Sniffing Tutorial:

[streaker69]

The only way I know how to do this is to physically go to the computer you want to poison/victimize, boot up into some kind of recovery CD like ERD Commander that allows you to edit the registry and change the keys associated with "warn on false certificate"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Internet Settings]
"WarnonBadCertRecving"=dword:00000000

For linux and mac machines, GL & HF cuz i got no clue

regedit -s evilfile.reg

Use social engineering to get them to run it. I push Registry updates out through logon scripts, but there's other ways to do it.

[The_Denv]

I was figuring out what type of hashes Ettercap captured with my example within Post: 119.

I don't think anyone noticed it either as it seems for some reason it the post was overlooked. I think its important about what types of hashes to look out for within Ettercap.

I would love to hear Xploitz response as he is the only one Ive noticed who has been on more than 'anyone of us' LOL, and he knows that too! I kind of feel in the dark here people. I would hate to think after 2 years being here that I am still classified as an outsider ...anyway its done and dusted, although I would still love to hear the replies of experienced pentesters.

...It can't be as simple as a standard WEP hash and using aircrack-ng to extract them? If it is then I will laugh my head off and slap it and shout the word "Doh" VERY loud! lol

EDIT: I modified this post because I was not myself last night and I kinda revealed my identity within this last post. Please understand why I modified this post

[skindeep]

Thanks! Worked great. This is pretty scary stuff... sure as hell makes a point that NOONE should be using WEP!!!

FYI, I found something interesting. When I was logging into ebay with my account, ebay actually prompted me stating that "there is a slight chance" somebody is using a fake certificate. Pretty interesting. I wonder what they do to anticipate the fake certificate.

I was pleasantly surprised to also find that my bank didn't give up my info. The SSL fake cert. came up, but nothing was reported. I'm wondering if it had to do with the three-step login process. It requests more then just a password on the first page.

Anyone else have any interesting stories they found?

Are there are other tuts on how to use ettercap for other functions? Is it possible to just watch general web traffic? To list the address that you visit?

I'm off to try testing how this works when I log in using my company VPN on my work laptop. I'm assuming it would only return an encrypted hash correct? At least I hope so.

[ninja senses]

Thanks! Worked great. This is pretty scary stuff... sure as hell makes a point that NOONE should be using WEP!!!

FYI, I found something interesting. When I was logging into ebay with my account, ebay actually prompted me stating that "there is a slight chance" somebody is using a fake certificate. Pretty interesting. I wonder what they do to anticipate the fake certificate.

I was pleasantly surprised to also find that my bank didn't give up my info. The SSL fake cert. came up, but nothing was reported. I'm wondering if it had to do with the three-step login process. It requests more then just a password on the first page.

Anyone else have any interesting stories they found?

Are there are other tuts on how to use ettercap for other functions? Is it possible to just watch general web traffic? To list the address that you visit?

I'm off to try testing how this works when I log in using my company VPN on my work laptop. I'm assuming it would only return an encrypted hash correct? At least I hope so.

yea there is, i think its under plugins or extensions, i forget.

[Storo]

Sorry for bad english!

I have a little problem... my ettercap works fine with my gmail or hotmail account, but when i try to log in on any forum (local forum in my network) i get only

"HTTP:xxx.xxx.xxx.xxx ->USER: usernema PASS: INFO: link of forum"
Pass field is empty, but i get my username and that is on every forum i try to log in.

Can someone plz help!

THX!

[phoenix910]

Hey guys, I tried this out on BT3 Beta, and noticed that this doesn't work. I followed this to the very step, and looked up a number of different tutorials on the net (all the same though). Is there anything I have to do differently in BT3 Beta? Or is it just due to the new version of ettercap, and in which case, do I have to use the old one? Thanks guys, if there is any newer tuts, could you point me to them? Thanks.

-Stephen

[purehate]

Hey guys, I tried this out on BT3 Beta, and noticed that this doesn't work. I followed this to the very step, and looked up a number of different tutorials on the net (all the same though). Is there anything I have to do differently in BT3 Beta? Or is it just due to the new version of ettercap, and in which case, do I have to use the old one? Thanks guys, if there is any newer tuts, could you point me to them? Thanks.

-Stephen

what part is not working for you? I havent used it yet in beta but I can take a look.

[phoenix910]

Well, command-wise, there is no issues there, nor in the uncommenting of the files involved or anything, and all of the instructions in ettercap appear to function fine, however when I surf with other PC's (linux or windows), no certificate is issued, and no passwords are passed through ettercap, no matter what sort of protocol or website I use. I am using a basic 5 port switch, with a DHCP on my router (and ettercap does detect DHCP requests, but obviously they are passed through the network openly anyway). I am just currently unsure if it is an issue with my switch, or whether it's a software thing. If you could look, that would be greatly appreciated. Thanks man!

-Stephen

[The_Denv]

Well, command-wise, there is no issues there, nor in the uncommenting of the files involved or anything, and all of the instructions in ettercap appear to function fine, however when I surf with other PC's (linux or windows), no certificate is issued, and no passwords are passed through ettercap, no matter what sort of protocol or website I use. I am using a basic 5 port switch, with a DHCP on my router (and ettercap does detect DHCP requests, but obviously they are passed through the network openly anyway). I am just currently unsure if it is an issue with my switch, or whether it's a software thing. If you could look, that would be greatly appreciated. Thanks man!

-Stephen

It works perfectly on my end. Have you ticked the box within ARP posioning that states 'Sniff Remote Connections'? Do you have the target/s down as 'ANY'? Im using B|T3b aswell, it should work fine for you. Post back any problems.

[phoenix910]

Yeah, I've ticked the Sniff Remote Connections box and all. Basically, everything it said here, I did exactly the same, and also followed a similar one using driftnet. Hasn't worked for me so far. If it works fine for others, I'll try it out on a more corporate switch through one of my pentests. I'd just prefer to have it downpacked before then.

-Stephen