I've been reading on these boards for about a week now and it's great to see how much information is here. After my router got hacked and I realized that someone else was utilizing my wireless connection I decided that it was time to look into some network security, and testing my network security. I am trying to see if it is possible to view my internet activity if I know the password to my wireless network. I am using BT2 on vmware on a macbook pro just so you know. After installing tcpreplay 2.3.5 (someone on the boards suggested this stable release to fix some problems with the lo interface) I ran the replay and listened with several dsniff tools, etc. For some reason I can still not get anything to come up. I know the dump file was recorded while I was looking at webpages, chatting on IM, and other things like that to make sure that there would be data to see. The recorded data was encrypted by my WEP network, and then decrypted using airdecap with the BSSID, ESSID, and Key all entered. Tcpreplay gives a successful result showing that it is sending the data, but none of the sniffing tools "see" anything. I have tried everything I could find looking through old threads and still am unable to get anything to come up with the sniffers. Any suggestions on how to fix this?
Here's a pic if it helps:
hxxp://i20.tinypic.com/mshx21.jpg
Thanks for your help!
I believe you're talking about me here in this thread.......
Do me a favor..post a pic of your finished command.....
airdecap-ng -b (bssid) -e (ESSID) -w (networks wep key) capturedata.cap
And I'll take a look.
[CENTER][FONT=Book Antiqua][SIZE=5][B][COLOR=blue][FONT=Courier New][COLOR=red]--=[/COLOR][/FONT]Xploitz[FONT=Courier New][COLOR=red]=--[/COLOR][/FONT][/COLOR][/B][/SIZE][/FONT][FONT=Courier New][COLOR=Black][SIZE=6][B] ®[/B][/SIZE][/COLOR][/FONT][/CENTER]
[CENTER][SIZE=4][B]Remote-Exploit.orgs Master Tutorialist.[/B][/SIZE][SIZE=6][B]™
[/B][/SIZE]
[URL="http://forums.remote-exploit.org/showthread.php?t=9063"][B]VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=7872"][B]VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial"[/B]
[/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8230"][B]VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial"[/B][/URL]
[URL="http://forums.remote-exploit.org/showthread.php?t=8041"][B]VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases"[/B][/URL]
[/CENTER]
Yes I was talking about you in several of those threads actually. You seem to help out the n00bs here quite a bit.
On to the problem, I actually did get driftnet to display images. The only problem is that dsniff, urlsnarf, and msgsnarf all show nothing. I made sure that the dump file contained data while looking at images, reading mail, entering email passwords, chatting with iChat, and several other things to test with. Here is the output from airdecap as requested:
Oh, and the command was just "airdecap-ng -b 00:00:00:00:00:00 -w 00:00:00:00:00 dumpfile-01.cap" with the appropriate BSSID and Key entered
hmmm...
Interesting. And you're 100% sure you have VALID captured data?? 1,511 data packets isn't a whole lot to work with ya know. The more the better!!!
Have you an Atheros chipped card that you're capturing this data from??
N/m...
Have you tried using this.....
tcpreplay -i ath0 dump-dec.cap
-or-
tcpreplay -i wlan0 dump-dec.cap
-or-
tcpreplay -i <YOUR device here> dump-dec.cap
Instead of this??
tcpreplay -i lo dump-dec.cap
BTW..if that doesn't work...may I have a copy of your capture file to try it out on my own?? If so...upload it to rapidshare and send me the link via PM...and I'll see what I can "dig" up for ya.
Also consider alternative tools such as ettercap for passwords.
It was only about 5 minutes of capture which is why it is so small. It was intended simply for testing. My card is a ralink (rausb0). When trying "driftnet -i rausb0" , I am getting "driftnet: unknown data link type 105". The only way it appears to work is through lo. None of your suggested interfaces worked. They all gave errors. I also tried using a virtual interface (at0) and could only get information through driftnet. Is there anything special I need to be doing with these other tools to get them to work? I am simply replaying the data and then putting in "<driftnet, urlsnarf, etc> -i lo". Any more ideas?
"unknown data link type 105", sounds like your card is in monitor mode.
Thanks level. Should have known that. I took the card out of monitor mode and was able to get the rausb0 interface to work with tcpreplay. However, I was still unable to get anything to work with anything except driftnet. Can someone maybe send me a file that they KNOW will work with urlsnarf or msgsnarf so that I can test to see if maybe my tools are just not working?
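Added example, not part of the original thread: link type 105 in the driftnet error above is the libpcap value for raw IEEE 802.11 frames, and the same number is stored in the header of every classic pcap file. This sketch reads that header to show whether a capture is 802.11-framed (105) or Ethernet-framed (1) and how many complete records it holds; the function names and sample bytes are constructed for illustration, and treating link type 1 as what the sniffers expect is an assumption.

```python
import struct

# Subset of the pcap LINKTYPE registry relevant to wireless captures.
LINKTYPES = {0: "BSD loopback", 1: "Ethernet", 105: "IEEE 802.11",
             113: "Linux cooked", 119: "802.11 + Prism", 127: "802.11 + radiotap"}
# Magic as read little-endian -> byte order of the file's header fields.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps

def inspect_pcap(data):
    """Report link type and complete-record count of a classic pcap file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    order = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        raise ValueError("not a classic pcap file")
    # magic, version major/minor, thiszone, sigfigs, snaplen, network
    network = struct.unpack(order + "IHHiIII", data[:24])[6]
    linktype = network & 0xFFFF   # upper bits may carry FCS flags
    offset, packets = 24, 0
    while offset + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[offset:offset + 16])[2]
        if offset + 16 + incl_len > len(data):
            break                 # truncated final record, stop counting
        offset += 16 + incl_len
        packets += 1
    return {"linktype": linktype,
            "name": LINKTYPES.get(linktype, "unknown"),
            "packets": packets,
            "ethernet_framed": linktype == 1}  # assumption: sniffers want Ethernet

def make_pcap(linktype, payloads, order="<"):
    """Build a constructed sample capture (dummy bytes, not real traffic)."""
    out = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for p in payloads:
        out += struct.pack(order + "IIII", 0, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:             # inspect a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pcap(fh.read()))
    else:                             # constructed samples
        print(inspect_pcap(make_pcap(105, [b"\x00" * 40] * 3)))
        print(inspect_pcap(make_pcap(1, [b"\x00" * 60] * 2, order=">")))
```

Run with a capture path as the only argument to inspect a real file; with no argument it prints the results for the two constructed samples.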
I tried several more things today and can still get nothing to show up. I even made a larger capture file to make sure that there would be something to show. The ONLY tool that works is driftnet. Very frustrating. Xploitz, I will work on getting a file up to send to you. In the meantime does anyone have any other suggestions for me to try?
Have you tried.....different speeds?? Maybe you're replaying the info too fast for your open windows to read???
To replay traffic at half-speed:
# tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap
All of this came from the tcpreplay website here>>>>>>
To replay at 25 packets per second:
# tcpreplay --pps=25 --intf1=eth0 sample.pcap
Or have you tried doing a continuous loop???
Replaying files multiple times
To replay the sample.pcap infinitely or until CTRL-C is pressed:
# tcpreplay --loop=0 --intf1=eth0 sample.pcap