
ettercap with backtrack 4

<<

joshboss1234

Newbie

Posts: 12

Joined: Wed Feb 17, 2010 8:50 am

Post Thu Feb 18, 2010 7:27 pm

ettercap with backtrack 4

I've been looking at tutorials for ettercap. I've been trying to sniff out passwords with ARP injection on my network, but I'm not having too much luck. A little help please. Here is what I have been doing:

in shell: ettercap -G

goes into graphic mode:

sniff > unified sniffing > network interface (I chose wlan0). I'm pretty sure that this is the correct one for me.

start > start sniffing

hosts > scan for hosts

when done scanning:

hosts > host list

then I set the user as target1 and the AP as target2

mitm > arp poisoning > sniff remote connections

The tutorial said it should just start printing passwords in plain text, but it's not working for me. I went to all kinds of login sites on my other computer, but still nothing. I'm thinking that I didn't configure something (even though the tutorial didn't mention it), or it has something to do with the Vista security (even though my anti-virus didn't say anything). Appreciate the help.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu Feb 18, 2010 7:55 pm

Re: ettercap with backtrack 4

Are you sure you are logging into sites that transmit authentication in clear text?  Encryption will stop you from seeing passwords.
~~~~~~~~~~~~~~
Ketchup
<<

joshboss1234

Newbie

Posts: 12

Joined: Wed Feb 17, 2010 8:50 am

Post Thu Feb 18, 2010 8:06 pm

Re: ettercap with backtrack 4

Are you saying that the steps that I took are correct? The tutorial that I watched showed them going to Google, Hotmail, eBay, etc., and it worked on the video. And I thought that ettercap turns the packets that it captures into plain text. No idea why it isn't working for me?
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 18, 2010 11:02 pm

Re: ettercap with backtrack 4

* Edited: Note, I was half-baked last night, from lack of sleep. The steps below were for SSH downgrade, not SSL. See my last post for something more relevant to SSL *

Ketchup and joshboss1234...

ettercap has an ssl man-in-the-middle, which will allow you to catch encrypted usernames and passwords, yes.  I've used it previously.  There is an extra setting that needs to be set / enabled for the ssl piece, though.  You can't simply play 'arp man-in-the-middle'

To step through configuration and attack, using ettercap on linux:

http://openmaniak.com/ettercap.php

then proceed to the next section, about filters:

http://openmaniak.com/ettercap_filter.php

specifically, where it discusses ssh downgrade attacks:

http://openmaniak.com/ettercap_filter.p ... ade-attack

Hope this helps.  There are other tutorials about this, but the point being, first you have to configure for the ARP mitm attack, then you have to enable the ssh pieces, to truly get plain-text capture of username and passwords to work from ssl encrypted pages and forms.
Last edited by hayabusa on Fri Feb 19, 2010 8:39 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Feb 19, 2010 12:02 am

Re: ettercap with backtrack 4

Ha, I learned something new :)  I knew that you could use ettercap with sslstrip, but I had no idea that ettercap had a built-in filter for dealing with SSL.  It also doesn't strip the SSL, instead it presents the user with a fake certificate.    Do you get any CA trust warnings with the fake cert? I am going to have to test this.
<<

joshboss1234

Newbie

Posts: 12

Joined: Wed Feb 17, 2010 8:50 am

Post Fri Feb 19, 2010 3:59 am

Re: ettercap with backtrack 4

thanks man
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 19, 2010 8:33 am

Re: ettercap with backtrack 4

Ketchup wrote:Ha, I learned something new :)   I knew that you could use ettercap with sslstrip, but I had no idea that ettercap had a built-in filter for dealing with SSL.  It also doesn't strip the SSL, instead it presents the user with a fake certificate.    Do you get any CA trust warnings with the fake cert? I am going to have to test this.


It will warn the user, or at a minimum, prompt the user to accept a new certificate, so a truly 'watchful' end-user would likely catch it.  (Thus I prefer sslstrip, myself, as it's much more stealthy.)  But for spur of the moment needs, ettercap is, at least, a workable / usable solution.  

Edit:  Incidentally, I missed the proper section when I gave steps above.  You don't want the 'SSH downgrade attack.'  But there IS an ssl plugin for attacking ssl, as well.  (Sorry if I confused anyone)  Here's one sample video, where they do some https stuff (later in the video):

http://www.milw0rm.com/video/watch.php?id=49

Cheers!
Last edited by hayabusa on Fri Feb 19, 2010 8:43 am, edited 1 time in total.
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Thu Feb 25, 2010 7:57 pm

Re: ettercap with backtrack 4

Hope you don't mind me hi-jackin the thread real fast, but I wanna try this with VirtualBox. So I need a lab. I just bought Tom's book and it should be here within the week. The lab that he instructs us to build in the book, will that work with these ettercap attacks and tutorials? Or do I need to add some other hosts and devices to it for it to work?

thanx

Matt
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 25, 2010 11:30 pm

Re: ettercap with backtrack 4

While I never actually set up Tom's lab, 'specifically' per the book (in virtualbox, or otherwise), assuming you can put the box on a physical (or logical / virtual) network segment which allows ARP injection (which I'm guessing it should), then this should be perfectly doable in the lab.  I've honestly never used virtualbox, but rather VMWare.  However, from anything I've read quickly tonight, arp spoofing should be perfectly workable with virtualbox.

Case in point, an ARP spoofing tutorial (non-ssl specific) at:

http://hack2live.blogspot.com/2008/07/i ... rping.html

So assumption is that it's perfectly doable in virtualbox.
Last edited by hayabusa on Thu Feb 25, 2010 11:32 pm, edited 1 time in total.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Feb 25, 2010 11:39 pm

Re: ettercap with backtrack 4

Also, if you're looking to do more proactive monitoring / warning for this type of ARP spoofing activity, you can use tools like arpmon and arpwatch to keep an eye on things, and be notified if the arp table entries on the network are changing for the machines on the network.

Additionally, SANS has a good read about ARP and monitoring ARP, at:

http://www.sans.org/reading_room/whitep ... =protocols
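The kind of check that the ARP monitoring tools mentioned in the post above perform, as an added example that is not part of the original thread and is not arpwatch's own code: compare two ARP-cache snapshots and flag an IP whose MAC changed, or one MAC answering for several IPs. The snapshots use the Linux /proc/net/arp layout and all addresses in them are constructed.

```python
"""Compare two ARP-cache snapshots and flag signs of ARP poisoning."""
from collections import defaultdict

# Constructed samples in Linux /proc/net/arp format (addresses are made up).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.30     0x1         0x2         aa:bb:cc:00:00:30     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         AA:BB:CC:00:00:30     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.30     0x1         0x2         aa:bb:cc:00:00:30     *        wlan0
"""

def parse_arp(text):
    """Return {ip: mac} for resolved entries; skip the header and incomplete rows."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields
        if int(flags, 16) & 0x2 == 0:   # ATF_COM not set: entry never resolved
            continue
        table[ip] = mac.lower()         # normalise case before comparing
    return table

def detect(before, after):
    """Return sorted alerts: ('changed', ip, old, new) and ('shared', mac, ips)."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            alerts.append(("changed", ip, old, mac))
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:                # one NIC answering for several IPs
            alerts.append(("shared", mac, tuple(sorted(ips))))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(parse_arp(BEFORE), parse_arp(AFTER)):
        print(alert)
```

A shared MAC also occurs legitimately with proxy ARP or hosts holding several addresses, so the gateway's IP appearing in a "changed" alert is the stronger signal.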
<<

LT72884

Jr. Member

Posts: 99

Joined: Thu Oct 15, 2009 3:11 pm

Location: Utah

Post Thu Feb 25, 2010 11:50 pm

Re: ettercap with backtrack 4

hayabusa wrote:Also, if you're looking to do more proactive monitoring / warning for this type of ARP spoofing activity, you can use tools like arpmon and arpwatch to keep an eye on things, and be notified if the arp table entries on the network are changing for the machines on the network.

Additionally, SANS has a good read about ARP and monitoring ARP, at:

http://www.sans.org/reading_room/whitep ... =protocols



I appreciate your concern and time. Since I am new to the security world, I lack the experience for it. Hence why I am here. Haha. I'm looking forward to Tom's book. At least with that I will have a foot in the door. From there I will use the BackTrack labs/tutorials I got from my professor. I'm glad that VirtualBox will do what I need it to do, and thank you for researching that for me. I didn't know where to start. The only issue I have is I can't really use VB to do security with routers and switches or firewalls. But luckily for me I have a CCNP Cisco lab in my dang room. Haha.
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Mar 01, 2010 7:12 am

Re: ettercap with backtrack 4

Generally there is no problem in simulating ARP spoofing and similar attacks within a virtual lab. You might have to play around with the network settings though, but usually there is no need to further mess around. ;)
<<

johnnekar

Newbie

Posts: 11

Joined: Fri Feb 12, 2010 2:25 am

Post Tue Mar 02, 2010 2:21 am

Re: ettercap with backtrack 4

Hey, first you'll have to turn SSL dissection on. Does your ettercap window say a valid redir command is needed for ssl dissection? Browse to the file /etc/etter.conf.
Get it into editing mode and find iptables. There are two lines of code below iptables; uncomment those lines, i.e. remove the '#' from the front of those lines.
Your edited code should look like this, as in the image below. Save and exit.
Your tomorrow should be better than your today.. j0hnn3k4r
<<

johnnekar

Newbie

Posts: 11

Joined: Fri Feb 12, 2010 2:25 am

Post Tue Mar 02, 2010 8:22 am

Re: ettercap with backtrack 4
