Results 1 to 8 of 8

Thread: Question about MITM Attack.

  1. Question about MITM Attack.

    have a question about MITM attack (or Whatever This attack is Called).
    Let's say i am connected to a Router and three more users are connected to it, router address is 192.168.0.1. Now i don't know the Login Credentials of the Router , so i use Ettercap and Some DNS poisoning etc Stuff and i do attack on an User "A" , now whenever User "A" type www.google.com it auto redirects to original Router Page whose address is 192.168.0.1 , now User type it's Login User and Pass (Because Router Page Not Using HTTPS so it's easy to Read data in PlainText) , now i am using Wireshark to read all Trafic and Filter all Requests related to 192.168.0.1 and i get the user name and Pass.
    So is this Possible ?? if yes Then How i do it ?? if NO then Why ??
    Thanks in advance..

  2. #2
    Join Date
    2015-Apr
    Location
    Germany
    Posts
    9
    There is a Tool called "Xplico" ... an browser based sniffing tool and for your purposes it would be better than wireshark cause its sorts the sniffed Data in Categorys.
    apt-get install Xplico
    Start Ettercap and do an ARP Poisoning, then start Xplico and choose the proper Interface. Now Xplico would show you wich websites the Test Victim (hope you have the permission to test) visits. Also it shows you Login Credentials for all websites in Plaintext, Images, Emails, Videos and so on (depends on encryption).

    To get Router Login Credentials try hydra. An nice Bruteforce Tool for your purpose. In the matter that you are allready connectet to the router it this should be enough

    Further i hope you have the permissions to run such Attacks an more in this network.
    If you need any help send a pm

    Have fun tryin this tools
    Last edited by Toqu82; 2015-04-19 at 13:53.

  3. hmm , never Heard of Xplixo , i'll Check ......
    And i How i Do this Attack Exactly ?? Any Tutorial or guidance etc ??
    Tried Xhydra , good tool , But it Not Gonna Works if Password is Like "AgbAHbh^5%6!2mN11 " .....
    Ofcourse i have Permission , i am The Admin of that Network (means Gonna test on My own Router ... )
    Last edited by FurqanHanif; 2015-04-19 at 14:27.

  4. #4
    Join Date
    2015-Apr
    Location
    Germany
    Posts
    9
    Do u have any knowledge about network protocols like ARP or services like DNS? I guess it would be really difficult for you to learn such things without any basic understanding how computers communicate in a network. However for Tutorials visit securitytube(dot)net or youtube but be careful, penetrationtesting can be very destructive for your network.

    For Hydra is a good password list recommended. U can find one on youre Kali System it should be ok for purpose
    Last edited by Toqu82; 2015-04-20 at 12:30.

  5. #5
    Join Date
    2015-Apr
    Posts
    1
    Hey there. Have an MITM-issue about ettercap-NG-0.7.4.2 with Kali.

    I'm trying to (at least) detect with ettercap ICMP (ping) or TCP (telnet) traffic between hosts 20.160 and 20.161. The attacker Kali is 20.165.
    The actual goal is modifying packets with filters. So I try to do it with ARP-poisoning.
    My actions:
    1. IP forwading (console): echo 1 > /proc/sys/net/ipv4/ip_forward
    2. Uncommenting in etter.conf (don't know if this is needed):
    redir_command_on="iptables -t ...
    redir_command_off="iptables -t ...

    3. Creating and compiling filter: etterfilter CRC.filter -o CRC.ef
    4. (console): ettercap -T -i eth0 -F CRC.ef:1 -M ARP /192.168.20.160/

    After this i check (tracert) routes at 20.160 and 20.161 and ARP-tables actually really change to 20.165. So ARP-poisoning is successful. But i am fighting with those filters for several hours and they refuse to work.

    I tried different approaches for CRC.filter text. The simpliest is:
    if (ip.src=='192.168.20.160') then {
    drop();
    }


    It doesn't work when i run ettercap from command line neither from graphical mode.

    What's weird is that using wireshark (with MITM-mode running) when pinging ICMP-packets from 20.160-->20.161 wireshark doesn't indicate packets 20.160-->20.165 and 20.165-->20.161. But when i use tracert i see in wireshark these so called "redirect" ICMP-packets 20.160-->20.165 and 20.165-->20.161.
    So i am suspicious if my packets of any types 20.160-->20.161 go through Kali at all (except when i "tracert" through it), and so ettercap doesn't capture anything.
    Or maybe it is simply the difference between "ping" and "tracert", that "ping" doesn't indicate his route in sniffer. Then my filters don't work at some different reason.

    I'll be really glad if anyone helps. Completing this task is a small part of my graduation work, so it's pretty important to me
    Seems to me like for today I already went through totally all ettercap internet material, so i can't find solution anywhere.
    Sad thing ettercap project doesn't have its own forum.

  6. #6
    Join Date
    2015-Apr
    Location
    Germany
    Posts
    9
    I guess its simply the different between ping an tracert. Not sure but u can test this with the ping option -N or -R?!
    -R shows the route and -N shows the nodes. just try a bit around with the ping command.
    Last edited by Toqu82; 2015-04-21 at 10:58.

  7. #7
    Join Date
    2013-Jul
    Posts
    844
    Suggest you avoid hydra for router passwords. You will get too many false positives. The only tool that seems to work for us is Burpsuitepro. There is a version of Burpsuite in kali BUT it is throttled back and too slow. Look around on the net you will find Burpsuitepro.
    Doing a MITM attack and disrupting the traffic thru tuxcut a linux version of netcut may cause the user to access the router and give you the password etc.
    And before you waste time doing all this read

    https://forums.kali.org/showthread.p...hlight=tp-link

    We have found some non tp-link routers also have this flaw and it only takes seconds to see if the flaw exists.


    MTeam
    Last edited by mmusket33; 2015-04-22 at 04:35.

  8. #8
    Join Date
    2015-Apr
    Location
    Germany
    Posts
    9
    nice to know. Thanks

Similar Threads

  1. BadUSB MITM attack - Help
    By onemantwo in forum NetHunter General Questions
    Replies: 1
    Last Post: 2016-01-11, 03:07

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •