Page 14 of 25 FirstFirst ... 4121314151624 ... LastLast
Results 131 to 140 of 248

Thread: Sniffing Tutorial:

  1. #131
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    15

    Default

    Hello,

    I never thought that my little tutorial would become such a big thread.
    I first thought of making a video about this subject, but I think it isn't necessary, but if some people still would like a video tutorial, please tell me.

    yeehaw

    Ps. Please point out any grammar mistakes I make while typing, so I can make my english better.

  2. #132

    Default

    Video Tutorial might be nice, just so I can compare exactly what I am doing and see what I am doing wrong

    -Stephen

  3. #133
    Member
    Join Date
    Mar 2007
    Posts
    204

    Default

    I tested this on BT3 on my wired lan and my wireless lan, works like a charm.

    Un-comment the lines in etter.conf, run ettercap, unified sniffing --> select card-->scan for hosts-->Mitm-->Arp Poisoning--> sniff remote connections only-->Start Sniffing

    at this point, you can open driftnet to capture jpegs.

    usr/local/driftnet/driftnet -i ath0 (change to match your card!!)

    certs are issued, and a fully patched XPbox will warn you that its not safe but gives the option to "Click to continue anyway" using ie7

    If this still isnt working, change your mac to something that stands out. (00:11:22:33:44:55)open wireshark and look for the arp poisoning to make sure its happening.

    set the filter to ARP

    and the poisoning will look something like this:

    192.168.1.1 is 00:11:22:33:44:55
    192.168.1.2 is 00:11:22:33:44:55
    192.168.1.3 is 00:11:22:33:44:55
    192.168.1.3 is 00:11:22:33:44:55
    192.168.1.5 is 00:11:22:33:44:55

    This is your computer spoofing the arps and causes you to receive traffic meant for different destinations.

    This is how i understand it to work. Please someone correct me if my understanding is wrong

  4. #134

    Default

    Yeah I've followed everything to the exact word, and still no beans as yet. Even tried two different networks.

    -Stephen

  5. #135
    Member
    Join Date
    Mar 2007
    Posts
    204

    Default

    What did wireshark say when you started the poisoning??

  6. #136

    Default

    Wireshark found 10.1.1.3 (my other host), but ettercap captured nothing at all, even through a vulnerable XP computer. You used ath0, but this still works over ethernet as far as I know, correct? The rest was all just the results of the Ettercap host scan. Do I have to wait for this to randomly select a host or not? Because it's going through my entire subnet to the nth degree, and will take huge amounts of time to do so. What could I be doing wrong?

    -Stephen

  7. #137
    Member
    Join Date
    Mar 2007
    Posts
    204

    Default

    so, let me get this right, your using ettercap scanning for hosts what is the output of the hosts scan, does it see all the hosts it should? wired or wireless its the same.

    Now open up wireshark, watch the traffic.

    Now use ettercap to initiate arp poisoning, your looking for it spoofing your MAC against your hosts ip (10.1.1.3)


    10.1.1.3 is 00:11:22:33:44:55. <-- that indicates your arp spoofing is working, that MAC should match your MAC and not the MAC of 10.1.1.3.

    Only 1 host on your network??

  8. #138

    Default

    Only 1 host I powered on at the time, thought I can get more if need be. Heck, I can get up to 300, but 1 is easier for now

    Ettercap scans don't seem to display results of finding any hosts. Do I need to let it do this?
    And Wireshark doesn't have 10.1.1.3 on my MAC, it shows 10.1.1.3 found on it's own MAC, i.e. just a regular "Where is" type query. Thanks for your help so far, and look forward to more of it

    -Stephen

  9. #139
    Member
    Join Date
    Mar 2007
    Posts
    204

    Default

    Yes, if your host list is empty then ettercap is just sitting dead and doing nothing.

    You need ettercap to scan for hosts and detect the IP your wanting to spoof with your poisoned arps.

    If its not picking them up on a scan, try manually entering the IP's-->> Add Host IP?? i think

    There is a way to do it with target 1/2 ect,, I cant remember which is which, so just enter the IP's in both. It will just spoof any hosts in the list.

    300 clients wow, whats your profession?

    Wireshark is showing 10.1.1.3 on its own MAC because your spoofing isnt working. hence an empty hosts list

  10. #140

    Default

    Ah, that makes sense. Yeah, I'll try that when I get home tonight. My profession? I'm the security advisor/network assistant for an R-12 school - that's where the 300 clients come from. I just wanted to get this downpacked at home before I see if the school is vulnerable. I'm sort of new to the job, so not familiar with every area, hence why I'm still only the assistant Thanks for your help. I'll let you know how it goes.

    -Stephen

Page 14 of 25 FirstFirst ... 4121314151624 ... LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •