Saturday, July 9, 2011

Sniffing Passwords Over a Wifi Connection [Linux/Backtrack5]

Now here's where some fun stuff starts!
I hope many of you have followed my installing Backtrack 5 guide and read up on what ARP is as well as basic Linux commands so you can follow along easily; if not, go read those now!

What you'll need for this tutorial:
If you don't have any of these, follow the links and set up your system before continuing.

Notice: This is purely for educational value, do not attempt this on a network you do not PERSONALLY own. If you do this on a public or private network that you do not have authorization to do so on, it is illegal and you will probably get caught.

Okay, so what we're doing today is using a few programs to sniff passwords over a network and redirect secure HTTPS connections to non-secure HTTP connections to help us get even more passwords.
I've successfully gotten passwords and user names from Gmail, Facebook, Ureddit, Reddit, and Youtube; but all sites should work.

Let's begin:
  • First, we need to figure out the IP address of the user we want to sniff, and the gateway IP (usually or 192.168.x.1 depending on the network)
    • You should have SOME experience with finding users on a network, but if you don't, you can use a program that comes on Backtrack 5 called "Kismet" to identify users, or use the program "Nmap" (short for network mapper).
    • The simplest Nmap command to run would be: nmap -sn depending on what your IP range and subnet is.
      • The "-sn" option tells Nmap not to port scan and only do host discovery. This option is called the Ping Scan option since it essentially just performs a large ping sweep over the subnet.
    • The first one (lowest number at the end, such as is the gateway, so remember what number that is.
    • You can figure out what yours is by doing our good old friend "ifconfig" and looking at your IP address. You can then figure out which ones are other computers and choose which one you wish to directly sniff.
  • What we have to do is flip our computer into "forwarding" mode which allows us to forward packets along to other computers. Issue the command: "echo 1 > /proc/sys/net/ipv4/ip_forward" which places "1" (true or allow in computer language) into the file "ip_forward" with the ">" operator.

  • Next, we have to set up our "iptables" to redirect HTTP (normal) traffic to our program sslstrip.
      Issue the command "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666"

    I'm using port 666 because it's easy to remember, but you can use any port that isn't already in use. You probably already know that port 80 is for HTTP traffic, so you can understand why the "destination port" is 80. I'll explain the rest later, so don't worry if it doesn't make sense yet, just check back later!

    Important note here: run the command "cat /etc/etter.conf |grep iptables" and if your output is:

    # if you use iptables:
       #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
       #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    You need to edit the "/etc/etter.conf" file and delete the two "#" before the "redir_command_on" and "redir_command_off" lines. Open this file by typing "nano /etc/etter.conf" and find those lines, then delete the hashes (#).

  • Now we have to run SSLStrip to strip any HTTPS connections and redirect them to HTTP (insecure) connections. The name SSLStrip is quite perfect, eh?

     To start SSLStrip on my computer, I have to navigate to the SSLStrip folder with the command "cd /pentest/web/sslstrip" first, then issue the command "python -l 666" to run the program.
    This runs the python script file that starts the program. Python is a scripting language like Perl or Ruby and we will learn about it more in the future. If you're interested in Netsec and want to learn a programming language on your own, definitely check out Python and Perl to start.

    Don't close this terminal.

  • We have to ARP spoof or ARP poison our target computer. We learned about ARP here, and if you haven't read it already, go do so before continuing.
    Open a new terminal now for our ARP spoofing, and run the command:
    "arpspoof -i [your interface] -t [target computer ip address such as] [gateway ip address such as]"

     When I'm arp-spoofing my computer from my laptop, my command is "arpspoof -i wlan0 -t"

    If you want to arp-spoof the ENTIRE network, issue the command "arpspoof -i [interface] [gateway IP]".
    Thanks to Volvox for the above hint, but watch out: if your computer can't handle all the redirecting the network requires, it will DoS (denial of service) the network and exhaust your computer's resources.

    Don't close this terminal.

  • Now open another terminal and let's start Ettercap! We will be using it in text mode today because I personally like it better (it feels less script-kiddie-like and is easier to navigate/issue commands in).

    Run the command "ettercap -m [any_file_name.txt] -Tq -i [interface]" and a text interface will come up telling you a bunch of information (I'll post what mine looks like soon).

    I forgot to mention: to enable packet display in the Ettercap text interface, you have to press the space bar to show the packets coming in. Do this, and then if there's any browsing going on from the target computer, you should see the packets start appearing rapidly across your screen.
    Hopefully you're doing this legally on your own network so you can test this out... Open up a browser on your target computer, go to and try to log in. It should redirect you to the HTTP version (but to a normal person, this won't be noticeable). Log in with your credentials and you should see something pop up in your Ettercap terminal that looks like a packet from Gmail. If it's scrolling too fast (which happens), don't worry, I'll show you how to open up your file.

  • Open a new terminal while Ettercap is running (don't close it!) and issue the command "cat [your_file_name.txt]"
     Now you can see all the information that was printed at first, and at the bottom there should be some sniffed data if all went well (I'll post a screen-shot later).
    Lets clean this up a bit. Issue the command "cat [your_file_name.txt] |grep USER |cut -d" " -f3-12"
    The quotation marks after the -d are part of the command (they enclose a single space as the field delimiter), but of course the ones surrounding the entire command are not.
    You should see your data cleaned up quite a bit. I'll run through what that command did later, but I hope you understand some of this for now.
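The flip side of the ARP spoofing step above is how a network owner notices it. Once a machine is poisoning the cache, the attacker's MAC address shows up in the victims' ARP tables as the owner of the gateway's IP while still owning its own IP, and the gateway's MAC no longer matches what it was yesterday. The following script is an added example written for this page, not part of the original tutorial or of any tool it mentions: it parses the output of "arp -an" or "ip neigh" (the sample table lines and the known-good gateway MAC below are constructed placeholders, not real captures) and raises an alert on either symptom.

```python
import re
from collections import defaultdict

# Constructed sample output of "arp -an" (not captured from a real network).
# A MAC of 08:00:27:aa:bb:cc now answers both for the gateway 192.168.1.1
# and for its own address 192.168.1.50, which is what a poisoned cache looks like.
SAMPLE_ARP_AN = """\
? (192.168.1.1) at 08:00:27:aa:bb:cc [ether] on wlan0
? (192.168.1.50) at 08:00:27:aa:bb:cc [ether] on wlan0
? (192.168.1.77) at 3c:97:0e:12:34:56 [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
"""

# The same (constructed) state as "ip neigh" would print it.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.1.50 dev wlan0 lladdr 08:00:27:aa:bb:cc STALE
192.168.1.77 dev wlan0 lladdr 3c:97:0e:12:34:56 REACHABLE
192.168.1.99 dev wlan0  FAILED
"""

# Baseline you would record on a known-good day (placeholder value).
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "f4:f2:6d:01:02:03"}

ARP_AN_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}) ")
IP_NEIGH_RE = re.compile(r"^(?P<ip>[\d.]+) dev \S+ lladdr (?P<mac>[0-9A-Fa-f:]{17})")


def parse_neighbors(text):
    """Return {ip: mac} from either "arp -an" or "ip neigh" output.
    Entries without a resolved MAC (<incomplete>, FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_AN_RE.search(line) or IP_NEIGH_RE.match(line)
        if match:
            table[match.group("ip")] = match.group("mac").lower()
    return table


def find_duplicate_macs(table):
    """MACs that claim more than one IP. A normal host owns one IP per
    interface, so the gateway's IP sharing a MAC with another host is the
    classic signature of ARP poisoning."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table, known):
    """True when the gateway IP resolves to a MAC other than the baseline."""
    current = table.get(known["ip"])
    return current is not None and current != known["mac"]


def check(text, known=KNOWN_GATEWAY):
    """Run both checks over one ARP table dump and return the alert strings."""
    table = parse_neighbors(text)
    alerts = []
    if gateway_changed(table, known):
        alerts.append(
            f"gateway {known['ip']} MAC changed: {known['mac']} -> {table[known['ip']]}"
        )
    for mac, ips in find_duplicate_macs(table).items():
        alerts.append(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    # On a real box you would feed in subprocess.run(["ip", "neigh"], ...) output.
    for alert in check(SAMPLE_ARP_AN):
        print("ALERT:", alert)
```

Run it from cron or a loop, feed it the live ARP table instead of the sample text, and both alerts will fire the moment the arpspoof command from this tutorial is run against the monitoring host. The duplicate-MAC check also catches the "poison the whole network" variant, since the attacker's MAC then appears next to every victim's entry for the gateway.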
Last updated 3/15/2013