Dns_spoof working in ettercap; But not able to sniff.

[Miyamoto]

Have been reading this forum for a long time, but first post here.

I got a problem with ettercap. I think I have done everything correctly but am unable to sniff credentials entered in my localhost local login page. The steps are as follows:

1. Saved a login page. (its not HTTPS.) and put it in my localhost

2. Connected an AP to the machine. IP of AP is 10.10.2.1 and IP of machine is 10.10.2.100

3. started apache

4. Started ettercap in same machine as well as in another machine too (not at the same time) enabling dns_spoof and autoadd plugin. Command was
ettercap -T -q -M ARP:remote // // -i eth0 (wlan1 if in another machine) -P dns_spoof
I have everything setup in ettercap, uid,guid to 0, uncommented iptables, dns_spoof to my machine ip.

5. dns_spoof works well, it redirects anyone who is connected to my localhost with login page. but when I enter user name and password in the login page and hit enter/submit.. ettercap is unable to sniff anything. I have tried using ettercap with iptables and sslstrip too.

So, please point out if anything i did was wrong, or help me to get it work.
Also, the same login page works fine with airbase-ng.
Thanks in advance.

[maverik35]

It looks like everything is fine to me..As long as ettercap for sniffing and forwarding is concerned; looks ok...The plugin also as it should be...
Try the -l parameter with ettercap, it save all trafic in a file, example: ettercap -T -q -l my_data -M ARP:remote // // -i eth0 (wlan1 if in another machine) -P dns_spoof
This way you will save all credentials traffic in a file named my_data.eci
If you use the-L parameter, you will create 2 files: my_data.eci and my_data.ecp..The eci file has the credentials..Just read it with etterlog: etterlog my_data.eci
You must install the etterlog (aptitude install etterlog)..
I assume you are using BT5, you can try this in BT4 final..BT5 is not that stable...Another thing, put the uid and guid back to 65534 and try using one target and the GW..See what happens...
Try it and keep posting..
Best of lucks...

[Miyamoto]

Thanks for you reply maverick.
I did as you said, but it didnt work. But i solved it, i didnt use the "ARP:remote" option, and it worked. I wonder why....
Now, I got another problem, dns_spoof works fine sometimes but sometimes it doesnt work. i guess this dns_spoof does the same thing as dnsspoof from dsniff. Both dns spoofing tools behave in the same way, sometimes they redirect and sometimes they dont. I would be more than happy to know why is it behaving like that, what are the "terms and conditions" for dns spoofing?
Also, has anyone had this problem?

Thanks.

[snowleopard]

hi, i'm a new guy to learn how to use Ettercap.

I want to capture or sniff my gateway password and username within that login webpage.
Any one can help me or point me out to some where to get this info.??
I have Alfa awus036H adapter card and using VMware for learning this matter.
Thanks alot ....first...

[maverik35]

I do not understand well your question, could you be more specific?...
Using your computer, you want to sniff the user and paswword of the gateway in the same computer?..Using the web browser and accesing gateway and at the same time sniffing with the same computer?..
If so, just arp poisson yourself (ip) and gateway -------> ettercap -Tqi "iface" -M arp:remote /your ip/ /GW/
..Or use the VM and do it that way, with your comp and the virtual (VM)..

Hope this helps.

[snowleopard]

hi, i'm a new guy to learn how to use Ettercap.

I want to capture or sniff my gateway password and username within that login webpage.
Any one can help me or point me out to some where to get this info.??
I have Alfa awus036H adapter card and using VMware for learning this matter.
Thanks alot ....first...

Hi, Thanks for pay attention my Questions.

Im using :- 1) backtrack 4 R2
2)Using WinXp as based Os, and using VMware open 2 more OS (a)winxp & (b)backtrack4 r2
3) The (a) & (b) vmware_based OS , using bringing network method to access internet.
Now i already to poison (a) & gateway(192.168.1.1) ,(b) is the in the middle attack.

So,when i try to use (a) to login the wifi_modem login webpage and key in the username and password then successful login.
BUt,problem was my ettercap not showing what im key in from that wifi_modem login page!!!

So..can you point me out what wrong...

[sickness]

Backtrack 4 is no longer supported, download the latest Backtrack 5 R1.