Hello everyone,
Today I would like to share a simple / old / educational method of sniffing passwords on a LAN (Local Area Network).
There are quite a few ways and tools out there designed to do this, but to keep things simple and basic we will be using ettercap from Backtrack 5.
Below I will show you a basic method to use ettercap and perform an ARP poisoning / MitM attack on a LAN. This will allow you to sniff HTTP, FTP, TELNET and POP usernames and passwords, all of which cross the network in cleartext.
Updating Ettercap :
1) Open terminal and type “sudo apt-get update” and wait for it to finish loading.
2) Next type “apt-get install ettercap”
3) Lastly, type “apt-get install ettercap-gtk”.
Preparation :
1) Open a terminal and type “locate etter.conf” and you will be presented with a screen similar to the one shown below.

2) Next type, “nano /etc/etter.conf”.

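3) Ok, so now to give ettercap root privileges we will have to change ec_uid and ec_gid to a value of 0. By default ettercap drops to an unprivileged user once its sockets are open; a value of 0 makes it keep running as root. The final outcome would be :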

ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
4) Scroll down to the Linux section and uncomment (remove the leading # from) the two iptables lines shown below.

#---------------
# Linux Before Modification
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#---------------
# Linux after Modification
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
5) Once you have completed and checked your modifications, press Ctrl-X (to exit), then press Y (Yes to save) and lastly press the Enter key.
6) Type “clear” to clear up your messy terminal. Cleanliness is next to Godliness. Congratulations, we are done with the boring stuff.
Let’s Begin :
1) Open up a terminal and type ettercap -G.

2) On the new GUI that appears, click Sniff –> Unified Sniffing.

3) Now go to “Hosts” and click on “Scan for hosts”.

4) Next you will be prompted for your Network Interface. Choose your interface and press the Enter key.

5) Ettercap scans the whole netmask for 255 hosts and presents you with a little message like this :
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
1 hosts added to the hosts list…
6) Now on the ettercap GUI click on Start –> Start Sniffing.

7) Click on MitM –> Arp Poisoning.

8) When the prompt screen appears, tick on Sniff Remote Connections and click OK.

9) Now let’s sit back and wait for activity in the server!
2.5 mins later…………..Voila! It shows we have username and password of hotmail.com, twoo.com, eurospot.com.

10) When you are done, click Start –> Stop Sniffing and stop the MitM attack. You will notice the message ‘Re-Arping’ at the bottom of your GUI. This means ettercap is sending the correct ARP entries back to the poisoned hosts, so the network goes back to how it was before.
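Seen from the defending side, the poisoning in steps 7 to 10 shows up in a neighbour table as several IP addresses, the gateway included, suddenly resolving to one MAC address, and the ‘Re-Arping’ in step 10 as those bindings going back to normal. The following is an added example, not part of the original tutorial and not ettercap code: it compares `arp -an` snapshots and flags changed or shared bindings. The addresses, the sample tables, the function names and the severity labels are all constructed assumptions.

```python
import re
from collections import defaultdict

# Matches Linux `arp -an` lines such as:
#   ? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)

# Constructed sample snapshots (not captured from a real network).
BASELINE = """\
? (192.168.1.1) at 02:00:00:00:00:01 [ether] on wlan0
? (192.168.1.13) at 02:00:00:00:00:0d [ether] on wlan0
? (192.168.1.19) at 02:00:00:00:00:13 [ether] on wlan0
? (192.168.1.7) at <incomplete> on wlan0
"""
# Same table while 192.168.1.19 poisons the LAN: every neighbour resolves to its MAC.
POISONED = """\
? (192.168.1.1) at 02:00:00:00:00:13 [ether] on wlan0
? (192.168.1.13) at 02:00:00:00:00:13 [ether] on wlan0
? (192.168.1.19) at 02:00:00:00:00:13 [ether] on wlan0
"""


def parse_arp_table(text):
    """Return {ip: mac} from `arp -an` output; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """MACs that answer for more than one IP within a single snapshot."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before.keys() & after.keys()
            if before[ip] != after[ip]}


def likely_source(baseline, mac):
    """IPs that owned `mac` in the baseline: the host to look at first."""
    return sorted(ip for ip, m in baseline.items() if m == mac)


def assess(baseline, current, gateway_ip):
    """Return (severity, ip, detail) findings, most severe first."""
    shared = shared_macs(current)
    findings = []
    for ip, (old, new) in changed_bindings(baseline, current).items():
        if ip == gateway_ip:
            severity = "high"      # default route now points at another host
        elif new in shared:
            severity = "medium"    # new MAC also answers for other IPs
        else:
            severity = "low"       # e.g. replaced NIC or reused DHCP lease
        findings.append((severity, ip, f"{old} -> {new}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


if __name__ == "__main__":
    base = parse_arp_table(BASELINE)
    for name, snap in (("during poisoning", POISONED), ("after re-ARP", BASELINE)):
        cur = parse_arp_table(snap)
        print(name, assess(base, cur, "192.168.1.1"), shared_macs(cur))
```

A shared MAC is not proof on its own (proxy ARP and multi-homed routers produce it too), which is why the check is anchored to a known-good baseline and treats the gateway binding separately.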
Authors Note :
1) Ettercap takes a little tweaking on different systems to get it going smoothly, so if this method does not work for you, just mess around with it. Through mistakes you will learn more.
2) This tutorial was intended to explain mass network sniffing as I had no victims at hand.
3) This is for educational purposes, please do not harm the innocent.
At the center of your being you have the answer; you know who you are and you know what you want. – Lao Tzu
Contributed By
James

Thanks for this, it would be nice if you joined us at totseans.com. We would love to have someone as capable as you with us. Sort of need people that love tinkering with new tools.
Thank you for the invite Richard, will try to drop by when I get the time
[...] couple of days ago, I posted a tutorial on how to sniff passwords from your LAN, which showed us how to sniff HTTP, FTP, POP, TELNET [...]
[...] The steps to the following procedures are pretty much the same as the password sniffing tutorial here but we will add a few more tiny additional steps in this [...]
Great post! I have messed with Cain to do some arp poisoning, but I’m going to use your instructions to play with Ettercap, thanks!
Thanks Mate! The video should be up in an hour or two. A brief demonstration, hope that helps you out further!
Hi James, I would say a beautiful explanation, really appreciate that, but I don’t know why my victim loses the internet connection after ARP poisoning (or it goes really slow), hence I can’t sniff anything. Any help would be appreciated.
Hello Manny, nice to meet you!
Well it seems many people have come across similar problems as you and the conclusion we have come to is that ……..
How it works :
ettercap needs root privileges to open the Link Layer sockets. After opening the sockets the root privileges are not needed anymore, so ettercap drops them to UID = 65535 (This isn’t you!).
But since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). So you have to provide your id instead of the above-mentioned random id 65535. Your id so you will have permissions to the log files.
Locate your ID.
To locate your id, open a terminal and type “id”. (eg : 1000, 1332, 1223 etc etc)…somewhere along that line.
So change the etter.conf EC_UID = 1000 or whatever your id is..
That might work, no promises
Rothschild
Thanks for the quick reply James, I’ve actually already tried that out, changing the EC_UID to 0, still no success. I am wondering if running Backtrack on VMware could be an issue??
Oh Manny, yes VMware has caused many problems with arpspoofing. It’s definitely the problem with VMware 99.9%.
Thank goodness I don’t use VMware.
Here are some methods that might help :
1) In the VM you can set your network card as Host, Bridge and NAT.. try setting it to Bridge, done that?
2) Disable ubuntu firewall @ http://www.cyberciti.biz/faq/ubuntu-server-disable-firewall/
Finally this strange method that has worked for few.
2) We need to change arpspoofing to read the physical MAC, so a secondary method that works for some is spoofing the MAC on the virtual machine.
ipconfig /all
Find your interface and the MAC address will be formatted like:
Physical Address …………… xx-xx-xx-xx-xx-xx
Make note of this and then in Backtrack open up a Konsole and type:
macchanger [Your_Interface] -m [Physical_MAC_Address]
What we’re doing here is spoofing our VM interface to its real MAC address.
Hmmm, tried everything. You know what James, I shall quit using VMware. Appreciate the help though, cheers!!
Good choice
Hi, I have tried your method, but I have this problem:
SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file Privileges dropped to UID 65534 GID 65534…
I know I have to modify the ettercap.conf file, and I did it, but even with that I still have that problem. I’m using Backtrack 5 on VMware Fusion. Thanks for your help.
Hi buddy, sorry for the late response.
Yes, ettercap doesn’t work well with VMware as I mentioned in the post above this to Manny. Here is why and what you can try and do. I personally am not using VMware.
How it works :
ettercap needs root privileges to open the Link Layer sockets. After opening the sockets the root privileges are not needed anymore, so ettercap drops them to UID = 65535 (This isn’t you!).
But since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). So you have to provide your id instead of the above-mentioned random id 65535. Your id so you will have permissions to the log files.
Locate your ID.
To locate your id, open a terminal and type “id”. (eg : 1000, 1332, 1223 etc etc)…somewhere along that line.
So change the etter.conf EC_UID = 1000 to whatever your id is..
That might work, no promises
Hey James, I checked my id and it is “0″ for everything. I also tried to sudo ettercap, but still no change. I will check with the native ettercap version for OSX and see how it is working, I’ll report any good progress. Thanks anyway.
Hey, please help. I followed the steps accordingly, but when I launch ettercap I receive this error when I start the sniffing
“SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…”
When the sniffing eventually starts, it only ends up trying to acknowledge DHCP from the gateway and subnet
” [10.35.0.1] ACK : 0.0.0.0 255.255.252.0 GW 10.35.0.1 DNS 10.105.40.254 ”
again and again
I also get this error on my terminal
(:28797): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed’ is invalid for instance `0x9dce200′
Please advise on any troubleshooting tips. Moreover, would it matter if all ports on my router are being filtered? Because I think that might mess up ARP spoofing
Error : SSL dissection needs a valid ‘redir_command_on’
1. Open a terminal, then enter the command:
root@revolution:/# nano /usr/local/etc/etter.conf
2. Change the parameters ec_uid and ec_gid
Note the lines
ec_uid = 65534 and ec_gid = 65534
Change these two lines to be
[privs]
ec_uid = 0
ec_gid = 0
Press Ctrl + X, then press Y to save, and Enter to confirm.
Run ettercap again with the command:
root@revolution:/# ettercap -T -q -i wlan0
This can solve the ssl dissection error.
Thanks for your response. I did as you suggested but it doesn’t seem to work, see log below:
root@bt:~# ettercap -T -q -i wlan0
ettercap 0.7.4.1 copyright 2001-2011 ALoR & NaGA
Listening on wlan0… (Ethernet)
wlan0 -> 00:21:5D:DA:02:D6 10.35.0.232 255.255.252.0
SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 0 GID 0…
28 plugins
40 protocol dissectors
55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services
Starting Unified sniffing…
Text only Interface activated…
Hit ‘h’ for inline help
DHCP: [10.35.0.1] ACK : 0.0.0.0 255.255.252.0 GW 10.35.0.1 DNS 10.105.40.254
Is your Backtrack on a VM?
No! It’s installed separately on a different partition but I am dual-booting with Windows 7
Could you paste your ipconfig here?
Type : ipconfig on your terminal.
The reason I am asking is because there can only be two diagnoses here. One is a problem with etter.conf and the other is that your IP is not in the target subnet. I have the same setup as you so it should work.
http://www.backtrack-linux.org/forums/archive/index.php/t-43843.html
Here: can you find anything?
root@bt:~/Desktop/src# ipconfig
No command ‘ipconfig’ found, did you mean:
Command ‘tpconfig’ from package ‘tpconfig’ (universe)
Command ‘iwconfig’ from package ‘wireless-tools’ (main)
Command ‘ifconfig’ from package ‘net-tools’ (main)
ipconfig: command not found
Sorry, my bad, here’s the ifconfig output
root@bt:~/Desktop/src# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1d:ba:23:cd:16
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1029 errors:0 dropped:0 overruns:0 frame:0
TX packets:1029 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:160719 (160.7 KB) TX bytes:160719 (160.7 KB)
wlan0 Link encap:Ethernet HWaddr 00:21:5d:da:02:d6
inet addr:10.35.0.232 Bcast:10.35.3.255 Mask:255.255.252.0
inet6 addr: fe80::221:5dff:feda:2d6/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:1527821 errors:0 dropped:0 overruns:0 frame:0
TX packets:568891 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1586214826 (1.5 GB) TX bytes:175770405 (175.7 MB)
wlan0mon Link encap:UNSPEC HWaddr 00-21-5D-DA-02-D6-64-61-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6463166 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2252988346 (2.2 GB) TX bytes:0 (0.0 B)
wlan0mon Link encap:UNSPEC HWaddr 00-21-5D-DA-02-D6-64-61-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:6463166 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
This might be the problem.
This is my ifconfig with monitor mode turned on.
root@KGB:~# ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:43 Base address:0×4000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:12317 errors:0 dropped:0 overruns:0 frame:0
TX packets:12317 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6958798 (6.9 MB) TX bytes:6958798 (6.9 MB)
mon0 Link encap:UNSPEC HWaddr D0-DF-9A-17-A1-59-30-30-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:610 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:143339 (143.3 KB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet addr:192.168.10.1 Bcast:192.168.10.255 Mask:255.255.255.0
inet6 addr: fe80::vrndotrf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9387 errors:0 dropped:0 overruns:0 frame:0
TX packets:12309 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3895334 (3.8 MB) TX bytes:1451422 (1.4 MB)
IWCONFIG
root@KGB:~# iwconfig
lo no wireless extensions.
mon0 IEEE 802.11bgn Mode:Monitor Frequency:2.437 GHz Tx-Power=16 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:on
wlan0 IEEE 802.11bgn ESSID:”fbi”
Mode:Managed Frequency:2.437 GHz Access Point:
Bit Rate=1 Mb/s Tx-Power=16 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:CCCCCCCCC Power Management:on
Link Quality=31/70 Signal level=-79 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:164 Invalid misc:1292 Missed beacon:0
eth0 no wireless extensions.
And iwconfig, thanks!
root@bt:~/Desktop/src# iwconfig
lo no wireless extensions.
wlan0mon IEEE 802.11abgn Mode:Monitor Frequency:2.412 GHz Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
wlan0 IEEE 802.11abgn ESSID:”ARTS”
Mode:Managed Frequency:2.412 GHz Access Point: 00:C0:CA:28:26:AD
Bit Rate=36 Mb/s Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=60/70 Signal level=-50 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:868 Invalid misc:204487 Missed beacon:0
eth0 no wireless extensions.
Thanks, I’ll check and get back to you shortly. Will try my best.
I used BT 64, Gnome
When I type # ettercap -G
I get this error …
Dissector “dns” not supported (etter.conf line 70)
How do I fix this? Please help me
This is a very common problem and you can easily find the solution on google. I will not explain things that people can find by themselves on google.
Learning to use a search engine is part of hacking.
yay bro , I notice about that
I googled the whole day. In BT 32-bit that problem does not occur, it only occurs in 64-bit.
I searched through 10 or 15 pages and found solutions but they did not work for me.
As a result, the default ettercap in BT is out of date, so I deleted it, re-downloaded it from Launchpad, moved it to /usr/local/bin and installed that deb with sudo dpkg -i ettercap-new-version.deb
This version does not need editing like nano /etter.conf.
And then I ran ettercap -G
Shockingly for me, I still got that error >>>>
Dissector “dns” not supported (etter.conf line 70)
How do I fix this? Please help me
PS. When I got the error, I first searched and tried to solve it myself. At last, when my effort was not enough, I asked the original author. I respect the author and the author’s valuable time.
I have never asked easily.
If you are concerned about my problems and my effort, please test with 64-bit for me
Thanks James
Hello friend,
ettercap has stopped being upgraded for over 4 yrs now, but they have provided some .deb files for 64-bit users.
https://launchpad.net/~timothy-redaelli/+archive/ppa
Uninstall your current ettercap version and download and install the recompiled .debs from above. Next try to run it as ettercap -G and also on your terminal as sudo ettercap -i wlan0 -T -q -M ARP:remote // //.
If this too does not work, I am sorry to say that you might have to change to a Backtrack 32-bit
Hope that helps!!
James
Thanks for that reply and for your valuable time
Cheers with Beers
My pleasure! Hope you get your 32bit soon!
hi this is going to sound noob but i have to ask sudo asks for password for root i type in my password then it says Authentication realm: Google Code Subversion Repository then asks for my user name i type in root then password then does it again and again then i get rror processing wpscan (–configure):
subprocess installed post-installation script returned error exit status 1
Setting up ettercap (7.4.1-bt0) …
Errors were encountered while processing:
wpscan
E: Sub-process /usr/bin/dpkg returned an error code (1)
I don’t know what to do. How do I add a user or make this work?
Hi there,
The problem is most likely with your dpkg
Try this :
1) sudo dpkg --configure -a
2) sudo apt-get install -f
If the problem still exists after this, then follow the steps below.
3) sudo gedit /var/lib/dpkg/status
4) Locate the corrupt package, and remove the whole block of information about it and save the file.
It took me less than 4 mins to find these links. All one has to do is paste the error code on google.
http://www.iasptk.com/ubuntu-fix-broken-package-best-solution
http://askubuntu.com/questions/195950/package-system-broken-e-sub-process-usr-bin-dpkg-returned-an-error-code-1
If you plan to hack, learn to use google.
When I try to check from the chk poison plugin, it says no poisoning at all. I have configured the etter.conf file but still it is not working.. someone please help me
You need to make sure your gateway server ip is in the host list.
That is who you are poisoning.
Hi there,
I am having some trouble here. When I type the command “apt-get install ettercap-gtk” I get this message
root@bt:~# apt-get install ettercap-gtk
Reading package lists… Done
Building dependency tree
Reading state information… Done
Package ettercap-gtk is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package ettercap-gtk has no installation candidate
I am using BT5 from a live DVD
Any ideas why that is??? I am also having some other trouble but I’d like to know that it is not related to getting the message above.
Thanks in advance, you’ve done a good job.
Out of curiosity, please try typing : locate ettercap on your terminal.
Or type cd /usr/local/share/ettercap.
Check if you have it by default.
Secondly, what your error means is : Click here
Hi, first of all thank you for replying to me!! Well, I typed locate ettercap on a terminal and it seems that ettercap is installed. I am using the latest version of BT5 which I downloaded about a month ago.
Now, the issue is this: when I start ettercap, after of course I’ve changed the values you mention to 0 and removed the # from the iptables lines, and click unified sniffing, a prompt appears that asks me to choose my interface. The moment I click to change my interface to wlan0, which is the one I use, I get this message
(:4567): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed’ is invalid for instance `0x8eed9f0′
on the terminal that ettercap is running.
I continue the steps as you describe and what I get on the ettercap GUI is this
Listening on wlan0… (Ethernet)
wlan0 -> 00:C0:CA:6C:C8:C6 192.168.1.19 255.255.255.0
SSL dissection needs a valid ‘redir_command_on’ script in the etter.conf file
Privileges dropped to UID 65534 GID 65534…
28 plugins
40 protocol dissectors
55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
7 hosts added to the hosts list…
Starting Unified sniffing…
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
So I go back to the file and change the values again to 0 and remove the # from the iptables lines and start running ettercap again. What I see now in the GUI of ettercap is this
Listening on wlan0… (Ethernet)
wlan0 -> 00:C0:CA:6C:C8:C6 192.168.1.19 255.255.255.0
Privileges dropped to UID 0 GID 0…
28 plugins
40 protocol dissectors
55 ports monitored
7587 mac vendor fingerprint
1766 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
6 hosts added to the hosts list…
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing…
When I try from another computer which is in my network to log in to my mail, I don’t see anything coming out in ettercap, and of course at the terminal where ettercap is running I see again the same message
(:5683): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed’ is invalid for instance `0x8fb59f0′.
Thank you, I appreciate your help on this.
Hello,
It all looks good but let me ask you something. What email did you check with? I ask this because ettercap will not sniff past https sites. It only works with HTTP sites. So if you were trying to sniff your gmail or hotmail account, it won’t work. If you want to sniff https, you will need sslstrip.
James
Also I get the DHCPs as
DHCP: [00:22:41:F8:D1:48] REQUEST 192.168.1.13
DHCP: [192.168.1.1] ACK : 192.168.1.13 255.255.255.0 GW 192.168.1.1 DNS 192.168.1.1
DHCP: [192.168.1.1] OFFER : 192.168.1.19 255.255.255.0 GW 192.168.1.1 DNS 192.168.1.1
DHCP: [192.168.1.1] ACK : 192.168.1.19 255.255.255.0 GW 192.168.1.1 DNS 192.168.1.1
when I log a device in to my network, but as I said I don’t see any other info
Hi, once again thank you. Well, I tried it with all three email accounts I have: hotmail, gmail, and yahoo.
In the tutorial above it shows that you’re sniffing both gmail and hotmail so I was thinking I was doing something wrong. Mind that, like I said, even after doing the changes in the values and iptables lines I still get this message in the terminal running ettercap ” (:5683): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed’ is invalid for instance `0x8fb59f0′. ” the moment I choose my interface. Is this normal?
Anyhow, I’ve also tried the tutorial with sslstrip you have uploaded. In that method I do get the passwords but there is another problem. When I log in to my email account from my MacBook I get the passwords, and I can continue using the mail account normally, by viewing my mails or sending a new one. When I try to log in to my email account from a PC I have, then I still get the user name and password on the machine running BT5, but on the PC I cannot really log in and view my mails as I get back to the login page every time I click the login button.
Any ideas why that is????
Any other tutorials maybe where I can sniff the info I want without any of the above problems?? I am really willing to sort this out, and hope you could help.
Thank you.
The Ettercap project has closed down and has not been updated for a long time. The initial error you are facing is alright if the sniffing still works. They are not fixing any bugs anymore. But the primary thing to notice is whether the sniffing works.
ettercap will work with any site as long as it is merely “HTTP”. If you look at my example output, the target logged in via HTTP, which is why I managed to sniff his hotmail password.
Regarding sslstrip, this tool used to work great but these days all the big email companies have protection against sslstrip. So even when you strip the https from your victim, the email website will bypass that and log them in with https.
Regarding the login problem, that is not a computer issue that I can help with unless I am at your computer. It could be anything from a user problem to a setup problem. I don’t know.
Other sniffing tools are : dsniff, wireshark / ethereal
All in all you need to comprehend that all these tools will not work identically for each user. Each user has a different system and is targeting a different target, so the results may vary.
Figure out how each tool works in a positive manner for you personally, and then make use of their pros and avoid the cons.
After I open ettercap I receive the following in the terminal:
(:2190): GLib-GObject-WARNING **: /build/buildd/glib2.0-2.24.1/gobject/gsignal.c:3079: signal name `depressed’ is invalid for instance `0x97139f0′
(:2190): Gtk-CRITICAL **: gtk_text_layout_real_invalidate: assertion `layout->wrap_loop_count == 0′ failed
Please help me
Read below comments.
Good Article, Written well and Informative
Hiya, your articles are very well written and the methods have worked for me almost seamlessly.
It is noted that the described methods along with sslstrip no longer work for https servers which have been configured to bypass sslstrip and force https login.
I have also read up on ssl session sidejacking, which again no longer works against most major servers as the entire sessions are conducted in ssl and not just the login. Cookies and Certificate data are also being transmitted in SSL.
I have also explored and attempted using the MITM SSH downgrade methods but again major operators such as hotmail and gmail refuse connections using anything less than SSH 2 Protocol.
Are you aware of any more recent methods of decrypting or accessing SSL data over a wireless network that I could head off and read about?
P.S this is my own private network so physically accessing computers, router etc not an issue.
Thanks in advance,
Tony
Hmmm, I replied to this yesterday but it seems it did not go through. Apologies.
Hello
Are you telling me that you are trying to strip the ssl security off a major company server (hotmail, gmail) or are you telling me that your own private network is so secure that you need to find better ways to penetrate your own system?
See, the confusion came about when you said “P.S this is my own private network so physically accessing computers, router etc not an issue.”
Well anyway, currently there is no “apply and strip” kind of tool that works all the time as sslstrip did in the past. But here is the thing: when I am sniffing the private network of a company and when the worker logs on to hotmail through his browser… I am still able to gain the credentials through mitm and sslstrip. But this is just an occasional thing.
Currently there are methods that can assist a hacker in attempting to strip ssl security but it varies greatly with different scenarios, so it’s hard to write a tutorial.
Hope that helps clear some doubt
James