July 17th, 2005, 10:15 PM
Have you seen the video at my site that show how to use Dsniff?
July 18th, 2005, 12:30 AM
Thanks Irongeek. Dsniff still doesn't work, and I'm guessing that's because Hotmail uses SSL so the username and password aren't visible in plain-text, but ngrep worked. The only problem is that I'm having trouble saving the output of "ngrep host 126.96.36.199". I tried "ngrep host 188.8.131.52 > /home/knoppix/Desktop/ngrep" but that didn't work, because it ended the command as soon as it begun (and the output file said that 0 packets had been received). Could someone please tell me how I could save the output of ngrep to a file, while letting ngrep run at the same time? I would just copy and paste the output of the ngrep command into a text editor, but aterm doesn't allow this.
I also tried using ettercap, via "ettercap -NaC 192.168.1.1 192.168.1.101" and also "ettercap -NaC 192.168.1.101 192.168.1.1", but neither of those commands returned any passwords (when I accessed my Hotmail account from the iMac).
Please may someone tell me if I'm doing something wrong? I did follow your tut Irongeek, and that's how I've got the ngrep info which I can't save!
July 18th, 2005, 12:40 AM
Is Ngrep giving any errors at all? It just quits running?
July 18th, 2005, 04:23 AM
Well, ngrep works perfectly when I just type in:
I then type in my username and password for my Hotmail account on the iMac, and I see quite a lot of packets, and other info. It doesn't quit itself, but once I've typed in my username+pass on the iMac, and I receive lots of output on the attacking machine, I quit ngrep via Ctrl+C.
ngrep host 184.108.40.206
I tried selecting all of the output, but because of aterm, I could only view the last few packets, and even when they were selected I couldn't find out a way of copying them.
What happened when I tried redirecting the output of ngrep to a file was that, because ngrep doesn't end automatically and continues running until it is manually exited, the output file contained the info as if no packets had been found at all. This is because the redirection caused ngrep to start and stop almost simultaniously, so no packets were caputed. --At least, that's what I think it is!
What I would like to know is: how do I save the output of the ngrep command? How do I then use those packets which I've captured to crack the password? What is wrong with my dsniff/dnsspoof, and what could I do to test their use (dsniff doesn't seem to support SSL, but dnsspoof should)? Thanks again,
July 18th, 2005, 04:39 AM
Maybe you should try Cain instead
July 18th, 2005, 12:32 PM
Irongeek: Thanks for your help, and eventually I will try Cain, but I'm not the kind of guy that gives up, so could someone please help me get this fixed? There are loads of security gurus on this site, there must be at least one who has been through my situation (either that I can't save the ngrep results, or that dsniff doesn't work)? Thanks,
P.S Could someone also tell me what kind of plain-text passwords we're talking about? Thanks!
July 19th, 2005, 12:36 PM
#1) What are you trying to accomplish? I've seen you throw a half dozen tools around this thread, all of which have specific (and different) uses.
#2) If you are trying to simply arp spoof and you can't get things working, there is yet another unix based tool called frag router that you may want to play with. The folks at (what used to be) Foundstone were big pushers of this little utility. Anyway, this is for your arp poisoning adventure.
#3) Ettercap comes with a bunch of canned tools that allow you to do arp poisoning, password logging, DoS attacks, etc., etc.. This is an "one stop shop" solution for the skiddie in all of us. Since you seem interested in doing a lot of things at once, this may be your best bet.
#4) Piping to dev/null isn't a solve all solution for output. There are cases where you will have to specifically state not to drop content to the terminal.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
July 19th, 2005, 03:29 PM
In reference to the post above:
#1) - I'm just trying to find out what you can do once you've spoofed/poisoned the ARP tables, and how the different tools do the same thing. As an example, I tried finding out a Hotmail password (and eventually tried more than one tool). I tried using ngrep, but I couldn't find out how to save the output; I tried ettercap, but that didn't seem to work....; I tried dsniff, which didn't work either, and last but not least, I tried dnsspoof, but also had problems with that! So, I'm just trying to check out the tools, see what they do, and how their results differ.
#2) - Frag router....I'll check it out! I think it's on the Knoppix-STD live CD.
#3) - I'll try out ettercap, but I'll need to learn some more of its parameters before I start using it. Don't know, I'll take a look at it when I next boot up Knoppix-STD.
fragroute : packet fragmentation tool (thanks again Dug)
#4) - Yeh, I couldn't get the /dev/null piping to work....
Also, how could I get the output of ngrep written to a file on the fly? Thanks!
July 19th, 2005, 04:52 PM
#4: probably (also) outputed to stderr; use the following to redirect stderr to stdout (which is itself redirected to dev null):
Credit travels up, blame travels down -- The Boss
July 19th, 2005, 05:21 PM
Thanks ammo for that! I still need to try it out, but hey, if you're confident that it works, then I'm just gonna believe ya! Do you know about any of the other problems though? Like the extremely annoying problem in the aterm terminal, when running the ngrep command (or any other for that matter), because it tends to "chop off" the output so that you can only see about 2 screenfuls of the results.
Also the random things that are happening with dsniff, ettercap, and dnsspoof. Let's take dsniff for a second: can someone please tell me a simple way of testing this? As in, could you mention a website or something to log into, which dsniff can pick up? Then I can find out whether it's just my laptop, an extremely odd network , or something else.