"net use" names with ethereal
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: "net use" names with ethereal

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    25
    hello, small problem:
    I have a small network with different workstations with shares.
    now i want to capture packets with ethereal which contain the pass and the loginname from those who try to acces the shares.
    I've asked some info allready, and I've been told that to connect to a share with windows, windows send a "net use <drive> <"/user> <pass>" command, which can be captured with ethereal.
    the only problem is that I don't manage to getting it to work (my ethereal does work!! -->that's not the prob.).
    do I need a kind of plugin or sth like that ??
    does anyone knows what's the problem ??

    greetz...

  2. #2
    Member
    Join Date
    Mar 2003
    Posts
    99
    Are you plugged into a switch or hub?

    If you are in a switch then you will not be able to see traffic who's desitnation is not you.
    You would have to put the port you are in into what cisco calls, monitor or spanning mode. I'm not sure if all switches support this.
    If you are in a hub, then you should see ALL traffic that is on that device.

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Well, he said that Ethereal does work, so I'm assuming that he's not plugged into a switch - but Andre, if you are on a switch you can use Ettercap to sniff on that network..

    I think that I'm understanding your question as in you know the names of the shares and you are typing what you believe to be the right syntax for the Net command, but it's not working?
    - Maverick

  4. #4
    Member
    Join Date
    Mar 2003
    Posts
    99
    Ettercap will still only work if you use ARP Poisoning on the system you wish to look at. It would still be a switched network. Also on a switched network you can use any sniffer and will pick up multicast traffic, so it would appear that you were seeing traffic, which you are, you just aren't seeing ALL traffic. Ettercap is a choice prog for ARP Poisoning, but you have to make sure that your system, which is running ettercap, will be able to route for the system you have poisoned. Correct me if I'm wrong on these points.....

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    I might be mistaken, but the windows smb logon procedure is not plain text, so you might actually be capturing the traffic, but it might be encrypted.


    PuRe
    Like this post? Visit PuRe\'s Information Technology Community. We\'ve also got some kick ass Technology Forums. Shop for books and dvds on LiveWebShop.com

  6. #6
    Junior Member
    Join Date
    Dec 2002
    Posts
    25
    a switch.
    PuReExcTacy, I think you are wrong, cause i've been told that the user/pass is send unencrypted.
    Maverick811,no, the net use command works perfectly, If I know which user/pass to use.
    thanks all for replying.

  7. #7
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    then you need to poison the switch..

    try ettercap instead
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    25
    pfff..seems difficult.
    if I'm right the syntax should be: (if we suppose I want to capture "net use" share passwords on a LAN, knowing the IP of the computer where the shares are)
    ettercap -a 192.16.2.5:139
    Is this right ??

  9. #9
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    ettercap has a console GUI (ncurses)

    so all you'd have to do is start (as root) ettercap

    and then select the adress you'd like to check out.. ( 192.16.2.5 ) should be in there..

    but I think man ettercap could be helpfull...
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    d0ppleg@nger said:
    Ettercap is a choice prog for ARP Poisoning, but you have to make sure that your system, which is running ettercap, will be able to route for the system you have poisoned. Correct me if I'm wrong on these points

    The ARP poisoning is only for password collection and Man-in-the-Middle (MITM) attacks. You can still listen passively without arp poisoning. When you chose the ARP Poisoning option your machine, depending upon which device/machine you replace, will act as the go-between you and the rest of the network. AO Newsletter #6 has a brief tut on Ettercap. My students use it extensively in the classroom but I'd throw out some caution:

    1. In some places it is illegal to gather passwords or to use a tool like Ettercap. Use it wisely and with permission.

    2. Sniffing a network to collect username/passwords is also a violation of privacy for some and in other places, akin to stealing. You do this for reasons that are unethical, do not be surprised if someone gets pissed and presses charges. DO NOT DO THIS. Ask permission to use the tool

    3. It can flood a network. My students have successfully DoS'd our network on a couple of occassions and I've had one student inform me that one of the plugins also causes a nasty DoS. See point 1.

    Ettercap makes far too easy what tools like sniffit, tcpdump, hping, etc. used to do. It also is able to break SSL encryptions, gather passwords, etc. This tool is extremely dangerous and yet.. very little is discussed. I'd suggested that admins get to know it well so they can detect it and shut it down. You can -- in fact -- use Ettercap to detect other Ettercap users.

    If you have more questions about it ask here or pm me.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •