-
March 24th, 2003, 11:36 PM
#1
Junior Member
hello, small problem:
I have a small network with different workstations with shares.
now I want to capture packets with ethereal which contain the pass and the loginname from those who try to access the shares.
I've asked for some info already, and I've been told that to connect to a share with windows, windows sends a "net use <drive> <"/user> <pass>" command, which can be captured with ethereal.
the only problem is that I don't manage to get it to work (my ethereal does work!! -->that's not the prob.).
do I need a kind of plugin or sth like that ??
does anyone know what the problem is ??
greetz...
-
March 25th, 2003, 12:18 AM
#2
Are you plugged into a switch or hub?
If you are in a switch then you will not be able to see traffic whose destination is not you.
You would have to put the port you are in into what cisco calls, monitor or spanning mode. I'm not sure if all switches support this.
If you are in a hub, then you should see ALL traffic that is on that device.
-
March 25th, 2003, 01:00 AM
#3
Well, he said that Ethereal does work, so I'm assuming that he's not plugged into a switch - but Andre, if you are on a switch you can use Ettercap to sniff on that network..
I think that I'm understanding your question as in you know the names of the shares and you are typing what you believe to be the right syntax for the Net command, but it's not working?
-
March 25th, 2003, 02:55 AM
#4
Ettercap will still only work if you use ARP Poisoning on the system you wish to look at. It would still be a switched network. Also on a switched network you can use any sniffer and will pick up multicast traffic, so it would appear that you were seeing traffic, which you are, you just aren't seeing ALL traffic. Ettercap is a choice prog for ARP Poisoning, but you have to make sure that your system, which is running ettercap, will be able to route for the system you have poisoned. Correct me if I'm wrong on these points.....
-
March 25th, 2003, 03:30 AM
#5
I might be mistaken, but the windows smb logon procedure is not plain text, so you might actually be capturing the traffic, but it might be encrypted.
PuRe
-
March 25th, 2003, 07:05 AM
#6
Junior Member
a switch.
PuReExcTacy, I think you are wrong, cause I've been told that the user/pass is sent unencrypted.
Maverick811, no, the net use command works perfectly, if I know which user/pass to use.
thanks all for replying.
-
March 25th, 2003, 10:06 AM
#7
then you need to poison the switch..
try ettercap instead
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
March 25th, 2003, 12:49 PM
#8
Junior Member
pfff..seems difficult.
if I'm right the syntax should be: (if we suppose I want to capture "net use" share passwords on a LAN, knowing the IP of the computer where the shares are)
ettercap -a 192.16.2.5:139
Is this right ??
-
March 25th, 2003, 01:06 PM
#9
ettercap has a console GUI (ncurses)
so all you'd have to do is start (as root) ettercap
and then select the address you'd like to check out.. ( 192.16.2.5 ) should be in there..
but I think man ettercap could be helpful...
-
March 25th, 2003, 01:29 PM
#10
d0ppleg@nger said:
Ettercap is a choice prog for ARP Poisoning, but you have to make sure that your system, which is running ettercap, will be able to route for the system you have poisoned. Correct me if I'm wrong on these points
The ARP poisoning is only for password collection and Man-in-the-Middle (MITM) attacks. You can still listen passively without arp poisoning. When you choose the ARP Poisoning option your machine, depending upon which device/machine you replace, will act as the go-between you and the rest of the network. AO Newsletter #6 has a brief tut on Ettercap. My students use it extensively in the classroom but I'd throw out some caution:
1. In some places it is illegal to gather passwords or to use a tool like Ettercap. Use it wisely and with permission.
2. Sniffing a network to collect username/passwords is also a violation of privacy for some and in other places, akin to stealing. You do this for reasons that are unethical, do not be surprised if someone gets pissed and presses charges. DO NOT DO THIS. Ask permission to use the tool
3. It can flood a network. My students have successfully DoS'd our network on a couple of occasions and I've had one student inform me that one of the plugins also causes a nasty DoS. See point 1.
Ettercap makes far too easy what tools like sniffit, tcpdump, hping, etc. used to do. It also is able to break SSL encryptions, gather passwords, etc. This tool is extremely dangerous and yet.. very little is discussed. I'd suggested that admins get to know it well so they can detect it and shut it down. You can -- in fact -- use Ettercap to detect other Ettercap users.
If you have more questions about it ask here or pm me.
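For the detection side raised in the last post, an added example (not part of the thread and not Ettercap's own code): it scans logged ARP-cache snapshots for the two traces ARP poisoning leaves, an IP whose MAC changes and one MAC answering for several IPs. The snapshot format, the addresses and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample: "timestamp ip mac" rows, as if an admin host logged its
# ARP cache once a minute. All addresses are made up for this example.
SAMPLE = """\
10:00 192.168.2.1 00:11:22:33:44:01
10:00 192.168.2.5 00:11:22:33:44:05
10:00 192.168.2.9 00:11:22:33:44:09
10:01 192.168.2.1 00:11:22:33:44:01
10:01 192.168.2.5 00:11:22:33:44:05
10:02 192.168.2.1 00:11:22:33:44:09
10:02 192.168.2.5 00:11:22:33:44:09
10:02 192.168.2.9 00:11:22:33:44:09
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples, skipping malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].lower()

def find_arp_anomalies(text):
    """Return (changed, shared).
    changed: {ip: [macs in order seen]} for IPs whose MAC changed over time
    shared:  {mac: [ips]} for MACs holding several IPs within one snapshot
    """
    history = defaultdict(list)                           # ip -> distinct MACs
    per_snapshot = defaultdict(lambda: defaultdict(set))  # ts -> mac -> ips
    for ts, ip, mac in parse(text):
        if not history[ip] or history[ip][-1] != mac:
            history[ip].append(mac)
        per_snapshot[ts][mac].add(ip)
    changed = {ip: macs for ip, macs in history.items() if len(macs) > 1}
    shared = defaultdict(set)
    for macs in per_snapshot.values():
        for mac, ips in macs.items():
            if len(ips) > 1:
                shared[mac].update(ips)
    return changed, {mac: sorted(ips) for mac, ips in shared.items()}

if __name__ == "__main__":
    changed, shared = find_arp_anomalies(SAMPLE)
    for ip, macs in changed.items():
        print(f"ALERT {ip} moved between MACs: {' -> '.join(macs)}")
    for mac, ips in shared.items():
        print(f"ALERT {mac} claims {', '.join(ips)}")
```

Hosts that legitimately hold several addresses (routers, failover pairs) will also show up under `shared`, so compare alerts against a list of known devices before acting on them.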