Guys,
I was following the howto here http://www.backtrack-linux.org/forum...poisoning.html
but output is zero for me... after doing so, my network got jammed. Seems kinda DoS. Now I need the following:
What I have:
Gateway: 192.168.0.1/24
Target host: Windows Server 2003 or Windows XP/Vista; 192.168.0.4/24
My laptop: WinXP 192.168.0.10/24
BT5 in Vmware in my laptop with bridged mode IF (eth1, eth2); 192.168.2.100/24 and 101/24
Now I want to sniff and see what the 192.168.0.4 is sending/receiving. Including pictures, passwords, etc. from my laptop using bt5.
please help me guys... I'm planning to write my name in ethical hacker...
Mishu~
here start with this one : http://xxx
Read this, it will help you understand the tool.........: http://openmaniak.com/ettercap.php
Last edited by bolexxx; 05-13-2011 at 08:13 PM. Reason: no youtube links allowed
I love it when people do things they don't understand and then wonder why things don't work.
Please do some networking 101 type reading so that you comprehend what's going on when you ARP Poison and why your network might go tits up after doing so.
Lastly please ONLY do this on your LAN. Futzing with things you're unfamiliar with is likely to result in problems for others on a corporate, business, or school LAN. Which wastes someone else's time to fix and lots of other peoples' time and effort in lost productivity.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
to "thorin" sir,
First of all, I am doing this in my own LAN... and I am so newbie, that it's getting hard for me... about the networking 101, keeping this in mind...
the first thing is let's consider, I know just nothing... at this point, even following the complete step by step, I found nothing... where in the case of wireshark, I can see the packets, open them up... but only when they are just for my IF. (means when exactly for my MAC). So I am doing ARP Poisoning to fool the target regarding the MAC it is sending... I'm not sure, for learning matter, as since the network is switched, the switch is keeping an ARP table, specific MAC for specific physical ports. Thus when I do the poisoning, or flood with fake MACs, I'm trying to fool the victim, but how?? because even if I pretend to be the desired MAC of the victim, then the switch has the MAC table for the original one, not the spoofed one. I found for my case, MAC flooding makes the victim paranoid, but as the switch works its own way and thus I can't do the wiretap... thus I need a real elaboration and step by step guidance...
After reading the manual for ettercap, I did it the whole evening, but the same is happening every time...
ideas???
If you are using ettercap on BT5, then there are some bugs. Can't help you with this, I am trying to find some fixes.
That's fine. It's just sadly not unheard of around here for people to have tried this on corporate LANs etc. where it not only ends up sucking for the person doing it but for everyone else on the LAN as well.
Not quite. In general you're trying to fool the target(s)/victim(s) into thinking that you're the default GW or system they're trying to reach. Yes the switch keeps an ARP table however you're trying to tell the victim(s) (and perhaps the switch) that you're something you're not. http://en.wikipedia.org/wiki/ARP_spoofing
*************************************note of warning******************************
When using ettercap you must press 'q' to quit. If you close the terminal you will cause a DoS (denial of service); the ARP cache needs to be resolved.
I suggest you do some reading and view some tutorials on ettercap and ARP poisoning before you crash anyone's network.
r083rt
Last edited by r083rt; 05-13-2011 at 08:07 PM.
dear folks,
I was using the GUI for my first attempt. What I did using the GUI is:
I took the target victim 192.168.0.10 (a host), router GW was 192.168.0.1
Then I just opened the ettercap GUI and did the scan. After that, selected the target1 as router and then target2 as the victim. Then did the MITM ARP Poisoning from menu and then start sniff. After that, I opened the wireshark and started to capture. It gave me all the things.
At this stage, it was fine as my first attempt on hacking. next level was to get SSL data. Thus I found the GUI is not helping me any more. I used the following::
first all the time, echo "1" to ip_forward.
then doing the manual iptables NAT rules for 80 to 1000
then run the sslstrip. After that, arpspoof -i eth0 victim IP Router IP
Then ettercap -i eth0 -Tq
When I did so, I found it finally able to show the yahoo password for just once. Facebook failed, hotmail just did not open the first page at all, gmail failed too. It is jamming the whole network actually. So need to be tuned up.
Or as suggested by my fellow friend here, BT4. Thinking of getting the VMware and ISO of BT4.
The BT4 is not there in site... can somebody tell me the URL???
And for all of you guys, I need your help so that I can learn. And I'm doing Testing in my very personal Network... That's for sure...
Mishu~
Before even trying to add on tools like sslstrip, I would make sure that you fully understand ettercap first. In your above example, it looks redundant to run both arpspoof and ettercap simultaneously, but I really don't know for sure. If you've been able to get ettercap working with sslstrip, and you're noticing that it doesn't always capture passwords, you should know that ettercap isn't failsafe and does produce unpredictable results. For example, if you work with filters, you'll see that sometimes the filters trigger and other times they don't, for seemingly random reasons.
the first thing is I was following YouTube and google forum postings... anyway... I found doing an arpspoof makes network so bad in condition. Thus if there is a chance of doing it without the arpspoof command, that's better. And about ettercap, I am using CLI, not the GUI. The GUI is more easy and understandable, but even though the CLI gives some output, GUI gives nothing.
I have switched back to BT4. Not sure, the thing is not working even if I blindly follow the YouTube helps...
Mishu`