Re: Script for sniffing traffic.
Hello comaX,
First of all, thanks for sharing your script... I was testing it and noticed the victims can't play YouTube while the script is running. I tested with Chrome and Safari with the same results. The videos seem to be loading but don't load, and so don't play. The script works great, but the stealth factor starts to fail when the victims guess something is weird. Is there a fix for it? Thanks in advance.
Re: Script for sniffing traffic.
Nice script. It works on my BT5R1 KDE 32 like a charm. I have some problems with SSL, because I can't get passwords from SSL sites.
Maybe it's my problem, I don't know. The settings seem to be OK.
@JUUJUU: If you want to see what sites the clients visit try: urlsnarf -i wlan0 (In wlan0 enter your interface, e.g. eth0, wlan0, wlan1 etc)
Re: Script for sniffing traffic.
Quote: Originally Posted by khaos
Nice script. It works on my BT5R1 KDE 32 like a charm. I have some problems with SSL, because I can't get passwords from SSL sites.
Maybe it's my problem, I don't know. The settings seem to be OK.
Are you sure you're not logging on in the test case in https://... If you are then being the MiTM won't help, because all traffic is encrypted anyway. You need to make sure sslstrip is taking away the HTTPS and making it HTTP only. If it's not, then try using the ettercap option and spoofing the SSL connection. Although that might take some social engineering to work in the wild... If the options that I suggested to comaX (allowing user input for the decision of either fake SSL, sslstrip, padlock icon, fake certificate etc...) get put in place, then it'll be easier. But until then good luck.
Re: Script for sniffing traffic.
Quote:
If the options that I suggested to ComaX (Allowing user input for the decision of either fake ssl, sslstrip, padlock icon, fake certificate etc...) get put in place
Damn, I forgot about those. Sorry.
It's been a while since I wrote anything new.
About the padlock icon, don't you think it's better to leave it the way it is? Do you think some people might not want it? If so, I will make that an option.
I'll try to work on the other stuff you mentioned too, if I have the time.
Cheers!
Re: Script for sniffing traffic.
I think that the initiation of the script should look like this
./yamas
(a)rpspoof or (e)ttercap?
if a then keep all the defaults the way they are
if e then
    do you want to (s)trip the ssl connection or to s(p)oof it?
    if s then keep defaults and do you want to add the (p)adlock icon in the users browser?
    if p then
        do you want to use a fake certificate or not? Y/n?
The flow of this will allow the user to define all his own options and still provide the functionality of the other options to those who want them. Let me know. Thanks. Still looking forward to the update. :D
Re: Script for sniffing traffic.
AHH double post sorry!! Screwed up browser on a slow computer....
Re: Script for sniffing traffic.
Quote:
(a)rpspoof or (e)ttercap?
if a then keep all the defaults the way they are
if e then
    do you want to (s)trip the ssl connection or to s(p)oof it?
    if s then keep defaults and do you want to add the (p)adlock icon in the users browser?
    if p then
        do you want to use a fake certificate or not? Y/n?
The flow of this will allow the user to define all his own options and still provide the functionality of the other options to those who want them. Let me know. Thanks. Still looking forward to the update.
I'll leave the ettercap option as a parameter passed to the script, but I think I'll use this kind of menu, it's a good idea! By the way, if you have an idea of how to script this, you can submit it to me and you'll get the proper credits ;)
My main problem is that I never used ettercap much for the SSL stuff because I think it's bad SE, but surely I understand why someone would want that, so it makes sense to add it.
Cheers
Btw, is it me or is the site going really slow these last couple of weeks?
Re: Script for sniffing traffic.
Quote:
Originally Posted by comaX
I'll leave the ettercap option as a parameter passed to the script, but I think I'll use this kind of menu, it's a good idea! By the way, if you have an idea of how to script this, you can submit it to me and you'll get the proper credits ;)
My main problem is that I never used ettercap much for the SSL stuff because I think it's bad SE, but surely I understand why someone would want that, so it makes sense to add it.
Cheers
Btw, is it me or is the site going really slow these last couple of weeks?
It might be just the two of us, it's been sluggish for me as well. :p
So. The "new" flow looks like this.
./yamas - same old, same old.
./yamas -e
Do you want.... (all the previous menu options.)
BTW, I'm not sure what you mean by bad SE?
Anyway, I've never really scripted anything in bash, but I've got years of experience with C and .NET, so it might be ported. That being said, if I knew what I was doing in bash, I would write it like so:
All vars would be booleans
var=(strip or spoof?)
if strip then var1=(padlock?)
    if var1 then
        run command w/ padlock, exit function/loop
    if not var1 then
        run command w/o padlock, exit function/loop
if spoof then var1=(add cert?)
    if var1 then
        run command w/ cert, exit function/loop
    if not var1 then
        run command w/o cert, exit function/loop
This pseudocode could be ported to bash fairly easily, I just don't know how... But I leave that to the experts like you. :D
Let me know. Thanks.
Re: Script for sniffing traffic.
I wouldn't call myself an expert at all, but thanks! I guess I'll have to do some reading on ettercap's functionalities.
By "bad SE", I mean that any decent browser these days would say "bad cert, don't go there", I can't imagine someone thinking "You know what, browser? F*ck you, imma going' there!"
I guess I still want to believe in humanity after all :p
EDIT :
I came across a MAJOR problem while working on this... Unless I understood something the wrong way, you either spoof ssl connection with ettercap's fakessl (which includes fakecert), and you WILL have https etc or you use sslstrip to get rid of the ssl.
But you can't do both at the same time.
So including fakessl would mean disabling sslstrip, which will mean that the password parsing won't work, which pretty much defeats the whole goal of the script.
Correct me if I'm wrong!
Meanwhile, I'll keep digging.
EDIT :
@AnimusDomini
Quote:
Hello comaX,
First of all, thanks for sharing your script... I was testing it and noticed the victims can't play YouTube while the script is running. I tested with Chrome and Safari with the same results. The videos seem to be loading but don't load, and so don't play. The script works great, but the stealth factor starts to fail when the victims guess something is weird. Is there a fix for it? Thanks in advance.
I believe it was posted retroactively... So, as I told you, I never experienced such a thing, but it would make sense if the videos were slow to load. I'll ask people to provide feedback in the "message of the day" in the script, hoping people actually read it ^^
Re: Script for sniffing traffic.
Quote: Originally Posted by ShadowMaster
Are you sure you're not logging on in the test case in https://... If you are then being the MiTM won't help, because all traffic is encrypted anyway. You need to make sure sslstrip is taking away the HTTPS and making it HTTP only. If it's not, then try using the ettercap option and spoofing the SSL connection. Although that might take some social engineering to work in the wild... If the options that I suggested to comaX (allowing user input for the decision of either fake SSL, sslstrip, padlock icon, fake certificate etc...) get put in place, then it'll be easier. But until then good luck.
Thanks for your reply, but I didn't understand what you mean. I have run yamas, and when I tried to log in on my test PC ("victim") to Gmail via https://gmail.com, it doesn't strip the SSL.
Maybe I have not understood how sslstrip works. I think that sslstrip removes the SSL and the site will be http://gmail.com, and does not give a fake SSL certificate to the victim (as Cain and Abel does). So what do I have wrong?
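The stripping-versus-fake-certificate distinction discussed above, seen from the defending side, as an added example that is not part of the thread or of the yamas script: a stripped session shows no certificate warning, so the visible signs are redirects and links to HTTPS-only hosts arriving as plain http://. The host list, sample responses and function names below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts the defender knows are served over HTTPS only (constructed sample list).
HTTPS_ONLY_HOSTS = {"accounts.example.com", "mail.example.com"}

# URLs carried in href/action/src attributes of the observed page.
URL_ATTR = re.compile(r'''(?:href|action|src)\s*=\s*["']([^"']+)["']''', re.I)


def downgraded_urls(body, https_only_hosts):
    """Return http:// URLs in the body that point at HTTPS-only hosts."""
    hits = []
    for url in URL_ATTR.findall(body):
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and parts.hostname in https_only_hosts:
            hits.append(url)
    return hits


def stripping_indicators(headers, body, https_only_hosts=HTTPS_ONLY_HOSTS):
    """List (kind, url) findings for one response received over plain HTTP."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location", "")
    loc = urlsplit(location)
    # A redirect that should have moved the browser to HTTPS but did not.
    if loc.scheme.lower() == "http" and loc.hostname in https_only_hosts:
        findings.append(("redirect-downgraded", location))
    # Login forms and links that should be https:// but arrive as http://.
    for url in downgraded_urls(body, https_only_hosts):
        findings.append(("link-downgraded", url))
    return findings


# Constructed sample responses: one as the real site sends it, one downgraded.
CLEAN_HEADERS = {"Location": "https://mail.example.com/inbox"}
CLEAN_BODY = '<a href="https://accounts.example.com/login">Sign in</a>'
STRIPPED_HEADERS = {"Location": "http://mail.example.com/inbox"}
STRIPPED_BODY = (
    '<form action="http://accounts.example.com/login" method="post"></form>'
    '<a href="http://news.example.org/">News</a>'
)

if __name__ == "__main__":
    print(stripping_indicators(CLEAN_HEADERS, CLEAN_BODY))
    print(stripping_indicators(STRIPPED_HEADERS, STRIPPED_BODY))
```

A session that starts at an https:// URL never passes through these checks, because the response is not readable or rewritable on the path without a certificate the browser would reject.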