Jump to content

Build an ettercap infusion using Kali Linux


Garland
 Share

Recommended Posts

As my first attempt to build an infusion was an abysmal failure, I thought I would share a bit of what I've learned for those who would like a working ettercap infusion which functions likes whistlemaster's sslstrip infusion.

The issue that I ran into is that the default ettercap package (ettercap_NG-0.7.3-2_ar71xx.ipk) only supports "text" mode, which is interactive. Launch this in the background via a PHP exec and the Pineapple's CPU load pegs. Running 'top' shows that ettercap is consuming most of the CPU (around 80%).

The solution is to not use ettercap's interactive text mode; however the mode you need to use (daemon mode) is broken in ettercap_NG-0.7.3-2_ar71xx.ipk. A patch exists which fixes this issue. To build a new package with the patch applied, boot up a Kali Linux VM (which has plenty of free disk space) and follow these instructions to build the OpenWRT toolchain then build a patched ettercap:

http://wiki.openwrt.org/doc/howto/buildroot.exigence

Following this page I run the following commands on my Kali VM:

sudo apt-get update
sudo apt-get install subversion build-essential
sudo apt-get install git-core
apt-get install libncurses5-dev zlib1g-dev gawk


Next I creating an 'openwrt' directory, then switched to a non-root user:

mkdir openwrt

chown nobody openwrt

cd openwrt

su nobody

bash

Then I used svn to 'check out' the appropriate branch, then installed feeds:

svn co svn://svn.openwrt.org/openwrt/branches/attitude_adjustment
cd ./attitude_adjustment
./scripts/feeds update -a
./scripts/feeds install
-a

Next use the Menu Config to build ettercap as a module:

make menuconfig

When the text-based menu comes up arrow down to network, then hit the space bar, then arrow down to ettercap and hit the space bar again. There should be an "M" (for module) next to ettercap. Right arrow and hit return on "Exit" twice, then hit return one last time to save your configuration.

We will now run make, which will build the toolchain (this takes a while) as well as download and build the ettercap package. Note: This package will still be broken, but don't worry, we will be patching it in a few minutes. Go ahead and run make:

make

That will take quite a while to run, so come back in a bit...

Next we will add in the necessary patch for ettercap. Using the editor of your choice create a new file:


vi ./feeds/packages/net/ettercap/patches/004-daemon-ui.patch

Paste in the following content, then write the file and quit your editor:

diff -ruN ettercap-NG-0.7.3-old/src/ec_ui.c ettercap-NG-0.7.3-new/src/ec_ui.c
--- ettercap-NG-0.7.3-old/src/ec_ui.c 2006-10-03 18:24:09.000000000 +0200
+++ ettercap-NG-0.7.3-new/src/ec_ui.c 2006-10-03 18:28:57.000000000 +0200
@@ -336,7 +336,7 @@
BUG_IF(ops->fatal_error == NULL);
GBL_UI->fatal_error = ops->fatal_error;
- BUG_IF(ops->input == NULL);
+ BUG_IF((ops->input == NULL)&&(ops->type != UI_DAEMONIZE));
GBL_UI->input = ops->input;
BUG_IF(ops->progress == NULL);

Now we need to increment the package number by editing the 12th line of the ettercap Makefile:

vi ./feeds/packages/net/ettercap/Makefile +12

Change the line from this:

PKG_RELEASE:=2

To look like this:

PKG_RELEASE:=3

Now run make one last time to build the patched ettercap package:

make

Once the compile finishes (if all went well) you should now have the following file:

./bin/ar71xx/packages/ettercap_NG-0.7.3-3_ar71xx.ipk

Use scp to copy this file to your Pineapple, then ssh into your Pineapple and run the following commands (on the Pineapple):

opkg remove ettercap
opkg install ./ettercap_NG-0.7.3-3_ar71xx.ipk


At this point you should test to make sure that you can now use the -D (daemonize) option:


ettercap -i br-lan -D -m /tmp/test.log

I see the following:

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Dissector "dns" not supported (etter.conf line 70)
Daemonizing ettercap...

If that worked and you didn't get an error, go ahead and kill ettercap and remove the log file:

killall ettercap
rm /tmp/test.log


Now were ready to clone the sslstrip infusion and modify our clone to use ettercap. First, make sure you have installed the sslstrip infusion. It is a good idea to clear all of your sslstrip log files first. Then run the following commands on your Pineapple to clone this infusion and make the necessary changes to adapt it for ettercap:

cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php


At this point it is probably a good idea to reboot your Pineapple, so issue the following command:

reboot

In my case the sslstrip infusion was set to autostart on boot and the ettercap infusion inherited that setting when we cloned it, so after a reboot I can see that the ettercap infusion started. If you didn't delete your log files from your sslstrip infustion you may find that the new ettercap infusion has clones of those files. Just stop ettercap, delete these log files, then restart ettercap and you should be good to go.

You should stop here; however If you want to return to the original (default) ettercap and see the high CPU load issue I mentioned at this beginning of this post, just run the following commands:

cd /root
opkg remove ettercap
opkg update
opkg install ettercap


Then run these commands to modify the ettercap infusion to use text mode:

cd /pineapple/components/infusions/ettercap/
sed -ie "s/ettercap -i br-lan -D -w /ettercap -i br-lan --text -w /g" includes/actions.php

sed -ie "s/ettercap -i br-lan -D -m /ettercap -i br-lan --text -m /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -w/ettercap -i br-lan --text -w/g" includes/vars.php

When looking with the 'top' program, the new ettercap (in daemon mode) averages around 3% load; however with the default ettercap the load is around 80%.

Again I hope that this post helps someone out there who wanted a working ettercap infusion.

-Garland

Link to comment
Share on other sites

Garland,

Are you going to submit your final product as an infusion for everyone else to use? I'll do it manually if I have to, because I'm a sadist, but it would be a great addition to the Pineapple Bar. Of course WhistleMaster might need to ok the cloning of his sslstrip infusion.... That being said...good work!

Link to comment
Share on other sites

I couldn't take any credit for the infusion itself. I only changed seven lines.

If you would like to see what the ettercap infusion looks like, without going through all of the trouble to build a new ettercap package, you can ssh to your Pineapple and paste the following lines to build the ettercap infusion (as long as you have the sslstrip infusion installed):

cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php

sed -ie "s/ettercap -i br-lan -D -w /ettercap -i br-lan --text -w /g" includes/actions.php

sed -ie "s/ettercap -i br-lan -D -m /ettercap -i br-lan --text -m /g" includes/actions.php
sed -ie "s/ettercap -i br-lan -D -w/ettercap -i br-lan --text -w/g" includes/vars.php

Refresh the web UI and you will have the ettercap infusion; however it will use the default, text-mode ettercap, which will cause excessive CPU load.

If you don't like the ettercap infusion, you can remove it using the Pineapple Bar menus. Also, if you ssh into your Pineapple and run ettercap manually, you don't have the CPU problem with the default ettercap, as your shell is being interactive with ettercap. The CPU issue only comes up when you background ettercap without an interactive shell.

Edited by Garland
Link to comment
Share on other sites

I'd actually like to run your daemonized version. I just thought since you have already created a patched .ipk you could post that or package the whole thing up as a MarkV ettercap infusion. I appreciate you sharing such a comprehensive how to post regardless.

Link to comment
Share on other sites

Here is my unofficial package file for the daemonized ettercap (ettercap_NG-0.7.3-3_ar71xx.ipk).

https://filetea.me/default/#t1s2Wtp6OCmSxCtY6z1f6SFeQ

Just scp this to your Pineapple, then ssh into the Pineapple and run:

opkg remove ettercap
opkg install ./ettercap_NG-0.7.3-3_ar71xx.ipk


Then copy and paste these commands to build the daemonized ettercap infusion:

rm -rf /pineapple/components/infusions/ettercap
cp -r /pineapple/components/infusions/sslstrip/ /pineapple/components/infusions/ettercap
cd /pineapple/components/infusions/ettercap/
find . -type f -exec sed -ie "s/sslstrip/ettercap/g" {} \;
sed -ie "s/1.3/1.0/g" ./handler.php
sed -ie "s/\texec(\"iptables/\t\/\/exec(\"iptables/g" includes/actions.php
sed -ie "s/ettercap -a -k -f -w /ettercap -i br-lan -D -w /g" includes/actions.php
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/actions.php
sed -ie "s/^iptables/#iptables/g" includes/autostart.sh
sed -ie "s/ettercap -k -f -w /ettercap -i br-lan -D -m /g" includes/autostart.sh
sed -ie "s/ettercap -a/ettercap -i br-lan -D -w/g" includes/vars.php


Hope this helps,

-Garland

Link to comment
Share on other sites

That's awesome. But that Filetea website only shares it as long as you have the browser open. As soon as I went to get it the site failed and then it says file not found.

Link to comment
Share on other sites

There is already an ettercap infusion, not yet ported to firmware 3.0 and / or MK5, but it will be soon.

If you don't mind Garland, I would use your new ettercap package for the infusion ! Great work by the way !

EDIT: My infusion is ready for MK5 :) I suggest to lock this topic to avoid confusion among users.

Edited by Whistle Master
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...