I dusted off Ettercap the other day and started playing with it again. With Ettercap, you can very easily perform Man-in-the-Middle attacks with ARP poisoning. In layman’s terms, ARP poisoning is simply placing your machine between the target machine and the internet, so you can view all the traffic of the target.
This is done by altering the ARP cache so the target PC thinks you are the router, and the router thinks you are the target PC. Several programs offer ARP poisoning, but Ettercap also offers interesting modules and filters that perform different functions once you are in the middle.
Today, I want to look at the “Remote Browser Attack” feature of Ettercap. This basically allows you to remotely spy on a target PC and a copy of the website they are visiting will be displayed on your computer.
To do this attack there are just a couple of settings to change in the Ettercap config file.
Ettercap Instructions in Backtrack 4:
Edit the “/etc/etter.conf” file.
Under the [privs] section,
Change:
EC_uid = 65534
EC_gid = 65534
to:
EC_uid = 0 #65534
EC_gid = 0 #65534
And, scroll down to the [Strings] section.
If the target is using Firefox, change:
remote_browser = "mozilla -remote openurl(http://%host%url)"
to:
remote_browser = "firefox -remote openurl(http://%host%url)"
Now start up Ettercap-GTK.
When it starts up, pick “Sniff” and then “Unified Sniffing” and then pick your network card.
Now, just select “Hosts” and scan the network for hosts. Next, click “Hosts” and “Host list”. A list of the IP addresses of the hosts found on the network will appear.
Click on the target PC, then click on “Add to Target 1”, then click on the router, then click “Add to Target 2”.
Click on the “Plugins” menu. Select “Manage the plugins”. Scroll down the list and Double click on “Remote_browser”. An asterisk will appear in front of it when it is selected. Next click the “Mitm” menu tab and select “ARP Poisoning”.
Then just hit “Start” and “Start Sniffing”.
Finally, make sure you open the Firefox browser on your Backtrack attacker machine. The webpage for every website your target visits will show up in your Firefox browser.
That’s it, just go to the target machine and surf the web. On the attacker machine, you can see that Ettercap is capturing the target’s surfing:
As the target surfs to different webpages, the Firefox on the attacking machine will also auto-update with the page they are on:
Notice the tabs in Firefox on the attacking machine. These are a history of all the pages that the target has visited since the attack began.
For targets, I used an updated version of Windows 7 and Windows XP SP3 in this test. Ettercap is an older program and has not been updated in a while. This attack used to work very well against older versions of Windows XP. On XP Service Pack 3, normal pages show up fine, but encrypted (HTTPS) webpages would not show up on the attacker machine. So, for example, you could go to Gmail on the target machine and log in, but only the login page would show up in the attacker’s browser.
Also, many of Ettercap’s older password sniffing functions no longer work on updated machines and websites.
Windows 7 fared the best against the Ettercap attack. With just the ARP poisoning attack running, Windows 7 would not let you open SSL-encrypted sites at all. It sensed something was wrong and gave this error:
If you tried to continue, the web address would turn red and a message came up saying due to security issues the page would not be displayed.
Also, when trying to run the remote browser module attack against the Windows 7 machine, as soon as you tried to surf to any webpage, standard or encrypted, the internet connection would drop completely.
Okay, how do you defend against these types of attacks? This Man-in-the-Middle attack is only possible because of ARP poisoning: if your ARP cache could not be modified, the attack would not work. Unfortunately, making every ARP entry static is not feasible or practical on many networks.
Some internet security programs protect the ARP cache from being changed. Also, many IDS systems will detect when a program tries to change the ARP cache, because the same IP address suddenly being claimed by a second MAC address is easy to spot on the wire. If you are a network manager and are not familiar with these types of attacks, look into it and see what the best solution is for your network. For home users, a quick fix is to not share your wireless router with your neighbors: lock it down!
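One way to spot the attack on the wire, as an added example that is not part of the original post or of Ettercap: parse ARP replies and raise an alert when an IP address, above all the gateway’s, is suddenly claimed by a different MAC address. The MAC and IP values below are constructed for the sample.

```python
"""Detect ARP cache poisoning in a stream of ARP replies (added example,
not Ettercap code). Each ARP reply binds a sender IP to a sender MAC; an
IP suddenly claimed by a second MAC, above all the gateway's IP, is the
signature of the poisoning described in the post."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # hw type, proto, hlen, plen, op, smac, sip, tmac, tip

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used only to build samples)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       bytes(int(o) for o in sender_ip.split(".")),
                       bytes.fromhex(target_mac.replace(":", "")),
                       bytes(int(o) for o in target_ip.split(".")))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from a raw ARP payload."""
    _, _, _, _, op, smac, sip, _, _ = struct.unpack(ARP_FMT, payload[:28])
    mac = ":".join(f"{b:02x}" for b in smac)
    ip = ".".join(str(b) for b in sip)
    return op, mac, ip

def detect_poisoning(frames, gateway_ip):
    """Walk ARP payloads in order; alert whenever an IP changes MAC."""
    table = {}      # IP -> MAC binding learned from replies so far
    alerts = []
    for payload in frames:
        op, mac, ip = parse_arp(payload)
        if op != ARP_REPLY:        # requests do not bind an address
            continue
        known = table.get(ip)
        if known is not None and known != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {known} to {mac}")
        table[ip] = mac            # keep the latest claim so flapping shows twice
    return alerts

# Constructed sample (MACs/IPs made up): gateway and client reply normally,
# then a third host reclaims the gateway IP with its own MAC.
SAMPLE = [
    build_arp(ARP_REPLY, "00:11:22:33:44:01", "192.168.0.1", "00:aa:bb:cc:dd:08", "192.168.0.8"),
    build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:08", "192.168.0.8", "00:00:00:00:00:00", "192.168.0.1"),
    build_arp(ARP_REPLY, "00:aa:bb:cc:dd:08", "192.168.0.8", "00:11:22:33:44:01", "192.168.0.1"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:99", "192.168.0.1", "00:aa:bb:cc:dd:08", "192.168.0.8"),
]

if __name__ == "__main__":
    print("\n".join(detect_poisoning(SAMPLE, "192.168.0.1")) or "no ARP conflicts")
```

On a real network the payloads would come from a packet capture; a host whose gateway entry flaps between two MACs is the thing to investigate.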
Windows 7 with its more advanced security features held up better against these attacks than Windows XP SP3 did. It just may be time to consider upgrading from XP to Windows 7.
Hi, I followed your steps carefully, but although I can see Ettercap is capturing traffic from my target, Firefox doesn’t show any of it. Trying this on an Ubuntu 10.10 desktop.
Regards
Mark
Hi Mark, thanks for visiting my blog!
Just to clarify, you are running BT4 on your attacking machine and your target is an Ubuntu 10.10 with firefox?
No, I’m using Ubuntu 10.10 on the attacking PC with Firefox and tried attacking a Windows XP machine with Firefox and an Ubuntu 10.10 with Firefox. Should I use BT4 as the attack machine?
Regards
Mark
It should still work, not sure Mark.
You could try BT4, it seemed to work pretty well with that. Let me know if that doesn’t work.
Dan
Hey… I tried all of the steps you told me.
I am using a BT4 R2 VMware image running on a Windows 7 Ultimate 32-bit machine.
Attacker: BT4 R2 VMware image running on Windows 7
Victim: Windows 7 Ultimate 32-bit
I’ve followed all the steps… but only the URL comes up in the Ettercap GUI; the URL doesn’t open in Firefox on BackTrack. So what can the solution be?
This tutorial is a little bit tricky. I recommend going to thoughtcrime.org, there click Software and click sslstrip; from there it’ll show the requirements you’ll be using and the command lines all ready for you, you just need to copy and paste them.
I would like to demonstrate it myself if this helps you any better.
(Make sure either wireless or cable is hooked up and ready to use)
1. Before you start BackTrack, find your target’s IP address. Find your host IP address, which is probably 192.168.0.1 (I don’t guarantee it), so to check simply go into a cmd prompt and type ipconfig, and there you’ll find your IPv4 Address and your Default Gateway, which is your host. (Take notes on this if you tend to forget things fast.)
2. Once you’ve got both your target’s IP address and your host IP address, you can now start BackTrack. Once it loads up and you are connected to the network, click and open up your terminal as root; make sure to open up 3 terminals, it gets easier to work with later on.
3. In one of the terminals type in
root@bt:~#echo "1" > /proc/sys/net/ipv4/ip_forward
root@bt:~#iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
Wait for a while, and before typing the next one you’ll need to find out if you use wifi or ethernet. If it is wifi then you type in (wlan0); if it is an ethernet cable type in (eth0). One more thing, DO NOT TYPE (root@bt:~#), that should already be there when you start your terminal. Before we move on remember this:
(-i = interface, which is either wlan0 for wifi or eth0 for ethernet. -t = target’s IP address.) Now haha type in
root@bt:~#arpspoof -i wlan0 or eth0 -t (your targets ip address) (your host/gateway ipaddress)
Here is an example for the above in case you didn’t understand what was going on.
root@bt:~#arpspoof -i wlan0 -t 192.168.0.8 (your host ip address)
root@bt:~#arpspoof -i eth0 -t 192.168.0.8 192.168.0.1
And we are done with arpspoofing, you are now the man in the middle. BUT!! How do I get the packets?? Easy, click on the other terminal you opened previously (there should be three). So once you’re there type in
root@bt:~#sslstrip
and now it should say
sslstrip 0.6 by Moxie Marlinspike running…
Congrats, that just took the S out of the HTTPS, so when your friend logs in to his Facebook account he is no longer secure. So then to check the user and the password package that was sent, you’ll need to open up a different terminal, your last opened terminal, and type in
root@bt:~#more sslstrip.log
and voilà!! User name mike777 Password nicetry :)
Well actually it’s not that simple, you’ve got to wait till he logs in to Facebook and while he goes on a different website like google.com, the packets are sent to you, and so every site he’s been to will send it to you, so you’ve got to look for (gmail.com) (facebook.com) or any other site that has logins. So ya, good luck and don’t ever use this to hack your friend’s Facebook or any other login site. This is for educational purposes only. And one more thing, to become an ethical hacker you’ll need to remember all the keywords on the terminal like -t, which could either stand for tables or target. By the time you learn all these you should be able to tell, whether by looking at the command that you type in, for example (iptables -t), that -t stands for tables. Too easy right.. haha right.