Results 1 to 8 of 8

Thread: Getting passwords to display in Ettercap

  1. #1
    Just burned his ISO
    Join Date
    Jul 2010
    Posts
    9

    Default Getting passwords to display in Ettercap

    Hello,

    I am trying to understand why ettercap does not display the user name and password from a log if it has the following:

    "email=EMAIL%40gmail.com&userpass=PASSWORD%21""

    When I altered the log to the following it did pull out and display the password:

    email=EMAIL%40gmail.com&pass=PASSWORD%21"

    I am using "ettercap -Tqr etter.text"

    Could someone explain to me why it fails unless the page uses "pass"?

    Ettercap version .7.4.1
    Last edited by dennis00; 05-07-2012 at 01:37 PM.

  2. #2
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: Getting passwords to display in Ettercap

    In backtrack, look for the file "etter.fields" at /usr/local/share/ettercap/ . This file contains a list of the the form fields (username and password) that ettercap would recognize by its HTTP dissector and you can also add your own fields to this file. By default, the form field "userpass" is not an entry in the etter.fields file. Simply adding this to the list should do the trick. The field "pass" is already listed by default and is the reason why ettercap is able to extract the password.
    Last edited by aerokid240; 05-08-2012 at 08:30 AM.

  3. #3
    Just burned his ISO
    Join Date
    Jul 2010
    Posts
    9

    Default Re: Getting passwords to display in Ettercap

    That addresses my issue exactly, thank you.

    I had been looking at the http dissector and it looked like it was parsing out the usernames and passwords. Do you know when that is used?

  4. #4
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: Getting passwords to display in Ettercap

    Sorry, I'm not quite sure i understand what you are asking.

  5. #5
    Just burned his ISO
    Join Date
    Jul 2010
    Posts
    9

    Default Re: Getting passwords to display in Ettercap

    It was my understanding that ettercap used dissectors to pick user names and passwords from packets. In /etc/etter.conf dissectors are mapped to ports with 80 mapped to the http dissector. Looking through ec_http.c (the dissector I thought was being used) it appeared that ettercap was parsing the file and would return any variant of user name and password.

    I am wondering when ettercap uses the dissectors because I am lazy and would prefer it to just parse the the traffic for all sites automatically.

  6. #6
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: Getting passwords to display in Ettercap

    I'm still not 100% sure if i understand what you are saying but maybe the problem is that you are lazy ? Are you sure you understand what the dissectors do?

  7. #7
    Just burned his ISO
    Join Date
    Jul 2010
    Posts
    9

    Default Re: Getting passwords to display in Ettercap

    Looking through the code of ec_http.c I thought it was determining if it was a username or password. Now I see the dissector picks out possible user id and pass fields and looks through etter_fields.

    For those curious / confused like myself this function at the bottom of ec_http.c shows whats happening

    Code:
    int http_fields_init(void)
    {
       FILE *f;
       struct http_field_entry *d;
       char line[128];
       char *ptr;
       int pass_flag = USER;
    
       /* open the file */
       f = open_data("share", ETTER_FIELDS, FOPEN_READ_TEXT);
       if (f == NULL) {
          USER_MSG("Cannot open %s", ETTER_FIELDS);
          return -EINVALID;
       }

  8. #8
    Senior Member
    Join Date
    Jul 2009
    Posts
    135

    Default Re: Getting passwords to display in Ettercap

    The code that you copied only shows variable declarations and what happens if a particular file cannot be opened/read. Nothing more. Perhaps you didn't copy the entire code branch that you intended to?

Similar Threads

  1. Ettercap script that workt in BT4 is not getting passwords in BT5
    By MadMax0 in forum BackTrack 5 General Topics
    Replies: 13
    Last Post: 08-16-2011, 04:21 PM
  2. Viewing passwords for websites on ettercap-gtk
    By mk131 in forum Beginners Forum
    Replies: 3
    Last Post: 01-03-2011, 04:31 AM
  3. ettercap sniff hashed passwords, how to use them?
    By 0biwan in forum Beginners Forum
    Replies: 7
    Last Post: 07-18-2010, 03:30 AM
  4. Is it possible to capture HTTP passwords (Ettercap)
    By OldGregg in forum OLD Newbie Area
    Replies: 8
    Last Post: 07-11-2009, 12:39 PM
  5. ettercap - sniffing works, but I can't see passwords
    By Trick17 in forum OLD BackTrack v2.0 Final
    Replies: 6
    Last Post: 08-29-2007, 09:09 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •