Wireless and ettercap

[randalth0r]

I'm trying to listen for passwords with ettercap without using arp poisoning. From what I gather it should be possible to intercept passwords from wireless clients using a wireless network card in promiscuous mode.

Would like some hints as to how I do this. I've tried ettercap -Tzq -i wlan0 // but it doesn't yield any results. When I do the arp poisoning it works well though.

Have I misunderstood the wireless concepts or am I executing the ettercap commands wrong? Is every client in a wifi using it's own crypto key for their communication with their AP?

[Clonmac]

This is the way I understand it and I am no expert on it, so someone else might have a better response.

But packets that are transmitted on a wireless network that is protected are encrypted as they pass "through the air". They are decrypted by the wireless access point and then transmitted via ethernet from there.

Ettercap is an ARP spoofing utility. ARP is an ethernet protocol. So the only way you are going to get Ettercap to work is if you are first authenticated with the wireless access point so that you can talk ethernet to the victim.

You can't use ettercap to sniff packets "through the air" as those packets are not using the ethernet protocol that ettercap understands.

A wireless NIC that is in monitor mode will pick up wireless packets as they are transmitted "through the air." This means that you are capturing the encrypted form of the packet. To break through the encapsulation and read the packet data payload, you'd first need to decrypt each and every packet. But you won't be able to do that "on the fly" to create a MITM attack.

If you didn't want to connect to someone's router before ARP spoofing, then you could also create a fake rogue AP. There is a video HowTo on these forums:

http://www.backtrack-linux.org/forum...-v0-2-1-a.html

[kill_box001]

I'm trying to listen for passwords with ettercap without using arp poisoning. From what I gather it should be possible to intercept passwords from wireless clients using a wireless network card in promiscuous mode.

Would like some hints as to how I do this. I've tried ettercap -Tzq -i wlan0 // but it doesn't yield any results. When I do the arp poisoning it works well though.

Have I misunderstood the wireless concepts or am I executing the ettercap commands wrong? Is every client in a wifi using it's own crypto key for their communication with their AP?

clonmac is correct in what he says about capturing data from a wireless network...if the data is in fact encrypted you wont be able to capture anything from a wireless perspective without the appropriate association key...
if the AP is not encrypted then it is possible to sniff for traffic..if you are trying to go for a passive analysis of traffic i don't think ettercap would do the job and i think what you would want to do is use wireshark, do a capture and then search for tcp && pass | uname or something along those lines...

ive never done just a passive attack on a wireless network myself and would be interested to hear from someone who has

i hope this is helpful

[randalth0r]

Thanks for the responses so far. But let's say I'm connected to an encrypted WPA2 network. Should not all plaintext logins from wireless clients in my proximity be available for me to intercept? If I don't want to be noisy and run an arp poisoning attack.

If a wireless client, within my proximity, logs onto a ftp server (plaintext), then I should be able to capture this data with wireshark without arp poisoning. Correct?

[Guerreiro]

I wonder, can you use wireshark to just capture the encrypted "through-the-air" packets and decrypt them later?

It would be an attack that will be quiet as hell. Also a big hit-and-miss tactic.

[kill_box001]

Thanks for the responses so far. But let's say I'm connected to an encrypted WPA2 network. Should not all plaintext logins from wireless clients in my proximity be available for me to intercept? If I don't want to be noisy and run an arp poisoning attack.

If a wireless client, within my proximity, logs onto a ftp server (plaintext), then I should be able to capture this data with wireshark without arp poisoning. Correct?

No. As the clients are already pre-authenticated with the Access point and are using WPA2 to transmit all data going from the host (laptop, phone etc) to the access point will be encrypted... this means that all data whether plain text or not will be encrypted for wireless transmission (in this case to the WPA2 standard) to the access point ...the ftp password (if it had to travel over the WAN to reach the FTP server) would be sent in plain text for the rest of the duration of transmission after it had reached the Access Point .

if you know anything about the OSI network stack WPA2 sits at the Physical layer of the stack (which is at the bottom) and FTP sits at the Application layer (which is at the top of the stack) , therefore even though the FTP pass phrase and commands are sent in plain text they are secured by protocols at the bottom of the stack (in this case WPA2).

the only way you will be able to view these plain text passwords and commands to the FTP server would be to break the WPA2 pass phrase or find a way to capture the pass phrase (fake AP). You could also have a look at Hak5 – Technolust since 2005 , one of the videos in this season i think covers building a battery powered wifi AP which assumes the identity of any AP a host would be probing for and connects them to the internet allowing you to sniff all traffic passing through your AP.

i hope this is helpful...


also when a host connects to an Access Point that is encrypted WEP, WPA, WPA2 they don't send the password in plain text. Simply there is a 4 way handshake where a challenge is sent by the Access point ( random encrypted data) and the host receives decrypts with their key and sends back the challenge..the AP also has the plain text challenge and if they match then the host is granted access...someone else might be willing to provide the 4 way handshake in more detail as this is a very simple overview

[randalth0r]

Ok! So each wireless client has it's own key for recieving/transmitting data within the WPA2 protected network and without that key intercepting data sent from client to AP (and vice versa) will be impossible. Is this also true for WEP protected networks?

[Snayler]

But let's say I'm connected to an encrypted WPA2 network.

the only way you will be able to view these plain text passwords and commands to the FTP server would be to break the WPA2 pass phrase or find a way to capture the pass phrase (fake AP).

I believe you are confusing OP's mind. He said he is connected to the network in question, meaning he already has the WPA2 Key, so all the traffic he receives is decrypted on arrival.

If a wireless client, within my proximity, logs onto a ftp server (plaintext), then I should be able to capture this data with wireshark without arp poisoning. Correct?

No, because your wireless card will only capture packets addressed to it's IP address. The only passive sniffing way I know is to put the card in monitor mode, use airodump-ng to capture the packets and in the end of the capture (or during the capture, it's also possible), use airdecap-ng to decrypt the packets using the WPA2 Key. More details on this method here.

[randalth0r]

Wow, hehe. Ok, now I'm less confused. Thank you for clearing that up Snayler. I thought wireshark using promiscuous was all that was needed. I didn't know monitor mode and promiscuous was two differing things.

[gunrunr]

you can also use a passive packet capture like airodump and then parse it using programs such as dsniff or xplico. Just make sure you apply the key to the pcap file and decrypt it. This is probably the most passive way to see packets. Its possible to tell if a client is using wireshark on a network.
personally i think you should do a little research on the difference between layer 2 and layer 3 devices and how wireless encapsulation works.
LAN switching - Wikipedia, the free encyclopedia
To decrypt the wpa/wpa2 pcaps use:
airdecap-ng [Aircrack-ng]