Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

Ettercap Ncurses Bug? or I missed the point. #435

Closed Pandoxie closed 6 years ago

Pandoxie commented 10 years ago

Have been playing with MITM software for a while. After toying with mitmproxy, its author suggested ettercap to me to learn more about multi-protocol sniffing. It is really awesome and handy. But I just found some issues with the Ncurses GUI. My platform is OS X 10.9.1 Mavericks; I use Homebrew to build the sources.

Symptom:

After I select a MITM item, e.g. ARP poisoning, a parameter input box comes up, and I think this is the place to type in the command-line parameters like arp ([remote],[oneway]). So I just typed remote, oneway inside the box and ARP poisoning was turned on. [screenshot 2013-12-21 23:12:42]

I believed that worked since no error was generated, but it turned out something was wrong. I know this because when I tried to turn on ICMP redirecting, I naturally typed (MAC/IP) into the box. But this error came up:

[screenshot 2013-12-21 23:18:21]

The parameters I typed in did not actually get into the system somehow, as if NOTHING was input! I confirmed this by looking into the router's ARP table (I am using DD-WRT): the router was also spoofed although I specified oneway!

So, please tell me what to do next, and thanks a ton!

BTW, the ettercap instructions about turning on HTTPS MITM are outdated. The ipfw command is deprecated and pfctl is the new lover. I am new to shell programming, but after some observation I came up with the following scripts and they worked well.

redir_command_on = "sh /usr/local/etc/ettercap/pf.sh %iface %port %rport"
redir_command_off = "sh /usr/local/etc/ettercap/pfunload.sh"

pf.sh --->

#!/bin/sh
cd /usr/local/etc/ettercap/
touch EtterPF.conf
touch Ettertoken.txt
# Only append the rdr rule if this exact rule is not already in the file
isOldItem=$(grep "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3" EtterPF.conf)
if [ -z "$isOldItem" ]; then
    printf "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3\n" >> EtterPF.conf
else
    printf "Old Item Found, Just Reload\n" >> EtterLog.log 2>&1
fi

# Release the pf reference taken by the previous run, if any
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
fi
# Load the rules into the sslsniff anchor and enable pf; pfctl prints the
# new reference token on stderr, so capture both streams
pfctl -a sslsniff -E -f "EtterPF.conf" > Ettertoken.txt 2>&1
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
printf "\n\nNewly Add Token: $Token\n" >> EtterLog.log 2>&1

pfunload.sh --->

#!/bin/sh
cd /usr/local/etc/ettercap/
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    # Flush the anchor and release the reference so pf returns to its previous state
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
    printf "Flushed\n" > Ettertoken.txt 2>&1
fi

I am doing the stupid if because I found redir_command_on was executed several times at program launch. In order not to mess up OS X's pf rules, I just did it the stupid way... Enjoy.

LocutusOfBorg commented 10 years ago

Two things: 1) please try with the latest git, compile with Debug set and post your ettercap log here (you can run it by ./src/ettercap and you will have a log file inside). 2) for the redir_command, I'm glad to hear about the new version; I'll push it on the configuration file, but without any script.

The redir_command_on should be executed once, if it isn't we should fix it. Period :)

I don't see any good point in doing things twice!

For the curses stuff I'll wait for some other developers :)

Pandoxie commented 10 years ago

Yeah, I noticed that the brew formula was not the newest build. I will try to compile the latest one and report back :) As to redir_command, I should clarify that it indeed was executed multiple times, and should be that way in your program (so it is not a bug, but maybe not very suited for pfctl if I am seeing things right). You guys must be using the sniffer to redirect all the unencrypted packets directly and redirect the encrypted protocols like HTTPS using the redir_command. Like this in my log:

rdr pass on en1 inet proto tcp from any to any port 992 -> localhost port 59263
rdr pass on en1 inet proto tcp from any to any port 465 -> localhost port 59264
rdr pass on en1 inet proto tcp from any to any port 995 -> localhost port 59265
rdr pass on en1 inet proto tcp from any to any port 563 -> localhost port 59266
rdr pass on en1 inet proto tcp from any to any port 636 -> localhost port 59267
rdr pass on en1 inet proto tcp from any to any port 994 -> localhost port 59268
rdr pass on en1 inet proto tcp from any to any port 993 -> localhost port 59269
rdr pass on en1 inet proto tcp from any to any port 8080 -> localhost port 59270
rdr pass on en1 inet proto tcp from any to any port 443 -> localhost port 59271

But in order not to mess up the OS X pf rules, I loaded the ettercap rules with pfctl -a sslsniff -E -f "EtterPF.conf", in an anchor (learned from the Internet, maybe I am right :). I am not sure whether pfctl -e should do the trick or not, and I have no idea how to dynamically add the rdr rules (really newbie), so I put all the rules in the conf file and load it with -f. It works well by keeping the token in mind, but just now I realized the localhost port changes occasionally. Oops, I should change my script a bit... if anyone wanna take a peek:

pf.sh -->

#!/bin/sh
cd /usr/local/etc/ettercap/
touch EtterPF.conf
touch Ettertoken.txt
# Match on iface + port only: the localhost port ($3) changes between runs
isOldItem=`grep "rdr pass on $1 inet proto tcp from any to any port $2" EtterPF.conf`
if [ -z "$isOldItem" ]; then
    printf "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3\n" >>EtterPF.conf
else
    # Drop the stale rule for this port via a temp file: "grep -v ... > EtterPF.conf"
    # would truncate the file before grep gets to read it
    grep -v "rdr pass on $1 inet proto tcp from any to any port $2" EtterPF.conf > EtterPF.conf.tmp
    mv EtterPF.conf.tmp EtterPF.conf
    printf "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3\n" >>EtterPF.conf
    printf "Old Item Found, Just Refresh & Reload\n" >> EtterLog.log 2>&1
fi

Token=`grep 'Token' Ettertoken.txt | awk '{ print $3 }'`
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
fi
# pfctl -E prints the new token on stderr; "&>" is a bash-ism, so redirect both streams the POSIX way
pfctl -a sslsniff -E -f "EtterPF.conf" > Ettertoken.txt 2>&1
Token=`grep 'Token' Ettertoken.txt | awk '{ print $3 }'`
printf "\n\nNewly Add Token: $Token\n" >> EtterLog.log 2>&1

I hope in the next version, maybe you guys could give users a more convenient way, if possible.

Merry Christmas!!!
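
The two scripts in this thread rebuild the pf rule file by hand, and the poster notes that the localhost port ettercap hands to redir_command_on changes between runs. What follows is an added example, written for this page; it is neither ettercap's code nor the poster's script. It is one helper that serves both etter.conf hooks, keeps the rules in the poster's sslsniff anchor so /etc/pf.conf is never touched, replaces a stale rule for the same interface/port instead of appending a duplicate, and rewrites the rule file through a temp file (redirecting grep -v straight back onto its input truncates the file before it is read). The on/off subcommand layout, the ETTER_PF_STATE variable and the file paths are assumptions; the pfctl invocations are the ones used in the thread and only run on a host with pf.

```shell
#!/bin/sh
# Added example, not ettercap's own code and not the script posted above.
# One helper for both etter.conf hooks (hypothetical layout, mirroring the
# poster's paths):
#   redir_command_on  = "sh /usr/local/etc/ettercap/pf.sh on %iface %port %rport"
#   redir_command_off = "sh /usr/local/etc/ettercap/pf.sh off"
# State lives under ETTER_PF_STATE (assumed env var; default is the poster's
# directory) and the rules go into their own pf anchor, so the system rule
# set in /etc/pf.conf is never modified.

STATE_DIR="${ETTER_PF_STATE:-/usr/local/etc/ettercap}"
ANCHOR="sslsniff"                   # anchor name used by the poster
RULES="$STATE_DIR/EtterPF.conf"
TOKEN_FILE="$STATE_DIR/Ettertoken.txt"
LOG="$STATE_DIR/EtterLog.log"

# rdr rule for one (iface, port, rport) triple, in pf.conf syntax
rdr_rule() {
    printf 'rdr pass on %s inet proto tcp from any to any port %s -> localhost port %s\n' \
        "$1" "$2" "$3"
}

# Insert or replace the rule for (iface, port) in $RULES.
# ettercap runs redir_command_on once per port at startup, and the local
# %rport is picked afresh each run, so a stale rule for the same iface/port
# must be replaced, not duplicated. The rewrite goes through a temp file:
# "grep -v ... file > file" truncates the file before grep reads it.
upsert_rule() {
    iface=$1; port=$2; rport=$3
    mkdir -p "$(dirname "$RULES")"
    touch "$RULES"
    tmp="$RULES.tmp.$$"
    # grep exits 1 when nothing is left over, which is fine here
    grep -v "^rdr pass on $iface inet proto tcp from any to any port $port " "$RULES" > "$tmp" || true
    rdr_rule "$iface" "$port" "$rport" >> "$tmp"
    mv "$tmp" "$RULES"
}

# Pull the reference token out of "pfctl -E" output ("Token : 1234567890").
parse_token() {
    awk '/^Token/ { print $3 }'
}

# Token saved by the previous load, or nothing.
saved_token() {
    if [ -f "$TOKEN_FILE" ]; then parse_token < "$TOKEN_FILE"; fi
}

# Load $RULES into the anchor and take a fresh pf enable reference.
pf_load() {
    old=$(saved_token)
    if [ -n "$old" ]; then
        # -Fa flushes everything in the anchor, -X releases our old reference;
        # pf itself stays enabled while anyone else still holds one.
        pfctl -a "$ANCHOR" -Fa -X "$old" >> "$LOG" 2>&1
    fi
    # pfctl reports on stderr, so capture both streams to keep the token.
    pfctl -a "$ANCHOR" -E -f "$RULES" > "$TOKEN_FILE" 2>&1
    printf 'loaded %s rule(s) into anchor %s, token %s\n' \
        "$(wc -l < "$RULES" | tr -d ' ')" "$ANCHOR" "$(saved_token)" >> "$LOG"
}

# Flush the anchor, release the reference and forget the rules.
pf_unload() {
    old=$(saved_token)
    if [ -n "$old" ]; then
        pfctl -a "$ANCHOR" -Fa -X "$old" >> "$LOG" 2>&1
    fi
    : > "$TOKEN_FILE"
    : > "$RULES"
}

case "${1:-}" in
    on)  upsert_rule "$2" "$3" "$4"; pf_load ;;
    off) pf_unload ;;
esac
```

With the two etter.conf lines from the header comment in place, ettercap calls the script once per redirected port at startup; each call lands in upsert_rule and then reloads the anchor, so the rule file always holds exactly one current rule per interface/port, and "off" leaves pf as it was found.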

LocutusOfBorg commented 10 years ago

This is why I appreciate your work a lot, and I'm trying to understand the problem better and find a solution for making all of this automatic!

Merry XMas to you!

Pandoxie commented 10 years ago

I pulled from GitHub and compiled the latest version. The Ncurses bug persists. And FYI, release versions cannot pass compilation. But the latest git commit works. Maybe I shall try my luck with the GTK compilation after supper...

I indeed found a weird thing in the log:

-- Looking for iconv
-- Looking for iconv - not found

but no error was generated.

Pandoxie commented 10 years ago

After some trial, I cannot get a successful compilation with GTK enabled...

Firstly, the "-- Looking for iconv - not found" issue. I know libiconv is shipped with OS X. But the compiler cannot locate it somehow. I tried to brew install libiconv again into my local library. Still, it cannot be found. I guess maybe something is wrong in your source code?

But I can get a successful build although iconv cannot be found, on condition that GTK is not enabled, of course.

Here is the log. https://gist.github.com/Pandoxie/8082248

LocutusOfBorg commented 10 years ago

I asked for help; I don't know how to deal with the iconv problem.

ryandesign commented 10 years ago

With ettercap 0.8.0 in MacPorts on OS X 10.9.1 Mavericks, I also get:

-- Looking for iconv
-- Looking for iconv - not found

Despite this, $prefix/bin/etterlog and $prefix/lib/libettercap.dylib do end up linked to $prefix/lib/libiconv.2.dylib, perhaps due to other dependencies.

CMakeFiles/CMakeError.log has the following to say about this:

Determining if the function iconv exists failed with the following output:
Change Dir: /opt/local/var/macports/build/_Users_rschmidt_macports_dports_net_ettercap/ettercap/work/build/CMakeFiles/CMakeTmp

Run Build Command:/opt/local/bin/gmake "cmTryCompileExec1180930652/fast"
/opt/local/bin/gmake -f CMakeFiles/cmTryCompileExec1180930652.dir/build.make CMakeFiles/cmTryCompileExec1180930652.dir/build
gmake[1]: Entering directory `/opt/local/var/macports/build/_Users_rschmidt_macports_dports_net_ettercap/ettercap/work/build/CMakeFiles/CMakeTmp'
/opt/local/bin/cmake -E cmake_progress_report /opt/local/var/macports/build/_Users_rschmidt_macports_dports_net_ettercap/ettercap/work/build/CMakeFiles/CMakeTmp/CMakeFiles 1
Building C object CMakeFiles/cmTryCompileExec1180930652.dir/CheckFunctionExists.c.o
/usr/bin/clang   -pipe -Os -isystem/opt/local/include -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk -arch x86_64  -DCHECK_FUNCTION_EXISTS=iconv -arch x86_64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk -mmacosx-version-min=10.9   -o CMakeFiles/cmTryCompileExec1180930652.dir/CheckFunctionExists.c.o   -c /opt/local/share/cmake-2.8/Modules/CheckFunctionExists.c
Linking C executable cmTryCompileExec1180930652
/opt/local/bin/cmake -E cmake_link_script CMakeFiles/cmTryCompileExec1180930652.dir/link.txt --verbose=1
/usr/bin/clang  -pipe -Os -isystem/opt/local/include -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk -arch x86_64  -DCHECK_FUNCTION_EXISTS=iconv -arch x86_64 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk -mmacosx-version-min=10.9 -Wl,-search_paths_first -Wl,-headerpad_max_install_names  -L/opt/local/lib -Wl,-headerpad_max_install_names -Wl,-syslibroot,/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.9.sdk -arch x86_64 CMakeFiles/cmTryCompileExec1180930652.dir/CheckFunctionExists.c.o  -o cmTryCompileExec1180930652  
Undefined symbols for architecture x86_64:
  "_iconv", referenced from:
      _main in CheckFunctionExists.c.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[1]: *** [cmTryCompileExec1180930652] Error 1
gmake[1]: Leaving directory `/opt/local/var/macports/build/_Users_rschmidt_macports_dports_net_ettercap/ettercap/work/build/CMakeFiles/CMakeTmp'
gmake: *** [cmTryCompileExec1180930652/fast] Error 2

The most natural explanation I can think of for why the symbol _iconv was not found is that the flag -liconv was not passed to the compiler. cmake baffles me so I cannot suggest how to modify cmake/Modules/EttercapLibCheck.cmake to cause that to happen.

Pandoxie commented 10 years ago

@LocutusOfBorg I believe I found the real reason for the compile failure. It seems like ettercap GTK needs Polkit support? Sadly, OS X does not support this natively (Linux does), nor does Brew have a way of installing it. Is there a way to circumvent this?

Cmake wanted to install the following files into my library, but the polkit directory is not there...

usr/share/polkit-1/
usr/share/polkit-1/actions/
usr/share/polkit-1/actions/org.pkexec.ettercap.policy

Brew (I believe MacPorts has the same issue?) denies cmake the privilege to install directly into the /usr/share dir (a protected dir, outside the one Homebrew itself runs in). Hence the failure came.

ryandesign commented 10 years ago

Yes, MacPorts has safeguards against ports that try to write outside of their sandbox. But in the MacPorts port of ettercap at least, ettercap is not making any attempts to write outside the sandbox. It successfully installs $prefix/share/polkit-1/actions/org.pkexec.ettercap.policy within the sandbox. MacPorts has a port for polkit (called policykit) but ettercap doesn't declare a dependency on it, and this doesn't seem to matter; ettercap installs the file successfully anyway.

Pandoxie commented 10 years ago

That is weird for Homebrew. I will look into it. But a quick search for policykit gives no answer :( Thanks for the info.

Pandoxie commented 10 years ago

At last! I found what's wrong. @ryandesign @LocutusOfBorg

Somehow, I used "search files" and found traces of Polkit:

Searching 505 files for "polkit"

/Users/Pandoxie/Desktop/ettercap-0.8.0/CMakeLists.txt:
  112  set(INSTALL_BINDIR ${INSTALL_PREFIX}/bin CACHE PATH "Binary files installation directory")
  113  set(INSTALL_EXEDIR ${INSTALL_PREFIX}/bin CACHE PATH "Ettercap binary installation directory")
  114: #polkit dir couldn't be /usr/local/share, but should be /usr/share
  115: set(POLKIT_DIR /usr/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")
  116: #set(POLKIT_DIR ${INSTALL_PREFIX}/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")
  117  set(PKEXEC_INSTALL_WRAPPER org.pkexec.ettercap CACHE PATH "Name of the pkexec action file")
  118  set(DESKTOP_DIR ${INSTALL_PREFIX}/share/applications/ CACHE PATH "Desktop file installation directory")

/Users/Pandoxie/Desktop/ettercap-0.8.0/desktop/CMakeLists.txt:
    2  configure_file(org.pkexec.ettercap.policy.in
    3    ${PKEXEC_INSTALL_WRAPPER}.policy @ONLY)
    4: install(FILES ${CMAKE_CURRENT_BINARY_DIR}/${PKEXEC_INSTALL_WRAPPER}.policy DESTINATION ${POLKIT_DIR})
    5  install(FILES ettercap.svg DESTINATION ${ICON_DIR})
    6  install(FILES ettercap.desktop DESTINATION ${DESKTOP_DIR})

/Users/Pandoxie/Desktop/ettercap-0.8.0/man/ettercap-pkexec.8.in:
   27  ettercap binary command
   28  .br
   29: with a pkexec action script usually defined on @POLKIT_DIR@/org.pkexec.ettercap.policy,
   30  .br
   31  allowing users to directly call ettercap from the desktop or menu launcher with root privileges.

9 matches across 3 files

I immediately noticed the CMakeLists.txt:

  114: #polkit dir couldn't be /usr/local/share, but should be /usr/share
  115: set(POLKIT_DIR /usr/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")
  116: #set(POLKIT_DIR ${INSTALL_PREFIX}/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")

This is the reason why the ettercap installation breaks the sandbox and causes the failure.

I think the builders added this in order to let the ettercap-pkexec mode work. But MacPorts and Brew make it hard to let it happen, right?

Anyway, milestone for the successful compilation. I hope the next version of Ettercap can address the Ncurses issue. @ryandesign, did you notice the Ncurses bug? Or is it just me?

ryandesign commented 10 years ago

I thought you were using ettercap 0.8.0 which was released September 11 but the change in POLKIT_DIR was committed on December 6 in f37e9bdcec13c4d44177ae74d75864f18c096a94 (I don't know why; it looks wrong to me).

I don't know what ettercap-pkexec mode is.

I have not tried using ettercap in ncurses mode.

Pandoxie commented 10 years ago

From the Man page: ettercap-pkexec - graphical pkexec-based launcher for ettercap

Maybe it is a some kind of desktop launcher for Linux users.

LocutusOfBorg commented 10 years ago

I personally wrote ettercap-pkexec, after taking some examples from other programs and the ettercap package from Arch Linux (IIRC); the main goal is to launch ettercap with sudo privileges from the "menu" directly, without any console anymore (if GTK, of course). It launches a window asking for sudo privileges, and with the configuration file we can set the number of privileges to pass to the program.

The problem fixed in https://github.com/Ettercap/ettercap/commit/f37e9bdcec13c4d44177ae74d75864f18c096a94, which looks really wrong (for me too), is that on Ubuntu (my machine) leaving this as ${INSTALL_PREFIX}/share/polkit-1/actions was installing the configuration file in /usr/local/share/...

and it WASN'T working. For some reason on Linux the directory should always be /usr/share, I think for security purposes; otherwise any user might be allowed to run a program with sudo privileges.

So I thought it was better to hard code it, but you can change it by passing -DPOLKIT_DIR=<something else> to your cmake program.

Do you know some better approach for Mac users? Just disable it? I can do something like:

if(APPLE)
  set(POLKIT_DIR ${INSTALL_PREFIX}/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")
else()
  set(POLKIT_DIR /usr/share/polkit-1/actions/ CACHE PATH "Polkit installation directory")
endif()

Pandoxie commented 10 years ago

I just tried to execute ettercap-pkexec directly, but since OS X does not have PolicyKit, it won't run:

/usr/local/Cellar/ettercap/0.8.0/bin/ettercap-pkexec: line 2: pkexec: command not found

And, AFAIK, there is no such thing as a quick menu; I never used one :( So, I think you can either disable it or leave it at ${INSTALL_PREFIX}/share/polkit-1/actions, in case someone wants to study it :)

Pandoxie commented 10 years ago

@ryandesign I forgot to tell... I cannot get a successful compilation unless I pull from the latest git source. ettercap 0.8.0 (the Sept version) won't work. I tried to apply some patches according to the errors I got from the compiler log, but the error list was quite a long one. Anyway, HEAD works~

LocutusOfBorg commented 10 years ago

Can you please retry the latest HEAD?

Pandoxie commented 10 years ago

It works~ Great Job

LocutusOfBorg commented 10 years ago

Wonderful :) thanks to you! Now move on the Ncurses bug!

Pandoxie commented 10 years ago

Anytime~

Pandoxie commented 10 years ago

I just played with GTK for a while. Found one little hiccup.

[screenshot 2013-12-23 17:36:54]

I cannot click the items on this list and add them to the target. They won't get focus.

And sometimes Ettercap eats chunks of CPU even when not sniffing, and there are times it won't quit... Anyway, we have got our current victory. Waiting for Ettercap to get even better.

[screenshot 2013-12-23 17:40:18]

LocutusOfBorg commented 10 years ago

Sorry, but we need the exact procedure for making it become unresponsive and for the focus problem, and the ettercap/cmake debug log (please build in debug mode).

eaescob commented 10 years ago

Yes please, I'll look into the ncurses issue.

Pandoxie commented 10 years ago

[screenshot 2013-12-24 11:15:18] I tried to gather some information about the ettercap debug. This is about the "GTK no focus and cannot quit MITM ARP" problem. I took a peek into the log but cannot find anything abnormal myself :) Hope you guys can get something out of it. BTW, I cannot get anything out of gdb, no core found (I tried to cd to /bin, no good). I also don't know what '(gdb) r your_parameters_here' means, so I did not do the gdb stuff...

Here is the link to debug log: https://docs.google.com/file/d/0B8jnfUilQZAFajh5dGJPMEJGOTQ/edit?pli=1

LocutusOfBorg commented 10 years ago

You get the core only in crash situations, I think, not when the program gets stuck.

I see two problems: the gtkui refresh host list is putting too much NOISE in the log, @koeppea what do you think? Second, you are running DNS reverse lookups; this isn't threaded right now, so you are not stuck, but simply the code needs a LOT of time to get the host name from the IP address. Can you try again after disabling it? The option should be something like "resolve host names" or so.

koeppea commented 10 years ago

I'll have a look at the verbosity. Maybe we can think about different verbosity levels.

Regarding the excessive delay: is it also delayed if host name resolution is not enabled?

Pandoxie commented 10 years ago

https://drive.google.com/file/d/0B8jnfUilQZAFRU93WGFHMGRQbEk/edit?usp=sharing

Actually, I never use the -d parameter, nor did I turn on the Resolve IP address option in GTK. This time I clicked it and un-clicked it to make sure it is off. But it seems like no help. I had trouble turning off the MITM services, like old times. I would have to click x to close the pop-up and kill ettercap entirely to quit the program. Ncurses seems OK. I will attach the Ncurses log. Merry Xmas for real, LOL

https://drive.google.com/file/d/0B8jnfUilQZAFSHc5WlhCRG52Nm8/edit?usp=sharing

koeppea commented 10 years ago

I just had a look at the logfiles provided. The excessive occurrence of gtk_refresh_host_list is definitely not normal. After a scan, the list is only updated once. I'll try to reproduce on my old iBook.

Do you know a good howto for installing ettercap on OS X?

Pandoxie commented 10 years ago

I used Homebrew: just get the latest HEAD, and change the cmake mode to release or debug (the default is none), then you are good to go.

koeppea commented 10 years ago

OK, I'm just about to install it. But it's quite a pain once you're used to using Linux.... OS X 10.4 doesn't make it easier.

Pandoxie commented 10 years ago

Forgot to say, if you use Brew, here is the formula. Change the file at /usr/local/Library/Formula/ettercap.rb, then brew install ettercap. REMEMBER to change the url and sha1 if you tarred all the files locally. But I think if you don't want to use any third-party package manager, it should be the same process as on Linux. Brew installed quite a lot of dependencies automatically.

If you want GTK, you should first brew install gtk+; notice in the formula: "'-DENABLE_GTK=ON',", the Homebrew guys disabled GTK by default... somehow.

/usr/local/Library/Formula/ettercap.rb ->

require 'formula'

class Ettercap < Formula
  homepage 'http://ettercap.github.io/ettercap/'
  url 'http://downloads.sourceforge.net/project/ettercap/ettercap/0.8.0-Lacassagne/ettercap-0.8.0.tgz'
  sha1 '95c854ce4072bf42c99f9d9b149f59e296421c4d'

  depends_on 'cmake' => :build
  depends_on 'ghostscript' => :build
  depends_on 'pcre'
  depends_on 'libnet'
  depends_on 'curl' # require libcurl >= 7.26.0

  # fixes absence of strndup function on 10.6 and lower; merged upstream
  def patches
    "https://github.com/Ettercap/ettercap/commit/1692218693ed419465466299c8c76da41c37c945.patch"
  end if MacOS.version < :lion

  def install
    libnet = Formula.factory 'libnet'

    args = ['..'] + std_cmake_args + [
      "-DINSTALL_SYSCONFDIR=#{etc}",
      '-DENABLE_GTK=ON',
      "-DHAVE_LIBNET:FILEPATH=#{libnet.opt_prefix}/lib/libnet.dylib"
    ]
    # build type "None" is what Homebrew passes by default; swap it for Debug
    args.delete '-DCMAKE_BUILD_TYPE=None'
    args << '-DCMAKE_BUILD_TYPE=Debug'

    mkdir "build" do
      system "cmake", *args
      system "make install"
    end
  end
end

Pandoxie commented 10 years ago

@LocutusOfBorg @ryandesign, guys, could you do me a favor and enlighten me on this quite strange phenomenon:

I just bought an infrared remote controller (Broadlink), which is capable of getting online via WiFi and being controlled by an iPhone/Android app remotely (over the Internet, of course). I am quite fascinated by its way of initial configuration and I really could not understand it.

Here is the magic: since this device does not have a web configuration interface, all I have to do to get it authorized to use my WPA2-protected hotspot is: 1. launch the app from a mobile phone which is already online using my router; 2. click search for device; 3. fill in my SSID (auto-detected) and password in the app form, then click begin search and configure devices!!! Then the infrared controller magically gets online, using my SSID and password!

I am so astonished that I decided to use ettercap to sniff around (that's why I like this tool). Somehow, during the search & configure, all I find is that the app is sending a huge amount of UDP traffic through port 15000 to the gateway (the router), nothing else. I shall attach the pcap for your enjoyment. Maybe you guys with more knowledge can explain how the hell this is done?

The pcap: https://drive.google.com/file/d/0B8jnfUilQZAFbUMtanF0dFdGaUk/edit?usp=sharing

BTW, I am always wondering how I can decrypt information from the '...' in the sniffed packets; just trying to find the encoding method, not ASCII? or? Thanks a ton. [screenshot 2013-12-26 11:20:24]

koeppea commented 10 years ago

Mhh, I'm still having problems even installing git using brew on my OS X 10.4 laptop with Tiger. Could you please by chance join our IRC channel so that we can discuss directly?

koeppea commented 10 years ago

This is what happens:

~ $ brew install git
==> Installing dependencies for git: ld64, cctools, pkg-config, openssl, curl-ca-bundle, curl, expat
==> Installing git dependency: ld64
==> Downloading http://opensource.apple.com/tarballs/ld64/ld64-97.17.tar.gz
Already downloaded: /Library/Caches/Homebrew/ld64-97.17.tar.gz
==> Downloading patches
######################################################################## 100.0%
######################################################################## 100.0%
######################################################################## 100.0%
==> Patching
patching file src/ld/MachOWriterExecutable.hpp
patching file src/ld/ld.cpp
patching file src/other/ObjectDump.cpp
patching file src/ld/Options.cpp
Hunk #1 succeeded at 68 with fuzz 2 (offset 36 lines).
Hunk #2 succeeded at 2598 with fuzz 1 (offset 443 lines).
==> make CC=/usr/bin/gcc CXX=/usr/bin/g++ OTHER_CPPFLAGS=-I/usr/local/opt/libunwind-headers/include -I/usr/local/opt/dyld-headers/include -I/usr/local/opt/cctools-headers/include OTHER_LD
src/ld/MachOWriterExecutable.hpp:2921:   instantiated from 'mach_o::executable::Writer<A>::Writer(const char*, Options&, std::vector<ExecutableFile::DyLibUsed, std::allocator<ExecutableFile::DyLibUsed> >&) [with A = arm]'
src/ld/ld.cpp:3777:   instantiated from here
src/ld/MachOWriterExecutable.hpp:603: error: 'mach_o::executable::Writer<arm>& mach_o::executable::WriterAtom<arm>::fWriter' is protected
src/ld/MachOWriterExecutable.hpp:1159: error: within this context
make: *** [src/ld/ld.o] Error 1

READ THIS: https://github.com/mistydemeo/tigerbrew/wiki/troubleshooting

~ $

eaescob commented 10 years ago

This isn't the first time people have had issues with ettercap using brew. Why Tiger? Sorry, but I'm not sure how much time we should spend supporting old OSes.

koeppea commented 10 years ago

Because that's the only device I have with MacOSX.

I thought it would be quite easy to install and to reproduce the problem. But of course, if it's too much effort, it's maybe not worth it.

Pandoxie commented 10 years ago

Sorry, I just saw this post. I saw that you brew installed git, but AFAIK git is provided by OS X; I am not sure it is there in Tiger, but I haven't done that. For me, all I did was:

brew install gtk+
brew install ettercap

You do not have to install any dependency by yourself. Just remember to change the formula like I said in my last post. But if you are having trouble installing git, sorry, I cannot help :( cuz I have no experience. BTW, did you see my last question about the infrared device? LOL, I am having a bet with my friend about how it works. But we don't know exactly how it works for now..... Need experts!

LocutusOfBorg commented 10 years ago

"BTW, did you see my last question about the infrared device? LOL, I am having a bet with my friend about how it works. But we don't know exactly how it works for now..... Need experts!"

OK.

"Here is the magic: since this device does not have a web configuration interface, all I have to do to get it authorized to use my WPA2-protected hotspot is: 1. launch the app from a mobile phone which is already online using my router; 2. click search for device; 3. fill in my SSID (auto-detected) and password in the app form, then click begin search and configure devices!!! Then the infrared controller magically gets online, using my SSID and password!"

The infrared device has WiFi and infrared, right? Are you sure the application didn't send the WiFi details over another channel? Maybe the app just creates a new WiFi SSID and sends it to the remote infrared controller, no? Or maybe they are sent by infrared or something else; if a device cannot join a WiFi network, it isn't capable of reaching any information from it.

Pandoxie commented 10 years ago

Thanks for your input. Setting up a valid SSID and sending predefined information would be the most convenient way, but it was not quite right since my phone did not disconnect itself from the hotspot. I am quite relieved that I finally found the answer to this huge disturbance! After seeing the online teardown of this device, I immediately noticed the WiFi chip: CC3000. It has a patented tech called SmartConfig.

http://processors.wiki.ti.com/index.php/CC3000

How it works is quite funny and genius; you should check it out. I wrote something about it on my blog (in Chinese, sorry): http://www.pandoxie.info/blog/post/all-is-network-advanced

Best wishes, have a nice day. I shall move on to toy with CUDA :) Hope you guys can make Ettercap better and better.

On Sun, Dec 29, 2013 at 12:57 AM, Gianfranco Costamagna < notifications@github.com> wrote:

BTW, did u see my last question about infrared device? LOL, I am having a bet with my friend about how it works. But we don't know exactly how it works for now..... Need experts!

ok

"Here is the magic: Since this device does not have a web configure interface, all I have to do to get it authorized to use my WAP2 protected hotspot is---1, Launch the app from a mobile phone which is already online using my router; 2, then click search for device; 3, fill in my ssid (auto detected) and password in the app form, then click begin search and configure devices!!! Then the infrared controller magically get online! using my ssid and password!"

the infrared device has wifi and infrared right? Are you sure the application didn't send the WIFI details with another channel? Maybe the app just creates a new wifi ssid and sends it to the remote infrared controller, no? or maybe they are sent by infrared or something else, if a device cannot join a wifi network isn't capable to reach any information from it

— Reply to this email directly or view it on GitHubhttps://github.com/Ettercap/ettercap/issues/435#issuecomment-31300142 .

Sincerely from Xu, Deyuan


koeppea commented 10 years ago

I can confirm that the MITM input box isn't correctly passing the input to the MITM function. I'm looking into it...

koeppea commented 10 years ago

@Pandoxie could you please test if the pull request #526 fixes the curses issue?

koeppea commented 10 years ago

@Pandoxie we've just merged the pull request #526 into the latest git master branch which should fix the curses issue. Could you please test if the curses issue has been solved for you by just pulling and building the latest git?

LocutusOfBorg commented 10 years ago

@koeppea do you have any clue for merging this in ettercap?

redir_command_on = "sh /usr/local/etc/ettercap/pf.sh %iface %port %rport"
redir_command_off = "sh /usr/local/etc/ettercap/pfunload.sh"

pf.sh--->

#!/bin/sh
# Load the ettercap redirection rule into the "sslsniff" pf anchor and
# remember the reference token that "pfctl -E" returns.
cd /usr/local/etc/ettercap/ || exit 1
touch EtterPF.conf
touch Ettertoken.txt
# Only append the rule if an identical one is not already in the anchor file.
isOldItem=$(grep "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3" EtterPF.conf)
if [ -z "$isOldItem" ]; then
    printf "rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3\n" >> EtterPF.conf
else
    printf "Old Item Found, Just Reload\n" >> EtterLog.log 2>&1
fi

# Release the token from the previous load, if any, before enabling pf again.
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
fi
# "&>" is a bash-ism; /bin/sh needs the explicit "> file 2>&1" form.
pfctl -a sslsniff -E -f "EtterPF.conf" > Ettertoken.txt 2>&1
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
printf "\n\nNewly Add Token: $Token\n" >> EtterLog.log 2>&1

pfunload.sh--->

#!/bin/sh
# Release the token recorded by pf.sh, flushing the anchor's rules.
cd /usr/local/etc/ettercap/ || exit 1
Token=$(grep 'Token' Ettertoken.txt | awk '{ print $3 }')
if [ -n "$Token" ]; then
    printf "Revoke Old Token: $Token\n" >> EtterLog.log 2>&1
    pfctl -a sslsniff -Fa -X "$Token" >> EtterLog.log 2>&1
    printf "Flushed\n" > Ettertoken.txt 2>&1
fi

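The two scripts quoted above keep state in two files (the anchor rule file and the pfctl token) and have to be safe to run repeatedly. The following is an added example, not code from this thread or from the ettercap project, showing the same bookkeeping as a set of POSIX sh functions that can be checked one step at a time: fixed-string whole-line matching for the rule (so re-running the load does not duplicate it), token extraction from the pfctl output, and a token file that is cleared on unload so a second unload does not release the same token twice. The names `STATE_DIR`, `PFCTL`, `stub_pfctl`, `add_rule`, `load_anchor` and `unload_anchor` are my own; the `pfctl` invocations are the ones used in the quoted scripts, and the assumption that `pfctl -E` prints a line of the form `Token : <number>` is taken from what those scripts grep for. `stub_pfctl` produces constructed output so the script runs offline; set `PFCTL=pfctl` on a real OS X or OpenBSD machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ettercap project.
# Idempotent bookkeeping for a pf "rdr" anchor rule and the reference token
# that "pfctl -E" prints, factored into functions so each step can be checked.
# PFCTL defaults to a stub (constructed output) so this runs offline;
# set PFCTL=pfctl on a real box. Assumption: pfctl -E prints "Token : <n>".
STATE_DIR="${STATE_DIR:-/tmp/etter-pf-example}"
PFCTL="${PFCTL:-stub_pfctl}"

# Stand-in for pfctl(8). Only the "-E" (enable, take a reference) call
# produces output; the token line is constructed for this example.
stub_pfctl() {
    for arg in "$@"; do
        if [ "$arg" = "-E" ]; then
            echo "pf enabled"
            echo "Token : 4242"
            return 0
        fi
    done
    return 0
}

# Build the redirection rule: interface $1, destination port $2, local port $3.
rdr_rule() {
    printf 'rdr pass on %s inet proto tcp from any to any port %s -> localhost port %s' "$1" "$2" "$3"
}

# Append the rule to the anchor file only if an identical line is not
# already present. grep -F -x does a fixed-string whole-line match, so
# nothing in the rule is treated as a regex metacharacter.
# Returns 0 when the rule was added, 1 when it was already there.
add_rule() {
    rule=$(rdr_rule "$1" "$2" "$3")
    conf="$STATE_DIR/EtterPF.conf"
    mkdir -p "$STATE_DIR"
    touch "$conf"
    if grep -qxF -- "$rule" "$conf"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Read the reference token from pfctl -E output on stdin (empty if absent).
parse_token() {
    awk '$1 == "Token" { print $NF; exit }'
}

# Load the anchor: give back the token from a previous load, enable pf with
# the anchor file, and record the new token for unload. Fails if no token
# came back, so a broken pfctl call is not silently recorded as success.
load_anchor() {
    tokfile="$STATE_DIR/Ettertoken.txt"
    mkdir -p "$STATE_DIR"
    old=$(cat "$tokfile" 2>/dev/null || true)
    if [ -n "$old" ]; then
        "$PFCTL" -a sslsniff -Fa -X "$old"
    fi
    new=$("$PFCTL" -a sslsniff -E -f "$STATE_DIR/EtterPF.conf" 2>&1 | parse_token)
    [ -n "$new" ] || return 1
    printf '%s\n' "$new" > "$tokfile"
}

# Unload: flush the anchor and release the recorded token, then clear the
# token file so a second unload is a no-op instead of a double release.
unload_anchor() {
    tokfile="$STATE_DIR/Ettertoken.txt"
    old=$(cat "$tokfile" 2>/dev/null || true)
    [ -n "$old" ] || return 0
    "$PFCTL" -a sslsniff -Fa -X "$old"
    : > "$tokfile"
}

# Example run (stubbed): add the rule twice, load, unload.
if [ "${1:-}" = "demo" ]; then
    add_rule en0 443 8080 && echo "rule added"
    add_rule en0 443 8080 || echo "rule already present"
    load_anchor && echo "loaded, token $(cat "$STATE_DIR/Ettertoken.txt")"
    unload_anchor && echo "unloaded"
fi
```

Run it as `sh script.sh demo` to see the stubbed sequence. The point of returning 1 from `add_rule` on a duplicate (rather than logging "Old Item Found") is that the caller can decide whether a re-run is an error; the quoted scripts swallow that case into a log line.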
Pandoxie commented 10 years ago

Wow, thank you for the reply. I will give it a try after work~

On Fri, Apr 18, 2014 at 2:07 AM, koeppea notifications@github.com wrote:

@Pandoxie we've just merged the pull request #526 into the latest git master branch which should fix the curses issue.

Could you please test if the curses issue has been solved for you by just pulling and building the latest git?


koeppea commented 10 years ago

@koeppea do you have any clue for merging this in ettercap?

I think this isn't done then? We then have to add a new section to the etter.conf under the MacOSX version? Unfortunately I don't have a Mac box handy, so I don't know which command belongs to which MacOSX version, nor can I evaluate the commands in the script. If the script works as intended I would support it, but would place it in the share directory of ettercap rather than in the etc directory.

We would have to amend the descriptive text in etter.conf. Just a suggestion:

diff --git a/share/etter.conf.v4 b/share/etter.conf.v4
index 0fd2009..3269451 100644
--- a/share/etter.conf.v4
+++ b/share/etter.conf.v4
@@ -173,7 +173,7 @@ remote_browser = "xdg-open http://%host%url"
    #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %

 #---------------
-#    Mac Os X
+#    Mac Os X up to version 10.4 <-- ???
 #---------------

 # quick and dirty way:
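Review bot: the changed heading `+#    Mac Os X up to version 10.4 <-- ???` still carries the `<-- ???` placeholder, so this line is not mergeable as written; the version boundary has to be confirmed and the marker dropped before the comment ships in etter.conf, otherwise users read a heading the author was unsure about.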
@@ -204,7 +204,7 @@ remote_browser = "xdg-open http://%host%url"

 #---------------
-#   Open BSD
+#   Open BSD and Mac Os X version 10.5 and above <-- ???
 #---------------

 # unfortunately the pfctl command does not accepts direct rules adding
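Review bot: the same `<-- ???` placeholder appears on `+#   Open BSD and Mac Os X version 10.5 and above`; once the boundary is decided, this heading and the "up to version 10.4" heading in the previous hunk must agree (they do today, but both rest on the same unverified number). While touching this section, the unchanged context line `# unfortunately the pfctl command does not accepts direct rules adding` should read `does not accept`.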
@@ -215,11 +215,16 @@ remote_browser = "xdg-open http://%host%url"
  #   rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3 | pfctl -a sslsniff -f -
  # ----- cut here -------

+# ettercap provides a script performing the "pfctl" commands and keeping track 
+# of the rules added. the script is located in the "share" directory. Here we 
+# assume the share directory of ettercap is located in /usr/local/ettercap/share. 
+# Adapt it if the share directory has a different location.
+
 # it's important to remember that you need "rdr-anchor sslsniff" in your
 # pf.conf in the TRANSLATION section.

-   #redir_command_on = "the_script_described_above %iface %port %rport"
-   #redir_command_off = "pfctl -a sslsniff -Fn"
+   #redir_command_on = "/usr/local/ettercap/share/pfload.sh %iface %port %rport"
+   #redir_command_off = "/usr/local/ettercap/share/pfunload.sh"

 # also, if you create a group called "pfusers" and have EC_GID be that group,
 # you can do something like:

Maybe @eaescob can test the script.

LocutusOfBorg commented 10 years ago

Yes, so in the meantime I suggest keeping this one open until we have a pull request or something similar :)

eaescob commented 10 years ago

I'll test those scripts

koeppea commented 10 years ago

Is FreeBSD also using ipctl?


koeppea commented 10 years ago

I suggest keeping this one open until we have a pull request or something similar :)

Sure, I at least would like to hear from @Pandoxie.

BTW: I meant pfctl not ipctl.

Pandoxie commented 10 years ago

@koeppea Sorry for the delay. I tried to build the HEAD tonight, but somehow I failed to get it done... Here is the log: https://gist.github.com/Pandoxie/7b1fc65c0b58b603bf23 It has been a long time since I compiled anything, maybe I missed something.