
Thread: clear cookies or something with ettercap

  1. #1
    Just burned his ISO | Join Date: Jun 2010 | Posts: 1

    clear cookies or something with ettercap

    Hello, I'm new with BackTrack and ettercap.
    I have succeeded in ARP-poisoning and enabling SSL sniffing in etter.conf.
    But my question now is...
    When I sniff the victim, for example the Hotmail login password, it works great, but in most cases the victim is already logged in when I start to sniff, and that results in no password being sniffed. I tried to isolate the host from the LAN for a while but that doesn't work. I wonder if it is possible to clear the cache or cookies to force the host to re-login on Hotmail with a password, or if there is some other way to do this?

    thanks
    squashen

    PS: excuse my VERY VERY bad English

  2. #2
    Junior Member | Join Date: Jun 2010 | Posts: 35

    Re: clear cookies or something with ettercap

    +1 !

    It is possible to see the cookie with the encrypted password; however, it would take too long to crack the hash of that captured cookie.

    So, I think this is a good question.

  3. #3
    Just burned his ISO | Join Date: May 2010 | Location: Somewhere... | Posts: 12

    Re: clear cookies or something with ettercap

    Hi,
    Try using sslstrip by Moxie Marlinspike (Moxie Marlinspike >> software >> sslstrip) along with ettercap-ng. Using the -k flag will kill all active SSL sessions of the victim machine, aka you will be logged out of, say, Facebook on your victim computer (you are doing this in a test environment on your own network, aren't you?...). There are many tutorials on this site and others on using sslstrip, so I won't go into any details.
    But, that said, please do NOT use this against actual victims (i.e. in your local coffee shop); it is illegal and unethical to decrypt or otherwise manipulate other people's packets as they go through the air. Just don't do it. You may not get caught, but it's still wrong, not to mention greatly discouraged on this site. But, assuming you are trying to learn this for legitimate purposes, if you have any questions, I'm here to help.

  4. #4
    Junior Member | Join Date: Jun 2010 | Posts: 35

    Re: clear cookies or something with ettercap

    Thanks BobaFett, that worked indeed!

    However, it did not work with, for example, Windows Live Mail... Any knowledge on that part?

    PS: of course it is in my own LAN

  5. #5
    Just burned his ISO | Join Date: May 2010 | Location: Somewhere... | Posts: 12


    Hmm, that's strange. It's SSL encrypted, so it "should" work. I personally haven't tried logging into a Windows Live account while running a MITM with sslstrip, but if I have a chance I will try that later and post how it works. Sorry for the slow responses, but I'm busy sometimes and can't always respond quickly.

    What site logins have you had success in sniffing? I have personally tested Facebook, Myspace, eBay, Gmail (and other Google logins) and some other random sites I can't remember.

    You might wanna try posting the commands you are using in your attack. Maybe I or someone else can help figure out why it won't sniff certain logins.

    By the way, sorry for the rant about the legality of such attacks on a LAN other than your own. Glad to hear you are doing the right thing.

    Well, sslstrip was able to sniff Hotmail (login.live.com) fine for me... If you can't get it working, then check out my script.

    Hope this helps
    Last edited by Archangel-Amael; 06-17-2010 at 08:19 PM.

  6. #6
    Junior Member | Join Date: Jun 2010 | Posts: 35

    Re: clear cookies or something with ettercap

    Well, I will check out that script when the code is placed directly in the forum.

    However, I can give you a summary of my code:

    - iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    - sslstrip -f -k -a
    - start ettercap in GUI mode, start the MITM attack (ARP spoof, remote connections, unified sniffing on eth0)

    It indeed works perfectly with Facebook and Telenet (my ISP). However, when I try to sniff Windows Live Mail, I get the username, but for the password I just get an empty space ( ). I think it has something to do with 1. the login assistant (wlloginproxy) or 2. the cookie not being well cleared.

    Also, Windows Live acts very strangely when using sslstrip; for example, when I want to create a mail and send it, I have to log in again. This also happens with Facebook momentarily. Is it perhaps better to run "sslstrip -k" only in the beginning, and then start sslstrip in normal mode, or won't this clear all cookies? Basically my question is: does "sslstrip -k" clear all cookies from the moment you start it, or does "sslstrip -k" clear cookies only from visited sites?
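    The ARP spoofing step in the command summary above is also the point at which a defender on the same LAN can catch the whole setup, before any login is downgraded. The script below is an added example written for this thread, not code from any post here or from ettercap: it replays a constructed list of ARP replies through the two checks an ARP monitor applies, a MAC flip for a known IP, and one MAC claiming both the gateway's and a host's IP at once (the two-sided poisoning that a "remote connections" MITM needs in order to sit between victim and gateway). The addresses are constructed; a real deployment would feed it records from a packet capture or an ARP-monitoring daemon.

```python
"""Detect two-sided ARP cache poisoning on a LAN.

Added example for this thread; not code from the original posts or from
ettercap. The ARP records below are constructed, not a real capture.
"""
from collections import defaultdict

# Constructed ARP replies as seen by a passive monitor on the LAN:
# (sender IP, sender MAC, target IP). 192.168.1.1 is the gateway,
# 192.168.1.10 a client, and 00:11:22:33:44:ee the poisoning host.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),  # genuine gateway reply
    ("192.168.1.10", "00:11:22:33:44:0a", "192.168.1.1"),   # genuine client reply
    ("192.168.1.1",  "00:11:22:33:44:ee", "192.168.1.10"),  # gateway IP claimed by another MAC
    ("192.168.1.10", "00:11:22:33:44:ee", "192.168.1.1"),   # client IP claimed by the same MAC
    ("192.168.1.1",  "00:11:22:33:44:ee", "192.168.1.10"),  # periodic re-poisoning, same MAC
]


def poisoning_macs(replies):
    """Return the set of MACs that announced themselves as more than one IP.

    A single host legitimately answers for one IP; answering for both the
    gateway and a client is the signature of a two-sided ARP MITM.
    """
    mac_to_ips = defaultdict(set)
    for sender_ip, sender_mac, _target_ip in replies:
        mac_to_ips[sender_mac].add(sender_ip)
    return {mac for mac, ips in mac_to_ips.items() if len(ips) > 1}


def detect_arp_poisoning(replies):
    """Return a list of alert strings for the given ARP replies.

    Alerts are raised, in order, for every IP whose announced MAC changes
    (a "flip"), followed by one alert per MAC that claims several IPs.
    """
    ip_to_mac = {}
    alerts = []
    for sender_ip, sender_mac, target_ip in replies:
        previous = ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(
                f"MAC flip for {sender_ip}: {previous} -> {sender_mac} "
                f"(reply sent to {target_ip})"
            )
        ip_to_mac[sender_ip] = sender_mac

    for mac in sorted(poisoning_macs(replies)):
        claimed = sorted(ip for ip, m in ip_to_mac.items() if m == mac)
        alerts.append(
            f"{mac} claims multiple IPs {claimed}: possible two-sided ARP MITM"
        )
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

    Run against the constructed records it reports two flips (gateway, then client) and one multi-IP claim by the same MAC; the first two genuine replies alone produce no alert. The flip check on its own also fires on legitimate events such as a replaced NIC or a failover gateway, which is why the multi-IP check is the stronger of the two signals.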

  7. #7
    Just burned his ISO | Join Date: May 2010 | Location: Somewhere... | Posts: 12


    Hmm, that is a good question. I'm not totally sure, but I would love to know the answer if anyone has any insight on this. The way I understood it, sslstrip "kills" (basically just doesn't forward) all SSL connections that pass THROUGH it encrypted. Aka, if someone was already logged in securely before sslstrip is started, there is already a secure SSL connection both ways between the client and the server, and we can't sniff that connection in clear text. Thus, the -k argument kills all SSL connections that run all the way from the server to the client, forcing them to start a new SSL connection by logging back in. And of course, when they log in with a MITM with sslstrip running on the LAN, sslstrip accepts the server's SSL certificate and uses it to decrypt and log the packets in "clear text", and forwards the now decrypted and thus not SSL (https) connection to the client. It sounds like you understand the principle of how sslstrip works, so I won't go into any more detail on that. Assuming that I am on the right track here, sslstrip shouldn't randomly kill an SSL connection that was created AFTER sslstrip/MITM was started, like it appears to be doing in your case. So, is it doing this (killing the SSL connection when it shouldn't) on any other sites other than Hotmail? I do not have a Hotmail account, so I can only test this using a fake password, and thus I can't test the -k feature on Hotmail.
    I would suggest verifying that you can't sniff the password by using Wireshark and searching for the password. If that brings up nothing, then I will make a Hotmail account and try this out myself. It's (remotely) possible that Microsoft has figured out some way to thwart this kind of attack, so I am extremely interested in hearing about your results, and maybe I'll make an account and experiment myself.

    About my script, I first tried to post it (in code tags) in my thread, but it was way too long, so I asked the Admins if it would be OK for me to split it up over multiple posts (no comment yet...). Is posting a script in multiple posts frowned upon? I just want to make sure. Also, although I can understand (somewhat) why you would be leery to download my script off hotfile, what are you "worried" about? Just don't execute whatever you download until you have thoroughly inspected the code. Or am I missing something here? Thanks

    OK, I made a Hotmail email address and tested this out. Surprisingly, if I logged into Hotmail and then started MITM/sslstrip with the -k argument, it logged me out like it was supposed to. But Gmail, which had previously worked the same way for me, continued on as if nothing had happened (aka no logging out). Weird...
    I will continue to experiment on this and see if I can figure this out (also, maybe you should post a thread on this so we can stop hijacking this one).

    By the way, my script is now on pastebin (Bash | #!/bin/bash #CAG-Script v0.4 - Boba Fett - EAWqCebR - Pastebin.com)
    Last edited by balding_parrot; 06-19-2010 at 01:41 AM.
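    The description in the post above of what the client ends up receiving, a plain http:// copy of a site that is normally https://, and with -k the killing of its existing session so that the user logs in again, is also exactly what a network defender looks for in captured traffic. The script below is an added example written for this thread, not code from any post here or from sslstrip: it inspects a constructed plaintext HTTP response, as a downgraded client would receive it, and reports the indicators. login.live.com is the host named in the thread; the TLS_ONLY_HOSTS list, the cookie names and the /login path are assumptions a site operator would replace with their own.

```python
"""Flag indicators of an HTTPS-to-HTTP downgrade in a plaintext HTTP response.

Added example for this thread; not code from the original posts or from
sslstrip. The responses below are constructed. TLS_ONLY_HOSTS, the cookie
names and the /login path are assumptions; login.live.com comes from the thread.
"""
import re

# Assumption: hosts the operator knows are only ever served over HTTPS.
TLS_ONLY_HOSTS = {"login.live.com", "www.facebook.com"}

# Constructed plaintext response as a downgraded client would see it:
# a login form posting to http://, and two session cookies expired at once.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=EXPIRED; Path=/; Domain=.live.com; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "Set-Cookie: auth=EXPIRED; Path=/; Domain=.live.com; "
    "Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html><body>"
    '<form method="post" action="http://login.live.com/login">'
    '<input name="login"><input type="password" name="passwd">'
    "</form></body></html>"
)

# Constructed benign response from a host that is not expected to use TLS.
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Welcome</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).

    Header names are lower-cased; only the first colon separates name from
    value, so timestamps inside Set-Cookie values survive intact.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def downgrade_indicators(raw, host, over_tls=False):
    """Return indicator strings for one response delivered to a client.

    host:     the host the client asked for (request line / Host header).
    over_tls: True if the client received the response inside TLS; a
              downgrade can only be observed on a plaintext delivery.
    """
    if over_tls:
        return []
    _status, headers, body = parse_response(raw)
    indicators = []

    if host in TLS_ONLY_HOSTS:
        indicators.append(f"{host} is HTTPS-only but answered over plaintext HTTP")

    if re.search(r'<input[^>]+type="password"', body, re.I):
        indicators.append("password field delivered over plaintext HTTP")

    for action in re.findall(r'action="(http://[^"]+)"', body, re.I):
        indicators.append(f"form posts credentials to plaintext URL {action}")

    # Several cookies expired in one plaintext response for a login host is
    # the "kill the session so the user logs in again" pattern.
    expired = [v.split("=", 1)[0] for n, v in headers
               if n == "set-cookie" and re.search(r"expires=.*1970|max-age=0", v, re.I)]
    if len(expired) >= 2:
        indicators.append(
            f"{len(expired)} cookies expired at once ({', '.join(expired)}): forced re-login"
        )
    return indicators


if __name__ == "__main__":
    for indicator in downgrade_indicators(SAMPLE_RESPONSE, "login.live.com"):
        print(indicator)
```

    On the constructed response the checker reports four indicators; the same bytes received inside TLS, or the benign response from a host outside TLS_ONLY_HOSTS, produce none. The per-host allowlist is what makes the first check meaningful: a monitor that only sees the plaintext side has no other way to know that the site should never have been reachable that way.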
