Question about MITM Attack.

[FurqanHanif]

have a question about MITM attack (or Whatever This attack is Called).
Let's say i am connected to a Router and three more users are connected to it, router address is 192.168.0.1. Now i don't know the Login Credentials of the Router , so i use Ettercap and Some DNS poisoning etc Stuff and i do attack on an User "A" , now whenever User "A" type www.google.com it auto redirects to original Router Page whose address is 192.168.0.1 , now User type it's Login User and Pass (Because Router Page Not Using HTTPS so it's easy to Read data in PlainText) , now i am using Wireshark to read all Trafic and Filter all Requests related to 192.168.0.1 and i get the user name and Pass.
So is this Possible ?? if yes Then How i do it ?? if NO then Why ??
Thanks in advance..

[Toqu82]

There is a Tool called "Xplico" ... an browser based sniffing tool and for your purposes it would be better than wireshark cause its sorts the sniffed Data in Categorys.
apt-get install Xplico
Start Ettercap and do an ARP Poisoning, then start Xplico and choose the proper Interface. Now Xplico would show you wich websites the Test Victim (hope you have the permission to test) visits. Also it shows you Login Credentials for all websites in Plaintext, Images, Emails, Videos and so on (depends on encryption).

To get Router Login Credentials try hydra. An nice Bruteforce Tool for your purpose. In the matter that you are allready connectet to the router it this should be enough

Further i hope you have the permissions to run such Attacks an more in this network.
If you need any help send a pm

Have fun tryin this tools

[FurqanHanif]

hmm , never Heard of Xplixo , i'll Check ......
And i How i Do this Attack Exactly ?? Any Tutorial or guidance etc ??
Tried Xhydra , good tool , But it Not Gonna Works if Password is Like "AgbAHbh^5%6!2mN11 " .....
Ofcourse i have Permission , i am The Admin of that Network (means Gonna test on My own Router ... )

[Toqu82]

Do u have any knowledge about network protocols like ARP or services like DNS? I guess it would be really difficult for you to learn such things without any basic understanding how computers communicate in a network. However for Tutorials visit securitytube(dot)net or youtube but be careful, penetrationtesting can be very destructive for your network.

For Hydra is a good password list recommended. U can find one on youre Kali System it should be ok for purpose

[i, dementia]

Hey there. Have an MITM-issue about ettercap-NG-0.7.4.2 with Kali.

I'm trying to (at least) detect with ettercap ICMP (ping) or TCP (telnet) traffic between hosts 20.160 and 20.161. The attacker Kali is 20.165.
The actual goal is modifying packets with filters. So I try to do it with ARP-poisoning.
My actions:
1. IP forwading (console): echo 1 > /proc/sys/net/ipv4/ip_forward
2. Uncommenting in etter.conf (don't know if this is needed):
redir_command_on="iptables -t ...
redir_command_off="iptables -t ...
3. Creating and compiling filter: etterfilter CRC.filter -o CRC.ef
4. (console): ettercap -T -i eth0 -F CRC.ef:1 -M ARP /192.168.20.160/

After this i check (tracert) routes at 20.160 and 20.161 and ARP-tables actually really change to 20.165. So ARP-poisoning is successful. But i am fighting with those filters for several hours and they refuse to work.

I tried different approaches for CRC.filter text. The simpliest is:
if (ip.src=='192.168.20.160') then {
drop();
}

It doesn't work when i run ettercap from command line neither from graphical mode.

What's weird is that using wireshark (with MITM-mode running) when pinging ICMP-packets from 20.160-->20.161 wireshark doesn't indicate packets 20.160-->20.165 and 20.165-->20.161. But when i use tracert i see in wireshark these so called "redirect" ICMP-packets 20.160-->20.165 and 20.165-->20.161.
So i am suspicious if my packets of any types 20.160-->20.161 go through Kali at all (except when i "tracert" through it), and so ettercap doesn't capture anything.
Or maybe it is simply the difference between "ping" and "tracert", that "ping" doesn't indicate his route in sniffer. Then my filters don't work at some different reason.

I'll be really glad if anyone helps. Completing this task is a small part of my graduation work, so it's pretty important to me
Seems to me like for today I already went through totally all ettercap internet material, so i can't find solution anywhere.
Sad thing ettercap project doesn't have its own forum.

[Toqu82]

I guess its simply the different between ping an tracert. Not sure but u can test this with the ping option -N or -R?!
-R shows the route and -N shows the nodes. just try a bit around with the ping command.

[mmusket33]

Suggest you avoid hydra for router passwords. You will get too many false positives. The only tool that seems to work for us is Burpsuitepro. There is a version of Burpsuite in kali BUT it is throttled back and too slow. Look around on the net you will find Burpsuitepro.
Doing a MITM attack and disrupting the traffic thru tuxcut a linux version of netcut may cause the user to access the router and give you the password etc.
And before you waste time doing all this read

https://forums.kali.org/showthread.p...hlight=tp-link

We have found some non tp-link routers also have this flaw and it only takes seconds to see if the flaw exists.


MTeam

[Toqu82]

nice to know. Thanks