# How to sniff username and pass

You are assumed that you have knowledge about ettercap as we are going to use ettercap for this tuto

I did this mini tutorial cos i wanted to play with ettercap filters.

If u had ever sniffed for username and password from RE Forum, U would noticed that the username is sent in clear text but the password is sent as a MD5 hash. The MD5 hash is computed by a javascript. If we look into the source code of the main forum page "http://forums.remote-exploit.org/index.php" we can notice that the MD5 javascript is located here "http://forums.remote-exploit.org/clientscript/vbulletin_md5.js". Lets look at the first line of the login section of the index.php. 'onsubmit' means that when we press LOG IN button 'md5hash' javascript function is executed. The value entered to password field 'vb_login_password'is sent to the javascript and next the MD5 hash is computed and send back to the FORM as a 'vb_login_md5password' and 'vb_login_md5password_utf'.How to "hack" this login method ? Of course we can sniff username and md5 hash and then md5 can be broken by rainbow table. But i think there are a lot of other better way to get the password. I like Ettercap and its packet filters. That's why I 'hacked' the forum using my own Ettercap filter. OK. the main idea is that the password must be forced to be send to the web server in plain text. it's obvious that the User shouldnt notices that his/her network is sniffed. So the login script must be modified in that way to allow normal logging into the forum. The simplest way to do this is modifying login section of index.php. As we see bellow, there are input tags, type='hidden'. These fields are filed in by a java md5hash script and next are sent to the server. I think the best solution is just to add new input field and copy password string to there. To do this, existing html code must be modified. Lets use ETTERCAP and its filters. But first we should look at the http traffic generated by RE Forum during logging in. Start the ETHEREAL. As we see, HTML source code isn't sent in plain text! It is compressed by gzip (deflate). To disable this feature we have to remove from HTTP packets this entry "Accept-Encoding:gzip,deflate" and replace it by something other(i've seen ettercap and yahoo tutorial,thats why i know this ;-). Lets use one of Ettetcap filters to eliminate gzip compression. Now we can sniff network and we notice that the forum page is sent without gzip compresion ! pure HTML code ! so let's modify sth. I suggest replace a useless part of line 14 by sth useful like new input tag ;-)
I added ONFOCUS to login button section cos I wanted to assign "vb_login_password.value" to x.value from new input tag to send the x to the server in plain text.

onfocus="x.value =vb_login_password.value" />

now we have new useless parameter 'x' which is send in plain text to the server to the 'login.php'. Server ignores it, however we don't cos this is our desired password!

To start sniffing, ettercap filter must be compiled.
1.create new empty file ForumFilter.filter
2.copy and paste the included ettercap filter into the file
3.compile it. 'etterfilter ForumFilter.filter -o ForumFilter'

next, start ettercap
1.Sniff ->Unified Sniffing
2.Host -> Scan for Hosts
3.Host -> Host List and add victims machine to target 1 and router etc. to target 2
4.MITM -> ARP Spoofing, Sniff Remote connections
5.Filter - > Load new filter, ...than open our ForumFilter
6.Start - > start sniffing

next start ETHEREAL
network is sniffed
if everything is done correctly, the username and password should appear in plain text

in the sniffer.

http://darkc0de.com/