
Thread: Last resort with tcpreplay

  1. #1
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    9

    Last resort with tcpreplay

    I've been reading on these boards for about a week now and it's great to see how much information is here. After my router got hacked and I realized that someone else was utilizing my wireless connection I decided that it was time to look into some network security, and testing my network security. I am trying to see if it is possible to view my internet activity if I know the password to my wireless network. I am using BT2 on vmware on a macbook pro just so you know. After installing tcpreplay 2.3.5 (someone on the boards suggested this stable release to fix some problems with the lo interface) I ran the replay and listened with several dsniff tools, etc. For some reason I can still not get anything to come up. I know the dump file was recorded while I was looking at webpages, chatting on IM, and other things like that to make sure that there would be data to see. The recorded data was encrypted by my WEP network, and then decrypted using airdecap with the BSSID, ESSID, and Key all entered. Tcpreplay gives a successful result showing that it is sending the data, but none of the sniffing tools "see" anything. I have tried everything I could find looking through old threads and still am unable to get anything to come up with the sniffers. Any suggestions on how to fix this?

    Here's a pic if it helps:
    hxxp://i20.tinypic.com/mshx21.jpg

    Thanks for your help!

  2. #2
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Quote Originally Posted by castlecrazy View Post
    After installing tcpreplay 2.3.5 (someone on the boards suggested this stable release to fix some problems with the lo interface) I ran the replay and listened with several dsniff tools, etc. For some reason I can still not get anything to come up. I know the dump file was recorded while I was looking at webpages, chatting on IM, and other things like that to make sure that there would be data to see. The recorded data was encrypted by my WEP network, and then decrypted using airdecap with the BSSID, ESSID, and Key all entered. Tcpreplay gives a successful result showing that it is sending the data, but none of the sniffing tools "see" anything. I have tried everything I could find looking through old threads and still am unable to get anything to come up with the sniffers. Any suggestions on how to fix this?

    Here's a pic if it helps:
    hxxp://i20.tinypic.com/mshx21.jpg

    Thanks for your help!
    I believe you're talking about me here in this thread.......

    Do me a favor..post a pic of your finished command.....

    airdecap-ng -b (bssid) -e (ESSID) -w (networks wep key) capturedata.cap



    And I'll take a look.
    --=Xploitz=-- ®
    Remote-Exploit.orgs Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=9063)
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" (http://forums.remote-exploit.org/showthread.php?t=7872)
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=8230)
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" (http://forums.remote-exploit.org/showthread.php?t=8041)

  3. #3
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    9

    Yes, I was talking about you in several of those threads actually. You seem to help out the n00bs here quite a bit.

    On to the problem, I actually did get driftnet to display images. The only problem is that dsniff, urlsnarf, and msgsnarf all show nothing. I made sure that the dump file contained data while looking at images, reading mail, entering email passwords, chatting with iChat, and several other things to test with. Here is the output from airdecap as requested:



    Oh, and the command was just "airdecap-ng -b 00:00:00:00:00:00 -w 00:00:00:00:00 dumpfile-01.cap" with the appropriate BSSID and Key entered

  4. #4
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    hmmm...

    Interesting. And are you 100% sure you have VALID captured data?? 1,511 data packets isn't a whole lot to work with ya know. The more the better!!!

    Have you an Atheros chipped card that you're capturing this data from??

    N/m...

    Have you tried using this.....

    tcpreplay -i ath0 dump-dec.cap

    -or-

    tcpreplay -i wlan0 dump-dec.cap

    -or-

    tcpreplay -i <YOUR device here> dump-dec.cap

    Instead of this??

    tcpreplay -i lo dump-dec.cap


    BTW..if that doesn't work...may I have a copy of your capture file to try it out on my own?? If so...upload it to rapidshare and send me the link via PM...and I'll see what I can "dig" up for ya.

    Also consider alternative tools such as ettercap for passwords.



  5. #5
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    9

    It was only about 5 minutes of capture which is why it is so small. It was intended simply for testing. My card is a ralink (rausb0). When trying "driftnet -i rausb0" , I am getting "driftnet: unknown data link type 105". The only way it appears to work is through lo. None of your suggested interfaces worked. They all gave errors. I also tried using a virtual interface (at0) and could only get information through driftnet. Is there anything special I need to be doing with these other tools to get them to work? I am simply replaying the data and then putting in "<driftnet, urlsnarf, etc> -i lo". Any more ideas?

  6. #6
    Member
    Join Date
    Jun 2007
    Posts
    218

    "unknown data link type 105", sounds like your card is in monitor mode.
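
Data link type 105 in that error is the pcap link-layer number for raw IEEE 802.11 frames, which is what a monitor-mode interface delivers; a tool written for Ethernet (type 1) rejects it, as driftnet did here. The following added example, which is not from the thread or any poster, reads a classic pcap header to report the link type and packet count before a capture is handed to other tools; `pcap_summary` and `build_pcap` are hypothetical names and the sample captures are constructed.

```python
import struct

# Link-layer header type numbers from the tcpdump.org LINKTYPE registry.
LINKTYPES = {0: "BSD loopback", 1: "Ethernet", 105: "IEEE 802.11",
             119: "Prism header + 802.11", 127: "radiotap + 802.11"}
RAW_80211 = {105, 119, 127}  # what a monitor-mode interface delivers

MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (usec, nsec)
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (usec, nsec)

def pcap_summary(data):
    """Summarise a classic pcap byte string: link type, packet count, verdict."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    endian = MAGICS[data[:4]]
    network = struct.unpack(endian + "I", data[20:24])[0]
    linktype = network & 0xFFFF          # upper bits carry FCS flags, not the type
    packets, truncated, offset = 0, False, 24
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True             # record header itself is cut off
            break
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        if offset + 16 + incl_len > len(data):
            truncated = True             # capture was cut off mid-packet
            break
        packets += 1
        offset += 16 + incl_len
    return {"linktype": linktype,
            "name": LINKTYPES.get(linktype, "other"),
            "packets": packets,
            "truncated": truncated,
            "raw_80211": linktype in RAW_80211}

def build_pcap(linktype, payloads, endian="<"):
    """Constructed sample input: a pcap image with the given link type."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, p in enumerate(payloads):
        out += struct.pack(endian + "IIII", i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    monitor = build_pcap(105, [b"\x08\x41" + bytes(30), b"\x08\x41" + bytes(40)])
    wired = build_pcap(1, [bytes(60)], endian=">")
    for label, blob in (("monitor-mode capture", monitor), ("Ethernet capture", wired)):
        print(label, pcap_summary(blob))
```

For a file on disk, pass `open(path, "rb").read()` to `pcap_summary`.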

  7. #7
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    9

    Thanks level. Should have known that. I took the card out of monitor mode and was able to get the rausb0 interface to work with tcpreplay. However, I was still unable to get anything to work with anything except driftnet. Can someone maybe send me a file that they KNOW will work with urlsnarf or msgsnarf so that I can test to see if maybe my tools are just not working?

  8. #8
    Just burned his ISO
    Join Date
    Oct 2007
    Posts
    9

    I tried several more things today and can still get nothing to show up. I even made a larger capture file to make sure that there would be something to show. The ONLY tool that works is driftnet. Very frustrating. Xploitz, I will work on getting a file up to send to you. In the meantime does anyone have any other suggestions for me to try?

  9. #9
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Quote Originally Posted by castlecrazy View Post
    I tried several more things today and can still get nothing to show up. I even made a larger capture file to make sure that there would be something to show. The ONLY tool that works is driftnet. Very frustrating. Xploitz, I will work on getting a file up to send to you. In the meantime does anyone have any other suggestions for me to try?
    Have you tried.....different speeds?? Maybe you're replaying the info too fast for your open windows to read???

    To replay traffic at half-speed:
    # tcpreplay --multiplier=0.5 --intf1=eth0 sample.pcap

    To replay at 25 packets per second:
    # tcpreplay --pps=25 --intf1=eth0 sample.pcap

    Or have you tried doing a continuous loop???

    Replaying files multiple times

    To replay the sample.pcap infinitely or until CTRL-C is pressed:
    # tcpreplay --loop=0 --intf1=eth0 sample.pcap

    All of this came from the tcpreplay website here>>>>>>