Video capturing SSL connection?
Kristian Hermansen
kristian.hermansen at gmail.com
Fri Apr 6 09:32:21 EDT 2007
On 4/6/07, Scott Ehrlich <scott at mit.edu> wrote:
> A while back, someone posted a link, possibly to this list, showing a
> person using a Windows and Linux box to capture the transaction of an
> https session and decode the user's password.
I haven't seen this video, but I am familiar with the tools to carry
out such an attack. They probably used ettercap-ng in the video on
windows. Here's what you want/need to do for Linux to sniff SSL...
* echo 1 > /proc/sys/net/ipv4/ip_forward
* ifconfig eth0 promisc
* dnsspoof
* webmitm
* arpspoof
If you don't like the manual approach, you can just try playing around
with ettercap. Remember that this attack requires man-in-the-middle.
So, I'm not sure how you are going to defeat the browser certificate
check, unless the user just clicks on "Continue Anyway" when
prompted...
--
Kristian Hermansen
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the Discuss
mailing list