Thread: How to train your ferret

  1. #1
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    How to train your ferret

    Background:
    Ferret can tell the user so much. I'd guess the majority of the Ferret users out there implement it for its firesheep style capabilities. On the other hand, there are users out there like myself, who love the ngrep style output that Ferret spits in addition to the cookie grabbin' it does. It pulls so much juicy information out..... It is not just for authentication cookie grabs!
    A bit of knowledge about Ferret: This holds true with the old 32-bit build of Ferret, as well, if you will follow my steps it will hold true for you too... If directing Ferret to listen to a "Managed Mode" NIC (i.e. wlan0), it will accept the --channel flag with no issues, but it will passively ignore it. Instead of changing the channel of the NIC, it will ignore your syntax and stay on the channel it is currently locked onto. Now, if directing Ferret to listen to a "Monitor Mode" NIC (i.e. mon0), it will switch the NIC to channel 6 by default. The way around this would be to add the --channel flag.
    I'd like to tell you all of my romp with one of my favorite tools in the world "Ferret". Ever since I made the switch over to 64-bit Back|Track, I've been trying to tame the little creature. Back in my 32-bit days Ferret worked without a hitch; however, the leap over to 64-bit has proven a bit of a struggle. In this thread I will attempt to explain everything I've done in as much detail as possible (Sadly, I've had to edit a lot of the dumps due to the 10000 character limit on this forum thread); when all was said and done, I had a properly working build of Ferret on my 64-bit machine. If you follow along with me, I will show you how to accomplish the very same thing.
    My starting point was to use my own file archives for hamster. Some programs are so "vital" to my niche of hacking, that I consider them to be irreplaceable if a Back|Track dev were to consider them "outdated/not-needed" via an apt-get upgrade and such; so what I did in the transition to 64-bit was to grab the files from my 32-bit build. As it turns out, the version of Ferret included with 64-bit Back|Track is 32-bit anyways.....
    The error when trying to run a 32-bit build of Ferret on 64-bit Back|Track
    Code:
    ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
    I did some lookin' on google for the source code of Ferret. I found the 1.1.3 build here: 1.1.3. I grabbed a copy and proceeded to build it.
    It seemed to fix the problem, no shared library errors this time. The problem I now saw, was that I couldn't tell Ferret which channel to sniff on. To get it to run, I had to avoid throwing a --channel flag to it.
    Code:
    root@bt:~# ferret -i mon0
    -- FERRET 1.1.3 - 2007 (c) Errata Security
    -- build = Nov 20 2011 17:26:44 (64-bits)
    -- libpcap version 1.0.0
     3  mon0
    SNIFFING: mon0
    LINKTYPE: 127
    live(1): unknown linktype = 127 (expected Ethernet or wifi)
    ^C-- graceful exit --
    I now had a working 64-bit build of Ferret. But, it lacked two things:
    1) The capability to change WiFi channels. Fixed easily enough via: iwconfig mon0 <channel>.
    • However, this messed with my script: quickset.sh.
    • Not having a direct channel select capability required me to rewrite quickset.sh to adjust for 32-bit or 64-bit builds of Ferret. I did this, but later removed the patch to quickset.sh after realising the later fix for Ferret.


    2) Much like Driftnet, this new build didn't know how to properly interpret what I believe are called wifitap headers (aka. linktype 127).
    • Those wifitap headers can tell you a bunch of cool stuff about the nodes around you...... When you can see them with Ferret it is like looking at tcpdump/ngrep/wireshark with all the nonsense removed.

    At this point I did some more searching on google and came across a newer version of Ferret: Version 1.2.0. For about a second everything seemed sweet; Ferret accepted the --channel flag AND was properly interpreting wifitap headers....Sure enough though, Murphy decided to hang out in my kernel and the following happened.
    Code:
    root@root:~/ferret/bin# ./ferret -i mon0 --channel 4
    [0] ./ferret
    [1] -i
    [2] mon0
    [3] --channel
    [4] 4
    -- FERRET 1.2.0 - 2008 (c) Errata Security
    -- build = Dec 17 2011 06:56:26 (64-bits)
    -- libpcap version 1.0.0
     3  mon0
    -- Sniffing on interface "mon0"
    SNIFFING: mon0
    LINKTYPE: 127 WiFi-Radiotap
    CHANGE: iwconfig mon0 channel 4
    proto="WiFi", op="probe", macaddr=[cc:08:e0:61:60:a9], SSID="Hurley MyWi", BSSID=[ff:ff:ff:ff:ff:ff]
    Traffic seen
    Segmentation fault (core dumped)
    A Seg fault....what luck right?
    So, I started thinking back to the original 32-bit Ferret build issue. I booted into the 32-bit version of Back|Track and built the 1.2.0 build of Ferret and then dropped the executable onto my 64-bit Back|Track.
    Code:
    ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
    Maybe I could locate the file it was seeking somehow..(The following dump is from the 64-bit Back|Track)
    Code:
    root@bt:~# whereis libpcap.so.0.8
    libpcap.so.0: /usr/lib/libpcap.so.0.8 /usr/lib64/libpcap.so.0.8
    So I found the files on 64-bit Back|Track, but what to do with em? I launched my 32-bit version of Back|Track, did the same and came across /usr/lib/libpcap.so.0.8. I then temporarily moved the file and attempted to launch Ferret.
    Code:
    ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
    I had found the file! So, I grabbed a copy of it and dropped it into ~ on my 64-bit build of Back|Track. From there I looked at the same location as I had found on the 32-bit version
    Code:
    root@bt:~# ls /usr/lib | grep libpcap.so.0.8
    libpcap.so.0.8
    Well, the file existed already, copying my new file into that location might screw other stuff up. So, I took a look at /usr
    Code:
    root@bt:~# ls /usr
    bin  games  include  lib  lib32  lib64  local  man  sbin  share  src
    I took a quick peek at lib32.... Kapow! No file! Could it be this simple? When it comes to hacking I try to touch every possibility/combination possible. Time to start copying files.... The following two dumps are from the libpcap.so.0.8 files located on the 64-bit version of backtrack copied to /usr/lib32
    Code:
    root@bt:~# whereis libpcap.so.0.8
    libpcap.so.0: /usr/lib/libpcap.so.0.8 /usr/lib64/libpcap.so.0.8
    root@bt:~# cp /usr/lib/libpcap.so.0.8 /usr/lib32
    root@bt:~# ferret -i mon0
    ferret: error while loading shared libraries: libpcap.so.0.8: wrong ELF class: ELFCLASS64
    root@bt:~# cp /usr/lib64/libpcap.so.0.8 /usr/lib32
    cp: overwrite `/usr/lib32/libpcap.so.0.8'? y
    root@bt:~# ferret -i mon0
    ferret: error while loading shared libraries: libpcap.so.0.8: wrong ELF class: ELFCLASS64

    I had one last ace up my sleeve, time to go all in. So, I copied libpcap.so.0.8 from 32-bit Back|Track to the /usr/lib32 directory in 64-bit Back|Track and attempted to launch the 32-bit build of Ferret (1.2.0) on 64-bit Back|Track.
    Code:
    root@bt:~# cp libpcap.so.0.8 /usr/lib32
    cp: overwrite `/usr/lib32/libpcap.so.0.8'? y
    root@bt:~# ferret -i mon0
    [0] ferret
    [1] -i
    [2] mon0
    -- FERRET 1.2.0 - 2008 (c) Errata Security
    -- build = Dec 17 2011 10:29:42 (32-bits)
    -- libpcap version 1.0.0
     3  mon0
    -- Sniffing on interface "mon0"
    SNIFFING: mon0
    LINKTYPE: 127 WiFi-Radiotap
    CHANGE: iwconfig mon0 channel 6
    proto="WiFi", op="probe", macaddr=[00:26:4a:28:3e:d0], SSID="(broadcast)", BSSID=[ff:ff:ff:ff:ff:ff]
    Traffic seen
    ^C-- graceful exit --
    Winner, Winner, Chicken Dinner!!! But, would the --channel flag work? As you can see from above, Ferret was defaulting to channel 6. Let it ride......
    Code:
    root@root:~# ferret -i mon0 --channel 11
    [0] ferret
    [1] -i
    [2] mon0
    [3] --channel
    [4] 11
    -- FERRET 1.2.0 - 2008 (c) Errata Security
    -- build = (32-bits)
    -- libpcap version 1.0.0
     3  mon0
    -- Sniffing on interface "mon0"
    SNIFFING: mon0
    LINKTYPE: 127 WiFi-Radiotap
    CHANGE: iwconfig mon0 channel 11
    proto="WiFi", op="probe", macaddr=[00:16:24:49:f1:93], SSID="(broadcast)", BSSID=[ff:ff:ff:7f:b7:ff]
    Traffic seen
    ^C-- graceful exit --
    Well, the proof is in the puddin'. There ya have it folks, the most recent build of Ferret I could find, working properly on 64-bit Back|Track with all the previous 32-bit toppings... Thank you for taking your time to read through my little tutorial. My hope is that you had as much fun reading it, as I did writing it. Below is the step-by-step guide.
    Dropbox'd Files

    1) Grab you a copy of erratasec.zip located at: erratasec.zip
    a) Alternatively, you could trust me and just grab the file from my dropbox.

    2) Launch a 32-bit build of Back|Track and grab /usr/lib/libpcap.so.0.8
    a) As well, you could trust me and grab the dropbox file.

    3) In your 32-bit build of Back|Track unzip the erratasec.zip file and proceed to ferret/build/gcc4
    a) make
    b) cd ../../bin
    c) Grab that Ferret file

    4) Launch 64-bit Back|Track
    a) With the two files: ferret and libpcap.so.0.8 you are ready for battle...
    b) cp libpcap.so.0.8 /usr/lib32
    c) As I mentioned earlier, I don't even know if my directory listings are proper for the current build of Back|Track...I customise way too much to generalize here....
    d) So, with step C mentioned, overwrite the current ferret with the new ferret, wherever it may be.

    5) Happy Hacking!
    V/r,
    Snafu
    Pffbt..[quote]I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. [/quote]
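
The loader error in the post above ("wrong ELF class: ELFCLASS64") comes from pairing a 32-bit binary with a 64-bit copy of the library. As an added example (not part of the original post), this script reads the ELF class byte of a binary and of each candidate library copy and reports the first one that matches; the function names and the 5-byte stub files it builds are constructed for illustration.

```shell
#!/bin/sh
# elf_class FILE: print 32 or 64 from the ELF header, or "unknown".
elf_class() {
    # Bytes 0-3 are the magic 0x7f 'E' 'L' 'F'; byte 4 is EI_CLASS
    # (1 = ELFCLASS32, 2 = ELFCLASS64).
    hdr=$(dd if="$1" bs=1 count=5 2>/dev/null | od -An -tx1 | tr -d '[:space:]')
    case "$hdr" in
        7f454c4601) echo 32 ;;
        7f454c4602) echo 64 ;;
        *)          echo unknown ;;
    esac
}

# class_matches BINARY LIBRARY: succeed only if both are ELF files of one class.
class_matches() {
    b=$(elf_class "$1"); l=$(elf_class "$2")
    [ "$b" != unknown ] && [ "$b" = "$l" ]
}

# first_matching_lib BINARY SONAME DIR...: print the first DIR/SONAME that the
# binary could load, skipping copies of the wrong class (the ELFCLASS64 error).
first_matching_lib() {
    bin=$1; soname=$2; shift 2
    for d in "$@"; do
        if [ -f "$d/$soname" ] && class_matches "$bin" "$d/$soname"; then
            echo "$d/$soname"
            return 0
        fi
    done
    return 1
}

# Constructed sample: 5-byte stub headers standing in for the real files.
demo() {
    t=$(mktemp -d)
    mkdir "$t/lib" "$t/lib64" "$t/lib32"
    printf '\177ELF\001' > "$t/ferret"                  # 32-bit build
    printf '\177ELF\002' > "$t/lib/libpcap.so.0.8"      # 64-bit copy
    printf '\177ELF\002' > "$t/lib64/libpcap.so.0.8"    # 64-bit copy
    printf '\177ELF\001' > "$t/lib32/libpcap.so.0.8"    # 32-bit copy
    found=$(first_matching_lib "$t/ferret" libpcap.so.0.8 \
        "$t/lib" "$t/lib64" "$t/lib32") || found=none
    rm -rf "$t"
    echo "${found#"$t"}"
}
demo
```

On a real system, call `first_matching_lib` with the actual binary path and library directories instead of running `demo`.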

  2. #2
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Re: How to train your ferret

    Thank you so much for this post !!

  3. #3
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Response!

    ronin101,

    Thank you for taking the time to read it. When I originally posted this, I figured it would have grabbed way more attention than it did. Thanks again!
    V/r,
    Snafu

  4. #4
    Member melissabubble's Avatar
    Join Date
    Aug 2011
    Location
    c:\
    Posts
    85

    Re: How to train your ferret

    hey snafu777, Did you get Driftnet working on 64bit too?

  5. #5
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Re: How to train your ferret

    Haven't tried yet, is there an issue with it?
    V/r,
    Snafu

  6. #6
    Member melissabubble's Avatar
    Join Date
    Aug 2011
    Location
    c:\
    Posts
    85

    Re: How to train your ferret

    It works on 32bit but not on 64bit. I thought you knew about it cause you seem to mention driftnet in your post. There are a lot of posts on the net about it only being able to save images to files and can't view them on screen.

  7. #7
    Senior Member VulpiArgenti's Avatar
    Join Date
    Sep 2011
    Location
    lost
    Posts
    174

    Re: How to train your ferret

    In moving to BT5R2, I risked the 64bit version (for the first time). I was horrified to see segmentation faults in ferret, and greatly relieved to find this post. Ferret now working again - many thanks.

    PS Would it be worth putting in a ticket at BT bugtraq?

  8. #8
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Re: driftnet

    melissabubble,

    One day I will try and work with driftnet. Been busy and haven't had the time. Just wanted you to know I haven't disregarded the post you made.

    VulpiArgenti,

    It probably would be worth the trouble ticket, I'm just lazy =>
    V/r,
    Snafu

  9. #9
    Member melissabubble's Avatar
    Join Date
    Aug 2011
    Location
    c:\
    Posts
    85

    Re: How to train your ferret

    That would be great if I could get driftnet to work on 64bit. I was searching around on the net and found this site that maybe could help out. And here's the patch that needs to be put in but I'm not that great with this kinda thing. Let me know how it turns out.

    http://www.deepthought.ws/linux/debi...ftnet-x64-fix/




    --- driftnet-0.1.6/image.c 2002-07-09 20:26:41.000000000 +0100
    +++ driftnet-0.1.6.new/image.c 2006-08-22 21:14:38.000000000 +0100
    @@ -15,29 +15,20 @@ static const char rcsid[] = "$Id: image.

    /* memstr:
    * Locate needle, of length n_len, in haystack, of length h_len, returning NULL.
    - * Uses the Boyer-Moore search algorithm. Cf.
    - * http://www-igm.univ-mlv.fr/~lecroq/string/node14.html */
    -static unsigned char *memstr(const unsigned char *haystack, const size_t hlen,
    - const unsigned char *needle, const size_t nlen) {
    - int skip[256], k;
    -
    - if (nlen == 0) return (char*)haystack;
    -
    - /* Set up the finite state machine we use. */
    - for (k = 0; k < 255; ++k) skip[k] = nlen;
    - for (k = 0; k < nlen - 1; ++k) skip[needle[k]] = nlen - k - 1;
    -
    - /* Do the search. */
    - for (k = nlen - 1; k < hlen; k += skip[haystack[k]]) {
    - int i, j;
    - for (j = nlen - 1, i = k; j >= 0 && haystack[i] == needle[j]; j--) i--;
    - if (j == -1) return (unsigned char*)(haystack + i + 1);
    - }
    -
    - return NULL;
    + */
    +char *memstr(const unsigned char *haystack, const size_t hlen,
    + const unsigned char *needle, const size_t nlen)
    +{
    + char *p;
    +
    + for (p = haystack; p <= (haystack - nlen + hlen); p++)
    + {
    + if (memcmp(p, needle, nlen) == 0)
    + return p; /* found */
    + }
    + return NULL;
    }

    -
    /* If we run out of space, put us back to the last candidate GIF header. */
    /*#define spaceleft do { if (block > data + len) { printf("ran out of space\n"); return gifhdr; } } while (0)*/
    #define spaceleft if (block > data + len) return gifhdr
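
Review bot: in the new memstr loop, the bound `haystack - nlen + hlen` is computed without checking that nlen <= hlen, so when the needle is longer than the remaining data the bound points before the start of the buffer, which is undefined pointer arithmetic on packet-derived input; add `if (nlen > hlen) return NULL;` ahead of the loop. In the same function, `char *p` is assigned from and compared against `const unsigned char *haystack`, which discards const and mixes signedness; declare it `const unsigned char *p` and cast once on return. The replacement also drops `static` and changes the return type from `unsigned char *` to `char *`, so callers in image.c that expect the old type should be checked, and the function should stay file-local unless something outside image.c needs it.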
