Re: ettercap help

From: Mike Brentlinger (mdbrentlinger@hotmail.com)
Date: 10/03/02


From: "Mike Brentlinger" <mdbrentlinger@hotmail.com>
To: rsharma@mahindrabt.com
Date: Thu, 03 Oct 2002 10:46:59 -0400

I think I got it figured out... it seems that it's a known issue by the
developers that's being updated to be addressed

http://ettercap.sourceforge.net/forum/viewtopic.php?t=843

----Original Message Follows----
From: Rohit Sharma <rsharma@mahindrabt.com>
To: Mike Brentlinger <mdbrentlinger@hotmail.com>
CC: pen-test@securityfocus.com
Subject: Re: ettercap help
Date: 03 Oct 2002 10:15:41 +0530

While compiling please make sure that you have ncurses libraries. It is
way much better to sniff using the ncurses GUI instead of the command
line.

Anyway, I have never tried Ettercap for VNC.
Choose the IP and press "a" for ARP MITM (make sure dissection is on)
and run Ethereal on the same Ethernet card on top of it for cross
referencing, and decode it yourself to see what's going on.

Or dig into the source code; it's easy if you know the protocol.

Actually, some time back I was going through the source code and found
that the HTTP base64 decoding and web site monitoring is not done
properly. I wrote a sniffer for the same that is more like a GUI:
http://www7.brinkster.com/rohit79/sniffer.tar.bz2 (Yahoo messenger,
http, smtp, ftp dissection enabled). The RPMs are not updated yet. Needs
qt3.

On Tue, 2002-10-01 at 02:07, Mike Brentlinger wrote:
> Ok, based on http://ettercap.sourceforge.net/
>
> ettercap supposedly captures vnc passwords, ie
>
> Password collector for : TELNET, FTP, POP, ... VNC, ...
>
> I have the following setup but cannot for the life of me get it to work..
>
>
> ip : 10.0.0.1 (vnc client)
> mac: aa:aa:aa:aa:aa:aa ---------------|
>                                       |
> ip : 10.0.0.2 (ettercap)              |
> mac: bb:bb:bb:bb:bb:bb ------------- tried both hub & switch
>                                       |
> ip : 10.0.0.3 (vnc server)            |
> mac: cc:cc:cc:cc:cc:cc ---------------|
>
>
> I can get it to sniff telnet, ftp, pop, smb, but no vnc. I have the
> following default entry in my etter.conf file under the dissectors section.
> VNC=ON # tcp 5900-5905
> and based on the etter.conf file it doesn't appear as though this password
> sniff requires any arp spoofing of any type.
>
> when I run it on my windows, trinux, or redhat machine I get similar results
> such as below,
>
>
> C:\Program Files\ettercap>ettercap.exe -NCzds
> ettercap 0.6.7 (c) 2002 ALoR & NaGA
> List of available devices :
> --> [dev0] - [3Com EtherLink PCI]
> --> [dev2] - [3Com 3C90x Ethernet Adapter]
> Please select one of the above, which one ? [0]: 0
> Your IP: 172.18.2.10 with MAC: 00:B0:D0:7B:DD:15 on Iface: dev0
> Press 'h' for help...
> Sniffing (IP based): ANY:0 <--> ANY:0
> TCP + UDP packets... (default)
> Collecting passwords...
>
> 15:18:13 172.18.2.10:1600 <--> 172.18.3.100:139 netbios-ssn
> USER: blah
> PASS:
> LC 2.5 FORMAT: "blah":x:blah:blah
>
> 15:19:44 172.18.2.10:1605 <--> 172.18.1.10:110 pop3
> USER: blah
> PASS: pass
>
>
>
> What am I doing wrong? What would the proper command line start up be? I'm
> not even sure I need to arp spoof since I haven't seen anywhere
> specifically that it's needed for vnc... I've read the man and it has an
> example...
>
> "ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D
> Collect password to stdout on a switched LAN. this will poison the two host
> 192.168.0.1 and 192.168.0.2 each other. "
>
> But that's not all that helpful, especially without a diagram... are those
> the ips and macs of the 2 hosts? the dest and man in middle? the src and man
> in middle?
>
> please help
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
>

Visit us at http://www.mahindrabt.com
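
The defender's side of the ARP MITM step discussed in this thread, as an added example that is not part of the original messages or of ettercap: it compares a trusted ARP-cache snapshot with the live one and reports the two signs poisoning leaves on a victim host. The function names and both cache snapshots are constructed for illustration, using the placeholder addresses from the diagram in the quoted message.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

# Constructed snapshots of the VNC client's (10.0.0.1) ARP cache, using the
# diagram's placeholder addresses. Unix and Windows layouts mixed on purpose.
BASELINE = """\
? (10.0.0.2) at bb:bb:bb:bb:bb:bb [ether] on eth0
? (10.0.0.3) at cc:cc:cc:cc:cc:cc [ether] on eth0
? (10.0.0.9) at <incomplete> on eth0
"""
CURRENT = """\
Interface: 10.0.0.1 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.2              bb-bb-bb-bb-bb-bb     dynamic
  10.0.0.3              bb-bb-bb-bb-bb-bb     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

def parse_arp(text):
    """Return {ip: mac} from `arp -an` (Unix) or `arp -a` (Windows) output."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header line, "<incomplete>" entry or blank line
        mac = mac.group(1).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue  # broadcast / IPv4 multicast MACs are shared legitimately
        table[ip.group(1)] = mac
    return table

def find_poisoning(baseline, current):
    """Compare a trusted snapshot with the live cache; return sorted findings."""
    findings = []
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
        if baseline.get(ip, mac) != mac:  # a known IP now answers from another MAC
            findings.append(("changed", ip, baseline[ip], mac))
    for mac, ips in owners.items():
        if len(ips) > 1:  # one MAC claiming several IPs
            findings.append(("shared", mac, tuple(sorted(ips))))
    return sorted(findings)
```

A "shared" finding alone can be benign (proxy ARP, or one host with several addresses), so treat it as a prompt to check the switch's MAC table rather than as proof.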
