Re: webmitm

From: e247net (e247netat_private)
Date: Mon Aug 11 2003 - 23:38:08 PDT


    Hi Chris
    
    First, I must thank you for your interest in helping me.
    
    Before I check further on webmitm, I think my dnsspoofing is not working
    correctly.
    
    The file /etc/dnsspoof.hosts is as below:
    
    +++++++++++++++++++++++++
    192.168.93.133    *.yahoo.com
    192.168.93.133    *.hotmail.com
    192.168.93.133    mail.yahoo.com
    192.168.93.133    www.yahoo.com
    +++++++++++++++++++++++++++
    
    Where victim is 192.168.93.131
    Where attacker is 192.168.93.133
    Where gateway is 192.168.93.2
    
    Something confuses me: from the trace captured (when dns spoof is not
    working) when the victim requests
    www.yahoo.com or mail.yahoo.com, both the spoofed gateway (attacker)
    and the actual gateway replied, and the final
    result from the command prompt of "nslookup www.yahoo.com"
    returns the actual IP of yahoo and not the spoofed IP (attacker IP)
    which it is supposed to be.
    
    By right, the actual gateway should not receive the
    DNS query from the victim since the attacker has intercepted it (arp spoofed).
    From the trace this seems not to be the case: the query went
    to the spoofed gateway first and it performed an ICMP redirect
    and told the victim the actual gateway IP, which resulted in both the
    spoofed and actual gateway replying. And the final result
    picked the actual IP -- thus spoofing failed.
    
    Any hints??
    
    Thanks
    
    
    
    
    
    ----- Original Message ----- 
    From: "Christine Kronberg" <Christine_Kronbergat_private>
    To: "e247net" <e247netat_private>
    Cc: <pen-testat_private>
    Sent: Monday, August 11, 2003 9:41 PM
    Subject: Re: webmitm
    
    
    >
    >   Hi,
    >
    >
    > > I started with webmitm -dd and see only all the GET requests from "victim"
    >
    >   If I understand the source code correctly then this is exactly what
    >   it is supposed to do (please correct me, if I'm wrong). webmitm is a
    >   demonstration for sniffing sensitive data like passwords or similar
    >   things. The victim is putting this data either in a GET request - so
    >   you only need to read enough of the data to fetch the complete GET
    >   request - or the data sits in the http header data when using a POST
    >   request. I can get both working, but when submitting the data via POST,
    >   I only see the data using lynx and forcing it to a hard exit. That
    >   takes a lot of charm from a demonstration (well, usually the GET
    >   part is enough ;-) ).
    >
    > > but no traffic from real site back .
    > >
    > > victim -- > attacker ---> real site
    > >
    > > Btw, I found out that my dnsspoof is working intermittently... though I put
    > > www.hotmail.com and mail.yahoo.com in
    > > the dnsspoof.hosts file but only mail.yahoo.com is being spoofed and not
    > > www.hotmail.com.. any help please
    >
    >   You entered both correctly into your spoofed-hosts file, I presume?!
    >   What does dnsspoof say, when a request for hotmail.com comes by? Is
    >   it ignored?
    >
    >   Regards,
    >
    >
    >                                                       Chris Kronberg.
    >
    > -- 
    > GeNUA mbH
    >
    >
    >
    
    
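The symptom described in the post above, two responders answering the same DNS lookup with different A records, is also the signal a defender can watch for on a segment where ARP or DNS spoofing is suspected. The following is an added example, not code from the thread or from the dsniff tools: it parses raw DNS response payloads (the UDP body of port-53 replies), groups them by transaction id and question name, and reports lookups whose responders disagree. The sample replies are constructed inline using the lab addresses from the post; 203.0.113.10 and 203.0.113.11 are documentation addresses standing in for whatever the real resolver returned, not yahoo's addresses.

```python
import struct
from collections import defaultdict


def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, qname, ip, ttl=300):
    """Build a minimal DNS response carrying one A record.

    Only used here to construct sample data; in practice parse_response()
    would be fed the UDP payload of captured port-53 replies instead.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD/RA set
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Return (txid, qname, [A record IPs]) from a DNS response payload."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qname = qname or name.lower()
        offset += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[offset:offset + 4]))
        offset += rdlen
    return txid, qname, ips


def find_conflicting_answers(responses):
    """Group replies by (transaction id, question name) and report lookups
    that received different A records from different responders.

    responses: iterable of (responder_ip, dns_payload_bytes).
    Returns a list of (txid, qname, {responder_ip: tuple_of_ips}).
    """
    by_query = defaultdict(dict)
    for responder, payload in responses:
        txid, qname, ips = parse_response(payload)
        by_query[(txid, qname)][responder] = tuple(sorted(ips))
    conflicts = []
    for (txid, qname), answers in by_query.items():
        if len(set(answers.values())) > 1:
            conflicts.append((txid, qname, dict(answers)))
    return conflicts


# Constructed sample, using the lab addresses from the thread: the spoofing
# host (192.168.93.133) and the real gateway (192.168.93.2) both answer the
# same query for www.yahoo.com; mail.yahoo.com gets a single, consistent reply.
SAMPLE_RESPONSES = [
    ("192.168.93.133", build_a_response(0x1A2B, "www.yahoo.com", "192.168.93.133")),
    ("192.168.93.2", build_a_response(0x1A2B, "www.yahoo.com", "203.0.113.10")),
    ("192.168.93.2", build_a_response(0x3C4D, "mail.yahoo.com", "203.0.113.11")),
]

if __name__ == "__main__":
    for txid, qname, answers in find_conflicting_answers(SAMPLE_RESPONSES):
        print(f"txid 0x{txid:04x} {qname}: conflicting answers {answers}")
```

Grouping by transaction id rather than by name alone matters: two different queries for the same name can legitimately get different addresses (round-robin or CDN records), whereas two replies to the same query carrying different A records means a second party answered it. In a monitoring deployment the responses list would come from the UDP payloads of captured port-53 replies, keyed by the IP that sent each one.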



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 07:49:03 PDT