Sniffing Tutorial:

**yeehaw** · 02-05-2006, 08:42 PM

Simple Sniffing Tutorial

Tools:

Ettercap
nano

1. For SSL Dissection support (hotmail,gmail), you need to do this:
Open a shell, type: "nano /usr/local/etc/etter.conf", use the down arrow until you reach "redir_command_on/off", look at the linux part, your gonna need to uncomment:

Code:

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

to:

Code:

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

after your done, press F2, Y, Return.

Now boot Ettercap: Menu --> Backtrack --> Spoofing --> Ettercap
Go to: Sniff --> Unified Sniffing -->ethX(what interface you want to sniff).
Then Press: Ctrl+S to scan hosts.
Then Go to: Mitm --> ARP poisoning, select sniff remote connections, and press ok.
Then Go to: Start --> Start Sniffing.

For an Example, Walk to another pc, go to your internet email account (Hotmail, Gmail), and log in, you will be asked to trust the certificate, Trust it, and watch your sniffing computer, the username and password should appear.

When your done, go to Start --> Stop Sniffing, And go to Mitm --> Stop mitm attack(s)

Yeehaw

**Ikaru** · 02-05-2006, 11:38 PM

Thanks for the nice tutorial!

I have another question to webmitm. I once was reading in the old forum that there is a other tool which fills the certificate automatically !?

**_hap_** · 02-06-2006, 12:18 AM

your gonna need to uncomment: # if you use iptables:

Can you please explain this part. I found

Code:

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

but what do you mean "uncomment"? Sorry for the n00b question...

Just need a little more explanation on what to do here???

Thx

**hobbes** · 02-06-2006, 01:18 AM

Remove the hash marks ( # ) at the beginning of the two lines following "# if you use iptables:".

**_hap_** · 02-06-2006, 02:02 AM

Originally Posted by hobbes

Remove the hash marks ( # ) at the beginning of the two lines following "# if you use iptables:".

Worked and thanks... But I noticed the certificate keeps popping up and I was never able to log into hotmail using both ie & ff... Is there a fix or work around for this? Plus if you click "view cetificate" it says "This certificate cannot be verified up to a trusted certification authority.". How can I make the certificate look like its a trusted source?

**yeehaw** · 02-06-2006, 06:39 AM

Originally Posted by FreshFish

Worked and thanks... But I noticed the certificate keeps popping up and I was never able to log into hotmail using both ie & ff... Is there a fix or work around for this? Plus if you click "view cetificate" it says "This certificate cannot be verified up to a trusted certification authority.". How can I make the certificate look like its a trusted source?

you can't, you need to press yes multiple times...

Yeehaw

**TheGreatVirus** · 03-15-2006, 10:16 PM

Very well done. Thanks alot for using Ettercap! Hahaha

**yeehaw** · 03-21-2006, 08:25 AM

TheGreatVirus, are you the author?

**fifo_thekid** · 03-21-2006, 08:54 AM

what about a small video tutorial hosted by rapidshare?

**yeehaw** · 03-22-2006, 12:38 PM

dunno wich tools for linux and windows i should use, enlighten me

BackTrack Linux - Penetration Testing Distribution

Thread: Sniffing Tutorial:

Thread Tools

Search Thread

Display

Sniffing Tutorial:

Posting Permissions