Hello
I'm trying to intercept some TLS traffic on a nonstandard port.
Here is what I'm doing:
sudo ettercap -T -M arp /ip1// /ip2// -w /filelocation
I uncommented the redir_command_on and redir_command_off for ipv4 and ipv6 and changed ec_uid and ec_gid to 0.
It looks like it's working. But when ip1 initiates the TLS handshake, I can see the handshake but it doesn't look like ettercap actually intercepted it. After the handshake, the traffic remains encrypted.
If I start ettercap with a GUI, I see that the redirect rules specify certain Services. Could it be an issue that I expect ettercap to work with TLS over TCP and a non-standard service?
Is there a way for me to verify and troubleshoot what is happening?
Thanks in advance.
I know what he means since I had the same issue.
If the TLS server is running e.g. on port 8443, the redirect rule will not redirect to the SSL listener and will not continue with performing a TLS handshake.
The reason is that the port for https is defined in etter.conf. When you change the port for https to 8443 in etter.conf, SSL interception will work.
One more word on the redirect rule.
For backward compatibility of behavior, the redirect rules are installed to capture traffic to any destination for the various SSL protocols. However, nowadays this is seldom what is desired, as TLS servers behave quite differently depending on the version and hardening (HSTS). I recommend removing all redirect rules when Ettercap has been started but MITM is not yet started.
Then insert SSL intercept rules only for the desired target, to avoid collateral. Then continue starting the MITM.
Hint
Don't forget about IPv6 in dual-stack networks.