Garland Posted October 31, 2013

As my first attempt to build an infusion was an abysmal failure, I thought I would share a bit of what I've learned for those who would like a working ettercap infusion which functions like whistlemaster's sslstrip infusion.

The issue that I ran into is that the default ettercap package (ettercap_NG-0.7.3-2_ar71xx.ipk) only supports "text" mode, which is interactive. Launch this in the background via a PHP exec and the Pineapple's CPU load pegs. Running 'top' shows that ettercap is consuming most of the CPU (around 80%).

The solution is to not use ettercap's interactive text mode; however, the mode you need to use (daemon mode) is broken in ettercap_NG-0.7.3-2_ar71xx.ipk. A patch exists which fixes this issue. To build a new package with the patch applied, boot up a Kali Linux VM (which has plenty of free disk space) and follow these instructions to build the OpenWRT toolchain, then build a patched ettercap:

http://wiki.openwrt.org/doc/howto/buildroot.exigence

Following this page I ran the following commands on my Kali VM:

sudo apt-get update
sudo apt-get install subversion build-essential
sudo apt-get install git-core
apt-get install libncurses5-dev zlib1g-dev gawk

Next I created an 'openwrt' directory, then switched to a non-root user:

mkdir openwrt
chown nobody openwrt
cd openwrt
su nobody
bash

Then I used svn to 'check out' the appropriate branch, then installed feeds:

svn co svn://svn.openwrt.org/openwrt/branches/attitude_adjustment
cd ./attitude_adjustment
./scripts/feeds update -a
./scripts/feeds install -a

Next use the Menu Config to build ettercap as a module:

make menuconfig

When the text-based menu comes up, arrow down to network, then hit the space bar, then arrow down to ettercap and hit the space bar again. There should be an "M" (for module) next to ettercap.
Right arrow and hit return on "Exit" twice, then hit return one last time to save your configuration.

We will now run make, which will build the toolchain (this takes a while) as well as download and build the ettercap package. Note: This package will still be broken, but don't worry, we will be patching it in a few minutes. Go ahead and run make:

make

That will take quite a while to run, so come back in a bit...

Next we will add in the necessary patch for ettercap. Using the editor of your choice create a new file:

vi ./feeds/packages/net/ettercap/patches/004-daemon-ui.patch

Paste in the following content, then write the file and quit your editor:

diff -ruN ettercap-NG-0.7.3-old/src/ec_ui.c ettercap-NG-0.7.3-new/src/ec_ui.c --- ettercap-NG-0.7.3-old/src/ec_ui.c 2006-10-03 18:24:09.000000000 +0200 +++ ettercap-NG-0.7.3-new/src/ec_ui.c 2006-10-03 18:28:57.000000000 +0200
@@ -336,7 +336,7 @@ BUG_IF(ops->fatal_error == NULL); GBL_UI->fatal_error = ops->fatal_error; - BUG_IF(ops->input == NULL); + BUG_IF((ops->input == NULL)&&(ops->type != UI_DAEMONIZE)); GBL_UI->input = ops->input; BUG_IF(ops->progress == NULL);

Now we need to increment the package number by editing the 12th line of the ettercap Makefile:

vi ./feeds/packages/net/ettercap/Makefile +12

Change the line from this:

PKG_RELEASE:=2

To look like this:

PKG_RELEASE:=3

Now run make one last time to build the patched ettercap package:

make

Once the compile finishes (if all went well) you should now have the following file:

./bin/ar71xx/packages/ettercap_NG-0.7.3-3_ar71xx.ipk

Use scp to copy this file to your Pineapple, then ssh into your Pineapple and run the following commands (on the Pineapple):

opkg remove ettercap
opkg install ./ettercap_NG-0.7.3-3_ar71xx.ipk

At this point you should test to make sure that you can now use the -D (daemonize) option:

ettercap -i br-lan -D -m /tmp/test.log

I see the following:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Dissector "dns" not supported (etter.conf line 70)
Daemonizing ettercap...

If that worked and you didn't get an error, go ahead and kill ettercap and remove the log file:

killall ettercap
rm /tmp/test.log

Now we're ready to clone the sslstrip infusion and modify our clone to use ettercap. First, make sure you have installed the sslstrip infusion. It is a good idea to clear all of your sslstrip log files first. Then run the following commands on your Pineapple to clone this infusion and make the necessary changes to adapt it for ettercap:

cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php

At this point it is probably a good idea to reboot your Pineapple, so issue the following command:

reboot

In my case the sslstrip infusion was set to autostart on boot and the ettercap infusion inherited that setting when we cloned it, so after a reboot I can see that the ettercap infusion started. If you didn't delete your log files from your sslstrip infusion you may find that the new ettercap infusion has clones of those files. Just stop ettercap, delete these log files, then restart ettercap and you should be good to go.

You should stop here; however, if you want to return to the original (default) ettercap and see the high CPU load issue I mentioned at the beginning of this post, just run the following commands:

cd /root
opkg remove ettercap
opkg update
opkg install ettercap

Then run these commands to modify the ettercap infusion to use text mode:

cd /pineapple/components/infusions/ettercap/
sed -ie "s/ettercap -i br-lan -D -w /ettercap -i br-lan --text -w /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -m /ettercap -i br-lan --text -m /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -w/ettercap -i br-lan --text -w/g" includes/vars.php

When looking with the 'top' program, the new ettercap (in daemon mode) averages around 3% load; however, with the default ettercap the load is around 80%.

Again I hope that this post helps someone out there who wanted a working ettercap infusion.

-Garland
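Review bot: In the ec_ui.c hunk of the post above, the relaxed assertion BUG_IF((ops->input == NULL)&&(ops->type != UI_DAEMONIZE)); lets the unchanged next line, GBL_UI->input = ops->input;, store a NULL function pointer whenever the UI type is UI_DAEMONIZE. Nothing visible in this hunk guards later calls through GBL_UI->input, so either confirm every caller checks for NULL in daemon mode or have the daemon UI register an empty input handler and leave the original assertion in place. As a style point, put spaces around the && operator to match the surrounding code.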
thesugarat Posted October 31, 2013

Garland, Are you going to submit your final product as an infusion for everyone else to use? I'll do it manually if I have to, because I'm a sadist, but it would be a great addition to the Pineapple Bar. Of course WhistleMaster might need to ok the cloning of his sslstrip infusion.... That being said...good work!
Garland (Author) Posted November 1, 2013

I couldn't take any credit for the infusion itself. I only changed seven lines.

If you would like to see what the ettercap infusion looks like, without going through all of the trouble to build a new ettercap package, you can ssh to your Pineapple and paste the following lines to build the ettercap infusion (as long as you have the sslstrip infusion installed):

cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php
sed -ie "s/ettercap -i br-lan -D -w /ettercap -i br-lan --text -w /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -m /ettercap -i br-lan --text -m /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -w/ettercap -i br-lan --text -w/g" includes/vars.php

Refresh the web UI and you will have the ettercap infusion; however it will use the default, text-mode ettercap, which will cause excessive CPU load.

If you don't like the ettercap infusion, you can remove it using the Pineapple Bar menus. Also, if you ssh into your Pineapple and run ettercap manually, you don't have the CPU problem with the default ettercap, as your shell is being interactive with ettercap. The CPU issue only comes up when you background ettercap without an interactive shell.

Edited November 1, 2013 by Garland
thesugarat Posted November 1, 2013

I'd actually like to run your daemonized version. I just thought since you have already created a patched .ipk you could post that or package the whole thing up as a MarkV ettercap infusion. I appreciate you sharing such a comprehensive how-to post regardless.
Garland (Author) Posted November 1, 2013

Here is my unofficial package file for the daemonized ettercap (ettercap_NG-0.7.3-3_ar71xx.ipk).

https://filetea.me/default/#t1s2Wtp6OCmSxCtY6z1f6SFeQ

Just scp this to your Pineapple, then ssh into the Pineapple and run:

opkg remove ettercap
opkg install ./ettercap_NG-0.7.3-3_ar71xx.ipk

Then copy and paste these commands to build the daemonized ettercap infusion:

rm -rf /pineapple/components/infusions/ettercap
cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php

Hope this helps,

-Garland
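A dry run of the sed substitutions from the post above, written to stdout instead of editing the infusion files in place; this is an added example, not part of the thread, and the function names and sample lines are assumptions. It also contrasts the posted version rewrite, whose unescaped dot matches any character, with an escaped form.

```shell
#!/bin/sh
# Added example: preview the thread's sed rewrites without using -i.

# Substitutions the post applies to includes/actions.php, in the same order.
rewrite_actions() {
    sed -e "s/sslstrip/ettercap/g" \
        -e "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" \
        -e "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" \
        -e "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g"
}

# Version rewrite for handler.php exactly as posted: the dot is unescaped,
# so the pattern matches a 1, then any one character, then a 3.
rewrite_version_as_posted() { sed -e "s/1.3/1.0/g"; }

# Same rewrite with the dot escaped, so only the literal string 1.3 changes.
rewrite_version_escaped() { sed -e "s/1\.3/1.0/g"; }

# Show a unified diff of before/after for one file, leaving the file untouched.
# $1 = file to preview, $2 = name of the rewrite function to apply.
preview() {
    "$2" < "$1" | diff -u "$1" - || true
}

# Constructed sample lines (not taken from the real infusion files).
printf '%s\n' 'exec("sslstrip -k -f -w /tmp/s.log &");' | rewrite_actions
printf '%s\n' 'v 1.3 build 123' | rewrite_version_as_posted
printf '%s\n' 'v 1.3 build 123' | rewrite_version_escaped
```

To review a real file before changing it, call for example `preview includes/actions.php rewrite_actions` from the cloned infusion directory.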
thesugarat Posted November 1, 2013

That's awesome. But that Filetea website only shares it as long as you have the browser open. As soon as I went to get it the site failed and then it says file not found.
Garland (Author) Posted November 1, 2013

Oops... Try this link:

http://www.qfpost.com/file/d?g=6yb584pNj
Whistle Master Posted November 1, 2013

There is already an ettercap infusion, not yet ported to firmware 3.0 and/or MK5, but it will be soon. If you don't mind, Garland, I would use your new ettercap package for the infusion! Great work by the way!

EDIT: My infusion is ready for MK5 :) I suggest locking this topic to avoid confusion among users.

Edited November 1, 2013 by Whistle Master
Sebkinne Posted November 1, 2013

We will be patching our repository with this.