Re: packet sniffing help needed.

[Rodrigo Blanco <rodrigo.blanco.r () gmail com>]

Hello Mark,

IMHO, there are two possible scenarios:

1) LAN ACCESS - You have access to the IP local network where either
C1 or C3 are located: in this case, it really does not matter if you
are in a hub or switched envirnoment. Hub: sniffing (ethereal and
"follow TCP stream" option is just perfect) will do the job. Switch:
ARP spoofing and there you are (you can try ettercap, for instance)
optionally combined with Ethereal.

2) WAN ACCESS - You do not have a direct access to the IP local
network where either C1 or C3 are located. This one is more tricky,
and I think you would have to resort to either tapping a router in
between (no idea how to do this) or somehow spoof the DNS server that
C1 is using to point C1 to your host (or a host you control) - not
easy, either.

Best regards,
Rodrigo.

On 12/6/05, Mark Knowles <ghooti () googlemail com> wrote:
> Hi all,
>
>  I have been thinking about packet sniffing and packet capture - it is
> because of all of those alerts in IE - you know the ones - This page
> is not encrypted and a 3rd party might be listening.
>
>   I have been doing some googling and not really found much, but then
> I am not too sure what I am looking for.
>
>  This is the setup I want to explore.
>
> Comp1(victim1) = Windows xp box, Connected via dial up to a free ISP
> Comp2(attacker) = windows/*nix, connected via broadband to different
> ISP than comp1
> Comp3(webserver/victim2)
>
>  C1< ----- > C3
>
>  C2---¦
>
> The image above is my attempt at ascii art - I suppose it represents
> the old style wiretap method. where C1 and C3 communicate unaware that
> their data is being listened to by C2. C2 has no power to modify the
> information.
>
>  Is this sort of sniffing possible?  or would it have to be more like
>
>  C1 < --- > C2 < --- > C3
>
> Which is how i see MITM attacks working. - I suppose this would be
> akin to having the telephone operator relay the message, or a language
> interpreter changing the message between clients.
>
>  I am currently only looking for http data, although i am assuming
> that I will have to filter that after I have gotten it all.
>
>   I do not want to mess with the data, I would just like to view it.
> Would this still count as a MITM attack?
>
>   I know its all a bit Hollywood, but i am really curious to see what
> information i am transmitting (non https) - and what those warnings
> really mean, are they of the McDonald$ coffee "caution contents is
> hot" type thing? which i have to say is how i view them.  I understand
> how proxies cache and transmit data - are the warnings just about
> them?
>
> Any advice/ideas/whacking with a lart/etc, greatly received :)
>
>  Thanks,
>
>  Mark.