Promiscuous Mode??????????

**imported_vvpalin** · 05-03-2009, 12:47 AM

Originally Posted by kazalku

Ok.. let's start from fresh? Why do you need promiscuous mode rather than monitor mode? I mean, the final purpose..

The final result being able to connect to a AP and sniff all clients activity. Im about as white hat as they come, and besides we all know there is a better way to do this passivly so honestly i want to do it just so i can say i can i guess.

iwconfig wlan0 channel #
ifconfig wlan0 promisc
ifconfig wlan0 up

You know this is the only place ive been able to find that info, however i must say even tho it seems to work based on what ifconfig spits out

This before i input

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

And this after

UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

No matter what i do with wireshark or tcpdump i still cant see anything from my other computer ... well unless i ping it lol

Does it need to be down before i can make the switch? Also is there a problem with the mac drivers and promisc that anyone know about?

**imported_cybrsnpr** · 05-03-2009, 12:53 AM

No matter what i do with wireshark or tcpdump i still cant see anything from my other computer ... well unless i ping it lol

Does it need to be down before i can make the switch? Also is there a problem with the mac drivers and promisc that anyone know about?

Keep in mind that AP's act as layer 2 devices (ie. a switch), so in promisc mode, you wouldn't see traffic that isn't broadcast, multicast or destined for your specific device.
For a test, do a broadcast ping from another connected box. You should see it show up in wireshark on the box you have promisc mode on (if your interface is connected to the same AP).

I know of no driver problem. I tested this using an Alfa on BT4.

**imported_vvpalin** · 05-03-2009, 01:42 AM

Originally Posted by cybrsnpr

Keep in mind that AP's act as layer 2 devices (ie. a switch), so in promisc mode, you wouldn't see traffic that isn't broadcast, multicast or destined for your specific device.
For a test, do a broadcast ping from another connected box. You should see it show up in wireshark on the box you have promisc mode on (if your interface is connected to the same AP).

I know of no driver problem. I tested this using an Alfa on BT4.

First thank you 10 times over for the help, i think i get what your saying but at the same time im even more confused.

It was my understanding that a wired LAN more specifically say a Linksys Wired Router acted as a switch, however a wireless lan or AP multicasted everything and acted as a hub.

I have read many many things that say its possible givin the correct card and driver set to connect to a AP and watch all traffic from clients, even lupin has said he was successful at this under one test.

Have you ever been able connect to an AP and watch all http traffic just by opening wireshark on your alfa under bt4? Its said and even demonstrated that this is possible "altho i havent seen it done in bt however mac and win i have"

**imported_cybrsnpr** · 05-03-2009, 02:06 AM

however a wireless lan or AP multicasted everything and acted as a hub

I don't think this is true. But when you are dealing with wireless clients, the flow of traffic over the air and it's subsequent capture by another wireless device in monitor mode would be the same effect as if you were sniffing on a wired hub.

Have you ever been able connect to an AP and watch all http traffic just by opening wireshark on your alfa under bt4?

Just gave it a try on both an Alfa, and on an Atheros...no luck. Hmm, interesting.
But, I always used monitor mode when I wanted to sniff on a wireless link.

Is there a reason you don't want to use mon mode or is this just curosity?

**imported_vvpalin** · 05-03-2009, 02:49 AM

Originally Posted by cybrsnpr

Is there a reason you don't want to use mon mode or is this just curosity?

Yes i just want to be able to do it and if not know why its not able to be done, as i know it is in other configurations. Its now turned into something thats going to eat me alive until i figure it out as ive put almost everything else on hold.

However there is another reason as to why if you think about it, if dealing with WPA or WPA2 you cant sniff real time as airtune-ng doesn't support it yet .. only WEP. Is there another way to do it that im unaware of ... i tried wpa-buddy but that didnt work as it only exports to a file.

Regardless i think this is a pretty big issue to not have a crystal clear answer for. Like i said im guessing its a driver issue as lupin has already stated he has got it to work ... Also lupin what AP's where you connecting to? Maybe that has something to do with it. Because in most references to how its possible they mention open AP's

oh and i just noticed today is my 2 week mark with bt

**imported_cybrsnpr** · 05-03-2009, 04:46 AM

if dealing with WPA or WPA2 you cant sniff real time as airtune-ng doesn't support it yet .. only WEP. Is there another way to do it that im unaware of

Wireshark will decrypt WEP,WPA,WPA2 packets real time if you know the key.

**imported_vvpalin** · 05-03-2009, 05:02 AM

Funny i hadn't thought of doing it all through wireshark.

I know this is possible thats whats bugging me about it, that and the fact there is like 0 documentation on it. Well for doing it in BT anyways ... for windows there is plenty. Hell rite about now id be happpy just to get it working in the doze.

Also i just tried setting my AP to open doing ifconfig wlan0 promisc and trying it with forwarding on and off ... still get nothing. You know i was just thinking, the fact that we can pick up all traffic while not connected means that the AP has to be a hub style not a switch.

Maybe there is some setting that were missing or maybe the drivers just dont work for this.

Its also said to work on mac's so does anyone have osx running and a alfa card so they can test it?

**lupin** · 05-03-2009, 11:22 AM

Originally Posted by vvpalin

lupin has already stated he has got it to work ... Also lupin what AP's where you connecting to?

Remember I was only seeing one side of the conversation though - packets going to the clients but not coming from them. I did try enabling forwarding (I assume you meant IP forwarding yes?) as you asked but it made no difference (I tested it on the Atheros card only).

AP is a Linksys WRT54G using stock firmware.

**imported_vvpalin** · 05-04-2009, 08:34 AM

Originally Posted by lupin

Remember I was only seeing one side of the conversation though - packets going to the clients but not coming from them. I did try enabling forwarding (I assume you meant IP forwarding yes?) as you asked but it made no difference (I tested it on the Atheros card only).

AP is a Linksys WRT54G using stock firmware.

I tested on 2 wrt54g's one with ddwrt the other with openwrt. The thing is you WHERE able to see something, im not able to see anything.

I wouldn't care so much if i just knew why, thats what keeps me coming back to this over and over again.

**kazalku** · 05-04-2009, 09:07 AM

Originally Posted by vvpalin

I wouldn't care so much if i just knew why, thats what keeps me coming back to this over and over again.

I like your mind-set. Keep it up.

BackTrack Linux - Penetration Testing Distribution

Thread: Promiscuous Mode??????????

Thread Tools

Search Thread

Display

Posting Permissions