-
02-17-2008, 11:48 PM
#131
Hello,
I never thought that my little tutorial would become such a big thread.
I first thought of making a video about this subject, but I think it isn't necessary, but if some people still would like a video tutorial, please tell me.
yeehaw
P.S. Please point out any grammar mistakes I make while typing, so I can make my English better.
-
02-18-2008, 07:39 AM
#132
Member
Video Tutorial might be nice, just so I can compare exactly what I am doing and see what I am doing wrong 
-Stephen
-
02-18-2008, 12:41 PM
#133
I tested this on BT3 on my wired LAN and my wireless LAN, works like a charm.
Un-comment the lines in etter.conf, run ettercap, unified sniffing --> select card --> scan for hosts --> Mitm --> Arp Poisoning --> sniff remote connections only --> Start Sniffing
At this point, you can open driftnet to capture JPEGs.
usr/local/driftnet/driftnet -i ath0 (change to match your card!!)
Certs are issued, and a fully patched XP box will warn you that it's not safe but gives the option to "Click to continue anyway" using IE7.
If this still isn't working, change your MAC to something that stands out (00:11:22:33:44:55). Open Wireshark and look for the ARP poisoning to make sure it's happening.
Set the filter to ARP
and the poisoning will look something like this:
192.168.1.1 is 00:11:22:33:44:55
192.168.1.2 is 00:11:22:33:44:55
192.168.1.3 is 00:11:22:33:44:55
192.168.1.3 is 00:11:22:33:44:55
192.168.1.5 is 00:11:22:33:44:55
This is your computer spoofing the ARPs, which causes you to receive traffic meant for different destinations.
This is how I understand it to work. Please someone correct me if my understanding is wrong.
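
Added example, not part of the original post: the pattern quoted above (many IPs all answering with one MAC) is also what a defender looks for. This sketch parses Wireshark-style ARP reply summaries and flags a MAC that answers for several IPs or an IP whose MAC changes; the function names and the sample capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the Wireshark ARP reply summary ("<ip> is at <mac>") and the
# shortened form quoted in the post ("<ip> is <mac>").
ARP_REPLY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+is\s+(?:at\s+)?((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_replies(lines):
    """Yield (ip, mac) for every ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def find_arp_anomalies(lines, max_ips_per_mac=1):
    """Return (shared, changed).
    shared:  mac -> sorted IPs, for MACs answering for too many IPs
    changed: ip  -> MACs in order seen, for IPs whose MAC changed
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(list)
    for ip, mac in parse_replies(lines):
        ips_by_mac[mac].add(ip)
        if mac not in macs_by_ip[ip]:
            macs_by_ip[ip].append(mac)
    shared = {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > max_ips_per_mac}
    changed = {i: m for i, m in macs_by_ip.items() if len(m) > 1}
    return shared, changed

# Constructed sample: two legitimate replies, one ARP request, then the
# spoofed replies in the form shown in the post.
SAMPLE = """\
192.168.1.1 is at 00:0c:29:aa:bb:01
192.168.1.2 is at 00:0c:29:aa:bb:02
Who has 192.168.1.1? Tell 192.168.1.5
192.168.1.1 is 00:11:22:33:44:55
192.168.1.2 is 00:11:22:33:44:55
192.168.1.3 is 00:11:22:33:44:55
192.168.1.3 is 00:11:22:33:44:55
192.168.1.5 is 00:11:22:33:44:55
""".splitlines()

if __name__ == "__main__":
    shared, changed = find_arp_anomalies(SAMPLE)
    for mac, ips in shared.items():
        print(f"ALERT {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in changed.items():
        print(f"ALERT {ip} changed MAC: {' -> '.join(macs)}")
```

A MAC that legitimately answers for several IPs (proxy ARP, a multi-homed router) will also show up in `shared`, so raise `max_ips_per_mac` or exclude known devices before alerting on it.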
-
02-18-2008, 12:45 PM
#134
Member
Yeah I've followed everything to the exact word, and still no beans as yet. Even tried two different networks.
-Stephen
-
02-18-2008, 01:50 PM
#135
What did Wireshark say when you started the poisoning??
-
02-18-2008, 02:15 PM
#136
Member
Wireshark found 10.1.1.3 (my other host), but ettercap captured nothing at all, even through a vulnerable XP computer. You used ath0, but this still works over ethernet as far as I know, correct? The rest was all just the results of the Ettercap host scan. Do I have to wait for this to randomly select a host or not? Because it's going through my entire subnet to the nth degree, and will take huge amounts of time to do so. What could I be doing wrong?
-Stephen
-
02-18-2008, 02:25 PM
#137
So, let me get this right: you're using ettercap scanning for hosts. What is the output of the hosts scan? Does it see all the hosts it should? Wired or wireless, it's the same.
Now open up Wireshark, watch the traffic.
Now use ettercap to initiate ARP poisoning. You're looking for it spoofing your MAC against your host's IP (10.1.1.3)
10.1.1.3 is 00:11:22:33:44:55. <-- That indicates your ARP spoofing is working; that MAC should match your MAC and not the MAC of 10.1.1.3.
Only 1 host on your network??
-
02-18-2008, 03:15 PM
#138
Member
-
02-18-2008, 05:21 PM
#139
Yes, if your host list is empty then ettercap is just sitting dead and doing nothing.
You need ettercap to scan for hosts and detect the IP you're wanting to spoof with your poisoned ARPs.
If it's not picking them up on a scan, try manually entering the IPs --> Add Host IP?? I think
There is a way to do it with target 1/2 etc., I can't remember which is which, so just enter the IPs in both. It will just spoof any hosts in the list.
300 clients, wow, what's your profession?
Wireshark is showing 10.1.1.3 on its own MAC because your spoofing isn't working, hence an empty hosts list.
-
02-19-2008, 02:07 AM
#140
Member
Ah, that makes sense. Yeah, I'll try that when I get home tonight. My profession? I'm the security advisor/network assistant for an R-12 school - that's where the 300 clients come from. I just wanted to get this downpacked at home before I see if the school is vulnerable. I'm sort of new to the job, so not familiar with every area, hence why I'm still only the assistant
Thanks for your help. I'll let you know how it goes.
-Stephen