Thread: ARP Poisoning 101 (Not sniffing info...)

  1. #1
    Just burned his ISO Whiskey's Avatar
    Join Date
    Jan 2010
    Posts
    5

    ARP Poisoning 101 (Not sniffing info...)

    First of all Hello!

    A new laptop, new Back|Track 4...needless to say I am in heaven. I decided to practice using Ettercap while connected to my network to see if I could sniff logins or at the very least use the browser plug-in to follow browser pages. I select my D-Link router as target 1 and my desktop PC as target two (connected directly through LAN). Using unified sniffing with the browser plug-in enabled, I activate Mitm Arp Poison and start sniffing...

    Now occasionally some information will come down but nothing of any interest and certainly no login information or browser visits despite logging in to several locations on my personal computer. When I use the plugin that tests if there is any poisoning going on..it returns a big negative.

    So if you're still with me I appreciate it and have a couple of questions!

    1.) Am I using Ettercap correctly? If so, what could interfere with a proper MITM Arp Poison attack?

    2.) If a network has more than one router do I set both or more routers for "Target 1" ? and all clients as "Target 2" ?

    3.) Finally...I wanted to make sure my laptop was not responsible for any flakey Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)


    Thank you for any help you're willing to provide! Have a fantastic day

    Wh|$KeY

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    46

    Re: ARP Poisoning 101 (Not sniffing info...)

    I don't know about 1 & 2, but to answer your third question there is a pretty simple test to determine if your card is capable of injection. Just google for "aircrack-ng injection test". Shouldn't be hard to find.

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Re: ARP Poisoning 101 (Not sniffing info...)

    There are tons of tutorials out there, check out any of these links:

    Google

    Also take a look at the video section in the old forums, don't know how long these will be around but there are great examples there too:

    Backtrack Videos - Remote Exploit Forums

    3.) Finally...I wanted to make sure my laptop was not responsible for any flakey Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)
    http://www.aircrack-ng.org/doku.php?id=injection_test

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    17

    Re: ARP Poisoning 101 (Not sniffing info...)

    What sort of information are you after?

    If you are after SSL (HTTPS) passwords such as Facebook, Hotmail, Gmail then I highly recommend SSLstrip.

    *You need Ettercap and dsniff (arpspoof) for this - they are all built into BackTrack.

  5. #5
    Just burned his ISO Whiskey's Avatar
    Join Date
    Jan 2010
    Posts
    5

    Re: ARP Poisoning 101 (Not sniffing info...)

    @MarkW7

    -I am after login forms in general. However most are now https it seems so yes...I will read up on SSLstrip and dsniff.

    @Lincoln

    -Yes that test was perfect and worked! And I love the video portion, I bookmarked it right away! I read many tutorials with variations on this MITM attack and followed them precisely as well as using my own knowledge. For some reason when I check to see if I truly poisoned the victim...it always returns as negative...I still can't figure that out!
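
Added example (not part of the thread and not code from any poster): a check run on the machine being tested, which reads that machine's own ARP cache to see whether its gateway entry was actually replaced. It goes beyond the single "is poisoning going on" check discussed above by also flagging any MAC claimed by several IPs; the function names, addresses and sample tables are constructed for illustration.

```python
from collections import defaultdict

ATF_COM = 0x02  # Linux flag: entry is resolved (complete)

def parse_proc_net_arp(text):
    """Return {ip: mac} for resolved entries in /proc/net/arp-format text."""
    table = {}
    for line in text.strip().splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def shared_macs(table):
    """MACs claimed by more than one IP. Proxy ARP and multi-homed hosts can
    cause this legitimately, so treat a hit as a lead, not proof."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_changed(baseline, current, gateway_ip):
    """True when the gateway resolves to a different MAC than the baseline."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    return old is not None and new is not None and old != new

# Constructed samples: the cache before the test and during it.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:00:00:01     *        eth0
192.168.0.50     0x1         0x2         02:00:00:00:00:99     *        eth0
192.168.0.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
DURING = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         02:00:00:00:00:99     *        eth0
192.168.0.50     0x1         0x2         02:00:00:00:00:99     *        eth0
"""

if __name__ == "__main__":
    before, now = parse_proc_net_arp(BASELINE), parse_proc_net_arp(DURING)
    print("gateway MAC changed:", gateway_changed(before, now, "192.168.0.1"))
    print("MACs shared by several IPs:", shared_macs(now))
```

On a live Linux host, pass the contents of /proc/net/arp in place of the constructed samples.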

  6. #6
    Junior Member
    Join Date
    Feb 2010
    Posts
    34

    Re: ARP Poisoning 101 (Not sniffing info...)

    This page is probably the best page that I have been looking for. I have been up for hours and hours all night trying to figure out why I can't see the passwords. This is my system:

    Windows Vista 64 bit
    Backtrack 4 Dual Boot
    My laptop is connected to my router. I don't have a USB or a wifi card

    I have been trying to run ettercap all night and it just won't work. I would see pages every now and then but it's not consistent.

    When I run ettercap -G, everything is fine. But after a while I get this error:
    ----------------------------------------------------------------------------------------
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    suff .asp
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0

    -----------------------------------------------------------------------
    Was driving me nuts, I googled this info with no such luck.. But I found this page and now I see why. I think it's because the test that you provided for injection and what not.. I ran this test

    aireplay-ng -9 wlan0

    This is what I got back from running the test

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    root@bt:~# airmon-ng


    Interface Chipset Driver

    wlan0 Intel 4965/5xxx iwlagn - [phy0]

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    root@bt:~# aireplay-ng -9 -i wlan1 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.


    So now I see why I probably get those errors. My network card does not support injection.. wow, search and you will find

    Thanks for this post, now I can take an aspirin and go buy me the correct card that does support injection

  7. #7
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    2

    Re: ARP Poisoning 101 (Not sniffing info...)

    I tried both means of capture, neither functioned.
    arpspoof -i eth0 -t 10.10.65.14 10.10.1.1
    arpspoof: couldn't arp for host 10.10.65.14


    I know the host exists (test computer on my network).
    solutions?
