
The Magic of Ettercap

The Magic of Ettercap. Matthew Sullivan, Information Assurance Student Group, March 8, 2010. Don’t Go To Prison. What is Ettercap? Intercepts traffic; alters traffic; does lots of scary things; has a powerful (and easy to use) filtering language that allows for custom scripting.



Presentation Transcript

  1. The Magic of Ettercap. Matthew Sullivan, Information Assurance Student Group, March 8, 2010

  2. Don’t Go To Prison

  3. What is Ettercap?
  • Intercepts traffic
  • Alters traffic
  • Does lots of scary things
  • Has a powerful (and easy to use) filtering language that allows for custom scripting
  • Can be “unified” or “bridged”

  4. Wait… unifi-what? Also, was there something about building a bridge in all that?
  [Diagram, Unified: Victim Computer <-> Ettercap (Network Card 1) <-> The Interwebz]
  [Diagram, Bridged: Victim Computer <-> Network Card 1 <-> Ettercap <-> Network Card 2 <-> The Interwebz]

  5. Deluxe Password Sniffer
  • Ettercap has a powerful password sniffer, and can find and display passwords in the following protocols: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG
  • Darn, that’s a LOT of protocols I can steal passwords from!

  6. (show demo)

  7. DNS Tampering
  • Ettercap can intercept DNS requests, check them against its own configuration, and reply back with an illegitimate IP
  • The fake response arrives before the real response can reach the target, so the victim computer ignores the real one
  • Can be done easily in “unified” mode, no bridging required

  8. DNS Tampering (continued)
  [Diagram: Victim Computer, Legit DNS Server, Ettercap] So what does this look like?
  • Victim: where is www.iastate.edu?
  • Ettercap: do I have a record for this? If so, reply with an illegitimate IP address
  • Victim: I received an answer to my request for www.iastate.edu, so all is well
  • Legit DNS Server: I know this record, replying with the legit IP
  • Victim: I just got another response for my request, but it’s already been fulfilled, so I’m ignoring this response

  9. DNS Tampering (continued)
  • This attack is perfect for situations where bridging isn’t possible
  • (perhaps the attacker doesn’t have physical access that high up in the network)
  • Isn’t foolproof though
  • SSL-protected websites will present certificate errors
  • If the line is fast enough, the legitimate DNS server can reply before Ettercap has had time to process and submit its own res
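The race on slides 7 through 9 leaves a trace a defender can look for: one query answered twice with different records. The following is an added example (not from the deck) that runs over a constructed DNS response capture and reports which answer the client will have kept and which one arrived too late; the resolver and sensor addresses are made up.

```python
"""Flag the duplicate-answer pattern behind the DNS tampering on slides 7-9.

Added example, not from the deck: the victim keeps the first reply and
ignores the later one, so a passive sensor on the victim's segment can
report any (transaction ID, name) that was answered twice with different
records, naming the reply the client accepted and the one it dropped.
"""
from collections import defaultdict

# Constructed capture: (time_s, src_ip, txid, qname, answer_ip).
# 192.0.2.53 plays the legitimate resolver; 192.0.2.66 is a hypothetical
# host on the local segment answering first. All addresses are TEST-NET.
SAMPLE_RESPONSES = [
    (0.010, "192.0.2.66", 0x1a2b, "www.iastate.edu", "192.0.2.66"),
    (0.034, "192.0.2.53", 0x1a2b, "www.iastate.edu", "198.51.100.10"),
    (0.120, "192.0.2.53", 0x3c4d, "example.com", "203.0.113.5"),
    (0.200, "192.0.2.53", 0x5e6f, "example.net", "203.0.113.6"),
    (0.201, "192.0.2.53", 0x5e6f, "example.net", "203.0.113.6"),  # retransmit
]


def find_conflicting_answers(responses):
    """One finding per (txid, qname) that received two different answers.

    The earliest reply is the one the client accepted; a later reply that
    merely repeats it (a retransmission) is not reported.
    """
    by_query = defaultdict(list)
    for t, src, txid, qname, ans in sorted(responses):
        by_query[(txid, qname)].append((t, src, ans))
    findings = []
    for (txid, qname), replies in by_query.items():
        first_t, first_src, first_ans = replies[0]
        for t, src, ans in replies[1:]:
            if ans != first_ans:
                findings.append({
                    "txid": txid, "qname": qname,
                    "accepted_answer": first_ans, "accepted_from": first_src,
                    "late_answer": ans, "late_from": src,
                    "gap_ms": round((t - first_t) * 1000, 1),
                })
                break  # report each query once
    return findings

if __name__ == "__main__":
    for f in find_conflicting_answers(SAMPLE_RESPONSES):
        print(f"txid {f['txid']:#06x} {f['qname']}: client accepted "
              f"{f['accepted_answer']} from {f['accepted_from']}; "
              f"{f['late_answer']} from {f['late_from']} came {f['gap_ms']} ms later")
```

The retransmitted example.net reply carries the same record and is deliberately not flagged, which keeps a busy resolver from drowning the real signal.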

  10. Packet Dropping
  • So by now you know that Ettercap can search packets and modify their contents
  • But that’s not all! It can drop packets too
  • For example, a filter can be set up to watch for DHCP REQUEST
  • Perhaps from all computers
  • Perhaps just from 00:1d:24:11:f4:3C
  • If it matches what we are looking for, we just drop the packet, and they will never receive an IP address to get onto the network
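Seen from the wire, a client whose DHCP requests are being dropped keeps retransmitting and never receives an acknowledgement. This added example (not part of the deck) pairs requests with acknowledgements per client MAC over a constructed capture, and tells one starved host apart from an outage where nobody gets an answer; the second MAC and all transaction IDs are made up.

```python
"""Spot the selective DHCP drop from slide 10 from the victim side of the wire.

Added example, not part of the deck. A client whose DHCPREQUESTs are being
dropped keeps retransmitting and never sees a DHCPACK. Pairing requests
with acknowledgements per client MAC shows that, and also separates one
starved host (selective drop) from everybody failing (server outage).
"""
from collections import defaultdict

# Constructed capture: (time_s, msg_type, client_mac, xid). ACK rows carry
# the client MAC from the chaddr field. The first MAC is the one the slide
# names as a possible filter target; the second is a hypothetical healthy
# client on the same segment.
SAMPLE_DHCP = [
    (0.0, "REQUEST", "00:1d:24:11:f4:3c", 0x11),
    (4.0, "REQUEST", "00:1d:24:11:f4:3c", 0x11),   # retransmit, no answer
    (8.0, "REQUEST", "00:1d:24:11:f4:3c", 0x11),
    (16.0, "REQUEST", "00:1d:24:11:f4:3c", 0x12),  # new transaction, still nothing
    (1.0, "REQUEST", "02:00:00:00:00:aa", 0x21),
    (1.1, "ACK",     "02:00:00:00:00:aa", 0x21),
]


def find_starved_clients(events, min_unanswered=3):
    """Return {mac: request_count} for clients that sent at least
    min_unanswered DHCPREQUESTs and received no DHCPACK at all."""
    requests = defaultdict(int)
    acked_xids = defaultdict(set)
    for _, msg, mac, xid in events:
        mac = mac.lower()
        if msg == "REQUEST":
            requests[mac] += 1
        elif msg == "ACK":
            acked_xids[mac].add(xid)
    return {mac: n for mac, n in requests.items()
            if n >= min_unanswered and not acked_xids[mac]}


def classify(events, min_unanswered=3):
    """Label the capture: 'ok', 'selective_drop' or 'server_unreachable'."""
    starved = find_starved_clients(events, min_unanswered)
    clients = {mac.lower() for _, _, mac, _ in events}
    if not starved:
        return "ok", starved
    if set(starved) == clients:
        return "server_unreachable", starved
    return "selective_drop", starved

if __name__ == "__main__":
    print(classify(SAMPLE_DHCP))
```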

  11. SSL Sniffing Ettercap can sniff and modify SSL packets by sending an unsigned certificate to the victim.

  12. SSL Sniffing: Carnegie Mellon Study
  In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found. Of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard. The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. The participants were shown an invalid certificate warning when they navigated to a bank Web site. 69 percent of technologically savvy Firefox 2 users ignored an expired certificate warning from their bank.
  * Taken from http://news.cnet.com/8301-1009_3-10297264-83.html

  13. SSL Sniffing: ISU WebCT Case Study
  • Last year, the certificate for WebCT was not renewed before its expiration
  • ITS was immediately inundated with calls and requests for support; employees walked users through how to ignore the certificate error
  • The certificate remained invalid for two days
  • Such problems train the average user to simply ignore these types of warnings
  • “I’ve seen this before, and they just told me to click ignore last time.”

  14. SSL Sniffing (continued)
  • What’s the take-away?
  • It’s easy to sniff SSL with an invalid certificate
  • People ignore SSL warnings
  • Most will continue onwards anyway
  • Remember: if you encounter an invalid certificate, be careful and use your head!

  15. Exploiting SSH: “SSH Downgrade Attack”
  • Some SSH2 servers are backwards-compatible with SSH1
  • These servers report their version as ssh-1.99

  16. Exploiting SSH (continued)
  • Using a custom Ettercap filter, we intercept the server’s response:
  replace("SSH-1.99", "SSH-1.51")
  • Now the SSH client believes the server only supports SSH1 and establishes an SSH1 connection

  17. Exploiting SSH (continued)
  • Ettercap sees the entire handshake and steals the login credentials
  • With some more custom scripting, Ettercap can even decrypt and dump the SSH1 connection data
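The downgrade on slides 15 through 17 only works because the client is willing to fall back to protocol 1 when the banner says so. The following added example (not Ettercap's filter and not any SSH implementation's code) parses the server identification string and applies the client-side rule that defeats the rewrite: a "1.99" server is spoken to as 2.0, and a plain 1.x banner is refused unless SSH1 has been explicitly enabled. The software version strings in the sample banners are made up.

```python
"""Client-side guard against the SSH banner downgrade on slides 15-17.

Added example, not Ettercap's filter or any SSH implementation's code.
The server's first line is "SSH-protoversion-softwareversion" (RFC 4253).
A server that speaks both protocol 1 and 2 announces "1.99"; a client
that only ever accepts 2.0 cannot be talked down to SSH1 by a rewritten
banner, because it refuses anything else outright.
"""
import re

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(line):
    """Split an identification string into (protoversion, softwareversion)."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return m.group("proto"), m.group("software")


def negotiate_protocol(server_banner, allow_ssh1=False):
    """Return the protocol version the client will use, or None to refuse.

    "2.0"  -> "2.0"
    "1.99" -> "2.0"  (server also speaks 2; the client must pick 2, not 1)
    "1.x"  -> "1.x" only if the client explicitly allows SSH1, else None
    """
    proto, _ = parse_banner(server_banner)
    if proto in ("2.0", "1.99"):
        return "2.0"
    if proto.startswith("1.") and allow_ssh1:
        return proto
    return None


# Constructed banners: the honest one, and what the slide's filter turns
# it into by rewriting "SSH-1.99" to "SSH-1.51" in flight.
HONEST_BANNER = "SSH-1.99-ExampleSSH_1.0\r\n"
DOWNGRADED_BANNER = "SSH-1.51-ExampleSSH_1.0\r\n"

if __name__ == "__main__":
    for banner in (HONEST_BANNER, DOWNGRADED_BANNER):
        print(banner.strip(), "->", negotiate_protocol(banner) or "refused")
```

The same policy is what a "Protocol 2"-only client configuration expresses; with SSH1 disabled the rewritten banner ends the session instead of starting a sniffable one.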

  18. So, are you scared yet? Did I hear a “no” answer out there? Alright, let’s bring out the big guns…

  19. Demo Time: Do I Have Your Data?
  • You’ve been using my Wi-Fi access point called “IASTATE”
  • Jeff has been busy ‘deauthing’ the real IASTATE access point, which makes your computer wander over to my AP instead
  • Have you logged in to Gmail, CyMail, WebCT, or Facebook since being here?

  20. (show demo)
