Re: ettercap help

From: Mike Brentlinger (mdbrentlingerat_private)
Date: Thu Oct 03 2002 - 07:46:59 PDT

    I think I got it figured out... it seems that it's a known issue by the
    developers that's being updated to be addressed
    
    http://ettercap.sourceforge.net/forum/viewtopic.php?t=843
    
    
    ----Original Message Follows----
    From: Rohit Sharma <rsharmaat_private>
    To: Mike Brentlinger <mdbrentlingerat_private>
    CC: pen-testat_private
    Subject: Re: ettercap help
    Date: 03 Oct 2002 10:15:41 +0530
    
    
    While compiling please make sure that you have ncurses libraries. It is
    way much better to sniff using the ncurses GUI instead of the command
    line.
    
    Anyways have never tried Ettercap for VNC.
    Choose the ip and press "a" for arp MITM (make sure dissection is on)
    and run ethereal on the same ethernet card on top of it for cross
    referencing and decode it yourself to see what's going on.
    
    Or dig into the source code, it's easy if you know the protocol.
    
    Actually some time back I was going through the source code and found
    that the http based 64 decoding and web site monitoring is not done
    properly. I wrote a sniffer for the same that is more like a GUI
    http://www7.brinkster.com/rohit79/sniffer.tar.bz2 (Yahoo messenger,
    http, smtp, ftp dissection enabled). The rpms are not updated yet. Needs
    qt3.
    
    On Tue, 2002-10-01 at 02:07, Mike Brentlinger wrote:
     > Ok, based on http://ettercap.sourceforge.net/
     >
     > ettercap supposedly captures vnc passwords, ie
     >
     >    Password collector for : TELNET, FTP, POP, ... VNC, ...
     >
     > I have the following setup but cannot for the life of me get it to work..
     >
     >
     > ip : 10.0.0.1 (vnc client)
     > mac: aa:aa:aa:aa:aa:aa  ---------------|
     >                                        |
     > ip : 10.0.0.2 (ettercap)               |
     > mac: bb:bb:bb:bb:bb:bb  ------------- tried both hub & switch
     >                                        |
     > ip : 10.0.0.3 (vnc server)             |
     > mac: cc:cc:cc:cc:cc:cc  ---------------|
     >
     >
     > I can get it to sniff telnet, ftp, pop, smb, but no vnc. I have the
     > following default entry in my etter.conf file under the dissectors section.
     >     VNC=ON               # tcp    5900-5905
     > and based on the etter.conf file it doesn't appear as though this password
     > sniff requires any arp spoofing of any type.
     >
     > When I run it on my windows, trinux, or redhat machine I get similar results
     > such as below,
     >
     >
     > C:\Program Files\ettercap>ettercap.exe -NCzds
     > ettercap 0.6.7 (c) 2002 ALoR & NaGA
     > List of available devices :
     >   --> [dev0] - [3Com EtherLink PCI]
     >   --> [dev2] - [3Com 3C90x Ethernet Adapter]
     > Please select one of the above, which one ? [0]: 0
     > Your IP: 172.18.2.10 with MAC: 00:B0:D0:7B:DD:15 on Iface: dev0
     > Press 'h' for help...
     > Sniffing (IP based): ANY:0 <--> ANY:0
     > TCP + UDP packets... (default)
     > Collecting passwords...
     >
     > 15:18:13  172.18.2.10:1600 <--> 172.18.3.100:139         netbios-ssn
     > USER: blah
     > PASS:
     > LC 2.5 FORMAT: "blah":x:blah:blah
     >
     > 15:19:44  172.18.2.10:1605 <--> 172.18.1.10:110                pop3
     > USER: blah
     > PASS: pass
     >
     >
     >
     > What am I doing wrong? What would the proper command line start up be? I'm
     > not even sure I need to arp spoof since I haven't seen anywhere
     > specifically that it's needed for vnc... I've read the man and it has an
     > example...
     >
     > "ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D
     > Collect password to stdout on a switched LAN. this will poison the two host
     > 192.168.0.1 and 192.168.0.2 each other. "
     >
     > But that's not all that helpful, especially without a diagram... Are those
     > the ips and macs of the 2 hosts? The dest and man in middle? The src and man
     > in middle?
     >
     > please help
     >
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 08:56:54 PDT