Security Basics mailing list archives

RE: packet sniffing help needed.


From: "Beauford, Jason" <jbeauford () EightInOnePet com>
Date: Tue, 6 Dec 2005 12:28:49 -0500

Mark,

If I understand you correctly, what you have described below is exactly
the way it can be done.  There are other methods such as port mirroring,
but what you have below will work perfectly.

Just make sure that C1 and C2 are on a HUB (not switch).  Set up C2 with
a copy of Ethereal or Windump.  You'll also need the WINPCAP drivers for
either of those to work.  Fire it up and start your browsing from C1.
That's assuming you are using Windows on C2.  Another nice tool to
correlate all of the data is NTOP.  There is a Windows version of that
too called NTOP-XTRA.  If you want, you can save yourself the hassle and
download KNOPPIX STD and boot the ISO on C2.  I believe it has all of the
above-mentioned tools pre-installed.

This is assuming you connect via a WIRED (LAN) connection.  If you are
connecting via a Dial-up, you'll need to install these tools on C1 and
need not worry about a hub.

Pertinent links:

Ethereal:       http://www.ethereal.com/
Windump:        http://www.winpcap.org/windump/
WINPCAP:        http://www.winpcap.org/install/default.htm
NTOP-XTRA:      http://www.openxtra.co.uk/products/ntop-xtra.php
KNOPPIXSTD:     http://www.knoppix-std.org/

Hope this helps.

JMB

        |  -----Original Message-----
        |  From: Mark Knowles [mailto:ghooti () googlemail com] 
        |  Sent: Tuesday, December 06, 2005 5:39 AM
        |  To: security-basics () securityfocus com
        |  Subject: packet sniffing help needed.
        |  
        |  Hi all,
        |  
        |   I have been thinking about packet sniffing and 
        |  packet capture - it is because of all of those 
        |  alerts in IE - you know the ones - This page is not 
        |  encrypted and a 3rd party might be listening.
        |  
        |    I have been doing some googling and not really 
        |  found much, but then I am not too sure what I am looking for.
        |  
        |   This is the setup I want to explore.
        |  
        |  Comp1(victim1) = Windows xp box, Connected via dial 
        |  up to a free ISP
        |  Comp2(attacker) = windows/*nix, connected via 
        |  broadband to different ISP than comp1
        |  Comp3(webserver/victim2)
        |  
        |   C1< ----- > C3
        |  
        |   C2---|
        |  
        |  The image above is my attempt at ASCII art - I 
        |  suppose it represents the old-style wiretap method, 
        |  where C1 and C3 communicate unaware that their data 
        |  is being listened to by C2. C2 has no power to 
        |  modify the information.
        |  
        |   Is this sort of sniffing possible, or would it 
        |  have to be more like
        |  
        |   C1 < --- > C2 < --- > C3
        |  
        |  which is how I see MITM attacks working. I suppose 
        |  this would be akin to having the telephone operator 
        |  relay the message, or a language interpreter 
        |  changing the message between clients.
        |  
        |   I am currently only looking for HTTP data, although 
        |  I am assuming that I will have to filter that after 
        |  I have gotten it all.
        |  
        |    I do not want to mess with the data, I would just 
        |  like to view it. 
        |  Would this still count as a MITM attack?
        |  
        |    I know it's all a bit Hollywood, but I am really 
        |  curious to see what information I am transmitting 
        |  (non-HTTPS) - and what those warnings really mean. 
        |  Are they of the McDonald$ coffee "caution: contents 
        |  are hot" type of thing? Which I have to say is how I 
        |  view them.  I understand how proxies cache and 
        |  transmit data - are the warnings just about them?
        |  
        |  Any advice/ideas/whacking with a lart/etc, greatly 
        |  received :)
        |  
        |   Thanks,
        |  
        |   Mark.
        |  
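The following is an added worked example, not code from either message in this thread. It shows what the passive "wiretap" setup Jason describes actually yields: a sniffer on the hub sees every frame, so the capture filter (the equivalent of the Windump/tcpdump expression "tcp port 80") and the HTTP parser do the work of picking the web traffic out afterwards, which is the filtering step Mark anticipated. The frames, addresses (10.0.0.1 for C1, 192.0.2.10 for C3) and the request contents are constructed test data, and checksums are left at zero since nothing here validates them. The port-443 frame is included to make the contrast concrete: it passes through the same tap but the filter drops it and, even if it were kept, its payload carries no readable request line.

```python
"""Passive HTTP sniffing on a shared hub, as a worked example.

Constructed Ethernet/IPv4/TCP frames stand in for what a sniffer on the
hub would capture.  matches_tcp_port() mirrors the capture filter
"tcp port 80"; extract_http_request() pulls the request line and Host
header out of the TCP payload.
"""
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ip_bytes(dotted):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload,
                src_mac=b"\x02\x00\x00\x00\x00\x01", dst_mac=b"\x02\x00\x00\x00\x00\x02"):
    """Build a minimal Ethernet II + IPv4 + TCP frame (constructed test data; checksums zero)."""
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         IPPROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth_hdr = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything that is not TCP over IPv4."""
    if len(frame) < ETH_HLEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HLEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[doff:]}


def matches_tcp_port(pkt, port):
    """Equivalent of the capture filter 'tcp port N': either endpoint on that port."""
    return pkt is not None and port in (pkt["sport"], pkt["dport"])


def extract_http_request(payload):
    """Return (method, path, host) if the payload starts with an HTTP request, else None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # responses and non-HTTP payloads end up here
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return parts[0], parts[1], host


def sniff_http(frames, port=80):
    """Run the capture filter and HTTP parser over raw frames; list the requests seen."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if not matches_tcp_port(pkt, port):
            continue
        req = extract_http_request(pkt["payload"])
        if req:
            found.append((pkt["src"], pkt["dst"]) + req)
    return found


# Constructed sample capture: C1 (10.0.0.1) talks to C3 (192.0.2.10); C2 only listens.
SAMPLE_FRAMES = [
    build_frame("10.0.0.1", "192.0.2.10", 1234, 80,
                b"GET /login?user=mark&pw=hunter2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    build_frame("10.0.0.1", "192.0.2.10", 1235, 443,
                b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + b"\x00" * 40),  # TLS-style bytes
    build_frame("192.0.2.10", "10.0.0.1", 80, 1234,
                b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
]

if __name__ == "__main__":
    for hit in sniff_http(SAMPLE_FRAMES):
        print(hit)
```

Run as-is it lists the single cleartext request, credentials in the query string included; this is what the IE warning is about, and a switched network only changes who can plug in a tap (hence the hub, or port mirroring, in the reply above), not what the tap sees.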

