Page 8 of 23 (Results 71 to 80 of 222)

Thread: Script for sniffing traffic.

  1. #71
    Senior Member
    Join Date
    Dec 2010
    Posts
    127

    Re: Re : Script for sniffing traffic.

    Doh! I totally missed that one. Thanks for the heads up. Can fix it like this: wget -q http://www.thoughtcrime.org/software/sslstrip/sslstrip-$latestver.tar.gz

    Hopefully he always saves it as a .tar.gz file...

    Thanks
    JB

  2. #72
    Good friend of the forums comaX
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re : Re: Re : Script for sniffing traffic.

    I think he does, since at least 0.6 if I remember correctly !
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  3. #73
    Just burned his ISO Taurin
    Join Date
    Mar 2010
    Posts
    1

    Re: Script for sniffing traffic.

    Hi comaX,

    I'm using BT5 (KDE32, installed) and have tried several things to get MITM scripts running. Without using SSLstrip, ettercap works fine for me, but my attempts to capture HTTPS traffic mainly failed. I've tested yamas and must say that it seems to work properly. Thanks for your great work.

    But I've discovered some problems, too. While surfing on social networks (like fb) the pass window keeps on repeating website, login (the id-nr.) and wrongly captured entries as passwords. When I tried to select one or two victims, the whole network was still logged. While three machines were running, yamas crashed often around ~30 minutes of usage. I got colored stripes on the screen and couldn't see anything till a hard reboot. E-mail clients were not logged, and several pages (like this board) were not detected properly. "Location: ht" seems to be a kind of sslstrip bug, which sucks while surfing. ettercap worked fine for showing captured details, maybe you could integrate an option to choose ettercap instead.

    What I liked the most about yamas is the cleaning function at the beginning, and apart from that it's always running (stable) the same way, and these security alerts never showed up, because sslstrip seems to run correctly.

    Kind regards

  4. #74
    Good friend of the forums comaX
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re : Script for sniffing traffic.

    Hi ! Thanks for the feedback (nice avatar btw =D )! I never experienced anything like you say unfortunately, so I don't really know what to do there...
    Location: ht is indeed an sslstrip error, nothing I can do about that ! Did you use yamas -e or just yamas ?

    By the way, I did a little "article" about how to mitigate that kind of attack. Nothing too fancy or too savvy, but it's a good start I think. You can check it out at http://comax.fr/yamas.php?frame=protect.php and then click the "how to protect yourself" link !

    Cheers !
    Last edited by comaX; 07-30-2011 at 11:55 AM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  5. #75
    Senior Member
    Join Date
    Dec 2010
    Posts
    127

    Re: Script for sniffing traffic.

    @Taurin - You have to remember that if SSLStrip intercepts the traffic, it is no longer 443 traffic, so you will not see it in ettercap. In addition, all port 80 traffic forwards to 10000 in SSLStrip, so again ettercap won't see it. So it is working as expected, you WON'T see it in ettercap and will have to go through the SSLStrip Logs.

    One thing you may be able to do is to add port 10000 to the etter.conf file as http traffic. Then you may begin seeing the traffic in ettercap. I believe that would work, but haven't tested it.

    Happy hunting...

  6. #76
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Re: Script for sniffing traffic.

    comaX,

    Okay, here is the edit I told you about. Anywhere you see a *** will indicate changes and such



    comaX,
    Hello there... I've some ideas for your script that ye might include. Some of the ideas are from my own current scripts that I use for day to day testing and some of them are based off things I've seen in your 'bashing'. I must say, I like some of what you've done with your 'bashing' (So many different ways to do the same thing, whatever is more efficient is the way to go, so I've been taught and believe and teach back) so I'll be incorporating that style into my own script. Now, that is of course if it's okay with you Sir. I shall give credit where it's due if you would allow me.

    Let's tear into this thing shall we?


    Tabbing...It's what makes a script really readable to the end user. As well, it's incorporated into python (<3 the snake)....
    Take for instance this part of your fast_cleanup function:
    Code:
    if [[ "$1" = "-e" || "$1" = "--etter" ]]; then
    killall ettercap
    else
    killall arpspoof
    fi
    We can make it more readable via this (As well, if you ever choose to port it to python or another "tab" required language, some of the work is already done for ya):
    Code:
    if [[ "$1" = "-e" || "$1" = "--etter" ]]; then
      killall ettercap
    else
      killall arpspoof
    fi
    I used a standard two spaces with the indent....I can't use tab here without editing in a word doc....Use whatever method suits ya =)

    Every character counts
    Code:
    if [[ "$1" = "-p" || "$1" = "--parse" ]]; then #parse a given filename
    You could change that up a bit and have less characters via:
    Code:
    if [ $1 = "-p" -o $1 = "--parse" ]; then #parse a given filename
    since $1 would only be -p or --parse, there is no need to quote it (i.e. There are no spaces within the value of $1; preventing any need for quotations)
    My rhyme and reasoning aside from the conservation of total characters within the script ---> To Double Bracket, or Not to Double Bracket. That is the Question We Must Ask Ourselves


    ***Mistake 1*** I was writing some script just two days ago, and I came across an issue, something about unary operator expected. So I did the right thing, I researched.... Turns out the quotes aren't a bad idea after all. I can't explain it nearly as well as the webpage does so here is the link explaining why I was wrong, and you were right regarding quote usage http://linuxcommand.org/wss0100.php As well, your use of double brackets might not be too bad of an idea either....while my script example I don't have with me, I know that to implore a quick fix, I did the double bracket around the test (figured maybe you had the right idea with the double brackets....and yep........it prevented the unary error. I am wondering though if by doing quotes I could have prevented it....That might be confusing....and since I can't write script and test right now (windows box)...Here is my example to test the [[ and "" thing
    Code:
    #!/bin/bash
    
    number=
    
    if [[ $number = "1" ]]; then
        echo "Number equals 1"
    else
        echo "Number does not equal 1"
    fi
    Their solution was to enclose $number within quotes...."$number" ....My guess was to enclose it in brackets like I did in the above example. I will test this as soon as I get home and report back. I'm betting that by running the above script, you don't get any errors....We shall see..
    Outside of the LAN Issues
    This one is a stretch....but...I cannot stress this enough......Any PenTester worth his salt must "Think Outside the Box"
    Code:
    ### Message of the day ! <= ****ing useless, but who knows, I might
    ### want to warn about something directly, or tell a joke...
    wget -q http://comax.fr/yamas/bt5/message -O /tmp/message
    message=$(cat /tmp/message) #store it to variable
    rm /tmp/message #remove temp message file
    If I used your script in a corporate environment, it would draw unneeded attention (i.e. You're doing a PenTest on a big corporation and they see that some user is connecting <or trying to connect> to a "non-whitelisted" IP/HTTP/Whatever connection, it might get logged, and then alert them to your presence.) IMHO, remove any unneeded connections to the outside world from your script comaX. As far as the lines of script that "MUST" communicate with the outside world, i.e. grepcred.txt.....throw in an option that allows the user to choose whether or not they wish to send packets outside of the LAN, don't do it for them. At a minimum, throw in the option that if they don't specify for instance $2 regarding the grepcred --parse option....Or AutoUpdating...That type of thing....that there will be a pause prior to the grabbing of the file (thereby allowing them to stop the script, lest it connect)....
    Menu Options
    Code:
    rtparse() {
    echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
    realtime parsing (RTP).
    1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
    2. Resume RTP.
    3. Kill RTP (stop and close xterm)
    4. Re-launch RTP
    5. Previous menu."
    read rtp
    if [ "$rtp" = "1" ] ; then
    echo -e "\033[33m[+]Pausing...\033[m"
    kill -19 ${looparseid}
    echo -e "\033[33m[-]Paused.\033[m"
    rtparse
    elif [ "$rtp" = "2" ] ; then
    echo -e "\033[33m[+]Resuming...\033[m"
    kill -18 ${looparseid}
    echo -e "\033[33m[-]Resumed.\033[m"
    rtparse
    elif [ "$rtp" = "3" ] ; then
    echo -e "\033[31m[+]Killing...\033[m"
    kill ${looparseid}
    echo -e "\033[33m[-]Killed.\033[m"
    rtparse
    elif [ "$rtp" = "4" ] ; then
    echo -e "\033[32m[+]Launching...\033[m"
    xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
    looparseid=$!
    sleep 2
    echo -e "\033[33m[-]Launched.\033[m"
    rtparse
    elif [ "$rtp" = "5" ] ; then
    echo "Previous"
    final
    else echo -e "\033[31mBad choice bro !\033[m\n" #was "mother****er" during my tests.
    rtparse
    fi
    }
    Let's clean this up via case:

    ***I changed this to actually work...My statements were incorrect in the previous version of this post***
    Code:
    rtparse() {
    echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
    realtime parsing (RTP).
    1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
    2. Resume RTP.
    3. Kill RTP (stop and close xterm)
    4. Re-launch RTP
    5. Previous menu."
    read rtp
    case $rtp in # not sure if this should be quote enclosed...anyone want to help out?  It's singular options without a space, so I think the need for quotes is NOT needed??
    1) echo -e "\033[33m[+]Pausing...\033[m"
        kill -19 ${looparseid}
        echo -e "\033[33m[-]Paused.\033[m"
        rtparse;;
    2) echo -e "\033[33m[+]Resuming...\033[m"
        kill -18 ${looparseid}
        echo -e "\033[33m[-]Resumed.\033[m"
        rtparse;;
    3) echo -e "\033[31m[+]Killing...\033[m"
        kill ${looparseid}
        echo -e "\033[33m[-]Killed.\033[m"
        rtparse;;
    4) echo -e "\033[32m[+]Launching...\033[m"
        xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
        looparseid=$!
        sleep 2
        echo -e "\033[33m[-]Launched.\033[m"
        rtparse;;
    5) echo "Previous"
        final
        else echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =)
        rtparse;;
    esac
    }
    
    ***Mistake 2***
    Change from 5) down to read
    
    5) echo "Previous"
        final;; ## must have the ;; to go to the next statement, not sure if statement is the word, but u know what i mean......
    *) echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =)  ## the * indicates your else part of the if statement..ie...choices are 1-5...anything that is not equal to 1 - 5....invokes the else
        rtparse;;
    esac
    }

    Learning Curve
    As I stated above, I have seen some neat things in your script that I want to incorporate into my own.

    1) I am posting from a windows box right now, so I can't experiment and figure it out on my own (yes google...but...Believe it or not, there are a lot of websites I'm blocked from where I am currently at..The websites where I could learn certain syntax usage specifically....Amazingly enuf...this website isn't blocked....blows my mind, but whatever....It allows me to contribute and learn just by being here....)

    2) I think I know what they do by looking at them, and would like you to clarify for me, Please... =)
    I took these snippets from the original code for the topic directly above this one, for ease of use, I will not use my modified case here....Leaving your original code intact...
    Code:
    if [ "$rtp" = "1" ] ; then
    echo -e "\033[33m[+]Pausing...\033[m"
    kill -19 ${looparseid}
    echo -e "\033[33m[-]Paused.\033[m"
    rtparse
    elif [ "$rtp" = "2" ] ; then
    echo -e "\033[33m[+]Resuming...\033[m"
    kill -18 ${looparseid}
    Question 1) Why enclose $looparseid inside curly braces? What function, if any, does that serve?
    Question 2) kill -19 and kill -18. Does that pause and resume ANY program?? If so, wow...Just learned something EXTREMELY useful....

    Alright, welp...That about wraps that. There are some other things I noticed, but I will see if I get any response to my above ideas. Take a look at it, and if you like what I did and are hungry for more, let me know. Always happy to help.


    V/r,
    Snafu
    Pffbt..
    I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass..
    Last edited by snafu777; 08-03-2011 at 05:00 PM. Reason: Fixing My Mistakes...

  7. #77
    Good friend of the forums comaX
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re : Re: Script for sniffing traffic.

    Yay ! Thank you very much !

    So, I'll try not to forget anything, tell me if I do

    Tabbing. You sir are very right. I try to do that, but sometimes I just get lost and give that up as long as it does what I want. I should really take the time to clean it up though.

    Chars count : again, you're right, but since there are comments everywhere and all, I didn't pay much attention to that. As for the double brackets, I used to use only one but it gave me some bugs at some places, so I decided every if statement would have double brackets and quotes. That's not very serious, but I learnt scripting as I scripted so I didn't bother much as long as it worked. Now that I know a bit more, I should include that in a clean up, sure.

    Outside of the lan. I updated the script two days ago with a new -s switch (for silent) to prevent the script from requesting anything. Too bad I didn't see your post earlier ! By the way, one should have the needed files before launching the script then. And, it makes me think I might have forgotten something. Damn. Edit : I did forget something. It's now fixed !

    Menu options. I used case but for some reason removed them? I can't remember why. If the posted version works, I'll cook a good copypasta though ! Thanks Edit : works with that, but you forgot to put *) for the last case.
    Code:
    rtparse() {
    echo -e "\n\nIn this menu, you can pause, resume, kill, or launch
    realtime parsing (RTP).
    1. Pause RTP (keep xterm open for you to read, copypasta, etc.)
    2. Resume RTP.
    3. Kill RTP (stop and close xterm)
    4. Re-launch RTP
    5. Previous menu."
    read rtp
    case $rtp in # not sure if this should be quote enclosed...anyone want to help out?  It's singular options without a space, so I think the need for quotes is NOT needed??
    1) echo -e "\033[33m[+]Pausing...\033[m"
        kill -19 ${looparseid}
        echo -e "\033[33m[-]Paused.\033[m"
        rtparse;;
    2) echo -e "\033[33m[+]Resuming...\033[m"
        kill -18 ${looparseid}
        echo -e "\033[33m[-]Resumed.\033[m"
        rtparse;;
    3) echo -e "\033[31m[+]Killing...\033[m"
        kill ${looparseid}
        echo -e "\033[33m[-]Killed.\033[m"
        rtparse;;
    4) echo -e "\033[32m[+]Launching...\033[m"
        xterm -hold -geometry 90x20-1-100 -T Passwords -e /tmp/looparse.sh &
        looparseid=$!
        sleep 2
        echo -e "\033[33m[-]Launched.\033[m"
        rtparse;;
    5) echo "Previous"
        final ;;
    *) echo -e "\033[31mBad choice bro !\033[m\n" #Professional Language =)
        rtparse;;
    esac
    }
    /Edit

    "Stealing" my work ? Please do as you please good sir ! You're even welcome to do so, it's an honour !

    Regarding question 1 : this was something I found in someone else's script when I didn't know anything about that. I now feel very dumb for not asking myself this question... Best way to get an answer is to try it ! So that's what I'll do ! Edit : just tried, they were useless.

    Question 2 : I believe it does. If I remember the man pages for kill, it stated that it suspended a process execution. I'll edit with the relevant part of the man when I find it.

    Thank you very much for such a feedback, that's exactly what I need, want and like ! If you have more, please do report !
    Last edited by comaX; 08-03-2011 at 05:09 PM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !
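    The "Mistake 1" quoting question and questions 1 and 2 above can be checked directly. This is an added example, not code from the thread or from yamas; the helper names (single_unquoted, single_quoted, double_bracket, brace_demo, proc_state, stop_cont_demo) are made up for it, and stop_cont_demo assumes a Linux /proc filesystem.

```bash
#!/bin/bash
# Added example, not code from the thread or from yamas. Helper names are
# made up for it; stop_cont_demo assumes a Linux /proc filesystem.

# "Mistake 1": the three forms of the comparison, given the same value.
# Each helper prints the exit status of its test: 0 true, 1 false, 2 error.
single_unquoted() {
    local number="$1" rc=0
    # Empty value: the shell runs `[ = 1 ]` ("unary operator expected");
    # a value containing a space splits into two words ("too many arguments").
    [ $number = "1" ] 2>/dev/null || rc=$?
    echo "$rc"
}
single_quoted() {
    local number="$1" rc=0
    # Quoted: empty or spaced values stay one argument, so [ behaves.
    [ "$number" = "1" ] || rc=$?
    echo "$rc"
}
double_bracket() {
    local number="$1" rc=0
    # [[ ]] is shell syntax, not a command: no word splitting, quotes optional.
    [[ $number = "1" ]] || rc=$?
    echo "$rc"
}

# Question 1: ${var} braces do nothing on their own, but are needed when
# identifier characters follow the name: "$name_file" reads an unset
# variable called name_file, "${name}_file" appends to $name.
brace_demo() {
    local name=looparse
    echo "$name_file|${name}_file"
}

# Question 2: kill -19 / kill -18 are SIGSTOP / SIGCONT on Linux x86. They
# suspend and resume any process you are allowed to signal, xterm or not.
# State comes from /proc/PID/status: S = sleeping, T = stopped.
proc_state() {
    local key val
    while read -r key val _; do
        [ "$key" = "State:" ] && { echo "$val"; return; }
    done < "/proc/$1/status"
}
stop_cont_demo() {
    local pid before stopped after
    sleep 30 >/dev/null &
    pid=$!
    sleep 1; before=$(proc_state "$pid")
    kill -STOP "$pid"; sleep 1; stopped=$(proc_state "$pid")
    kill -CONT "$pid"; sleep 1; after=$(proc_state "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$before $stopped $after"
}
```

    Run it with bash and call the helpers, e.g. `single_unquoted ''` prints 2 while `single_quoted ''` and `double_bracket ''` print 1, and `stop_cont_demo` prints `S T S`.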

  8. #78
    Just burned his ISO
    Join Date
    Aug 2011
    Posts
    1

    Re: Script for sniffing traffic.

    Is it possible to run this script in bt5 vmware? To my information vmware doesn't recognize wlan0 unless using an external wifi card.

    Using bridged mode only captures stuff from the pc you're working on.

  9. #79
    Just burned his ISO
    Join Date
    Aug 2011
    Posts
    1

    Re: Script for sniffing traffic.

    Quote Originally Posted by th3hate
    Is it possible to run this script in bt5 vmware? To my information vmware doesn't recognize wlan0 unless using an external wifi card.

    Using bridged mode only captures stuff from the pc you're working on.
    Yes. You must be using a USB wifi adapter.

  10. #80
    Good friend of the forums comaX
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re : Re: Script for sniffing traffic.

    That sounds about right ! So just plug in a USB adapter, connect it to the VMware, and I think it will be ok !
    Running both KDE and GNOME BT5 flawlessly. Thank you !

