Penetration Testing mailing list archives

Re: ettercap help


From: Rohit Sharma <rsharma () mahindrabt com>
Date: Thu, 03 Oct 2002 10:10:15 +0530
Date: 03 Oct 2002 10:15:41 +0530


While compiling, please make sure that you have the ncurses libraries. It is
much better to sniff using the ncurses GUI instead of the command
line.

Anyway, I have never tried Ettercap for VNC.
Choose the IP and press "a" for ARP MITM (make sure dissection is on)
and run Ethereal on the same Ethernet card on top of it for cross
referencing, and decode it yourself to see what's going on.

Or dig into the source code; it's easy if you know the protocol.

Actually, some time back I was going through the source code and found
that the HTTP base 64 decoding and web site monitoring is not done
properly. I wrote a sniffer for the same that is more like a GUI:
http://www7.brinkster.com/rohit79/sniffer.tar.bz2 (Yahoo messenger,
http, smtp, ftp dissection enabled). The RPMs are not updated yet. Needs
qt3.

On Tue, 2002-10-01 at 02:07, Mike Brentlinger wrote:
Ok, based on http://ettercap.sourceforge.net/

ettercap supposedly captures vnc passwords, ie

   Password collector for : TELNET, FTP, POP, ... VNC, ...

I have the following setup but cannot for the life of me get it to work..


ip : 10.0.0.1 (vnc client)
mac: aa:aa:aa:aa:aa:aa  ---------------|
                                       |
ip : 10.0.0.2 (ettercap)               |
mac: bb:bb:bb:bb:bb:bb  ------------- tried both hub & switch
                                       |
ip : 10.0.0.3 (vnc server)             |
mac: cc:cc:cc:cc:cc:cc  ---------------|


I can get it to sniff telnet, ftp, pop, smb, but no vnc. I have the
following default entry in my etter.conf file under the dissectors section.
    VNC=ON               # tcp    5900-5905
and based on the etter.conf file it doesn't appear as though this password
sniff requires any arp spoofing of any type.

When I run it on my Windows, Trinux, or Red Hat machine I get similar results
such as below,


C:\Program Files\ettercap>ettercap.exe -NCzds
ettercap 0.6.7 (c) 2002 ALoR & NaGA
List of available devices :
  --> [dev0] - [3Com EtherLink PCI]
  --> [dev2] - [3Com 3C90x Ethernet Adapter]
Please select one of the above, which one ? [0]: 0
Your IP: 172.18.2.10 with MAC: 00:B0:D0:7B:DD:15 on Iface: dev0
Press 'h' for help...
Sniffing (IP based): ANY:0 <--> ANY:0
TCP + UDP packets... (default)
Collecting passwords...

15:18:13  172.18.2.10:1600 <--> 172.18.3.100:139         netbios-ssn
USER: blah
PASS:
LC 2.5 FORMAT: "blah":x:blah:blah

15:19:44  172.18.2.10:1605 <--> 172.18.1.10:110                pop3
USER: blah
PASS: pass



What am I doing wrong? What would the proper command line start up be? I'm
not even sure I need to arp spoof since I haven't seen anywhere
specifically that it's needed for vnc... I've read the man and it has an
example...

"ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89
00:A3:56:FE:4F:6D
Collect password to stdout on a switched LAN. this will poison the two host
192.168.0.1 and 192.168.0.2 each other. "

But that's not all that helpful, especially without a diagram... Are those
the IPs and MACs of the 2 hosts? The dest and man in middle? The src and man
in middle?

please help



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



Visit us at http://www.mahindrabt.com
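
The ARP poisoning discussed in this thread leaves a visible trace on the wire: one MAC begins answering for several IPs, and existing IP-to-MAC bindings change. As an added example (not part of the original posts and not ettercap code), this Python detector flags both patterns; the observation tuple format and the function names are assumptions, and the sample data is constructed from the addresses in the thread's diagram.

```python
# Added example: flag ARP cache poisoning from observed ARP replies.
# The (timestamp, sender_ip, sender_mac) tuple format is an assumption.
from collections import defaultdict

# Constructed observations using the addresses from the thread's diagram.
SAMPLE = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:aa"),  # VNC client announces itself
    (2, "10.0.0.2", "bb:bb:bb:bb:bb:bb"),  # third host, its own address
    (3, "10.0.0.3", "cc:cc:cc:cc:cc:cc"),  # VNC server announces itself
    (4, "10.0.0.3", "BB:BB:BB:BB:BB:BB"),  # third host answers for the server
    (5, "10.0.0.1", "bb:bb:bb:bb:bb:bb"),  # ... and for the client
    (6, "10.0.0.3", "cc:cc:cc:cc:cc:cc"),  # real server replies again
]

def detect_arp_poisoning(observations):
    """Return alerts as (timestamp, kind, mac, detail) tuples."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()          # MAC case varies between tools
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "binding-changed", mac,
                           f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append((ts, "mac-claims-many-ips", mac,
                               f"{mac} answers for {claimed}"))
    return alerts

def suspect_macs(alerts):
    """MACs that answered for more than one IP: the likely poisoner."""
    return {mac for _, kind, mac, _ in alerts if kind == "mac-claims-many-ips"}

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE):
        print(alert)
    print("suspects:", sorted(suspect_macs(detect_arp_poisoning(SAMPLE))))
```

Multi-homed hosts, proxy ARP and DHCP reassignment raise the same alerts legitimately, so check each one against known address assignments before acting on it.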


