Sniffing host OS traffic via guest OS(BT4pre)

[Archangel-Amael]

This why I asked you about your adapter in the first place.
Once again you can not sniff/ monitor or see traffic with vmware's built in network devices, I don't care how you set it up or what you call it.
The only way it is going to work is if you have a usb adapter connected to the guest OS through VMware. Now if you would have read the link that I gave you and understood what it contained you would know this.
So don't get frustrated, it may be a communication problem and if so then I apologize for that. I am trying to make it as plain and simple as possible.
It will work unless you have an adapter that does not go through the vmware networking software, which is exactly what usb devices can do.
In vmware all usb devices are recognized as the same thing. It is the guest operating system that determines what is actually connected whether it is a usb hdd or usb coffee cup warmer or wifi device.
So since you have an alfa usb device connect it to a port and then allow vmware to take control of the device from the host, then use the guest OS to take control/ use the device.
If the device is not recognized at first then you may need to plug and unplug it a couple of times. You can also tell windows to remove the device ( down in the task list) then leave it plugged in Vmware may recognize it then.
Once this is complete then you can use the device just as you would in a normal setup.

[g1ic7h]

archangel.amael, no apologies necessary, I just woke up on the wrong side of the bed..it is I who owe you the apology...I shouldn't have been offended so easily.

I have no trouble sniffing, poisoning, injecting data via vmware
I just cant figure out how to sniff the host OS without poisoning my lan. I'm sure this is easy and I'm just overlooking something simple.
Hope this pic will clarify things:


notice no usb devices connected to vm...redirecting all traffic on my net via
bridged vm network setting. but I'm poisoning.

[Archangel-Amael]

You should have both an outward facing IP and an internal one,
The internal one is the one you want to scan.
A simple fast way to find this is to use something like autoscan -network
it is included. Or look at the vmware network setting configuration tool
This should also tell you the host machines internal ip address.
Either windows or vmware should be acting as a dhcp server.
Most likely it is windows . On my vmware-server box vmware acts as the dchp server and provides the IP's. The tool is called something like "manage virtual networks". I am not 100% sure how workstation sets all of that ( files, folders and naming conventions) up. But it should be very similar.
Ifconfig should also give you some info on the ip address as well.

[g1ic7h]

You should have both an outward facing IP and an internal one,

I understand you here...All six of my boxes use static ip addresses.
I set them up this way, so I know which box I'm mucking with.
I run a Apache server as well on my net...if I want to connect to it inside my net I call it by its internal ip address (i.e. 192.168.1.115) and from outside my net I use a DNS service that points to my network or I can call my outward ip
address. (i.e. 74.125.75.75)--fake for obvious reasons.
My router handles all the port forwarding to the appropriate box/s via my internal static ip addresses...if I used automatic assigning of ip addresses I would never know where my boxes where and port forwarding would be useless.

I do thank you all for your input and assistance...I will continue to research
and update when I have found a solution.

[Archangel-Amael]

I do thank you all for your input and assistance...I will continue to research
and update when I have found a solution.

That's what I am here for.
So do you know the IP address of the host then?
If so then this is the IP address you need to target. It should work just fine.

[g1ic7h]

So do you know the IP address of the host then?

Sure, I set the address on it.

If so then this is the IP address you need to target. It should work just fine.

normally, It is not possible to sniff a remote host with out arp poisoning it...correct.

guest OS ip 192.168.1.103
host OS ip 192.168.1.106
vm network bridged

ie: ettercap -i eth0 -T /192.168.1.106/ (from guest OS)

But this seems to works in vmware.
lol, I never thought to try because ,normally , this wouldn't work.

[Archangel-Amael]

normally, It is not possible to sniff a remote host with out arp poisoning it...correct.

ARP poisoning is not always needed to sniffing network traffic.
For example what if the network does not use the AR protocol? Does that mean said network is safe from network sniffing.

[g1ic7h]

For example what if the network does not use the AR protocol? Does that mean said network is safe from network sniffing.

If you have access to the wire, bridged sniffing comes to mind.
If my memory servers, I believe Balding parrot, posted a nice diagram of
a tap...back in 2007. As far as non arp based nets (static link) I'm not sure
but I would think all would be susceptible to this form of sniffing.