Thread: Ettercap Security Certificate

  1. #1
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    2

Ettercap Security Certificate

Hi, I'm new to Linux and penetration testing technologies / methods, etc.

So far I have set up an Apache server, cracked my own WEP and WPA networks, and sniffed SSL traffic using ettercap... which brings me on to my question.

    Before posting this I have searched these forums and the internet to no avail.

When using ettercap, modern browsers display a security warning regarding the certificate (which is a good thing). As I understand it, ettercap substitutes its own certificate for the genuine one; this is built from the information contained in the genuine certificate but does not change the issuer, which triggers the warning.

Within the ettercap directory there is 'etter.ssl.crt', which I am presuming is the template ettercap uses to create the fake certificate.

    Within this post > hxxp://forums.remote-exploit.org/pentesting/24713-what-least-noisy-mitm-attack-take-control-box.html#post142968

    It is mentioned that it is possible to "deploy a root cert out to my XP machines in the domain so that I can ettercap them at will without getting the giant "OMG IZ BAD!" alerts, but what happens after that can be more problematic."

Questions:
1. Where can I find information explaining how I can create a 'root cert' for use with ettercap?

2. Would I need to create a single root cert for ettercap, or a cert for each SSL site I wish to sniff without the warnings (i.e. Hotmail, Googlemail, etc.)?

In the long term I plan to have a go at Evilgrade > Metasploit to remotely install the cert onto the target machine; however, I feel therein lies a steep learning curve.

  2. #2
Gitsnik (Very good friend of the forum)
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Considering I was the one who said it, I'm quite pleased to see you following up.

You will first want to look into generating SSL certificates with OpenSSL (specifically, generating root certificates), and then how to install them in a domain or directly into a Windows XP box (I've yet to do it to my girlfriend's Vista box, so I can't comment on that).

If you follow the steps you find (and I'm not providing that much information) you can run up a test with a simple Apache server, giving it an SSL certificate (most of them show you how to generate your own webserver certificates from a root certificate; stay away from self-signed web certificates). If you can get your browser to connect to the Apache server with no SSL errors (that relate to the root certificate in the chain), then you are on the right track.

From there it is a relatively simple task of figuring out what files ettercap reads from and making sure you have your root certificate (or an intermediate signing authority) in the same format, then placing it there. Ettercap will generate the rest for you (especially if you run it off BT).

It would be worth your time to hit up (at least) Wikipedia to figure out how SSL security chains work and why what we are doing is working.

In terms of metasploiting the certificate on, I've only ever done it once and it was an absolute bitch to do, though recently I uncovered the command line kung fu courses for Windows (wmic.exe is now my new favourite tool) so I guess it will become a lot easier.

    Good luck!
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
lupin (Super Moderator)
    Join Date
    Jan 2010
    Posts
    2,943

Quote Originally Posted by SudoGeek:
(post #1 quoted in full)
Wow, a new poster who has actually done some research and is asking intelligent questions. That's new! Other posters take note: this is how you should post in order to get good responses.

Anyway, I'd agree with Gitsnik in that you may want to do a bit of research on how SSL works in a browser. This will give you some ideas on how to proceed.

Here's a bit of a hint for you to get you started: when setting up an SSL session between a browser and a remote website, the browser performs some checks on the site's certificate. If any of the checks fail, then the warning message is shown. Some of the more relevant checks that relate to what you are doing are:
    • A check to confirm that the site's certificate is signed by a Certificate Authority trusted by your browser, and
    • A check to confirm that the name of the site matches the name on the certificate presented by the site (and how is the name of a site translated into the address of the system again? *cough* DNS *cough*)


    You also may want to look at working around the problem of SSL encryption, using something like sslstrip.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
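The two checks lupin lists (is the certificate signed by a CA in the browser's trust store, and does the host name match the certificate), together with the root-to-site certificate chain Gitsnik describes, as an added example that is not code from this thread, from ettercap or from OpenSSL: it uses Go's standard crypto/x509 package to construct a throwaway root CA, sign a site certificate with it, and run a browser-style verification against a trust store. The CA names and host names (Genuine Root CA, Rogue Root CA, mail.example.com, login.example.com) are constructed for the example, and a trust store is just a list of root certificates here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

var serial int64 // counter so each constructed certificate gets a unique serial number
// makeCert builds a throwaway test certificate for cn; self-signed when parent is nil.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the name a browser compares against the URL's host
	}
	signer, signerKey := tmpl, key // self-signed unless an issuing CA is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey); if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}
// BrowserCheck: the leaf must chain to a root in the trust store and the URL host must match a name on it.
func BrowserCheck(leaf *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, c := range trusted { pool.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err // nil means a browser would show no warning
}

// RunScenarios trusts only the genuine root and checks (1) the genuine site cert, (2) a same-name
// cert issued by a root the store does not trust, (3) the genuine cert presented for another host.
func RunScenarios() (genuine, untrustedRoot, wrongHost error) {
	root, rootKey := makeCert("Genuine Root CA", true, nil, nil)
	rogue, rogueKey := makeCert("Rogue Root CA", true, nil, nil)
	site, _ := makeCert("mail.example.com", false, root, rootKey)
	forged, _ := makeCert("mail.example.com", false, rogue, rogueKey)
	store := []*x509.Certificate{root}
	return BrowserCheck(site, store, "mail.example.com"), BrowserCheck(forged, store, "mail.example.com"), BrowserCheck(site, store, "login.example.com")
}
```

Only the first scenario returns nil; the second fails because the issuing root is absent from the store (which is exactly what adding a root to the store changes), and the third fails on the name check alone even though the chain is trusted.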

  4. #4
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    2

Thanks for the responses / encouragement, I needed pointing in the right direction... I will read up and report back once I have some success.
