Saturday, July 9, 2011

Sniffing Passwords Over a Wifi Connection [Linux/Backtrack5]

Now here's where some fun stuff starts!
I hope many of you have followed my installing Backtrack 5 guide and read up on what ARP is as well as basic Linux commands so you can follow along easily; if not, go read those now!

What you'll need for this tutorial:
If you don't have any of these, follow the links and set up your system before continuing.

Notice: This is purely for educational value, do not attempt this on a network you do not PERSONALLY own. If you do this on a public or private network that you do not have authorization to do so on, it is illegal and you will probably get caught.

Okay, so what we're doing today is using a few programs to sniff passwords over a network and redirect secure HTTPS connections to non-secure HTTP connections to help us get even more passwords.
I've successfully gotten passwords and user names from Gmail, Facebook, Ureddit, Reddit, and Youtube; but all sites should work.

Let's begin:
  • First, we need to figure out the IP address of the user we want to sniff, and the gateway IP (usually 192.168.0.1 or 192.168.x.1 depending on the network)
    • You should have SOME experience with finding users on a network, but if you don't, you can use a program that comes on Backtrack 5 called "Kismet" to identify users, or use the program "Nmap" (short for network mapper).
    • The simplest Nmap command to run would be: nmap -sn 192.168.0.0/24 (adjust this to your own IP range and subnet).
      • The "-sn" option tells Nmap not to port scan and only do host discovery. It is called the Ping Scan option because it essentially performs a large ping sweep across the subnet.
    • The first one (lowest number at the end, such as 192.168.0.1) is the gateway, so remember what number that is.
    • You can figure out what yours is by doing our good old friend "ifconfig" and looking at your IP address. You can then figure out which ones are other computers and choose which one you wish to directly sniff.
  • What we have to do is flip our computer into "forwarding" mode which allows us to forward packets along to other computers. Issue the command: "echo 1 > /proc/sys/net/ipv4/ip_forward" which places "1" (true or allow in computer language) into the file "ip_forward" with the ">" operator.

  • Next, we have to set up our "iptables" to redirect HTTP (normal) traffic to our program sslstrip.
      Issue the command "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666"

    I'm using the port 666 because it's easy to remember, but you can use any port that isn't already being used. You probably already know that port 80 is for HTTP traffic, so you can understand why the "destination port" is that. I'll explain the rest later, so don't worry if it doesn't make sense, just check back later!

    Important note here: run the command "cat /etc/etter.conf |grep iptables" and if your output is:

    # if you use iptables:
       #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
       #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    You need to edit the "/etc/etter.conf" file and delete the two "#" before the "redir_command_on" and "redir_command_off" lines. Open this file by typing "nano /etc/etter.conf" and find those lines, then delete the hashes (#).

  • Now we have to run SSLStrip to strip any HTTPS connections and redirect them to HTTP (insecure) connections. The name SSLStrip is quite perfect, eh?

     To start SSLStrip on my computer, I have to navigate to the SSLStrip folder with the command "cd /pentest/web/sslstrip" first, then issue the command "python sslstrip.py -l 666" to run the program.
    This runs the python script file that starts the program. Python is a scripting language like Perl or Ruby and we will learn about it more in the future. If you're interested in Netsec and want to learn a programming language on your own, definitely check out Python and Perl to start.

    Don't close this terminal.

  • We have to ARP spoof or ARP poison our target computer. We learned about ARP here, and if you haven't read it already, go do so before continuing.
    Open a new terminal now for our ARP spoofing, and run the command:
    "arpspoof -i [your interface] -t [target computer ip address such as 192.168.0.111] [gateway ip address such as 192.168.0.1]"

     When I'm arp-spoofing my computer from my laptop, my command is "arpspoof -i wlan0 -t 192.168.0.111 192.168.0.1"

    If you want to arp-spoof the ENTIRE network, issue the command "arpspoof -i [interface] [gateway IP]".
    Thanks to Volvox for the above hint, but watch out: if your computer can't handle all the redirecting the network requires, it will DoS (denial of service) the network and exhaust your computer's resources.

    Don't close this terminal.

  • Now open another terminal and let's start Ettercap! We will be using it in text mode today because I personally like it better (it feels less script-kiddie-like and is easier to navigate and issue commands in).

    Run the command "ettercap -m [any_file_name.txt] -Tq -i [interface]" and a text interface will come up telling you a bunch of information (I'll post what mine looks like soon).

    I forgot to mention: on the Ettercap text interface you have to press the space bar to show the packets coming in. Do this, and then if there's any browsing on the target computer, you should see the packets start appearing rapidly across your screen.
    Hopefully you're doing this legally on your own network so you can test this out... Open up a browser on your target computer and go to mail.google.com and try to log in. It should redirect you to the HTTP version (but to a normal person, this won't be noticeable). Log in with your credentials and you should see something pop up in your Ettercap that looks like a packet from Gmail. If it's scrolling too fast (which happens), then don't worry, I'll show you how to open up your file.

  • Open a new terminal while Ettercap is running (don't close it!) and issue the command "cat [your_file_name.txt]"
     Now you can see all the information that was printed at first, and at the bottom there should be some sniffed data if all went well (I'll post a screen-shot later).
    Let's clean this up a bit. Issue the command "cat [your_file_name.txt] |grep USER |cut -d" " -f3-12"
    The quotation marks after the d should be normal, but of course the ones surrounding the entire command are not.
    You should see your data cleaned up quite a bit. I'll run through what that command did later, but I hope you understand some of this for now.
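From the defender's side, here is an added example that is not part of the original post: a small Python detector that compares two snapshots of a host's ARP table (in the `arp -n` output format) and flags the IP-to-MAC change that the arpspoof step above leaves on every poisoned host. The gateway address and all MAC addresses are constructed sample values.

```python
"""ARP-poisoning detector (added defensive example, not from the original post).

Compares two snapshots of `arp -n` output and reports IPs whose MAC changed.
A gateway whose MAC suddenly matches another host on the LAN is the classic
footprint of arpspoof -t <victim> <gateway>. All addresses are constructed."""
import re

GATEWAY_IP = "192.168.0.1"  # assumed gateway, as in the walkthrough above

# Constructed snapshots: before and during poisoning. In the second one the
# gateway IP resolves to the MAC that 192.168.0.20 legitimately owns.
SNAPSHOT_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   aa:bb:cc:00:00:01   C                     wlan0
192.168.0.20             ether   aa:bb:cc:00:00:20   C                     wlan0
192.168.0.111            ether   aa:bb:cc:00:01:11   C                     wlan0
"""
SNAPSHOT_DURING = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   aa:bb:cc:00:00:20   C                     wlan0
192.168.0.20             ether   aa:bb:cc:00:00:20   C                     wlan0
192.168.0.111            ether   aa:bb:cc:00:01:11   C                     wlan0
"""

# Matches complete entries only; "(incomplete)" rows carry no MAC and are skipped.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-fA-F:]{17})\s")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` style output (MACs normalised to lowercase)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def detect_arp_changes(before, after, gateway_ip=GATEWAY_IP):
    """Compare two {ip: mac} tables and return one alert dict per changed binding.

    A changed gateway MAC is 'critical'. The alert also lists every other IP the
    new MAC answers for, because a poisoner's MAC claims the gateway (and the
    victim) on top of its own address."""
    alerts = []
    for ip, old_mac in before.items():
        new_mac = after.get(ip)
        if new_mac is None or new_mac == old_mac:
            continue
        others = sorted(o for o, m in after.items() if m == new_mac and o != ip)
        alerts.append({
            "ip": ip,
            "old_mac": old_mac,
            "new_mac": new_mac,
            "severity": "critical" if ip == gateway_ip else "warning",
            "mac_also_used_by": others,
        })
    return alerts


def likely_spoofers(alerts):
    """MACs that took over an IP while still being bound to another IP."""
    return sorted({a["new_mac"] for a in alerts if a["mac_also_used_by"]})


if __name__ == "__main__":
    found = detect_arp_changes(parse_arp_table(SNAPSHOT_BEFORE),
                               parse_arp_table(SNAPSHOT_DURING))
    for a in found:
        print(f"[{a['severity']}] {a['ip']} moved {a['old_mac']} -> {a['new_mac']}"
              f" (MAC also used by {a['mac_also_used_by']})")
    print("likely spoofer MAC(s):", likely_spoofers(found))
```

Polling `arp -n` every few seconds and feeding consecutive snapshots to `detect_arp_changes` turns this into a simple host-based alarm for the attack this post walks through.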
Last updated 3/15/2013

103 comments:

  1. Nice. It was just the other week I successfully arp-spoofed someone. Looking forward to some more tutorials.

  2. I've seen this before and tried it for a few hours in my house. Free internet! LOL

  3. I wouldn't try this on AT&T or Verizon hotspots, they catch onto them real quick and will ban your hardware

  4. @Anon, I'll definitely be updating more
    @DIY, good to know you've done it!
    @NeverPool, good info, thanks man.
    @Electric, hell yeah it does ;D

  5. @NeverPool:

    Do you mean ban using MAC address? Backtrack comes with a little tool called macchanger. If you're cracking wireless or anything it should probably be used just to stop routers from getting your real mac too.

    Put your interface down: ifconfig wlan0 down
    Change your mac: macchanger -r wlan0
    Put your interface up: ifconfig wlan0 up

    And when you check with ifconfig your mac address should have changed.

  6. Nice, follow+, I got the full CEH seminar (6 DVDs) if u need!

  7. @Serviser, that would be amazing, how big is it? Have a mediafire link?

  8. Thanks, I'm sure it will come in handy.

  9. Wow, great information. I'm actually looking into majoring in Computer Science / Computer Security next semester, so I'm hoping that all your information is gonna help me better understand the subject!!! Keep up the good work!!! :D

  10. Haha, I like how it says "11 nerds commented" LOL. Great info!! Keep up the good work!

    +1 follower

  11. Awesome. Insanely awesome and a terrific level of not entirely jargon based detail, fantastic work, very impressive.

  12. As soon as I invest in a hard drive with 300 GB, I gotta partition and set up Linux on it. Been wanting to do this for a while.

  13. This sure looks complicated. Like in those movies where hackers think in binary lol

  14. Are you one of those matrix guys seeing pictures in green numbers running along the screen? ;)
    +followed

  15. Meaning to start my hacking adventures, but get discouraged whenever I see lines of connected text and have no idea what it represents... having limited Linux experience doesn't help either :|

  16. Some good info here, m'man! I personally don't run Linux, but I AM savin' yer posts...at some point in time, I'll have a rig of my own built that I can dual-OS with.

    Reckon this'll help a lot then, y'knowwhatImean?

    Don't ask why I don't dual-OS if not flat-out use Linux now...it's a long, personal kinda thing.

  17. @Inverse, check out my "learning linux" post, it might help make linux an easier experience.
    @TBFB, thanks man, dual-booting is almost always better since it allows you to have access to more options than other people (for instance, Cain&Abel is Windows only).

  18. That's great info, it's good to know all this stuff. You never know when you're gonna need it :)

  19. I used mandriva in 2010, but not really good
    follow

  20. @Alex, never heard of that before, is that like a WarDriving program?

  21. Great info, I will definitely try this out with the wifi connection of my school

  22. Sometimes when it rains my connection stops working. I thought it would be a good idea to use my neighbor's connection when that happened. So, I broke into his connection, only to discover he has the same ISP and his connection stops working whenever my connection stops working, haha.

  23. Been doing this for a little while now on my home network.
    Something else that works for arpspoof is to just hit the entire network!
    arpspoof -i
    This will target anyone on the network, but note that if your machine cannot handle all the traffic, it will shut down the entire network. People will notice because the router needs to re-ARP the network topology and does not do it immediately! Good luck!

  24. Edit: arpspoof -i "interface" "gateway ip"

    Replies
    1. This doesn't work... arpspoofing a specific IP works fine for me... as soon as I remove the victim IP and leave only the default gateway, I get no data...

  25. Good info Volvox, I'll update my original post with that tip and warning, too. Thanks!

  26. Been there, done that, but this is a much easier way.

  27. very cool blog, and very good tips in this post, definitely following you

  28. I'm a cyber security student. This blog is very interesting to me. I really look forward to reading more.

    Check out my blog as well! Cheers.

  29. Ohh. Good stuff here, thank you. Love the informative blogs.

  30. I wish I could understand this. I'm still learning the basics, I'm going to read everything and maybe I will learn something. Thanks

  31. This is what I'm looking for! I share a wifi network with other students living here. Most of them are chicks, really hot chicks. Will try this out! thnx +following

  32. thanks man, I'll sure try this one out.. on myself though :)

  33. ettercap -m only logs what is going on in the interface. To get the good stuff you need ettercap -L or ettercap -l

  34. Yeah good tutorial. Keep teaching people this stuff. I say the more people know about security the better the world will be.

    Did follow.

  35. Dude, this is awesome info. Thanks for sharing. This is the kinda of thing I'm interested in.

    Check me out at:
    http://brassdragons.blogspot.com/

  36. @Anon, this way logs the usernames with passwords, DHCP connects, the IPs they're from, and the websites of interest.

    @Criswell, why disappoint eyes? piping cat with grep is an effective way of doing it.

  37. You could also use nmap to find all the hosts on the network.

    Also, cat file | grep ... can be replaced with just grep ... file -- hence his disappointed eyes.

  38. How is this "sniffing passwords over wifi connection"? This article seems to assume you already have access to the local network. I.e. if it's a WPA2 secured network you wouldn't be able to do any of the above without the pw.

  39. @Karate I'm writing up an nmap post now about its uses!

    Why I did cat | grep is because I needed to place it into a file and since I'm just starting that was the way I knew it; my BASH scripting post will be updated ;D

    @Anon, how else could you sniff packets unless you're connected to the network? It makes no sense to not assume you're already connected.
    WPA2 can still be cracked, it just requires a dictionary attack.

  40. Great. More Skiddies. Just what the world needs.

  41. Get high range wifi connections for your laptops by using long range USB wifi Adapter available at wifi decoder. It also includes wifi signals, hi power antenna, wifi decoder wholesale and many more to make your connection accessible in long distances.

  43. WEP makes everything so much easier..

  45. @Marshal - Question. I run Ettercap on my laptop, "attacking" my desktop, I was able to see all of the packet information and such on the terminal screen. But when I saved it to a file, here is all I got out of it: http://chigstuff.com/uploads/this.txt

    The command I was using was "ettercap -m this.txt -Tq -i eth0"

  46. @Chris, you have to follow one of the first commands, that's flipping your computer into forwarding mode by using the echo command to set forwarding on using the ">" Linux operator. If you didn't do this you will receive that error. Try doing this then get back to me on whether it works. Hope this helps!

  47. @Marshall - I ran the commands you posted just like they're typed, basically copy pasta with my own interface and IPs put in. I messaged you on Reddit, check your inbox.

  48. @Chris, alright, we'll talk elsewhere and more in depth.

  49. A little more light reading that I found on this subject.

    http://forum.intern0t.net/offensive-guides-information/2769-stealing-credentials-via-mitm-attacks-arpspoof-sslstrip-iptables.html

  50. Hi.
    Thanks for the helpful post. I did exactly what you did and was able to retrieve some passwords. However, after a while the terminal running ettercap just stops and shows an error that the iptable must be upgraded. After this I tried to do the steps again but no more passwords seem to come up, only lines that have DHCP then some numbers. I am using Backtrack 4 with UNetbootin from my USB stick.

  51. Thank you I am using Ubuntu 11.04 currently will definitely be using this.

  52. I successfully tried the ettercap for sniffing passwords on LAN and on WiFi network which don't have a security key.
    But when I'm in university, the network there has a WPA/WPA-2 key; although I know the key and I'm connected to the network, ARP poisoning causes the victims not to be able to open webpages. What I've sorted out using my own router by enabling and disabling the WPA/WPA-2 key is that this sniffing has something to do with the WPA/WPA-2 key. What I feel is that on a security enabled WiFi network, even though we're connected to it, MITM attacks are not successful.
    If it is otherwise, please explain...

  53. @Anon, how big is your uni network? I'm assuming it's quite large, so your computer cannot handle all the traffic. Also, I would suggest NOT doing this on a public network, especially your university's, because it's not only against their TOS but illegal and can get you arrested or kicked out of school. My school has very strict policies with MITM attacks and packet sniffing (it's NOT allowed and strictly enforced), so I guess yours would too.

  54. good info, thanks!

  55. do you have a post on using Kismet?

  56. @Anon (Feb 20) Not yet since it's pretty easy to use, but I'll make one soon!

  57. I'm having a problem... when I enter the command to start ettercap there's a message displayed that says 'ssl dissection needs a valid redir_command_on script in the etter.conf file' but I've already removed the "#" from the code. Any help is much appreciated

    Replies
    1. You said "the '#'", which makes me think you only deleted one of them. You need to delete TWO #s from the conf file for it to work.

    2. Thanks for the reply but still no luck... any other suggestions?

  58. I did delete both "#" in front of the lines redir_command_on and redir_command_off... I don't understand it

    Replies
    1. Did you save the config file? We've all done the old :q without :w first or forgot :wq ;]

  59. Could this problem be caused by running BT5 off CD? How are you running it?

  60. Great article. One issue I have is that once I start spoofing, my victim machine can go to HTTP sites just fine. But when I try to go to an SSL site, the browser times out. I double checked that IP forwarding is on, any ideas what I can check next?

    Replies
    1. This is what has happened to me as well; it's either really slow or times out.

      It may be your computer NIC/hardware not being good enough to forward packets that quickly or something else I'm unaware of.

    2. thanks again

  61. And you never even mentioned what type of wireless NIC you used. Shame on you. Wasting everyone's time. Very few wifi nics are capable of arpspoofing. Maybe help out the community by listing the hardware used.

    Replies
    1. Sorry about that, I wasn't aware most technology could not handle this-- the technology I originally used was QUITE old.

  62. Hi, I just want to ask: can IP hackers sniff what you do on YouTube? Even if u use HTTPS? What about if you're using Tor?

    Replies
    1. I don't really understand this question. Your IP can be found many different ways.

  63. my ettercap shows this error: SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...

    why?

  64. When I try to run the pingscan.sh script, I get: Syntax error "done" unexpected

    When I remove "done," I get: Syntax error: end of file unexpected (expecting "done")

    anyone know what's going on here?

    Replies
    1. I removed the pingscan script as Nmap does it quite a bit more effectively :]
      I wrote that script a few years ago when I was quite ignorant of general usage, so I would definitely use Nmap in any situation now.

  65. "my ettercap show this error :SSL dissection needs a valid 'redir_command_on' script in the etter.conf file Privileges dropped to UID 65534 GID 65534..."
    For this I would recommend the same step of "cat /etc/etter.conf |grep uid" and nano it to change the UID and GID to 0, which means you will get root privilege.

  66. Great tutorial, thanks :)

  67. I'm having a problem, 95% of the time the target computer (Windows 7) does not load the page. I can see some information in the terminal, but not so much :s

    Can somebody help me see what is going on? Thanks!

    Replies
    1. It might be that the computer you are sniffing from does not have the capabilities to forward fast enough and thus the page times out.

  68. HELP!! My ex-boyfriend is in Afghanistan, a UK contractor that does secured comms for NATO. No matter what I do he can still get into my accounts and I can't figure out how he is doing it.. I have done everything: password resets, imaging my laptop, replacing hardware, changed all my security questions.. This has all been done on my computer at work on a secured network. How is he getting my IP? I desperately want to find out how he is doing this, more out of curiosity than anything else. I am beyond pissed off, this has been going on for 2 + years.. Any suggestions? I am not as computer savvy as I used to be...

    Replies
    1. You should try to change all your passwords and security questions through a different location. For example an internet cafe.

      Afterwards, do not log in to your accounts from any of your machines before you make sure they are secure and free of malicious code.
      The easiest way is to format everything but I guess you have stuff you want to keep so let's review another option. (Not to mention he may just be poisoning your network from a nearby remote location)

      Remove your HDD and take them to a friend's house. Insert the HDD there and perform an AV scan ( preferably something reputable that has high %% detection rate, including rootkits and other fun stuff like that ) on the whole drive.
      Presumably, this will ensure that your own machine is secure. If he's an expert, there is a possibility he's using some serious FUD stuff but let's hope he's not.

      Lastly, you need to ensure there is no unauthorized device connected to your network which may be poisoning your LAN. Easiest way to find out is through the DHCP tables in your router. Routers vary and it may be under a different name so you'll have to play around with the options until you find a list of connected devices.
      If that fails, you could try and scan your networks for unknown clients ( e.g. not you ) with nmap or an equivalent tool. But, if he does secured comms, that may be fruitless as he may be able to mask his host as a dead one. In which case, I have no solution.

      Good luck.

    2. More options I should mention.

      He might have infected your phone in which case I suggest you stop using the installed apps ( uninstall facebook etc ).

      Disable wireless connectivity on your router and connect your laptop through a wired connection if you suspect poisoning but cannot find him. ( there are routers which provide safeguards against such attacks but I don't think that's necessary )
      Moreover, just to be on the safe side, turn off your laptop wifi ( either a hardware button or in adapter settings, right click -> disable ).

    3. What Anonymous said are good suggestions, but if it has been harassment for over two years I would really consider going to the authorities.

  69. SSLStrip is no longer enough for Google's HTTPS. I'm wondering how much of a hassle it would be to delve into the script and try to mend it. The talk of the next Defcon or a few sleepless nights ?

    Replies
    1. That would be very interesting-- I haven't used SSLStrip in a while and wasn't aware of the Google change. I'm definitely waiting for a fix from someone about this but I'm not sure how often SSLStrip is updated.

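The usual reason sslstrip stops working against a site is HTTP Strict Transport Security (HSTS, RFC 6797): once a browser has seen the Strict-Transport-Security header from a host over HTTPS, it rewrites later http:// navigations to https:// on its own, so the stripped links never produce a plaintext request for the interception point to see. As an added example that is not from the original post or the sslstrip project, the following Python models that browser-side cache; the hostnames, header values and preload entry are constructed.

```python
"""Model of a browser's HSTS store (added example; hosts and headers are constructed).

Shows why the HTTPS-to-HTTP downgrade in the post above fails once a site sends
Strict-Transport-Security: the upgrade happens inside the browser before any
request leaves the machine, so there is no plaintext session to capture."""
import time
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self, preload=(), now=time.time):
        self.now = now                      # injectable clock so expiry can be tested
        self.entries = {}                   # host -> (expires_at, include_subdomains)
        for host in preload:                # preloaded hosts are pinned and never expire
            self.entries[host.lower()] = (float("inf"), True)

    def observe(self, url, headers):
        """Record the policy from a response. RFC 6797 only honours the header
        when it arrives over HTTPS, so a stripped (plain HTTP) response cannot
        plant or alter a policy. Returns True when a policy was stored or cleared."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")   # assumes exact header name
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.lower(), arg.strip().strip('"')
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:                 # max-age is mandatory; ignore malformed header
            return False
        host = parts.hostname.lower()
        if max_age == 0:                    # max-age=0 removes the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if the host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser actually requests: an http:// URL for a
        known host is upgraded locally, which is what defeats the strip."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    # Constructed: the first visit over HTTPS delivers the policy...
    cache.observe("https://mail.example.test/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    # ...so a stripped http:// link later in the session is upgraded before it is sent.
    print(cache.navigate("http://mail.example.test/login?continue=inbox"))
```

The first visit is still the weak spot this model makes visible: a host with no cached or preloaded policy is navigated as-is, which is why preload lists matter.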
  70. Hi. I'm a newbie in the world of hacking. May I know what should I put in [interface]? I'm a total noob so please help me and elaborate as much as possible. Thank YOU!

    --KERV

    Replies
    1. Run the command "ifconfig" which will display your network interfaces. For [interface] you would enter the name of the interface (normally eth0 for ethernet or wlan0 for wireless).

  71. Anyone know if this should work with Microsoft Exchange Outlook Web App? Best and thanks in advance

    Replies
    1. I'm not sure, but I think it forces SSL so it wouldn't work over normal HTTP, but I could be wrong.

  72. This is a nice tutorial man, it's clear and tidy

  73. Does any one know of a newer or better way of doing this?

    I don't seem to be having much luck & I've followed everything step by step.
    The network connection for the target machine comes to a near stop making it practically impossible to use.
    sslstrip does not seem to be doing anything as the URL is not changing for https sites.

    The Ettercap text file only captures the information below, although I can clearly see far more than this when looking at the packets coming in.

    -----------------------------
    Listening on:
    wlan0 -> 00:21:6B:46:4E:DA
    192.168.0.20/255.255.255.0
    fe80::221:6bff:fe46:4eda/64

    Privileges dropped to UID 65534 GID 65534...

    31 plugins
    43 protocol dissectors
    59 ports monitored
    16074 mac vendor fingerprint
    1766 tcp OS fingerprint
    2183 known services

    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    1 hosts added to the hosts list...
    Starting Unified sniffing...


    Text only Interface activated...
    Hit 'h' for inline help


    Terminating ettercap...
    ----------------------------------
    Am I doing something wrong here?

    Replies
    1. The connection on your target machine is becoming very slow because your attacking computer probably can't handle all the traffic it is receiving. What websites have you tried? Some websites only offer HTTPS for certain pages, so that could be your problem.

  74. I've done sniffing over any WiFi connection ever because I don't really know how to do it actually. Really enjoyed learning how to actually accomplish such tricky works through reading such enormous allocation!! Thanks for helpful contribution.
