Hey guys

This is my method of sniffing and decrypting ssl traffic on a network.

Before reading on this guide is for educational purposes only. I take no responsibility from what people do with this info.

First thing is to get fragrouter. I don't know if you can use other tools provided with the backtrack, there are 100 ways to skin a cat and this is just my way.

http://packetstormsecurity.nl/UNIX/IDS/nidsbench/fragrouter.html


There are lots of things that you can do with fragrouter but we are going to use fragrouter to setup IP forwarding.

We do this with this command :

fragrouter -B1

Squash that window and put it to one side. Now open another shell and we will start dnsspoof with this command

dnsspoof -i ath0 (or whatever network interface you are using)

Again put that window to one side and lets load up webmitm. Webmitm will issue our ssl cert to the victim so we can decrypt the traffic we capture.

Start webmitm by typing

webmitm -d

Now we can start the arp spoof. To start ettercap type

ettercap -T -M arp:remote /router addy/ /victim addy/

Ok now we are rolling :D next thing is to sniff the traffic. There are a few things you can do know like using ettercap filters and adding urls from metasploit, (Maybe next tut :D) and lots of other things. But we are intrested in the ssl traffic so I use wireshark to save the data into a .cap file.

You can find wireshark in Backtrack >>> Privilege Escalation >>> Sniffers.

Now we have loaded wireshark lets start capturing packets. Go to Capture >>> Options and setup what network card you are using and then hit start.

Ok you should now be capturing packets addressed to your victims addy. Once you have captured enough, stop wireshark and save the data to your root directory.

Now to decrypt the SSL data.

You should first download ssldump:

http://www.rtfm.com/ssldump/

ssldump is going to decrypt our sniffed ssl data using our fake ssl cert we issued to the victim. We do this by opening up a shell and typing:

ssldump -r your.cap -w webmitm.crt -d > out

And you are done, all the ssl data will be saved to a file called out in your root dir. Use what you like to search it for passwords etc.

There we go! nice and simple for everybody to understand. :D

Interesting tutorial, I usually just use ettercap's SSL capabilities.

Quick question.. trying to sniff https traffic on my own network.. it looks like the websites are being sent compressed. I know ettercap can change that with filtering but when it passes through ettercap it is still encrypted with SSL. Is there a better way to do this?

Also, is there an SSL decrypted out there that dumps the traffic back into a pcap capture format? I looked around on google and can't find one.

I have been working on this for some time now. This morning in finally got ssl mitm working to the point that every site i tested dumped the user credentials. Unfortunately I have been unsuccessful in replicating this attack. Below are the commands I used for my successful attack. I have tried so many different combinations of this attack that I’m starting to get frustrated.


echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp –dport 443 -j REDIRECT
iptables -A FORWARD -j ACCEPT
webmitm -d

ettercap –G
unified
ath0
arp poision
start sniffing


What am I missing? Any help on this would be greatly appreciated.

Note: my ettercap config has the iptables uncommented

NM ill do my homework before i ask already asked questions...

HUmm interesting... Does it work in offline mode? If it is not possible. do you knoww a way to make it off line?

Just a note: You don't have to use fragrouter, just

echo 1 > /proc/sys/net/ipv4/ip_forward


In addition Ettercap disables ip_forward anyways and just uses its own. So if you use ettercap you don't need to setup ip_forwad.

First thing is to get fragrouter. I don't know if you can use other tools provided with the backtrack, there are 100 ways to skin a cat and this is just my way.


There are lots of things that you can do with fragrouter but we are going to use fragrouter to setup IP forwarding.

We do this with this command :

fragrouter -B1

apparently you can use ettercap to sniff and mitm two seperate subnets.
I had a Wireless AP honeypot -> ath0 -> laptop -> eth0 -> internet setup for demo-ing to our employees how unsafe cafes are and to never just click "Accept" (though i doubt it did any good...) and i would always enable the forwarding AFTER starting ettercap:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This works intermittently but worked for Gmail which was good enough, they got the message (those that werent napping).

Do not enabling packet forwarding via the kernal, i.e. /proc/sys/net/ipv4/ip_forward. Ettercap does this for you if you enable it in the kernel you will flood the network with duplicate packets. If you want to use the kernel than disable packet forwarding in ettercap. If you run both you'll cause havoc with duplicate, unnecessary packets.


apparently you can use ettercap to sniff and mitm two seperate subnets.
I had a Wireless AP honeypot -> ath0 -> laptop -> eth0 -> internet setup for demo-ing to our employees how unsafe cafes are and to never just click "Accept" (though i doubt it did any good...) and i would always enable the forwarding AFTER starting ettercap:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This works intermittently but worked for Gmail which was good enough, they got the message (those that werent napping).

When used on a gateway, you have no choice.
from man ettercap:
"The kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel). This is an invasive behaviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface. "

So if used on two separate subnets (see my previous post), ie gateway, and you need it to be offensive, then you need the kernel to forward, am i wrong?



Do not enabling packet forwarding via the kernal, i.e. /proc/sys/net/ipv4/ip_forward. Ettercap does this for you if you enable it in the kernel you will flood the network with duplicate packets. If you want to use the kernel than disable packet forwarding in ettercap. If you run both you'll cause havoc with duplicate, unnecessary packets.

Sorry, I completely missed the gateway connection. Late Night post. So yes you are right; you don't have a choice on Gateways. I read that in ettercap's man just the other day. LOL.

Edit: Well wait. If you need it to be offensive, then I think just use ettercap. Ettercap doesn't detect if you're on a gateway, so you have to tell it not to forward. This is unoffensive. I'm not a pro at ettercap, but I think this is true. Does this sound right?

Sorry, I completely missed the gateway connection. Late Night post. So yes you are right; you don't have a choice on Gateways. I read that in ettercap's man just the other day. LOL.

Edit: Well wait. If you need it to be offensive, then I think just use ettercap. Ettercap doesn't detect if you're on a gateway, so you have to tell it not to forward. This is unoffensive. I'm not a pro at ettercap, but I think this is true. Does this sound right?

True, if you use it in unoffensive mode, it's okay. But for unoffensive mode, might as well just use wireshark...

Anyone know where I can get a version of fragrouter that will work on BT3

This worked fine yeah, i capped myself signing into googlemail and hotmail just for fun i saved all the ssl data as a cap file in wireshark and following the instructions made a file called through ssldump called out.....it didnt literatlly decrypt it, my password or mail address never showed up at all....is it sposed to or am i missing somthing here ?

I don't think this is supposed to show you the mail address and the password.

In that case it worked perfectly and it was decrypted in plain text......:)

In that case it worked perfectly and it was decrypted in plain text......:)

If you didn't get the password or login, what was the point? Just use ettercap, in fact I did it just today for fun (ah, how nerdy).

Off of memory:

edit etter.conf (use locate)
set UID and GID to 0
look for iptables under "Linux" and uncomment both lines
ettercap -T -q -i whateverinterface -M arp:remote // //

Use ettercap -I to find out what interface you can use.
This will print any passwords that are captured to stout.

Read a tutorial on ettercap, you can do some crazy things.
Try here http://www.iljya.com/projects/SSLVideo/

P.S. Some one correct me if I'm wrong above.

Off of memory:

edit etter.conf (use locate)
set UID and GID to 0
look for iptables under "Linux" and uncomment both lines.No need for these steps in BT3 Final.

No need for these steps in BT3 Final.

Oh, beautiful. I had lost my BT3 cd, so I was using BT2. Thanks for the heads up.