Sniffing Tutorial:

[imported_spankdidly]

I still haven't figured this out yet, can anyone help?

Read this http://www.mobileread.com/forums/arc...hp/t-7091.html and don't be a noobcake. Have you set the config file properly with iptables? are you running iptables with nat? are you using command line or Gui version?

[ninja senses]

Read this http://www.mobileread.com/forums/arc...hp/t-7091.html and don't be a noobcake. Have you set the config file properly with iptables? are you running iptables with nat? are you using command line or Gui version?

I figured it out, I was putting my default gateway and computer I was attacking as separate targets. Once I put them under the same targets, it was fine. BUT im only catching some passwords I enter. I was able to get a password off google and facebook, but site like aol, digg and myspace I couldnt. Is it because they don't use SSL certificates? That doesnt make sense though because sniffing should be able to collect all the info being sent through the network including password hashes right?

[ninja senses]

You need to be connected to the network to perform this sort of attack, so using a device thats in monitor/promisc mode will not work. Please read post 46 again, then stop, think about what you've read, try to visualise it in your head, then realise why you need to be connected to the network

heh I realized this. My laptop was connected and internet was running, but when I would visit webpages while I was arp poisoning it, they would just time out. It stopped doing that and started working when I put the ip of the laptop and default gateway under the same victims list instead of separate

[God beta]

I did it, and I was able to see my user+pass when logging
into my yahoo mail account, however I tried with myspace
and no luck it didnt even show that any packets were being
transmitted, I'd like to know a way to intercept packets even
if they are hashed, I've no problem putting my RTables to use

Also, I read previously on this board that there was a way to
auto answer the certificates, because I had to accept it like
4-5 times, at which point if I was the victim my suspicion would
grow with every un familiar step in reading my emails

[fenec]

I found that if you have the IP target in group 1 and group 2, it does not work. Just try it with group 1 only.

i had the same problem ,
ARP poisoning victims:

GROUP 1 : 192.168.1.129 00:18:4D:E1:8C:79

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
then nothing


can you tell me if we have to add the victim target in the fisrt group?
can you precise the part just before sniffing?


thanks.

[ninja senses]

i had the same problem ,
ARP poisoning victims:

GROUP 1 : 192.168.1.129 00:18:4D:E1:8C:79

GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...
then nothing


can you tell me if we have to add the victim target in the fisrt group?
can you precise the part just before sniffing?


thanks.

Add the victim target to group one also, did you edit the .conf file at all?

[ninja senses]

I did it, and I was able to see my user+pass when logging
into my yahoo mail account, however I tried with myspace
and no luck it didnt even show that any packets were being
transmitted, I'd like to know a way to intercept packets even
if they are hashed, I've no problem putting my RTables to use

Also, I read previously on this board that there was a way to
auto answer the certificates, because I had to accept it like
4-5 times, at which point if I was the victim my suspicion would
grow with every un familiar step in reading my emails

I would like to know this also

[fenec]

hi everybody,
i follow the steps of the tuto and it doesnt work.

i have this error

Perhaps iptables or your kernel needs to be upgraded.
iptables v1.3.8: can't initialize iptables table `nat': Permission denied (you m ust be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.3.8: can't initialize iptables table `nat': Permission denied (you m ust be root)
Perhaps iptables or your kernel needs to be upgraded.

i am using BT3 and i am sure that i am ROOT .I have also modified the ".conf file", can you help me please?
thanks

[The_Denv]

Hey all,

I read every post and I have found that not one post really went into detail about hashes and passwords. I'm no professional when it comes to algorithms, but I do know a few things.

Below is an example of an Ettercap session with hashed passwords within the result window:

Code:

rausb0 ->       00:11:22:33:44:55       192.168.0.5     255.255.255.0

Privileges dropped to UID 65534 GID 65534...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
4 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : ANY (all the hosts in the list)

 GROUP 2 : ANY (all the hosts in the list)

HTTP : 192.168.0.1:80 -> USER: admin  PASS:   INFO: 192.168.0.1/
HTTP : 192.168.0.1:80 -> USER: admin  PASS: pasword123  INFO:192.168.0.1/
DHCP: [00:55:44:33:22:11] DISCOVER
DHCP: [00:55:44:33:22:11] DISCOVER
DHCP: [00:55:44:33:22:11] REQUEST 192.168.0.122
DHCP: [00:55:44:33:22:11] DISCOVER
DHCP: [00:55:44:33:22:11] REQUEST 192.168.0.122
HTTP : 70.42.62.151:443 -> USER:
130162765U38301f160187cf5be454820e8ee28321  PASS:
2D211F9S846C4BC18EF5E31  INFO: www.somedomain.com/signin.php
SMB : 192.168.0.4:139 -> USER: SomeGameTitle  HASH:
SomeGame:"":"":6DCEF12ABB80C8C600000000000000000000000000000000:1BC99DD8D536475CC66259DDD1EDE3486EA32816B0D7D326:BB34S11411DD7983
DOMAIN: SOME_Domain
DHCP: [00:12:R5:71:16:80] DISCOVER
DHCP: [00:11:22:33:44:55] REQUEST 192.168.0.4
DHCP: [00:11:22:33:44:55] REQUEST 192.168.0.4
HTTP : 66.135.209.253:80 -> USER: ebayuser123  PASS:
VPmg4tiC4X8GuXpd/qrgW.  INFO:
http://offer.ebay.co.uk/ws/eBayISAPI.dll?MfcISAPICommand=MakeBid&uiid=152123184.........[snipped]
IRC : 83.XXX.XXX.XXX:6667 -> USER: IrcUser123 (Iu mycomputer irc.someserver.org
:Iu)
IRC : 83.XXX.XXX.XXX:6667 -> USER: IrcUser123  PASS: password123  INFO:
/msg nickserv identify password
SMB : 192.168.0.55:139 -> USER: SomeGameTitle  HASH:
SomeGame:"":"":D2756E74C96E8C8C00000000000000000000000000000000:A4728DB9886987DC8D244BE15FCC7AD4633B5F98DA78A349:A3CC356CF43A0BCE
DOMAIN: SOME_Domain

Passwords/Hashes within this session are:
1) password123 [plain-text]
1) 2D211F9S846C4BC18EF5E31
3) 6DCEF12ABB80C8C600000000000000000000000000000000:1 BC99DD8D536475CC66259DDD1EDE3486EA32816B0D7D326:BB 34S11411DD7983
4) VPmg4tiC4X8GuXpd/qrgW.
5) D2756E74C96E8C8C00000000000000000000000000000000:A 4728DB9886987DC8D244BE15FCC7AD4633B5F98DA78A349:A3 CC356CF43A0BCE

Edit: I have came to a conclusion, I think these hashes are just salted with the SSID of the AP and can be cracked with aircrack-ng.

NOTE: All Information within this example are false. They are 'just' examples, the hashes are still valid but 'made-up'. Anyway, No need for me to crack these hashes anymore as I am ditching this project and moving onto another project.

[imported_anubis2k7]

Also, I read previously on this board that there was a way to
auto answer the certificates, because I had to accept it like
4-5 times, at which point if I was the victim my suspicion would
grow with every un familiar step in reading my emails

The only way I know how to do this is to physically go to the computer you want to poison/victimize, boot up into some kind of recovery CD like ERD Commander that allows you to edit the registry and change the keys associated with "warn on false certificate"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000

For linux and mac machines, GL & HF cuz i got no clue