Getting passwords to display in Ettercap

[dennis00]

Hello,

I am trying to understand why ettercap does not display the user name and password from a log if it has the following:

"email=EMAIL%40gmail.com&userpass=PASSWORD%21""

When I altered the log to the following it did pull out and display the password:

email=EMAIL%40gmail.com&pass=PASSWORD%21"

I am using "ettercap -Tqr etter.text"

Could someone explain to me why it fails unless the page uses "pass"?

Ettercap version .7.4.1

[aerokid240]

In backtrack, look for the file "etter.fields" at /usr/local/share/ettercap/ . This file contains a list of the the form fields (username and password) that ettercap would recognize by its HTTP dissector and you can also add your own fields to this file. By default, the form field "userpass" is not an entry in the etter.fields file. Simply adding this to the list should do the trick. The field "pass" is already listed by default and is the reason why ettercap is able to extract the password.

[dennis00]

That addresses my issue exactly, thank you.

I had been looking at the http dissector and it looked like it was parsing out the usernames and passwords. Do you know when that is used?

[aerokid240]

Sorry, I'm not quite sure i understand what you are asking.

[dennis00]

It was my understanding that ettercap used dissectors to pick user names and passwords from packets. In /etc/etter.conf dissectors are mapped to ports with 80 mapped to the http dissector. Looking through ec_http.c (the dissector I thought was being used) it appeared that ettercap was parsing the file and would return any variant of user name and password.

I am wondering when ettercap uses the dissectors because I am lazy and would prefer it to just parse the the traffic for all sites automatically.

[aerokid240]

I'm still not 100% sure if i understand what you are saying but maybe the problem is that you are lazy ? Are you sure you understand what the dissectors do?

[dennis00]

Looking through the code of ec_http.c I thought it was determining if it was a username or password. Now I see the dissector picks out possible user id and pass fields and looks through etter_fields.

For those curious / confused like myself this function at the bottom of ec_http.c shows whats happening

Code:

int http_fields_init(void)
{
   FILE *f;
   struct http_field_entry *d;
   char line[128];
   char *ptr;
   int pass_flag = USER;

   /* open the file */
   f = open_data("share", ETTER_FIELDS, FOPEN_READ_TEXT);
   if (f == NULL) {
      USER_MSG("Cannot open %s", ETTER_FIELDS);
      return -EINVALID;
   }

[aerokid240]

The code that you copied only shows variable declarations and what happens if a particular file cannot be opened/read. Nothing more. Perhaps you didn't copy the entire code branch that you intended to?