Page 2 of 2 FirstFirst 12
Results 11 to 18 of 18

Thread: Sniffing host OS traffic via guest OS(BT4pre)

  1. #11
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    This why I asked you about your adapter in the first place.
    Once again you can not sniff/ monitor or see traffic with vmware's built in network devices, I don't care how you set it up or what you call it.
    The only way it is going to work is if you have a usb adapter connected to the guest OS through VMware. Now if you would have read the link that I gave you and understood what it contained you would know this.
    So don't get frustrated, it may be a communication problem and if so then I apologize for that. I am trying to make it as plain and simple as possible.
    It will work unless you have an adapter that does not go through the vmware networking software, which is exactly what usb devices can do.
    In vmware all usb devices are recognized as the same thing. It is the guest operating system that determines what is actually connected whether it is a usb hdd or usb coffee cup warmer or wifi device.
    So since you have an alfa usb device connect it to a port and then allow vmware to take control of the device from the host, then use the guest OS to take control/ use the device.
    If the device is not recognized at first then you may need to plug and unplug it a couple of times. You can also tell windows to remove the device ( down in the task list) then leave it plugged in Vmware may recognize it then.
    Once this is complete then you can use the device just as you would in a normal setup.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  2. #12
    Junior Member g1ic7h's Avatar
    Join Date
    Jul 2007
    Posts
    73

    Default

    archangel.amael, no apologies necessary, I just woke up on the wrong side of the bed..it is I who owe you the apology...I shouldn't have been offended so easily.

    I have no trouble sniffing, poisoning, injecting data via vmware
    I just cant figure out how to sniff the host OS without poisoning my lan. I'm sure this is easy and I'm just overlooking something simple.
    Hope this pic will clarify things:


    notice no usb devices connected to vm...redirecting all traffic on my net via
    bridged vm network setting. but I'm poisoning.
    "A teacher is never a giver of truth; he is a guide, a pointer to the truth that the student must discover for himself." - Bruce Lee

  3. #13
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    You should have both an outward facing IP and an internal one,
    The internal one is the one you want to scan.
    A simple fast way to find this is to use something like autoscan -network
    it is included. Or look at the vmware network setting configuration tool
    This should also tell you the host machines internal ip address.
    Either windows or vmware should be acting as a dhcp server.
    Most likely it is windows . On my vmware-server box vmware acts as the dchp server and provides the IP's. The tool is called something like "manage virtual networks". I am not 100% sure how workstation sets all of that ( files, folders and naming conventions) up. But it should be very similar.
    Ifconfig should also give you some info on the ip address as well.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  4. #14
    Junior Member g1ic7h's Avatar
    Join Date
    Jul 2007
    Posts
    73

    Default

    You should have both an outward facing IP and an internal one,
    I understand you here...All six of my boxes use static ip addresses.
    I set them up this way, so I know which box I'm mucking with.
    I run a Apache server as well on my net...if I want to connect to it inside my net I call it by its internal ip address (i.e. 192.168.1.115) and from outside my net I use a DNS service that points to my network or I can call my outward ip
    address. (i.e. 74.125.75.75)--fake for obvious reasons.
    My router handles all the port forwarding to the appropriate box/s via my internal static ip addresses...if I used automatic assigning of ip addresses I would never know where my boxes where and port forwarding would be useless.

    I do thank you all for your input and assistance...I will continue to research
    and update when I have found a solution.
    "A teacher is never a giver of truth; he is a guide, a pointer to the truth that the student must discover for himself." - Bruce Lee

  5. #15
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by g1ic7h View Post
    I do thank you all for your input and assistance...I will continue to research
    and update when I have found a solution.
    That's what I am here for.
    So do you know the IP address of the host then?
    If so then this is the IP address you need to target. It should work just fine.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  6. #16
    Junior Member g1ic7h's Avatar
    Join Date
    Jul 2007
    Posts
    73

    Default

    So do you know the IP address of the host then?
    Sure, I set the address on it.

    If so then this is the IP address you need to target. It should work just fine.
    normally, It is not possible to sniff a remote host with out arp poisoning it...correct.

    guest OS ip 192.168.1.103
    host OS ip 192.168.1.106
    vm network bridged

    ie: ettercap -i eth0 -T /192.168.1.106/ (from guest OS)

    But this seems to works in vmware.
    lol, I never thought to try because ,normally , this wouldn't work.
    "A teacher is never a giver of truth; he is a guide, a pointer to the truth that the student must discover for himself." - Bruce Lee

  7. #17
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by g1ic7h View Post
    normally, It is not possible to sniff a remote host with out arp poisoning it...correct.
    ARP poisoning is not always needed to sniffing network traffic.
    For example what if the network does not use the AR protocol? Does that mean said network is safe from network sniffing.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  8. #18
    Junior Member g1ic7h's Avatar
    Join Date
    Jul 2007
    Posts
    73

    Default

    For example what if the network does not use the AR protocol? Does that mean said network is safe from network sniffing.
    If you have access to the wire, bridged sniffing comes to mind.
    If my memory servers, I believe Balding parrot, posted a nice diagram of
    a tap...back in 2007. As far as non arp based nets (static link) I'm not sure
    but I would think all would be susceptible to this form of sniffing.
    "A teacher is never a giver of truth; he is a guide, a pointer to the truth that the student must discover for himself." - Bruce Lee

Page 2 of 2 FirstFirst 12

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •