The Magic of Ettercap

Matthew Sullivan
Information Assurance Student Group
March 8, 2010
 Intercepts traffic
 Alters traffic
 Does lots of scary things
 Has a powerful (and easy to use) filtering language that allows for custom scripting
 Can be “unified” or “bridged”
[Diagram “Unified”: Victim Computer, Ettercap on Network Card 1, The Interwebz]
[Diagram “Bridged”: Victim Computer, Ettercap between Network Card 1 and Network Card 2, The Interwebz]
 Ettercap has a powerful password sniffer, and can find and display passwords in the following protocols:
 TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG
 Darn, that’s a LOT of protocols I can steal passwords from!
(show demo)
 Ettercap can intercept DNS requests, check them against its own configuration, and reply with an illegitimate IP
 The fake response arrives before the real response can reach the target, so the victim computer ignores the real one
 Can be done easily in “unified” mode, no bridging required
 So what does this look like?
[Diagram: Victim Computer, Legit DNS Server, Ettercap]
Victim: where is www.iastate.edu?
Ettercap: do I have a record for this? If so, reply with an illegitimate IP address
Victim: I received an answer to my request for www.iastate.edu, so all is well
Legit DNS Server: I know this record, replying with legit IP
Victim: I just got another response for my request, but it’s already been fulfilled, so I’m ignoring this response
 This attack is perfect for situations where bridging isn’t possible
• (perhaps the attacker doesn’t have physical access that high up in the network)
 Isn’t foolproof though
• SSL-protected websites will present certificate errors
• If the line is fast enough, the legitimate DNS server can reply before Ettercap has had time to process and submit its own response
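The race above leaves a trace a defender can look for: the victim sees two answers for the same DNS transaction, and the two disagree. The following is an added example (not part of the slides or of Ettercap) that runs that check over a constructed list of response records, as a passive sensor on the victim’s segment might record them. The transaction ids, names and addresses are made up; the addresses come from the documentation ranges.

```python
from collections import defaultdict

# Constructed DNS responses (not real traffic). Each tuple is
# (timestamp_seconds, transaction_id, queried_name, answer_ip).
SAMPLE_RESPONSES = [
    (0.000, 0x1a2b, "www.iastate.edu", "203.0.113.10"),  # arrives first: the spoofed answer
    (0.012, 0x1a2b, "www.iastate.edu", "192.0.2.5"),     # legit answer, 12 ms too late
    (0.500, 0x77aa, "example.net", "198.51.100.20"),     # single answer, nothing to flag
    (1.000, 0x3c3c, "mail.example.org", "192.0.2.7"),
    (1.001, 0x3c3c, "mail.example.org", "192.0.2.7"),    # retransmit with the same answer: benign
]


def find_duplicate_answers(responses):
    """Group responses by (transaction id, name) and flag groups whose answers
    disagree. The resolver keeps the first answer and drops the rest, so each
    alert records which answer 'won' and how far behind the conflicting ones were."""
    groups = defaultdict(list)
    for ts, txid, qname, ip in responses:
        groups[(txid, qname)].append((ts, ip))

    alerts = []
    for (txid, qname), seen in groups.items():
        seen.sort()                      # earliest response first
        if len({ip for _, ip in seen}) < 2:
            continue                     # duplicates that agree are retransmits
        first_ts, first_ip = seen[0]
        conflicting = [(round(ts - first_ts, 3), ip)
                       for ts, ip in seen[1:] if ip != first_ip]
        alerts.append({
            "txid": txid,
            "qname": qname,
            "accepted_answer": first_ip,   # what the victim actually used
            "conflicting": conflicting,    # (delay_seconds, answer) of the losers
        })
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_answers(SAMPLE_RESPONSES):
        print(alert)
```

The check cannot say which answer was genuine, only that two different ones arrived; the source address is no help because the spoofed packet carries the resolver’s address. The delay between the two is still useful evidence: the second caveat on the slide says the legitimate server wins when it is fast enough, so a small, consistent gap across many names points at something sitting on the path.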
 So by now you know that Ettercap can search packets and modify their contents
• But that’s not all! It can drop packets too
 For example, a filter can be set up to watch for DHCP REQUEST
• Perhaps from all computers
• Perhaps just from 00:1d:24:11:f4:3C
 If it matches what we are looking for, we just drop the packet, and they will never receive an IP address to get onto the network
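From the network side, a client whose DHCPREQUEST is being dropped looks like a client that keeps asking and never gets a DHCPACK or DHCPNAK. The following added example (not from the slides) runs that correlation over a constructed DHCP message log keyed by the client hardware address; the MACs and timings are made up.

```python
from collections import defaultdict

# Constructed DHCP message log (not a real capture). Each tuple is
# (timestamp_seconds, client_mac_from_chaddr, dhcp_message_type).
SAMPLE_DHCP = [
    (0.0, "02:00:00:00:00:01", "DISCOVER"),
    (0.1, "02:00:00:00:00:01", "OFFER"),
    (0.2, "02:00:00:00:00:01", "REQUEST"),
    (0.3, "02:00:00:00:00:01", "ACK"),       # normal lease, nothing to flag
    (1.0, "02:00:00:00:00:02", "REQUEST"),   # requests that never get an answer
    (4.0, "02:00:00:00:00:02", "REQUEST"),
    (8.0, "02:00:00:00:00:02", "REQUEST"),
    (9.0, "02:00:00:00:00:03", "REQUEST"),   # too recent to judge when the capture ends
]


def unanswered_requests(events, timeout=2.0):
    """Per client, count DHCPREQUESTs that got no DHCPACK/DHCPNAK for that client
    within `timeout` seconds. A request whose window has not closed by the end
    of the capture is left out so the last few seconds do not produce noise."""
    if not events:
        return {}
    capture_end = max(ts for ts, _, _ in events)
    by_mac = defaultdict(list)
    for ts, mac, mtype in events:
        by_mac[mac].append((ts, mtype))

    result = {}
    for mac, msgs in by_mac.items():
        answers = [ts for ts, mt in msgs if mt in ("ACK", "NAK")]
        missing = 0
        for ts, mt in msgs:
            if mt != "REQUEST" or ts + timeout > capture_end:
                continue
            if not any(ts < a <= ts + timeout for a in answers):
                missing += 1
        if missing:
            result[mac] = missing
    return result


def starved_clients(events, timeout=2.0, min_repeats=2):
    """Clients with repeated unanswered requests. A failing DHCP server or a
    broken relay looks the same, so treat the list as a lead to investigate."""
    counts = unanswered_requests(events, timeout)
    return sorted(mac for mac, n in counts.items() if n >= min_repeats)


if __name__ == "__main__":
    print(unanswered_requests(SAMPLE_DHCP))
    print(starved_clients(SAMPLE_DHCP))
```

The timeout is deliberately generous; clients retry on their own schedule, and a single miss says nothing. What distinguishes the selective filter on the slide from a dead server is the pattern: one or a few clients starving while others on the same segment lease normally, which the per-client counts make visible.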
 Ettercap can sniff and modify SSL packets by sending an unsigned certificate to the victim.

In an online study conducted among 409 participants, the researchers found that the majority of respondents would ignore warnings about an expired Secure Sockets Layer (SSL) certificate. The more tech-savvy the user, the more likely they would be to ignore it, the study found.

Of the 50 percent of Firefox 2 users polled who could identify the term "expired security certificate," 71 percent said they would ignore the warning. Of the 59 percent of Firefox 2 users who understood the significance of a "domain mismatch" warning, 19 percent said they would ignore the hazard.

The Carnegie Mellon team conducted a second study, with 100 participants and under lab conditions. The participants were shown an invalid certificate warning when they navigated to a bank Web site. 69 percent of technologically savvy Firefox 2 users ignored an expired certificate warning from their bank.

* Taken from http://news.cnet.com/8301-1009_3-10297264-83.html

Last year, the certificate for WebCT was not renewed before its expiration
ITS was immediately inundated with calls and requests for support; employees walked users through how to ignore the certificate error
The certificate remained invalid for two days
Such problems train the average user to simply ignore these types of warnings
• “I’ve seen this before, and they just told me to click ignore last time.”
 What’s the take-away?
• It’s easy to sniff SSL with an invalid certificate
• People ignore SSL warnings
• Most will continue onwards anyway
 Remember: if you encounter an invalid certificate, be careful and use your head!
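The three warnings in play on these slides (expired certificate, domain mismatch, certificate not signed by a trusted issuer) are each a distinct check, and the WebCT story shows why lumping them together is harmful: an expired campus certificate and an attacker’s unsigned certificate produce the same “click through” reflex. The following added example (not from the slides) spells the checks out over constructed certificate dicts laid out the way Python’s ssl.SSLSocket.getpeercert() returns them; the names, dates and the trusted-issuer set are made up stand-ins for a browser’s CA store.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificates (not real ones) in getpeercert() dict layout.
EXPIRED_CERT = {                      # the WebCT situation: trusted issuer, lapsed validity
    "subject": ((("commonName", "webct.example.edu"),),),
    "issuer": ((("commonName", "Example Campus CA"),),),
    "notBefore": "Mar 01 00:00:00 2009 GMT",
    "notAfter": "Mar 01 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "webct.example.edu"),),
}
SELF_SIGNED_CERT = {                  # the interception situation: right name, nobody vouches for it
    "subject": ((("commonName", "webct.example.edu"),),),
    "issuer": ((("commonName", "webct.example.edu"),),),
    "notBefore": "Jan 01 00:00:00 2010 GMT",
    "notAfter": "Jan 01 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "webct.example.edu"),),
}
WRONG_HOST_CERT = {                   # valid and trusted, but issued for another name
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Campus CA"),),),
    "notBefore": "Jan 01 00:00:00 2010 GMT",
    "notAfter": "Jan 01 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
TRUSTED_ISSUERS = {"Example Campus CA"}        # stand-in for the browser's CA store
TALK_DATE = datetime(2010, 3, 8, tzinfo=timezone.utc)


def _common_name(name):
    """Pull commonName out of the nested RDN tuples getpeercert() uses."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _host_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                                   # "*.example.com" -> ".example.com"
    label = host[: -len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label


def check_certificate(cert, hostname, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the warnings a browser would raise for this certificate, in a
    fixed order, or an empty list when all checks pass."""
    warnings = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:                                          # no SAN: fall back to the subject CN
        names = [_common_name(cert["subject"])]
    if not any(_host_matches(n, hostname) for n in names):
        warnings.append("domain mismatch")
    if _common_name(cert["issuer"]) not in trusted_issuers:
        warnings.append("untrusted issuer")
    return warnings


if __name__ == "__main__":
    for label, cert, host in [("expired", EXPIRED_CERT, "webct.example.edu"),
                              ("self-signed", SELF_SIGNED_CERT, "webct.example.edu"),
                              ("wrong host", WRONG_HOST_CERT, "bank.example.edu")]:
        print(label, check_certificate(cert, host, TALK_DATE))
```

The point the separate return values make: “expired” with a trusted issuer is a housekeeping failure on the server’s side, while “untrusted issuer” on a certificate whose name and dates look perfect is exactly what an unsigned certificate injected on the path produces. A help desk script that teaches users to click through the first also teaches them to click through the second.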
 “SSH Downgrade Attack”
 Some SSH2 servers are backwards-compatible with SSH1
 These servers report their version as ssh-1.99
 Using a custom Ettercap filter, we intercept the server’s response:
replace("SSH-1.99", "SSH-1.51")
 Now the SSH client believes the server only supports SSH1 and establishes an SSH1 connection
 Ettercap sees the entire handshake and steals the login credentials
 With some more custom scripting, Ettercap can even decrypt and dump the SSH1 connection data
Did I hear a “no” answer out there?
Alright, let’s bring out the big guns…
 You’ve been using my Wi-Fi access point called “IASTATE”
 Jeff has been busy ‘deauthing’ the real IASTATE access point, which makes your computer wander over to my AP instead
 Have you logged in to Gmail, CyMail, WebCT, or Facebook since being here?
(show demo)