
Thread: ARP Poisoning 101 (Not sniffing info...)

  1. #1
    Just burned his ISO Whiskey's Avatar
    Join Date
    Jan 2010
    Posts
    5

    ARP Poisoning 101 (Not sniffing info...)

    First of all Hello!

    A new laptop, new Back|Track 4...needless to say I am in heaven. I decided to practice using Ettercap while connected to my network to see if I could sniff logins or at the very least use the browser plug-in to follow browser pages. I select my D-Link router as target 1 and my desktop PC as target two (connected directly through LAN). Using unified sniffing with the browser plug-in enabled, I activate MITM ARP Poison and start sniffing...

    Now occasionally some information will come down but nothing of any interest and certainly no login information or browser visits despite logging in to several locations on my personal computer. When I use the plugin that tests if there is any poisoning going on..it returns a big negative.

    So if you're still with me I appreciate it and have a couple of questions!

    1.) Am I using Ettercap correctly? If so, what could interfere with a proper MITM Arp Poison attack?

    2.) If a network has more than one router do I set both or more routers for "Target 1" ? and all clients as "Target 2" ?

    3.) Finally...I wanted to make sure my laptop was not responsible for any flaky Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)


    Thank you for any help you're willing to provide! Have a fantastic day

    Wh|$KeY

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    46

    Re: ARP Poisoning 101 (Not sniffing info...)

    I don't know about 1 & 2, but to answer your third question there is a pretty simple test to determine if your card is capable of injection. Just google for "aircrack-ng injection test". Shouldn't be hard to find.

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Re: ARP Poisoning 101 (Not sniffing info...)

    There are tons of tutorials out there, check out any of these links:

    Google

    Also take a look at the video section in the old forums, don't know how long these will be around but there are great examples there too:

    Backtrack Videos - Remote Exploit Forums

    3.) Finally...I wanted to make sure my laptop was not responsible for any flakey Back | Track performance. How can I test to make sure my wireless chip is fully capable of packet injection? (Dv7-1245dx)
    http://www.aircrack-ng.org/doku.php?id=injection_test

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    17

    Re: ARP Poisoning 101 (Not sniffing info...)

    What sort of information are you after?

    If you are after SSL (HTTPS) passwords such as Facebook, Hotmail, Gmail then I highly recommend SSLstrip.

    *You need Ettercap and dsniff (arpspoof) for this - they are all built into BackTrack.

  5. #5
    Just burned his ISO Whiskey's Avatar
    Join Date
    Jan 2010
    Posts
    5

    Re: ARP Poisoning 101 (Not sniffing info...)

    @MarkW7

    -I am after login forms in general. However most are now https it seems so yes...I will read up on SSLstrip and dsniff.

    @Lincoln

    -Yes that test was perfect and worked! And I love the video portion, I bookmarked it right away! I read many tutorials with variations on this MITM attack and followed them precisely as well as using my own knowledge. For some reason when I check to see if I truly poisoned the victim...it always returns as negative...I still can't figure that out!

  6. #6
    Junior Member
    Join Date
    Feb 2010
    Posts
    34

    Re: ARP Poisoning 101 (Not sniffing info...)

    This page is probably the best page that I have been looking for. I've been up for hours and hours all night trying to figure out why I can't see the passwords. This is my system:

    Windows Vista 64 bit
    Backtrack 4 Dual Boot
    My laptop is connected to my router. I don't have a USB or a wifi card.

    I've been trying to run ettercap all night and it just won't work. I would see pages every now and then but it's not consistent.

    When I run ettercap -G, everything is fine. But after a while I get this error:
    ----------------------------------------------------------------------------------------
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    suff .asp
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0
    No protocol specified
    Error: cannot open display: :0.0

    -----------------------------------------------------------------------
    It was driving me nuts. I googled this info with no such luck. But I found this page and now I see why. I think it's because of the test that you provided for injection and whatnot. I ran this test:

    aireplay-ng -9 wlan0

    This is what I got back from running the test:

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    root@bt:~# airmon-ng


    Interface Chipset Driver

    wlan0 Intel 4965/5xxx iwlagn - [phy0]

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    root@bt:~# aireplay-ng -9 -i wlan1 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.


    So now I see why I probably get those errors. My network card does not support injection. Wow, search and you will find.

    Thanks for this post, now I can take an aspirin and go buy me the correct card that does support injection.

  7. #7
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    2

    Re: ARP Poisoning 101 (Not sniffing info...)

    I tried both means of capture, neither functioned.
    arpspoof -i eth0 -t 10.10.65.14 10.10.1.1
    arpspoof: couldn't arp for host 10.10.65.14


    I know the host exists (test computer on my network).
    solutions?

  8. #8
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Re: ARP Poisoning 101 (Not sniffing info...)

    Quote: Originally Posted by Whiskey
    1.) Am I using Ettercap correctly? If so, what could interfere with a proper MITM Arp Poison attack?

    Have you edited the etter.conf? (/etc/etter.conf) You will need to uncomment iptables and set default user as root.
    I'm sure a quick googling ("etter.conf iptables default user") should give you enough info on how to do this (if you haven't already done it).

    Quote: Originally Posted by Whiskey
    2.) If a network has more than one router do I set both or more routers for "Target 1" ? and all clients as "Target 2" ?

    You shouldn't select all clients, that's a mistake. You can only sniff one, max two clients at a time, and if 2 are selected, their internet connection will slow down.
    The explanation for this is simple: When selecting one client, all his traffic will pass through your computer. You know that wireless cards' speed isn't unlimited (54mbps max, unless it's an N adapter or an ethernet card), so when selecting all clients, your card will not have the required capacity to redirect every traffic to every client. This will result in an effective DOS attack against the network.
    As for the routers part, I think you should only set the target (target 1 or target 2, as long as you put the victim(s) on the opposite target) as your gateway. I think that if there are other routers connected directly to the router you're connected to, you should treat them as clients, but I'm not sure.

    Quote: Originally Posted by Big_Mike
    My laptop is connected to my router..I don't have a usb or a wifi card
    (...)
    aireplay-ng -9 wlan0
    this is what i got back from running the test

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy
    (...)
    root@bt:~# airmon-ng

    Interface Chipset Driver

    wlan0 Intel 4965/5xxx iwlagn - [phy0]

    root@bt:~# aireplay-ng -9 wlan0
    ioctl(SIOCSIWMODE) failed: Device or resource busy

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    Two Things:

    1) You said you don't have wifi, so... What's this? --> "wlan0 Intel 4965/5xxx iwlagn - [phy0]"
    As far as I know, this IS a wifi card.

    2) You really should pay more attention to error messages. You assumed your card didn't support injection, but you haven't really tested. Those errors occurred because you don't have monitor mode enabled (yes, it's required to inject). Now, let's take a quick look at those error messages, shall we?

    ioctl(SIOCSIWMODE) failed: Device or resource busy

    Means that your interface is being used (maybe by wicd?).

    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
    Sysfs injection support was not found either.

    The bold part explains everything and points you to a solution.
    As an alternative to 'airmon-ng start wlan0' you can also use the following:
    Code:
    ifconfig wlan0 down
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up
    Personally I like this last one better because I don't like to create another interface (mon0), but it really doesn't matter, as long as you use mon0 if you choose to use airmon-ng.

    Quote: Originally Posted by phuhrenzix
    I tried both means of capture, neither functioned.
    arpspoof -i eth0 -t 10.10.65.14 10.10.1.1
    arpspoof: couldn't arp for host 10.10.65.14

    I know the host exists (test computer on my network).
    solutions?

    In order to provide you with a solution, I will need some more info about your setup.
    VMware or LiveCD/HDD/USB install?
    Does eth0 refer to your ethernet interface?
    You can also post your iwconfig output.
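
A victim-side way to settle the thread's opening question of whether poisoning actually took effect, added here as an example and not part of any poster's reply: read the target machine's own ARP cache and flag a MAC that answers for several IPs, or a gateway MAC that differs from the known one. The addresses and cache dumps below are constructed samples; the parser accepts Linux `ip neigh` / `arp -an` output as well as Windows `arp -a` output.

```python
import re
from collections import defaultdict

# IPv4 address, then a MAC written with ':' (Linux `ip neigh`, `arp -an`)
# or '-' (Windows `arp -a`) later on the same line.
ENTRY = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D.*?"
                   r"(?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")

def norm(mac):
    return mac.lower().replace("-", ":")

def parse_cache(text):
    """Return {ip: mac} from an ARP/neighbour cache dump."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue                      # headers, FAILED/incomplete entries
        mac = norm(m.group("mac"))
        if int(mac[:2], 16) & 1:
            continue                      # broadcast/multicast MACs are legitimately shared
        cache[m.group("ip")] = mac
    return cache

def check_poisoning(cache, gateway_ip, known_gateway_mac=None):
    """Return a list of findings; an empty list means nothing suspicious."""
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    findings = [f"{mac} answers for {', '.join(sorted(ips))}"
                for mac, ips in by_mac.items() if len(ips) > 1]
    seen = cache.get(gateway_ip)
    if known_gateway_mac and seen and seen != norm(known_gateway_mac):
        findings.append(f"gateway {gateway_ip} is at {seen}, expected {norm(known_gateway_mac)}")
    return findings

# Constructed samples: a healthy Linux cache and a poisoned Windows cache.
CLEAN = """192.168.0.1 dev eth0 lladdr 00:1c:f0:aa:bb:01 REACHABLE
192.168.0.30 dev eth0 lladdr 00:21:5d:cc:dd:30 STALE
192.168.0.50 dev eth0  FAILED"""
POISONED = """Interface: 192.168.0.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-21-5d-cc-dd-30     dynamic
  192.168.0.30          00-21-5d-cc-dd-30     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static"""

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, check_poisoning(parse_cache(dump), "192.168.0.1", "00:1c:f0:aa:bb:01"))
```

A device that legitimately holds several IPs on one interface will also trip the duplicate-MAC finding, so the gateway comparison against a MAC recorded while the network was known-good is the stronger signal.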

  9. #9
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    9

    Re: ARP Poisoning 101 (Not sniffing info...)

    I'm having the exact same problem except that I'm trying to use airodump, but I get the same response as OP.
    I'm running BT4 off VMware with an atheros ar9170 usb adapter.
    My iwconfig reply is:
    lo no wireless extensions.

    eth0 no wireless extensions.

    ath0 IEEE 802.11-MIMO ESSID:""
    Mode:Ad-Hoc Frequency:2.437 GHz Cell: Not-Associated
    Bit Rate:54 Mb/s Tx-Power=-2147483648 dBm Sensitivity=0/3
    Retry RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off

    My airmon-ng reply is:
    Interface Chipset Driver

    ath0 AR9001U Otus

    And my airodump-ng ath0 reply is:
    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start ath0 <#>'
    Sysfs injection support was not found either.

    I'm not entirely sure what to do at this point.

  10. #10
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Re: ARP Poisoning 101 (Not sniffing info...)

    Quote: Originally Posted by Whiskey
    And my airodump-ng ath0 reply is:
    ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
    ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead. Make
    sure RFMON is enabled: run 'airmon-ng start ath0 <#>'
    Sysfs injection support was not found either.

    I'm not entirely sure what to do at this point.

    Have you read what I wrote regarding that error message?

    EDIT: Nevermind, saw your other thread, I'll answer there.
    Last edited by Snayler; 02-09-2010 at 07:03 PM.
