
Thread: MiTM Attack? How to detect

  1. #1: Just burned his ISO (Join Date: Mar 2010, Posts: 7)

    MiTM Attack? How to detect

    I have been sniffing my network with Wireshark and Ettercap but can't find an attacker. I have my ARP set static because I was being ARP poisoned, but setting it static fixed the problem for a little while. Now my web surfing is really slow and hesitates a lot. Also sometimes my downloads just seem to freeze. I know something malicious is going on but I need proof to bring to my superiors. I'm sure this is being done intentionally by someone else in my IT dept. What tools do you suggest I can use in BT4 and what should I look for? Like I said, I don't see anything in Ettercap or Wireshark out of the ordinary other than the gateway broadcasting every so often. I could really use some help here guys.

  2. #2: grancerote (Guest)

    hi

    You should be more specific with your question about which method he is using, if there is a real person behind this.

    To me it looks like you have a virus rather than someone in your PC, because Wireshark doesn't show anything.

    So if you can't find it, FORMAT.

    lol

  3. #3: thorin (My life is this forum; Join Date: Jan 2010, Posts: 2,629)

    If you have a problem with your machine that you can't fix, you should probably call your helpdesk or follow whatever process your company has set up to deal with such issues.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4: streaker69 (Senior Member; Join Date: Jan 2010, Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; Posts: 3,535)

    Quote Originally Posted by t-alla:
    > I have been sniffing my network with Wireshark and Ettercap but can't find an attacker. I have my ARP set static because I was being ARP poisoned, but setting it static fixed the problem for a little while. Now my web surfing is really slow and hesitates a lot. Also sometimes my downloads just seem to freeze. I know something malicious is going on but I need proof to bring to my superiors. I'm sure this is being done intentionally by someone else in my IT dept. What tools do you suggest I can use in BT4 and what should I look for? Like I said, I don't see anything in Ettercap or Wireshark out of the ordinary other than the gateway broadcasting every so often. I could really use some help here guys.
    I can think of several things that could be causing that other than someone behaving maliciously. Contact your helpdesk and have someone stop out and see if there's something really wrong.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5: Barry (My life is this forum; Join Date: Jan 2010, Posts: 3,817)

    If I found someone stupid enough to be running Wireshark on one of my computers, their ass would be on the street so damn fast they'd get whiplash. We'd mail them their personal effects.

  6. #6: Just burned his ISO (Join Date: Mar 2010, Posts: 7)

    I don't have a virus... I'm running a derivative of Gentoo! Also my machine works perfectly everywhere else, so the problem is on this LAN at work. I don't need to call the help desk because I'm the netadmin and I know my system and my network, and there is nothing wrong with how it is configured. Does anybody have anything helpful to say? Also, why would I have to have my ARP set static only at work but nowhere else? There is something malicious going on and I'm asking for help. Is ARP poisoning or session hijacking really that easy to spot? Should I be able to see it immediately with Ettercap, plain as day... and what is wrong with Wireshark? What tools do you recommend I use to see what is going on?
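Added example, not from the thread or any of its posters: a Python check for the ARP indicators worth looking for in a capture when you suspect poisoning, namely one IP answered by two MACs, one MAC claiming both the gateway and a workstation, a pinned (static) gateway mapping contradicted on the wire, and bursts of replies for one IP. The addresses and replies are constructed sample data.

```python
from collections import defaultdict

# Known-good mapping, as pinned with a static ARP entry. All addresses here are
# constructed sample values, not from any real network.
PINNED = {"10.0.0.1": "00:11:22:33:44:01"}

# Constructed ARP replies: (time_s, sender_ip, sender_mac, target_ip).
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.50"),  # real gateway answers
    (1.0, "10.0.0.7", "00:11:22:33:44:07", "10.0.0.50"),  # unrelated host, benign
    (2.0, "10.0.0.1", "DE:AD:BE:EF:00:01", "10.0.0.50"),  # gateway IP, new MAC
    (2.5, "10.0.0.1", "DE:AD:BE:EF:00:01", "10.0.0.50"),  # re-sent to keep cache stale
    (3.0, "10.0.0.50", "DE:AD:BE:EF:00:01", "10.0.0.1"),  # same MAC claims victim too
]

def analyze_arp(replies, pinned=PINNED, burst_threshold=2):
    """Return (indicator, detail) tuples for replies that look like ARP poisoning."""
    findings = []
    reported = set()                  # (ip, mac) pairs already reported
    macs_for_ip = defaultdict(set)    # which MACs have answered for each IP
    ips_for_mac = defaultdict(set)    # which IPs each MAC has claimed
    replies_for_ip = defaultdict(int)
    for _t, ip, mac, _target in replies:
        mac = mac.lower()             # so the same MAC compares equal regardless of case
        # Indicator 1: a pinned (static) mapping contradicted on the wire.
        if pinned.get(ip, mac) != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            findings.append(("pinned-mismatch",
                             f"{ip} claimed by {mac}, expected {pinned[ip]}"))
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
        replies_for_ip[ip] += 1
    # Indicator 2: one IP answered by more than one MAC (Wireshark's duplicate IP warning).
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            findings.append(("duplicate-ip", f"{ip} answered by {sorted(macs)}"))
    # Indicator 3: one MAC claiming several IPs, the shape of a MITM between two hosts.
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            findings.append(("mac-claims-many", f"{mac} claims {sorted(ips)}"))
    # Indicator 4: more replies for one IP than a quiet LAN produces (cache kept stale).
    for ip, n in replies_for_ip.items():
        if n > burst_threshold:
            findings.append(("reply-burst", f"{n} replies for {ip}"))
    return findings

if __name__ == "__main__":
    for kind, detail in analyze_arp(SAMPLE_REPLIES):
        print(f"{kind:16} {detail}")
```

In Wireshark the second indicator is what the display filter `arp.duplicate-address-detected` selects, so the same capture can be checked there without any scripting.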

  7. #7: imported_vvpalin (Member; Join Date: Apr 2009, Posts: 442)

    Quote Originally Posted by t-alla:
    > I know something malicious is going on but I need proof to bring to my superiors.
    Just go show them what you have been doing, that's all the proof they need.
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  8. #8: Just burned his ISO (Join Date: Mar 2010, Posts: 7)

    So I had Wireshark and Ettercap running all day and Ettercap reported "ettercap plugin banshee killed connection". Now how do I find the source? I don't see any TCP resets in Wireshark but I do see ICMP unreachables.

  9. #9: Just burned his ISO (Join Date: Jan 2010, Posts: 4)

    Maybe you should use iptables in order to filter incoming connections.
    Set a "drop" rule for all incoming connections from the local network except for the gateway or router, use static ARP, and find out if the problem still exists.

  10. #10: Just burned his ISO (Join Date: Mar 2010, Posts: 7)

    That's a good idea, K! Why didn't I think of that?

    I'll give it a try on Monday and let you know how it turns out.
