Re: webmitm

From: e247net (e247netat_private)
Date: Mon Aug 11 2003 - 23:38:08 PDT

Next message: Mike Craik: "Re: Driftnet + WEP + Kismet FIFO named pipe + pcap dumps!"

Previous message: Joe Skaboika: "Driftnet + WEP + Kismet FIFO named pipe + pcap dumps!"
In reply to: Christine Kronberg: "Re: webmitm"
Next in thread: van Aswegen, Marinus (ZA - Johannesburg): "RE: webmitm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Chris

first i must thanks you for your interest in helping me.

I before I check further on webmitm.. I think my dnsspoofing is not working
correctly.

The file /etc/dnsspoof.hosts is as below:

+++++++++++++++++++++++++
192.168.93.133    *.yahoo.com
192.168.93.133    *.hotmail.com
192.168.93.133    mail.yahoo.com
192.168.93.133    www.yahoo.com
+++++++++++++++++++++++++++

Where victim is 192.168.93.131
Where attacker is 192.168.93.133
Where gateway is 192.168.93.2

Something confuse me, from the trace captured (when dns spoof is not
working) when victim request for
www.yahoo.com or mail.yahoo.com both the spoofed gateway(attacker)
and the actual gateway replied and the final
result from the command prompt of "nslookup www.yahoo.com"
return the actual IP of yahoo and not the spoofed IP (attacker IP)
which suppose to be.

By right, the actual gateway should not receive the
DNS query from victim since the attacker has intecepted (arp spoofed)
From trace this seems not to be the case, the query went
to the spoofed gateway first and it perform a ICMP redirect
and tells victim the actual gateway IP and resulted both
spoofed and actual gateway replied. And, final result
pick the actual IP -- thus spoofing failed.

Any hints??

THanks





----- Original Message ----- 
From: "Christine Kronberg" <Christine_Kronbergat_private>
To: "e247net" <e247netat_private>
Cc: <pen-testat_private>
Sent: Monday, August 11, 2003 9:41 PM
Subject: Re: webmitm


>
>   Hi,
>
>
> > i started with webmitm -dd and see only all the GET requests from
"victim"
>
>   If I understand the source code correctly than this is exactly what
>   it is supposed to do (please correct me, if I'm wrong). webmitm is a
>   demonstration for sniffing sensitive data like passwords or similar
>   things. The victim is putting this data either in a GET request - so
>   you only need to read enough of the data to fetch the complete GET
>   request - or the data sits in the http header data when using a POST
>   request. I can get both working, but when submitting the data via POST,
>   I only see the data using lynx and forcing it to a hard exit. That
>   takes a lot of charm from a demonstration (well, usually the GET
>   part is enough ;-) ).
>
> > but no traffic from real site back .
> >
> > victim -- > attacker ---> real site
> >
> > Btw, i found out that my dnsspoof is working intermittently... thought i
put
> > www.hotmail.com and mail.yahoo.com in
> > the dnsspoof.hosts file but only mail.yahoo.com is being spoofed and not
> > www.hotmail.com.. any help plse
>
>   You entered both correctly into your spoofed-hosts file, I presume?!
>   What does dnsspoof say, wenn a request for hotmail.com comes by? Is
>   it ignored?
>
>   Regards,
>
>
>                                                       Chris Kronberg.
>
> -- 
> GeNUA mbH
>
>
>
> --------------------------------------------------------------------------
-
> --------------------------------------------------------------------------
--
>
>
>

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Mike Craik: "Re: Driftnet + WEP + Kismet FIFO named pipe + pcap dumps!"
Previous message: Joe Skaboika: "Driftnet + WEP + Kismet FIFO named pipe + pcap dumps!"
In reply to: Christine Kronberg: "Re: webmitm"
Next in thread: van Aswegen, Marinus (ZA - Johannesburg): "RE: webmitm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 07:49:03 PDT