Background:
Ferret can tell the user so much. I'd guess the majority of the Ferret users out there implement it for its Firesheep-style capabilities. On the other hand, there are users out there like myself, who love the ngrep-style output that Ferret spits in addition to the cookie grabbin' it does. It pulls so much juicy information out..... It is not just for authentication cookie grabs!
A bit of knowledge about Ferret: This holds true with the old 32-bit build of Ferret, as well, if you will follow my steps it will hold true for you too... If directing Ferret to listen to a "Managed Mode" NIC (i.e. wlan0), it will accept the --channel flag with no issues, but it will passively ignore it. Instead of changing the channel of the NIC, it will ignore your syntax and stay on the channel it is currently locked onto. Now, if directing Ferret to listen to a "Monitor Mode" NIC (i.e. mon0), it will switch the NIC to channel 6 by default. The way around this would be to add the --channel flag.
I'd like to tell you all of my romp with one of my favorite tools in the world "Ferret". Ever since I made the switch over to 64-bit Back|Track, I've been trying to tame the little creature. Back in my 32-bit days Ferret worked without a hitch; however, the leap over to 64-bit has proven a bit of a struggle. In this thread I will attempt to explain everything I've done in as much detail as possible (Sadly, I've had to edit a lot of the dumps due to the 10000 character limit on this forum thread); when all was said and done, I had a properly working build of Ferret on my 64-bit machine. If you follow along with me, I will show you how to accomplish the very same thing.
My starting point was to use my own file archives for hamster. Some programs are so "vital" to my niche of hacking, that I consider them to be irreplaceable if a Back|Track dev were to consider them "outdated/not-needed" via an apt-get upgrade and such; so what I did in the transition to 64-bit was to grab the files from my 32-bit build. As it turns out, the version of Ferret included with 64-bit Back|Track is 32-bit anyways.....
The error when trying to run a 32-bit build of Ferret on 64-bit Back|Track
Code:
ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
I did some lookin' on google for the source code of Ferret. I found the 1.1.3 build here: 1.1.3. I grabbed a copy and proceeded to build it.
It seemed to fix the problem, no shared library errors this time. The problem I now saw, was that I couldn't tell Ferret which channel to sniff on. To get it to run, I had to avoid throwing a --channel flag to it.
Code:
root@bt:~# ferret -i mon0
-- FERRET 1.1.3 - 2007 (c) Errata Security
-- build = Nov 20 2011 17:26:44 (64-bits)
-- libpcap version 1.0.0
 3  mon0
SNIFFING: mon0
LINKTYPE: 127
live(1): unknown linktype = 127 (expected Ethernet or wifi)
^C-- graceful exit --
I now had a working 64-bit build of Ferret. But, it lacked two things:
1) The capability to change WiFi channels. Fixed easily enough via: iwconfig mon0 channel <channel>.
  • However, this messed with my script: quickset.sh.
  • Not having a direct channel select capability required me to rewrite quickset.sh to adjust for 32-bit or 64-bit builds of Ferret. I did this, but later removed the patch to quickset.sh after realising the later fix for Ferret.


2) Much like Driftnet, this new build didn't know how to properly interpret what I believe are called wifitap headers (aka. linktype 127).
  • Those wifitap headers can tell you a bunch of cool stuff about the nodes around you...... When you can see them with Ferret it is like looking at tcpdump/ngrep/wireshark with all the nonsense removed.

At this point I did some more searching on google and came across a newer version of Ferret: Version 1.2.0. For about a second everything seemed sweet; Ferret accepted the --channel flag AND was properly interpreting wifitap headers....Sure enough though, Murphy decided to hang out in my kernel and the following happened.
Code:
root@root:~/ferret/bin# ./ferret -i mon0 --channel 4
[0] ./ferret
[1] -i
[2] mon0
[3] --channel
[4] 4
-- FERRET 1.2.0 - 2008 (c) Errata Security
-- build = Dec 17 2011 06:56:26 (64-bits)
-- libpcap version 1.0.0
 3  mon0
-- Sniffing on interface "mon0"
SNIFFING: mon0
LINKTYPE: 127 WiFi-Radiotap
CHANGE: iwconfig mon0 channel 4
proto="WiFi", op="probe", macaddr=[cc:08:e0:61:60:a9], SSID="Hurley MyWi", BSSID=[ff:ff:ff:ff:ff:ff]
Traffic seen
Segmentation fault (core dumped)
A Seg fault....what luck right?
So, I started thinking back to the original 32-bit Ferret build issue. I booted into the 32-bit version of Back|Track and built the 1.2.0 build of Ferret and then dropped the executable onto my 64-bit Back|Track.
Code:
ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
Maybe I could locate the file it was seeking somehow..(The following dump is from the 64-bit Back|Track)
Code:
root@bt:~# whereis libpcap.so.0.8
libpcap.so.0: /usr/lib/libpcap.so.0.8 /usr/lib64/libpcap.so.0.8
So I found the files on 64-bit Back|Track, but what to do with em? I launched my 32-bit version of Back|Track, did the same and came across /usr/lib/libpcap.so.0.8. I then temporarily moved the file and attempted to launch Ferret.
Code:
ferret: error while loading shared libraries: libpcap.so.0.8: cannot open shared object file: No such file or directory
I had found the file! So, I grabbed a copy of it and dropped it into ~ on my 64-bit build of Back|Track. From there I looked at the same location as I had found on the 32-bit version:
Code:
root@bt:~# ls /usr/lib | grep libpcap.so.0.8
libpcap.so.0.8
Well, the file existed already, copying my new file into that location might screw other stuff up. So, I took a look at /usr
Code:
root@bt:~# ls /usr
bin  games  include  lib  lib32  lib64  local  man  sbin  share  src
I took a quick peek at lib32.... Kapow! No file! Could it be this simple? When it comes to hacking I try to touch every possibility/combination possible. Time to start copying files.... The following two dumps are from the libpcap.so.0.8 files located on the 64-bit version of Back|Track copied to /usr/lib32
Code:
root@bt:~# whereis libpcap.so.0.8
libpcap.so.0: /usr/lib/libpcap.so.0.8 /usr/lib64/libpcap.so.0.8
root@bt:~# cp /usr/lib/libpcap.so.0.8 /usr/lib32
root@bt:~# ferret -i mon0
ferret: error while loading shared libraries: libpcap.so.0.8: wrong ELF class: ELFCLASS64
root@bt:~# cp /usr/lib64/libpcap.so.0.8 /usr/lib32
cp: overwrite `/usr/lib32/libpcap.so.0.8'? y
root@bt:~# ferret -i mon0
ferret: error while loading shared libraries: libpcap.so.0.8: wrong ELF class: ELFCLASS64

I had one last ace up my sleeve, time to go all in. So, I copied libpcap.so.0.8 from 32-bit Back|Track to the /usr/lib32 directory in 64-bit Back|Track and attempted to launch the 32-bit build of Ferret (1.2.0) on 64-bit Back|Track.
Code:
root@bt:~# cp libpcap.so.0.8 /usr/lib32
cp: overwrite `/usr/lib32/libpcap.so.0.8'? y
root@bt:~# ferret -i mon0
[0] ferret
[1] -i
[2] mon0
-- FERRET 1.2.0 - 2008 (c) Errata Security
-- build = Dec 17 2011 10:29:42 (32-bits)
-- libpcap version 1.0.0
 3  mon0
-- Sniffing on interface "mon0"
SNIFFING: mon0
LINKTYPE: 127 WiFi-Radiotap
CHANGE: iwconfig mon0 channel 6
proto="WiFi", op="probe", macaddr=[00:26:4a:28:3e:d0], SSID="(broadcast)", BSSID=[ff:ff:ff:ff:ff:ff]
Traffic seen
^C-- graceful exit --
Winner, Winner, Chicken Dinner!!! But, would the --channel flag work? As you can see from above, Ferret was defaulting to channel 6. Let it ride......
Code:
root@root:~# ferret -i mon0 --channel 11
[0] ferret
[1] -i
[2] mon0
[3] --channel
[4] 11
-- FERRET 1.2.0 - 2008 (c) Errata Security
-- build = (32-bits)
-- libpcap version 1.0.0
 3  mon0
-- Sniffing on interface "mon0"
SNIFFING: mon0
LINKTYPE: 127 WiFi-Radiotap
CHANGE: iwconfig mon0 channel 11
proto="WiFi", op="probe", macaddr=[00:16:24:49:f1:93], SSID="(broadcast)", BSSID=[ff:ff:ff:7f:b7:ff]
Traffic seen
^C-- graceful exit --
Well, the proof is in the puddin'. There ya have it folks, the most recent build of Ferret I could find, working properly on 64-bit Back|Track with all the previous 32-bit toppings... Thank you for taking your time to read through my little tutorial. My hope is that you had as much fun reading it, as I did writing it. Below is the step-by-step guide.
Dropbox'd Files

1) Grab you a copy of erratasec.zip located at: erratasec.zip
a) Alternatively, you could trust me and just grab the file from my dropbox.

2) Launch a 32-bit build of Back|Track and grab /usr/lib/libpcap.so.0.8
a) As well, you could trust me and grab the dropbox file.

3) In your 32-bit build of Back|Track unzip the erratasec.zip file and proceed to ferret/build/gcc4
a) make
b) cd ../../bin
c) Grab that Ferret file

4) Launch 64-bit Back|Track
a) With the two files: ferret and libpcap.so.0.8 you are ready for battle...
b) cp libpcap.so.0.8 /usr/lib32
c) As I mentioned earlier, I don't even know if my directory listings are proper for the current build of Back|Track...I customise way too much to generalize here....
d) So, with step C mentioned, overwrite the current ferret with the new ferret, wherever it may be.

5) Happy Hacking!
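
The `wrong ELF class: ELFCLASS64` errors in the walkthrough come from placing a 64-bit libpcap.so.0.8 where a 32-bit ferret binary loads it. As an added example (not part of the original post), this shell script reads the class byte of the ELF header and refuses to copy a library whose class differs from the binary's. The function names and the header-stub files are constructed for illustration.

```sh
#!/bin/sh
# Print the ELF class of FILE: ELFCLASS32, ELFCLASS64, or not-elf.
# Bytes 1-4 are the magic (0x7f 'E' 'L' 'F'); byte 5 (EI_CLASS) is 1 or 2.
elf_class() {
    hdr=$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c4601) echo ELFCLASS32 ;;
        7f454c4602) echo ELFCLASS64 ;;
        *)          echo not-elf ;;
    esac
}

# Succeed only if BINARY and LIBRARY are both ELF files of the same class.
lib_matches_binary() {
    b=$(elf_class "$1")
    l=$(elf_class "$2")
    [ "$b" != not-elf ] && [ "$b" = "$l" ]
}

# Copy LIBRARY into DESTDIR only when its class matches BINARY.
safe_install_lib() {
    if lib_matches_binary "$1" "$2"; then
        cp -- "$2" "$3/"
    else
        echo "refusing: $1 is $(elf_class "$1"), $2 is $(elf_class "$2")" >&2
        return 1
    fi
}

# Demo on constructed 5-byte header stubs (not real binaries) in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lib32"
    printf '\177ELF\001' > "$d/ferret"            # stands in for the 32-bit build
    printf '\177ELF\002' > "$d/libpcap64.so.0.8"  # stands in for the /usr/lib64 copy
    printf '\177ELF\001' > "$d/libpcap32.so.0.8"  # stands in for the 32-bit copy
    r1=0; safe_install_lib "$d/ferret" "$d/libpcap64.so.0.8" "$d/lib32" 2>/dev/null || r1=$?
    r2=0; safe_install_lib "$d/ferret" "$d/libpcap32.so.0.8" "$d/lib32" || r2=$?
    rm -rf "$d"
    echo "$r1 $r2"   # exit status of the mismatched copy, then the matched copy
}

demo
```

The class byte only distinguishes 32-bit from 64-bit objects; it says nothing about where a downloaded binary came from, so a file taken from someone else's share still needs its own integrity check.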