ettercap help

From: Mike Brentlinger (mdbrentlingerat_private)
Date: Mon Sep 30 2002 - 13:37:32 PDT


Ok, based on http://ettercap.sourceforge.net/

ettercap supposedly captures VNC passwords, i.e.

   Password collector for : TELNET, FTP, POP, ... VNC, ...

I have the following setup but cannot for the life of me get it to work..


ip : 10.0.0.1 (vnc client)
mac: aa:aa:aa:aa:aa:aa  ---------------|
                                       |
ip : 10.0.0.2 (ettercap)               |
mac: bb:bb:bb:bb:bb:bb  ------------- tried both hub & switch
                                       |
ip : 10.0.0.3 (vnc server)             |
mac: cc:cc:cc:cc:cc:cc  ---------------|


I can get it to sniff telnet, ftp, pop, smb, but no VNC. I have the
following default entry in my etter.conf file under the dissectors section.
    VNC=ON               # tcp    5900-5905
and based on the etter.conf file it doesn't appear as though this password
sniff requires any ARP spoofing of any type.

When I run it on my Windows, Trinux, or Red Hat machine I get similar results,
such as below:


C:\Program Files\ettercap>ettercap.exe -NCzds
ettercap 0.6.7 (c) 2002 ALoR & NaGA
List of available devices :
  --> [dev0] - [3Com EtherLink PCI]
  --> [dev2] - [3Com 3C90x Ethernet Adapter]
Please select one of the above, which one ? [0]: 0
Your IP: 172.18.2.10 with MAC: 00:B0:D0:7B:DD:15 on Iface: dev0
Press 'h' for help...
Sniffing (IP based): ANY:0 <--> ANY:0
TCP + UDP packets... (default)
Collecting passwords...

15:18:13  172.18.2.10:1600 <--> 172.18.3.100:139         netbios-ssn
USER: blah
PASS:
LC 2.5 FORMAT: "blah":x:blah:blah

15:19:44  172.18.2.10:1605 <--> 172.18.1.10:110                pop3
USER: blah
PASS: pass



What am I doing wrong? What would the proper command line start up be? I'm
not even sure I need to ARP spoof since I haven't seen anywhere
specifically that it's needed for VNC... I've read the man and it has an
example...

"ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 
00:A3:56:FE:4F:6D
Collect password to stdout on a switched LAN. this will poison the two host 
192.168.0.1 and 192.168.0.2 each other. "

But that's not all that helpful, especially without a diagram... Are those
the IPs and MACs of the 2 hosts? The dest and man in middle? The src and man
in middle?

please help




This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 20:35:54 PDT