joshboss1234
« on: February 18, 2010, 06:27:46 PM »
I've been looking at tutorials for ettercap. I've been trying to sniff out passwords with ARP injection on my network, but I'm not having too much luck. A little help please. Here is what I have been doing:
in shell: ettercap -G
goes into graphic mode:
sniff > unified sniffing > network interface (I chose wlan0); I'm pretty sure that this is the correct one for me.
start > start sniffing
hosts > scan for hosts
when done scanning:
hosts > host list
then I set the user as target1 and the AP as target2
mitm > arp poisoning > sniff remote connections
The tutorial said it should just start printing passwords in plain text, but it's not working for me. I went to all kinds of login sites on my other computer, but still nothing. I'm thinking that I didn't configure something (even though the tutorial didn't mention it) or it has something to do with the Vista security (even though my anti-virus didn't say anything). Appreciate the help.

Ketchup
« Reply #1 on: February 18, 2010, 06:55:58 PM »
Are you sure you are logging into sites that transmit authentication in clear text? Encryption will stop you from seeing passwords.
~~~~~~~~~~~~~~ Ketchup

joshboss1234
« Reply #2 on: February 18, 2010, 07:06:01 PM »
Are you saying that the steps I took are correct? The tutorial that I watched showed them going to Google, Hotmail, eBay, etc... and it worked in the video. I thought that ettercap turns the packets that it captures into plain text. No idea why it isn't working for me?

hayabusa
« Reply #3 on: February 18, 2010, 10:02:21 PM »
* Edited: Note, I was half-baked last night, from lack of sleep. The steps below were for SSH downgrade, not SSL. See my last post for something more relevant to SSL. *

Ketchup and joshboss1234... ettercap has an SSL man-in-the-middle, which will allow you to catch encrypted usernames and passwords, yes. I've used it previously. There is an extra setting that needs to be set / enabled for the SSL piece, though. You can't simply play 'arp man-in-the-middle'.

To step through configuration and attack, using ettercap on Linux: http://openmaniak.com/ettercap.php

Then proceed to the next section, about filters: http://openmaniak.com/ettercap_filter.php

Specifically, where it discusses SSH downgrade attacks: http://openmaniak.com/ettercap_filter.php#ssh-downgrade-attack

Hope this helps. There are other tutorials about this, but the point being, first you have to configure for the ARP MITM attack, then you have to enable the SSH pieces, to truly get plain-text capture of usernames and passwords to work from SSL encrypted pages and forms.
« Last Edit: February 19, 2010, 07:39:16 AM by hayabusa »
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH

Ketchup
« Reply #4 on: February 18, 2010, 11:02:47 PM »
Ha, I learned something new. I knew that you could use ettercap with sslstrip, but I had no idea that ettercap had a built-in filter for dealing with SSL. It also doesn't strip the SSL; instead it presents the user with a fake certificate. Do you get any CA trust warnings with the fake cert? I am going to have to test this.
~~~~~~~~~~~~~~ Ketchup

joshboss1234
« Reply #5 on: February 19, 2010, 02:59:17 AM »
thanks man

hayabusa
« Reply #6 on: February 19, 2010, 07:33:37 AM »
> Ha, I learned something new. I knew that you could use ettercap with sslstrip, but I had no idea that ettercap had a built-in filter for dealing with SSL. It also doesn't strip the SSL; instead it presents the user with a fake certificate. Do you get any CA trust warnings with the fake cert? I am going to have to test this.

It will warn the user, or at a minimum, prompt the user to accept a new certificate, so a truly 'watchful' end-user would likely catch it. (Thus I prefer sslstrip, myself, as it's much more stealthy.) But for spur of the moment needs, ettercap is, at least, a workable / usable solution.

Edit: Incidentally, I missed the proper section when I gave steps above. You don't want the 'SSH downgrade attack.' But there IS an SSL plugin for attacking SSL, as well. (Sorry if I confused anyone.)

Here's one sample video, where they do some https stuff (later in the video): http://www.milw0rm.com/video/watch.php?id=49

Cheers!
« Last Edit: February 19, 2010, 07:43:43 AM by hayabusa »
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH

LT72884
« Reply #7 on: February 25, 2010, 06:57:07 PM »
Hope you don't mind me hijacking the thread real fast, but I wanna try this with VirtualBox. So I need a lab. I just bought Tom's book and it should be here within the week. The lab that he instructs us to build in the book, will that work with these ettercap attacks and tutorials? Or do I need to add some other hosts and devices to it for it to work?
Thanks
Matt

hayabusa
« Reply #8 on: February 25, 2010, 10:30:11 PM »
While I never actually set up Tom's lab 'specifically' per the book (in VirtualBox, or otherwise), assuming you can put the box on a physical (or logical / virtual) network segment which allows ARP injection (which I'm guessing it should), then this should be perfectly doable in the lab. I've honestly never used VirtualBox, but rather VMware. However, from anything I've read quickly tonight, ARP spoofing should be perfectly workable with VirtualBox. Case in point, an ARP spoofing tutorial (non-SSL specific) at: http://hack2live.blogspot.com/2008/07/ip-takeover-attack-with-arping.html

So the assumption is that it's perfectly doable in VirtualBox.
« Last Edit: February 25, 2010, 10:32:54 PM by hayabusa »
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH

hayabusa
« Reply #9 on: February 25, 2010, 10:39:16 PM »
Also, if you're looking to do more proactive monitoring / warning for this type of ARP spoofing activity, you can use tools like arpmon and arpwatch to keep an eye on things, and be notified if the ARP table entries on the network are changing for the machines on the network.

Additionally, SANS has a good read about ARP and monitoring ARP, at: http://www.sans.org/reading_room/whitepapers/protocols/monitoring_the_arp_protocol_on_local_area_networks_1304?show=1304.php&cat=protocols
~ hayabusa ~
"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH
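
The arpwatch-style monitoring hayabusa describes, as an added example that is not from the thread, from arpwatch or from ettercap: it compares two snapshots of a client's ARP cache and flags the two symptoms of the poisoning set up in the original post (the gateway / AP, target2, suddenly resolving to a different MAC, and one MAC answering for several IPs). The `arp -an` output it parses is constructed sample data.

```python
# Added example (not from the thread or from arpwatch): flag the ARP-cache
# symptoms of an ARP poisoning MITM, from the defender's side. Input is
# constructed text in `arp -an` format; feed it real snapshots to use it.
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -an` style output, MACs lower-cased."""
    return {m.group("ip"): m.group("mac").lower()
            for m in map(ARP_LINE.search, text.splitlines()) if m}

def find_anomalies(before, after, gateway_ip):
    """Compare two snapshots and return (severity, message) alerts for:
    an IP whose MAC changed (HIGH if it is the gateway, i.e. the AP that
    is target2 in the thread), and a MAC now answering for several IPs."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((sev, f"{ip} changed {old} -> {mac}"))
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("HIGH", f"{mac} claims {sorted(ips)}"))
    return alerts

# Constructed sample as seen from a client: a clean snapshot, then one where
# the gateway resolves to the MAC of host .77, so that MAC now claims two
# IPs, the classic poisoning signature.
BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:01 [ether] on wlan0
? (192.168.1.77) at aa:bb:cc:dd:ee:ff [ether] on wlan0
"""
AFTER = BEFORE.replace("(192.168.1.1) at 00:11:22:33:44:01",
                       "(192.168.1.1) at aa:bb:cc:dd:ee:ff")

def demo():
    return find_anomalies(parse_arp(BEFORE), parse_arp(AFTER), "192.168.1.1")

if __name__ == "__main__":
    for sev, msg in demo():
        print(sev, msg)
```

Run it periodically against fresh `arp -an` output (or a pcap-derived table) and a single baseline snapshot; a gateway MAC change is the alert that matters most.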

LT72884
« Reply #10 on: February 25, 2010, 10:50:33 PM »
I appreciate your concern and time. Since I am new to the security world, I lack the experience for it. Hence why I am here. haha. I'm looking forward to Tom's book. At least with that I will have a foot in the door. From there I will use the BackTrack labs/tutorials I got from my professor. I'm glad that VirtualBox will do what I need it to do, and thank you for researching that for me. I didn't know where to start. The only issue I have is I can't really use VB to do security with routers and switches or firewalls. But luckily for me I have a CCNP Cisco lab in my dang room. haha.

UNIX
« Reply #11 on: March 01, 2010, 06:12:19 AM »
Generally there is no problem in simulating ARP spoofing and similar attacks within a virtual lab. You might have to play around with the network settings, though, but usually there is no need to mess around further.

johnnekar
« Reply #12 on: March 02, 2010, 01:21:14 AM »
Hey, first you'll have to turn SSL dissection on. Does your ettercap window say "valid redir command need for ssl dissection"? Browse to the file /etc/etter.conf. Get it into editing mode and find iptables. There are two lines of code below iptables; uncomment those lines, i.e. remove the '#' from the front of those lines. Your edited code should look like this, as in the image below. Save and exit.
Your tomorrow should be better than your today.. j0hnn3k4r

johnnekar
« Reply #13 on: March 02, 2010, 07:22:34 AM »
Your tomorrow should be better than your today.. j0hnn3k4r