Re: packet sniffing help needed.



Hello Mark,

IMHO, there are two possible scenarios:

1) LAN ACCESS - You have access to the IP local network where either
C1 or C3 are located: in this case, it really does not matter if you
are in a hub or switched environment. Hub: sniffing (ethereal and
"follow TCP stream" option is just perfect) will do the job. Switch:
ARP spoofing and there you are (you can try ettercap, for instance)
optionally combined with Ethereal.

2) WAN ACCESS - You do not have a direct access to the IP local
network where either C1 or C3 are located. This one is more tricky,
and I think you would have to resort to either tapping a router in
between (no idea how to do this) or somehow spoof the DNS server that
C1 is using to point C1 to your host (or a host you control) - not
easy, either.

Best regards,
Rodrigo.

On 12/6/05, Mark Knowles <ghooti@xxxxxxxxxxxxxx> wrote:
> Hi all,
>
> I have been thinking about packet sniffing and packet capture - it is
> because of all of those alerts in IE - you know the ones - This page
> is not encrypted and a 3rd party might be listening.
>
> I have been doing some googling and not really found much, but then
> I am not too sure what I am looking for.
>
> This is the setup I want to explore.
>
> Comp1(victim1) = Windows xp box, Connected via dial up to a free ISP
> Comp2(attacker) = windows/*nix, connected via broadband to different
> ISP than comp1
> Comp3(webserver/victim2)
>
> C1< ----- > C3
>
> C2---¦
>
> The image above is my attempt at ascii art - I suppose it represents
> the old style wiretap method. where C1 and C3 communicate unaware that
> their data is being listened to by C2. C2 has no power to modify the
> information.
>
> Is this sort of sniffing possible? or would it have to be more like
>
> C1 < --- > C2 < --- > C3
>
> Which is how I see MITM attacks working. - I suppose this would be
> akin to having the telephone operator relay the message, or a language
> interpreter changing the message between clients.
>
> I am currently only looking for http data, although I am assuming
> that I will have to filter that after I have gotten it all.
>
> I do not want to mess with the data, I would just like to view it.
> Would this still count as a MITM attack?
>
> I know it's all a bit Hollywood, but I am really curious to see what
> information I am transmitting (non https) - and what those warnings
> really mean, are they of the McDonald$ coffee "caution contents is
> hot" type thing? which I have to say is how I view them. I understand
> how proxies cache and transmit data - are the warnings just about
> them?
>
> Any advice/ideas/whacking with a lart/etc, greatly received :)
>
> Thanks,
>
> Mark.
>
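Rodrigo's switch-side scenario works because forged ARP replies re-map a host's or gateway's IP to another MAC, and the usual way to spot that on the LAN is to watch ARP traffic for an IP whose hardware address suddenly changes. The Python monitor below is an added example, not code from either message: it parses raw Ethernet/ARP frames and reports such conflicts. The frames it checks are constructed inside the block, and the gateway/attacker addresses are made-up sample values.

```python
import struct

# Ethernet header: dst MAC, src MAC, ethertype; ARP header per RFC 826.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != ARP_REPLY:
        return None
    return ip_str(spa), mac_str(sha)

def detect_arp_conflicts(frames):
    """Walk captured frames in order; return (ip, previous_mac, new_mac) for every
    ARP reply that claims an IP already seen with a different hardware address."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            continue
        ip, mac = parsed
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen[ip] = mac
    return alerts

def sample_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame (not captured traffic) for exercising the detector."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, bytes(sender_ip),
                       target_mac, bytes(target_ip))
    return eth + arp

if __name__ == "__main__":
    gw, other, victim = (bytes.fromhex(h) for h in ("aabbccddeeff", "001122334455", "0a0a0a0a0a0a"))
    legit = sample_frame(gw, [10, 0, 0, 1], victim, [10, 0, 0, 5])      # gateway answering normally
    forged = sample_frame(other, [10, 0, 0, 1], victim, [10, 0, 0, 5])  # same IP, different MAC
    for ip, old, new in detect_arp_conflicts([legit, legit, forged]):
        print(f"ARP conflict: {ip} moved from {old} to {new}")
```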
