TheTAZZone - Internet Chaos

Ettercap Part I



Ettercap Part II is out as well; check the forums or this link.

Ettercap is an open source program that combines a packet sniffer with pop/http/https/sftp and many other password crackers. It also has several other abilities, including the nearly unlimited ability to use custom filters and plug-ins. Last but most certainly not least is the ability to steal SSL/SSH logins, such as the logins to Gmail, Yahoo, and many other 'secure' connections.

With such a resume, it is easy to see why ettercap is so popular, and it is difficult to decide where to begin, but I will start with the easy stuff: the built-in abilities of ettercap without any modding or any plugins. I will try to cover both the Windows version and the Linux version, but I will probably lean more toward Windows for now, because my Linux box has been down for so long. Let's start with a screenshot of nothing interesting, just the open program. Note that I will be using the newer GUI instead of the old GUI or the command line. All are viable options, but I didn't notice any lack of functionality with the GUI, so I went with it.

Screen Shot #1

After we go to sniff -> unified sniffing we see all of our options, and we can delve into the program.

The Basic Program

Now we can get into the basic features of the program, which is basically everything the program does automatically without having to change any configuration files or write anything. First we go into sniff -> unified sniffing and select the network card we want to use. The program works with every card I've ever used, and I'm assuming it will work with yours too. We are going to start on the wireless network connected to the internet, so I select that card and we get a whole bunch of new options at the top of our GUI.

Screen Shot #2

Now we need to scan for hosts. This is the easiest step, but it may take a while, depending on how your network is set up. Go to the top bar, and go to hosts -> scan for hosts. It will go through its automatic steps and show you its progress. Now press H (or go to hosts -> hosts) and see who is on the network. Pick your targets using the 'add to target 1'/'add to target 2' buttons. Try to keep it under 3 or 4 targets.

Screen Shot #3
Screen Shot #4

Our next step is to pick our type of attack, so we go to Mitm on the top bar, where we are given the choices: ARP poisoning, ICMP redirect, Port Stealing, and DHCP spoofing. We are going to pick ARP poisoning, and we are going to sniff remote connections as well (don't poison one way). You can find a good example of what ARP poisoning is here. Now just go to Start -> Start sniffing (ctrl-W). You can view your targets' connections by going to view -> connections, but this isn't necessary. All captured passwords will be displayed in the info box at the bottom of the screen.

Screen Shot #5
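For the defending side of the ARP poisoning step above, the following added example (not part of the original tutorial) flags the two traces this kind of man-in-the-middle leaves on a LAN: an IP address whose MAC binding changes, and a single MAC answering for several IPs. The record format, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: ARP replies seen on a LAN, as "seconds sender_ip sender_mac".
# All addresses are made up; 192.168.1.1 stands in for the default gateway.
SAMPLE = """\
0.0 192.168.1.1 00:11:22:33:44:55
0.4 192.168.1.20 00:aa:bb:cc:dd:01
1.1 192.168.1.66 00:de:ad:be:ef:66
9.0 192.168.1.1 00:de:ad:be:ef:66
9.0 192.168.1.20 00:de:ad:be:ef:66
19.0 192.168.1.1 00:de:ad:be:ef:66
"""

def parse(text):
    """Yield (time, ip, mac) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2].lower()
        except ValueError:
            continue

def detect(records):
    """Return alerts for IP->MAC rebinding and for one MAC claiming several IPs."""
    first_mac = {}                  # ip -> first MAC learned for it (the baseline)
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    seen = set()                    # suppress repeats of the same finding
    alerts = []
    for ts, ip, mac in records:
        baseline = first_mac.setdefault(ip, mac)
        if mac != baseline and ("rebind", ip, mac) not in seen:
            seen.add(("rebind", ip, mac))
            alerts.append((ts, "rebind", ip, baseline, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and ("multi", mac) not in seen:
            seen.add(("multi", mac))
            alerts.append((ts, "multi-ip", mac, sorted(ips_by_mac[mac])))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE)):
        print(alert)
```

A MAC that legitimately serves several addresses (a router with multiple interfaces, proxy ARP) needs an allowlist before the multi-ip alert is useful. Static ARP entries for the gateway or switch-level Dynamic ARP Inspection prevent the rebinding in the first place.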

**LINUX USERS ONLY**- You guys (you lucky devils) can capture SSL passwords by following these simple steps. In your ettercap directory, you will find a file named etter.conf. Scroll down until you see a section that looks similar to this:

# Linux

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

You are probably using iptables, so go ahead and uncomment the two lines after "# if you use iptables:". And poof, you are now attempting to get SSL passwords as well, which will be displayed in the same area as the pop3, http, and other unprotected passwords. An important thing to mention is that I said "attempt": while attacking this way, ettercap acts as a proxy server and renegotiates the SSL connection; basically, it sends a different certificate. It will look exactly like the other one (or should), but people will be asked whether they want to accept it. Most people in my experience will accept it, but just be careful, and don't do this while attacking at, say, the Black Hat conference.

**Edit** I just noticed something while using the BackTrack live CD: while using SSL decryption, you can only use target 1 listings, i.e., every computer you're attacking goes under the target 1 listing. If you use both, neither will work.

Screen Shot #6 (sample stolen passwords)

THIS IS PART 1; Part 2 next week.

Part 2 will include the more advanced ettercap options, from filters, to plugins, to (hopefully) a video demonstrating many of the features of ettercap.

Last Updated ( Saturday, 13 January 2007 )
