I don't know about 1 & 2, but to answer your third question there is a pretty simple test to determine if your card is capable of injection. Just google for "aircrack-ng injection test". Shouldn't be hard to find.
ARP Poisoning 101 (Not sniffing info...)
First of all Hello!
A new laptop, new Back|Track 4...needless to say I am in heaven. I decided to practice using Ettercap while connected to my network to see if I could sniff logins or at the very least use the browser plug-in to follow browser pages. I select my D-Link router as target 1 and my desktop pc as target two (Connected directly through LAN) Using unified sniffing with the browser plug-in enabled I activate Mitm Arp Posion and start sniffing...
Now occasionally some information will come down but nothing of any interest and certainly no login information or browser visits despite logging in to several locations on my personal computer. When I use the plugin that tests if there is any poisoning going on..it returns a big negative.
So if your still with me I appreciate it and have a couple questions!
1.) Am I using Ettercap correctly? If so, what could interfere with a proper MITM Arp Poison attack?
2.) If a network has more than one router do I set both or more routers for "Target 1" ? and all clients as "Target 2" ?
3.) Finally...I wanted to make sure my laptop was not responsible for any flakey Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)
Thank-you for any help your willing to provide! Have a fantastic day
Wh|$KeY
Re: ARP Poisoning 101 (Not sniffing info...)
I don't know about 1 & 2, but to answer your third question there is a pretty simple test to determine if your card is capable of injection. Just google for "aircrack-ng injection test". Shouldn't be hard to find.
Re: ARP Poisoning 101 (Not sniffing info...)
There are tons of tutorials out there, check out any of these links:
Also take a look at the video section in the old forums, don't know how long these will be around but there are great examples there too:
Backtrack Videos - Remote Exploit Forums
http://www.aircrack-ng.org/doku.php?id=injection_test3.) Finally...I wanted to make sure my laptop was not responsible for any flakey Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)
Re: ARP Poisoning 101 (Not sniffing info...)
What sort of information are you after?
If you are SSL (HTTPS) passwords such as facebook, hotmail, gmail then i highly recommend SSLstrip.
*You need Ethercap and dsniff (arpspoof) for this - they are all built into backtrack.
Re: ARP Poisoning 101 (Not sniffing info...)
@MarkW7
-I am after login forms in general. However most are now https it seems so yes...I will read-up on SSlstrip and dsniff.
@Lincoln
-Yes that test was perfect and worked! And I love the video portion, I bookmarked it right away! I read many tutorials with variations on this MITM attack and followed them precisely as well as using my own knowledge. For some reason when I check to see if I truly poisoned the victim...it always returns as negative...I still can't figure that out!
Re: ARP Poisoning 101 (Not sniffing info...)
This page is probably the best page that i have been looking for. I been up for hours and hours all night trying to figure out why i cant see the passwords..This is my system:
Windows Vista 64 bit
Backtrack 4 Dual Boot
My laptop is connected to my router..I dont have a usb or a wifi card
I been trying to run ettercap all night and it just wont work. I would see pages every now and then but its not consistent.
when i run ettercap -G. everything is fine. But after a while i get this error
----------------------------------------------------------------------------------------
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
No protocol specified
Error: cannot open display: :0.0
No protocol specified
Error: cannot open display: :0.0
No protocol specified
Error: cannot open display: :0.0
suff .asp
No protocol specified
Error: cannot open display: :0.0
No protocol specified
Error: cannot open display: :0.0
No protocol specified
Error: cannot open display: :0.0
-----------------------------------------------------------------------
Was driving me nuts i google this info with no such luck..But i found this page and now i see why. I think its because the test that you provided for injection and what not..I ran this test
aireplay-ng -9 wlan0
this is what i got back from running the test
root@bt:~# aireplay-ng -9 wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
root@bt:~# airmon-ng
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0]
root@bt:~# aireplay-ng -9 wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
root@bt:~# aireplay-ng -9 -i wlan1 wlan0
ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
so now i see why i probably get those errors. My network card dose not support injection..wow search and you will find
thanks for this post now i can take a asprin and go buy me the correct card that does support injection
Re: ARP Poisoning 101 (Not sniffing info...)
I tried both means of capture, neither functioned.
arpspoof -i eth0 -t 10.10.65.14 10.10.1.1
arpspoof: couldn't arp for host 10.10.65.14
I know the host exists (test computer on my network).
solutions?
Re: ARP Poisoning 101 (Not sniffing info...)
Have you edited the etter.conf? (/etc/etter.conf) You will need to uncomment iptables and set default user as root.Originally Posted by Whiskey
I'm sure a quick googling ("etter.conf iptables default user") should give you enough info on how to do this (if you haven't already done it).
You shouldn't select all clients, that's a mistake. You can only sniff one, max two clients at a time, and if 2 are selected, their internet connection will slow down.
The explanation for this is simple: When selecting one client, all his traffic will pass trough your computer. You know that wireless cards speed isn't unlimited (54mbps max, unless it's an N adapter or a ethernet card), so when selecting all clients, your card will not have the required capacity to redirect every traffic to every client. This will result in a effective DOS attack against the network.
As for the routers part, I think you should only set the target (target 1 or target 2, as long as you put the victim('s) on the opposite target) as your gateway. I think that if there are other routers connected directly to the router you're connected to, you should treat them as clients, but i'm not sure.
Two Things:
1) You said you don't have wifi, so... What's this? --> "wlan0 Intel 4965/5xxx iwlagn - [phy0]"
As far as I know, this IS a wifi card.
2) You really should pay more attention to error messages. You assumed your card didn't support injection, but you haven't really tested. Those errors occurred because you don't have monitor mode enabled (yes, it's required to inject). Now, let's take a quick look at those error messages, shall we?
Means that your interface its being used (maybe by wicd?).ioctl(SIOCSIWMODE) failed: Device or resource busy
The bold part explains everything and points you to a solution.ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.
As a alternative to 'airmon-ng start wlan0' you can also use the following:
Personally I like this last one better because I don't like to create another interface (mon0), but it really doesn't matter. As long as you use mon0 if you chose to use airmon-ng.Code:ifconfig wlan0 down iwconfig wlan0 mode monitor ifconfig wlan0 up
In order to provide you with a solution, I will need some more info about your setup.
VMware or LiveCD/HDD/USB install?
Does eth0 refers to your ethernet interface?
You can also post your iwconfig output.
Re: ARP Poisoning 101 (Not sniffing info...)
I'm having the exact same problem except that I'm trying to use airodump, but I get the same response as OP.
I'm running BT4 off VMware with an atheros ar9170 usb adapter.
My iwconfig reply is:
lo no wireless extensions.
eth0 no wireless extensions.
ath0 IEEE 802.11-MIMO ESSID:""
Mode:Ad-Hoc Frequency:2.437 GHz Cell: Not-Associated
Bit Rate:54 Mb/s Tx-Power=-2147483648 dBm Sensitivity=0/3
Retry RTS thrff Fragment thr
Encryption key
Power Management
My airmon-ng reply is:
Interface Chipset Driver
ath0 AR9001U Otus
And my airodump-ng ath0 reply is:
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
sure RFMON is enabled: run 'airmon-ng start ath0 <#>'
Sysfs injection support was not found either.
I'm not entirely sure what to do at this point.
Re: ARP Poisoning 101 (Not sniffing info...)
Have you red what I wrote regarding that error message?
EDIT: Nevermind, saw your other thread, i'll answer there.
Last edited by Snayler; 02-09-2010 at 07:03 PM.
Posting Permissions