Ettercap Securty Certificate

[SudoGeek]

Hi, I'm new to linux and penetration testing technologies / methods, etc

So far I have set up an Apache server, cracked my own WEP and WPA networks, and sniffed SSL traffic using ettercap...which brings me onto my question.

Before posting this I have searched these forums and the internet to no avail.

When using ettercap modern browsers display a security warning regarding the certificate (which is a good thing). As I understand it ettercap substitutes the genuine certificate for its certificate, this is built from the information contained on the genuine certificate but does not change the issuer which triggers the warning.

Within the ettercap directory there is 'etter.ssl.crt' which I am presuming is the template ettercap uses to create the fake certificate.

Within this post > hxxp://forums.remote-exploit.org/pentesting/24713-what-least-noisy-mitm-attack-take-control-box.html#post142968

It is mentioned that it is possible to "deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic."

Questions:
1.Where can I find information explaining how I can create a 'root cert' for use with ettercap;

2.Would I need to create a single root cert for ettercap or a cert for each SSL site I wish to sniff without the warnings (i.e. hotmail, googlemail, etc, etc)

In the long term I plan to have a go at Evilgrade > Metasploit to remotely install the cert onto the target machine, however I feel there-in lies a steep learning curve

[Gitsnik]

Considering I was the one who said it, I'm quite pleased to see you following up.

You will first want to look into generating ssl certificates with OpenSSL (specifically, generating root certificates), and then how to install them in a domain or directly into a windows XP box (I've yet to do it to my girlfriends vista box so I can't comment on that)

If you follow the steps you find (and I'm not providing that much information) you can run up a test with a simple apache server - giving it an SSL certificate (most of them show you how to generate your own webserver certificates from a root certificate - stay away from self signed web certificates). If you can get your browser to connect to the apache server with no SSL errors (that relate to the root certificate in the chain), then you are on the right track.

From there it is a relativly simple task of figuring out what files ettercap reads from and making sure you have your root certificate (or an intermediate signing authority) in the same format, then place it there. Ettercap will generate the rest for you (especially if you run it off BT).

It would be worth your time to hit up (at least) wikipedia to figure out how SSL security chains work and why what we are doing is working.

In terms of metasploiting the certificate on, I've only ever done it once and it was an absolute bitch to do - though recently I uncovered the command line kung fu courses for windows (wmic.exe is now my new favourite tool) so I guess it will become a lot easier.

Good luck!

[lupin]

Hi, I'm new to linux and penetration testing technologies / methods, etc

So far I have set up an Apache server, cracked my own WEP and WPA networks, and sniffed SSL traffic using ettercap...which brings me onto my question.

Before posting this I have searched these forums and the internet to no avail.

When using ettercap modern browsers display a security warning regarding the certificate (which is a good thing). As I understand it ettercap substitutes the genuine certificate for its certificate, this is built from the information contained on the genuine certificate but does not change the issuer which triggers the warning.

Within the ettercap directory there is 'etter.ssl.crt' which I am presuming is the template ettercap uses to create the fake certificate.

Within this post > hxxp://forums.remote-exploit.org/pentesting/24713-what-least-noisy-mitm-attack-take-control-box.html#post142968

It is mentioned that it is possible to "deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic."

Questions:
1.Where can I find information explaining how I can create a 'root cert' for use with ettercap;

2.Would I need to create a single root cert for ettercap or a cert for each SSL site I wish to sniff without the warnings (i.e. hotmail, googlemail, etc, etc)

In the long term I plan to have a go at Evilgrade > Metasploit to remotely install the cert onto the target machine, however I feel there-in lies a steep learning curve

Wow, a new poster who has actually done some research and is asking intelligent questions. Thats new! Other posters take note - this is how you should post in order to get good responses.

Anyway, Id agree with Gitsnik in that you may want to do a bit of research on how SSL works in a browser. This will give you some ideas on how to proceed.

Heres a bit of a hint for you to get you started - when setting up an SSL session between a browser and a remote website, the browser performs some checks on the site's certificate. If any of the the checks fail then the warning message is shown. Some of the more relevant checks that relate to what you are doing are:

• A check to confirm that the site's certificate is signed by a Certificate Authority trusted by your browser, and
• A check to confirm that the name of the site matches the name on the certificate presented by the site (and how is the name of a site translated into the address of the system again? *cough* DNS *cough*)

You also may want to look at working around the problem of SSL encryption, using something like sslstrip.

[SudoGeek]

Thanks for the responses / encouragement, I needed pointing in the right direction...I will read up and report back once I have some success.