Backtrack 5 – Password Sniffing With Ettercap/Arp Poisoning (LAN) – Tutorial

DfgDfg Admin
edited August 2012 in Tech & Games
Hello everyone,
Today i would like to share a simple / old / educational method of sniffing passwords on a LAN ( Local Area Network).
There are quite a few ways and tools out there designed to do this but to keep things simple and basic, we will be using ettercap from Backtrack 5.

Below i will show you a basic method to use etternet with arp poisoning as Mitm attacks on a LAN. This will allow you to sniff HTTP, FTP, TELNET, POP usernames and passwords.

Updating Ettercap : (This is to make sure you are running the updated version.)

1) Open Terminal and type “sudo apt-get update” and wait for it to finish loading.
2) Next type “apt-get install ettercap”
3) Lastly, type “apt-get install ettercap-gtk


Preparation :

1) Lets open up a terminal and type in “locate etter.conf” and you will be presented with a similiar screen as shown below.
1.png

2) Now go ahead and open up your etter.conf. So in my case i would type, “nano /etc/etter.conf”.
snapshotnanoetterconf.png

3) Ok so now to give ettercap root privileges we will have to change the ec_uid & ec_gid to a value of 0. So the final outcome would be :
2.png
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default

4) Now i want you to scroll right down to the Linux column. And unhash the two lines shown in the below picture/example.
3.png

#
# Linux Before Mdofication #
# if you use ipchains: #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" # if you use iptables: #redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" #redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" #
# Linux after Modification #
# if you use ipchains: #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport" # if you use iptables: redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport" redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

5) Once you have completed and checked your modifications. CLick Ctrl-X (to exit), then press Y (Yes to save) and lastly press the Enter key.

6) Type in “Clear” to clear up your messy terminal. Cleanliness is next to Godliness. Congratulations, we are done with the boring stuff.


LETS BEGIN :

1) Open up a terminal and type ettercap -G.
ETtercap-g.png

2) On the new GUI that appears, Click Sniff –> Unified Sniffing.
choosesniff.png


3) Now go to “Hosts” and click on “Scan for hosts”
choosehost.png

4) Next you will be prompted for your Network Interface ( Shown Below). choose your interface and press the Enter key.
networkinterface.png

5) You will see the GUI scan the whole netmask for 255 hosts and present you with a little message like this :
Randomizing 255 hosts for scanning…
Scanning the whole netmask for 255 hosts…
1 hosts added to the hosts list…
6) Now on the ettercap GUI click on Start –> Start Sniffing.
startsniffing.png

7) Click on MitM –> Arp Poisoning.
mitm.png

8) When the prompt screen appears, tick on Sniff Remote Connections and click OK.
sniffremoteconnections.png

9) Now lets sit back and wait for activity in the server!
2.5 mins later…………..Voila! It shows we have username and passwords of hotmail.com, twoo.com, eurospot.com.
snapshot5.png

10) When you are done, click “Start –>Stop Sniffing” & stop MITM attack. You will notice the command ‘Re-Arping’ on the bottom of your GUI. This means it is fixing up the network to make it look like it was before.

Authors Note :
1) Eettercap takes a little tweaking on different systems to get it going smoothly, so if this method does n0t work for you. Just mess around with it, through mistakes you will learn more icon_razz.gif?m=1129645325g
2) This tutorial was intended to explain mass network sniffing as i had no victims at hand.
3) This is for education purposes, please do not harm the innocent.

via: http://jameslovecomputers.wordpress.com/2012/08/19/backtrack-5-lan-password-sniffing-with-ettercaparp-poisoning-simple-tutorial/

Comments

  • bornkillerbornkiller Administrator In your girlfriends snatch
    edited August 2012
    Another cool BT tutorial added to my collection of BT mayhem. (For educational purposes of course, please do not harm the innocent.)
    Thanks bro. :thumbsup:
  • RemadERemadE Global Moderator
    edited August 2012
    Fuck I love you.
    I stopped using BT for a good couple of years but want to get back into it. Cracking WPA2 passes are the top priority for me right now as everyone locally abandoned WEP :(
  • DfgDfg Admin
    edited August 2012
    [h=2]BackTrack 5 : Harvesting Emails – Tutorial[/h] Hello all,
    Most of you probably already know what i am about to explain here. But bear with me icon_smile.gif?m=1129645325g

    Tools you will need :
    1) Backtrack 5 ( Contains Msfconsole by default)

    Instructions :
    1) Lets begin by opening your shell command on Backtrack 5.
    2) Next type the following commands shown below :

    [email protected]:~# msfconsole
    NOTICE: CREATE TABLE will create implicit sequence “hosts_id_seq” for serial column “hosts.id”
    NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index “hosts_pkey” for table “hosts”
    NOTICE: CREATE TABLE will create implicit sequence “clients_id_seq” for serial column “clients.id”
    NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index “clients_pkey” for table “clients”
    * Allow Msfconsole to fully load till the screen below appears.

    MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
    MMMMMMMMMMM MMMMMMMMMM
    MMMN$ vMMMM
    MMMNl MMMMM MMMMM JMMMM
    MMMNl MMMMMMMN NMMMMMMM JMMMM
    MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
    MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
    MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
    MMMNI MMMMM MMMMMMM MMMMM jMMMM
    MMMNI MMMMM MMMMMMM MMMMM jMMMM
    MMMNI MMMNM MMMMMMM MMMMM jMMMM
    MMMNI WMMMM MMMMMMM MMMM# JMMMM
    MMMMR ?MMNM MMMMM .dMMMM
    MMMMNm `?MMM MMMM` dMMMMM
    MMMMMMN ?MM MM? NMMMMMN
    MMMMMMMMNe JMMMMMNMMM
    MMMMMMMMMMNm, eMMMMMNMMNMM
    MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
    MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
    =[ metasploit v4.2.0-release [core:4.2 api:1.0]
    + — –=[ 805 exploits - 451 auxiliary - 135 post
    + -- --=[ 246 payloads - 27 encoders - 8 nops
    =[ svn r15704 updated 163 days ago (2012.02.23)

    msf > search gather
    Matching Modules
    ================
    Name Disclosure Date Rank Description
    ----
    ----
    auxiliary/admin/oracle/tnscmd 2009-02-01 normal Oracle TNS Listener Command Issuer
    auxiliary/gather/android_htmlfileprovider normal Android Content Provider File Disclosure
    auxiliary/gather/checkpoint_hostname 2011-12-14 normal CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure
    *Allow search gather to load fully

    msf > use gather/search_email_collector
    msf auxiliary(search_email_collector) > show options
    Module options (auxiliary/gather/search_email_collector):
    Name Current Setting Required Description
    ----


    DOMAIN yes The domain name to locate email addresses for
    OUTFILE no A filename to store the generated email list
    SEARCH_BING true yes Enable Bing as a backend search engine
    SEARCH_GOOGLE true yes Enable Google as a backend search engine
    SEARCH_YAHOO true yes Enable Yahoo! as a backend search engine

    msf auxiliary(search_email_collector) > set domain nasa.gov
    domain => nasa.gov
    msf auxiliary(search_email_collector) > run

    [*] Harvesting emails …..
    [*] Searching Google for email addresses from nasa.gov
    [*] Extracting emails from Google search results…
    [*] Searching Bing email addresses from nasa.gov
    one
    [*] Extracting emails from Bing search results…
    [*] Searching Yahoo for email addresses from nasa.gov
    [*] Extracting emails from Yahoo search results…
    [*] Located 23 email addresses for nasa.gov
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] debbie.l.thoma[email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] [email protected]
    [*] Auxiliary module execution completed
    msf auxiliary(search_email_collector) > one Interrupt: use the ‘exit’ command to quit
    msf auxiliary(search_email_collector) >

    Congratulations!!! we have successfully harvested the email from the desired domain.


    This guy is win.
  • bornkillerbornkiller Administrator In your girlfriends snatch
    edited August 2012
    Imagine how long a gmail.com search would take. :eek:
Sign In or Register to comment.