Thread: ettercap, https

  1. #1
    Junior Member
    Join Date
    Sep 2008
    Posts
    30

    Hey all,

    Been using ettercap on my network for a couple of days.

    Wanted to test what I'd learned so far and ran into a big problem.

    Using ARP poisoning with the target computer as target 1, I cannot access hotmail, gmail, paypal etc.

    When I tested the other day, a fake certificate would pop up on the victim computer, which I would accept, and everything would work fine.

    Now, the certificate 'accept' screen isn't even popping up and I am unable to log into hotmail.

    I've tried several different setups (checked the etter.conf) and nothing seems to bring up the certificate accept screen.

    If it helps, I started wireshark and the 'accept' screen for the fake certificate came up. Went to hotmail, facebook, paypal etc., still not coming up when I access those pages.

    So, I turn on my comp, connect to WEP network, run ettercap in graphic mode, shift+u, ctrl+s to scan network, select victim IP as target one, start the ARP attack.

    Can sniff normal traffic and see websites, but as I said, fake cert box not coming up on victim comp; when I try and log into hotmail it times out.

    Help?

  2. #2
    Junior Member
    Join Date
    Sep 2008
    Posts
    30

    Been surfing while I'm at work today and think I've come across the solution, which I will try when I get the chance.

    New konsole, type

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Next, type

    cat /proc/sys/net/ipv4/ip_forward

    which should return the value as 1.

    Maybe that's why it worked before, but as soon as I rebooted, the value was set to zero again.

  3. #3
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    You are correct. You must set up IP forwarding in the kernel for it to work.

  4. #4
    Member
    Join Date
    Jun 2007
    Posts
    218

    Originally Posted by pureh@te
    You are correct. You must set up IP forwarding in the kernel for it to work.

    I don't see why you would want to stop ettercap from forwarding packets.

  5. #5
    Junior Member
    Join Date
    Sep 2008
    Posts
    30

    Level,

    I think that when I rebooted, it automatically reset it. I now know there's a way to have it permanently turned on, which I will look into.

    I've just got to experiment. Some forums say to type echo 1 > /proc etc. before opening ettercap, some say after opening ettercap because ettercap automatically turns off ip_forwarding.

    Some forums say that the code to type in the terminal is

    echo 1 > /proc/sys/net/ipv4/ip_forward

    others say

    echo "1" > /proc/sys/net/ipv4/ip_forward

    Just gonna trial and error with it unless anybody can point me in the right direction?

  6. #6
    Member
    Join Date
    Jun 2007
    Posts
    218

    Check that you enabled the redir_command in etter.conf and also arp:remote when you did the arp poisoning.

    If you listed the commands you used it would be easier to help you.

  7. #7
    Junior Member
    Join Date
    Sep 2008
    Posts
    30

    Level,

    Yes, I have changed etter.conf.

    What I was doing (still at work) was connecting to my WEP network.

    I would then enter ettercap in graphic mode
    scan, host list
    select victim computer as target 1
    start arp (without checking remote only)
    sniff

    So, do I need to do remote only sniff?
    Do I need to enter echo 1 > /proc/sys/net/ipv4/ip_forward and if so, before or after I start ettercap?

    Many thx

  8. #8
    Member
    Join Date
    Jun 2007
    Posts
    218

    I would suggest some further reading to get a better understanding of what you're trying to do and what ettercap does. As to ip_forwarding, I would let ettercap forward the packets. You need to enable arp:remote and also include your gateway in the target list.

    This is a brief summary of how the attack works:

    1. Attacker connects to the network
    2. Attacker sends specific ARP replies to the gateway and victim so that packets are routed through him
    3. Victim requests a website using SSL
    4. Attacker relays this request to the actual Server
    5. Server replies with a certificate
    6. Attacker swaps his own certificate for the Server's
    7. Victim accepts the fake certificate and submits his credentials
    8. Attacker decrypts the message, logs it, and then re-encrypts it with the Server's certificate
    9. Further messages are relayed in a similar manner and the entire SSL session is captured transparently
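
Seen from the defending side, step 2 of the summary above is observable on the wire: the gateway's IP address starts answering from a new MAC address, and one MAC address answers for several IP addresses at once. The following is an added example, not part of the original thread; the log line format, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies, one per line:
# "<seconds> <sender_ip> <sender_mac>". Format and addresses are illustrative.
SAMPLE = """\
1 192.168.1.1 aa:aa:aa:aa:aa:01
2 192.168.1.20 bb:bb:bb:bb:bb:20
3 192.168.1.66 cc:cc:cc:cc:cc:66
10 192.168.1.1 cc:cc:cc:cc:cc:66
10 192.168.1.20 cc:cc:cc:cc:cc:66
11 192.168.1.1 cc:cc:cc:cc:cc:66
"""

def parse(text):
    """Yield (ts, ip, mac) from well-formed lines; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].lower()

def detect(text, pinned=None):
    """Flag IP-to-MAC bindings that change and MACs answering for several IPs.

    pinned: optional {ip: mac} of bindings known to be good (e.g. the gateway).
    Without it the first binding seen is trusted, which is wrong if the
    poisoning began before the capture did.
    """
    baseline = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ips_by_mac = defaultdict(set)
    changed, seen = [], set()
    for ts, ip, mac in parse(text):
        known = baseline.setdefault(ip, mac)
        if known != mac and (ip, mac) not in seen:
            seen.add((ip, mac))  # report each new claimant once, not per packet
            changed.append((ts, ip, known, mac))
        ips_by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return {"changed": changed, "multi": multi}

if __name__ == "__main__":
    result = detect(SAMPLE)
    for ts, ip, old, new in result["changed"]:
        print(f"t={ts}s {ip} moved from {old} to {new}")
    for mac, ips in result["multi"].items():
        print(f"{mac} answers for {', '.join(ips)}")
```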

  9. #9
    Junior Member
    Join Date
    Sep 2008
    Posts
    30

    Hey Level, thx for posting.

    I've got a basic understanding of what's happening. I'm guessing I've either knocked a setting out or inadvertently changed the etter.conf file somewhere without realising.

    What's annoying me is that when I used ettercap for the first time, it sniffed the password no problem. I then got remote browser working, but then password sniff stopped working, then remote browser. 1 step forward, two steps back.

    I've created a new thread explaining what happened, what I'm doing etc. (probably fresh installing backtrack 3 and starting afresh).

    You know when you mentioned about not setting the kernel to forward packets, from what I understand, that's why ettercap wasn't sniffing the hotmail password???

    the0
