SSLStrip & Ettercap not playing nicely together in BT5R1

[ericmilam]

I recently upgrade to BT5R1 and ran my easy-creds script. Immediately, ettercap gave the old L3 error of not forwarding packets. My first thought was that Ettercap, being so old, was to blame. So I ran the command I had scripted by hand without issue, then I ran urlsnarf & dsniff, no issues.

As soon as I added SSLStrip, the errors started flyign again like crazy. I stopped SSLStrip, they went away. I then fired it back up and went to my victim and attempted to browse to yahoo.com. Again, it was obvious that the packets were not forwarding.

I can confirm I have checked all the "basics" involved in using ettercap & sslstrip. (easy-creds had no problems with BT5 or BT4R2)

That being said, I am not sure if its a kernel issue or SSLStrip. I know that the only thing that has changed is the Kernel. That being said, purehate confirmed the IPTables are not something they mess with.

Anyone have the same experience? Have any ideas?

Best Regards
JB

[Cains]

Hi, I experienced the same on my scripts, i figured out the solution for me was to reinstall booth. not sure this is the fix for you but its worth a try

[ericmilam]

Thanks for the suggestion...but no dice. It still give the old L3 Error.

I did the following:

apt-get purge ettercap
apt-get purge sslstrip

apt-get install ettercap
apt-get install sslstrip

Everything went just fine. Ran easy-creds...nothing but a flood of L3 errors.

Was there something you did differently? If you could provide a bit more detail, perhaps I can see if I missed something.

Thanks,
JB

[Cains]

Stupid suggestion, but have you tried the latest version of the script, i provoked the same error on a older version

[ericmilam]

Yep. I've tried .8 and .9. Wondering is half duplex is causing issues.

[ThrashingLikeAManiac]

Same problem. Both deleted and installed again (ettercap was crashing after scanning hosts anyway) & still L3 Error.

BT5 R1 KDE running in Virtual Box

[ericmilam]

I still haven't found a solutions, but I did find this which is interesting:

>Hi,
>libnet_write_raw_ipv4 is an official function in the old libnet API
0.x.x.x
>not in 1.x.x.x. But if you look carefully in the code you can see that it
>is
>used. I used this libnet_adv_write_raw with libnet 1.1.2 and it worked
>without problems.
>
>Regards,
>Mustaffa Abu Sedira

Wondering if I replace the original ettercap code with this, if it'll work... Only thing to do is to try...

[ericmilam]

OK found this in ec_send.c in the ettercap source

/* open the socket at layer 3 */
l3 = libnet_init(LIBNET_RAW4_ADV, GBL_OPTIONS->iface, lnet_errbuf);
ON_ERROR(l3, NULL, "libnet_init(LIBNET_RAW4_ADV) failed: %s", lnet_errbuf);

Getting closer, maybe....

[ericmilam]

OK found this in ec_send.c in the ettercap source

/* open the socket at layer 3 */
l3 = libnet_init(LIBNET_RAW4_ADV, GBL_OPTIONS->iface, lnet_errbuf);
ON_ERROR(l3, NULL, "libnet_init(LIBNET_RAW4_ADV) failed: %s", lnet_errbuf);

Getting closer, maybe....

OK...found this:

/*
* send the packet at layer 3
* the eth header will be handled by the kernel
*/
...snip...
libnet_geterror(GBL_LNET->lnet_L3));
if (c == -1)
USER_MSG("SEND L3 ERROR: %d byte packet (%04x:%02x) destined to %s was not forwarded (%s)\n",
po->fwd_len, ntohs(po->L3.proto), po->L4.proto,

So, since the kernel changed from BT5 to BT5r1 and that was really the only thing changed...I believe something is up there.

Walking through the ec_send.c code and looking at ettercap, everything looks cool as far as using libnet to open link layer and layer 3.

Still trying to find out more about LIBNET_ADV_WRITE_RAW...anyone who may know...post here please

[DeserTEagLe]

I also [COLOR="#B22222"]HAD[COLOR="#000000"]that problem with ettercap ,on both BT5 and BT5r1 kde 32-bit versions,plugins also do not work and does not pickup http pass words ,anyway it does not work The ettercap package installed need to be removed and ettercap package 0.7.4-bt7 need to be installed.That can be done with the package manager or apt-get.

Code:

        apt-get remove ettercap-desktop
         apt-get remove ettercap-gtk
         apt-get remove ettercap-common
         apt-get install ettercap

Now your go to go