH, HTTPS etc can now be hijacked easily by
> people at ISP, Corporate Network etc? 

I tried this tool (on a linux box, couldn't get it to work on -current).
Well, for ssh at last it's a man-in-the-middle attack, so nothing new here.
When it attemps to sniff the connection the connecting ssh will complain that
the ssh key has changed. Keep your known_hosts up to date and you're safe.

Also when a NetBSD host is attacked it logs:
arp info overwritten for <IP> by <ether>
so it's not really silent :)

Manuel Bouyer <>