Skip to main content

Sniffing SSL traffic using MITM attack / ettercap, fragrouter, webmitm and dnsspoof.

Before reading on this guide is for educational purposes only. I take no responsibility from what people do with this info.

First thing is to get fragrouter. I don't know if you can use other tools provided with the backtrack, there are 100 ways to skin a cat and this is just my way.

http://packetstormsecurity.nl/UNIX/IDS/nidsbench/fragrouter.html


There are lots of things that you can do with fragrouter but we are going to use fragrouter to setup IP forwarding.

We do this with this command :


Code:
fragrouter -B1Squash that window and put it to one side. Now open another shell and we will start dnsspoof with this command


Code:
dnsspoof -i ath0 (or whatever network interface you are using)Again put that window to one side and lets load up webmitm. Webmitm will issue our ssl cert to the victim so we can decrypt the traffic we capture.

Start webmitm by typing


Code:
webmitm -dNow we can start the arp spoof. To start ettercap type


Code:
ettercap -T -M arp:remote /router addy/ /victim addy/Ok now we are rolling next thing is to sniff the traffic. There are a few things you can do know like using ettercap filters and adding urls from metasploit, (Maybe next tut ) and lots of other things. But we are intrested in the ssl traffic so I use wireshark to save the data into a .cap file.

You can find wireshark in Backtrack >>> Privilege Escalation >>> Sniffers.

Now we have loaded wireshark lets start capturing packets. Go to Capture >>> Options and setup what network card you are using and then hit start.

Ok you should now be capturing packets addressed to your victims addy. Once you have captured enough, stop wireshark and save the data to your root directory.

Now to decrypt the SSL data.

You should first download ssldump:

http://www.rtfm.com/ssldump/

ssldump is going to decrypt our sniffed ssl data using our fake ssl cert we issued to the victim. We do this by opening up a shell and typing:


Code:
ssldump -r your.cap -w webmitm.crt -d > outAnd you are done, all the ssl data will be saved to a file called out in your root dir. Use what you like to search it for passwords etc.
by Dr_GrEeN

Comments

Popular posts from this blog

Test New ALFA-AWUS036H v.2 (1.000mW) VS ALFA-AWUS036H v.1 (500mW)

- Recently emerged the New ALFA-AWUS036H v.2 (1.000mW), and these are the tests. TEST WITH NETSTUMBLER 1) usb da 100mW chipset railink 2) usb da 200mW chipset railink rt73 3) intel 2200 b/g con connettore esterno rp-sma 4) Alfa-AWUS036H 500mW 5) New Alfa-AWUS036H V2 da 1.000mW

Creating A Cheap Bluetooth Sniffer

Many papers and posts on internet forums have commented on the success of turning normal everyday bluetooth USB dongles ($10), into their more powerful counterparts that allow the capturing of packets from the airwaves. These more powerful USB dongles are usually sold at a much higher price ($10,000) together with the software to drive and control these devices. The problems associated with BlueTooth sniffing You cant simply just purchase the dongle with the alternate firmware. There is next to no real opensource packet capture program for the bluetooth protocol. Hardware & Limitations Chipsets: Whats the difference? The chipset of the Bluetooth USB Dongles are very important. Broadcom chipsets are cheap hardware and are deemed unsuitable devices for this paper. But unfortunalty nowadays, every manufacturer seems to prefer putting these chips in their products compared to the more reliable Cambridge Silicon Radio (CSR) chipset. If your lucky enough to find a dongle with a CSR chips...

ALFA-­AWUS036H & ALFA-­AWUS050NH INSTALLING/UPDATING DRIVERS RTL8187, r8187, RT2800usb on UBUNTU

NOTE: For surfing Internet with ALFA-AWUS050NH on Ubuntu Jaunty with rt2870sta driver, you must use the Kernel "2.6.28-11-generic #42-Ubuntu", without change or updates the drivers modules. NOTE: The tutorial is not related to Ubuntu karmic. Driver RTL8187/Stacks-­mac80211 (ref. ALFA-­AWUS036h) ­- These drivers, for surfing Internet, are more stable than r8187, and fully compatible with Network-Manager 0.7 installed by default on Ubuntu 9.04. Network-Manager 0.7 installed by default on Ubuntu 9.04. ­- Supports all encryption without problems. (OPEN, WEP and WPA/WPA2) ­- With Compat-Wireless, the "injection" working, but for support “Fragmentation attack” (opt. -5) you need to install one patch. - The RX sensitivity and packets injection is less, related to drivers r8187. Driver r8187/Stacks-ieee80211 (ref. ALFA-AWUS036h) - This driver is recommended for use with the Suite of Aircrack-ng, but not particularly suitable for Internet connections, as less stable and disc...