does anyone have a good command-line password sniffer to tell me ? i want to sniff the logon password to get all windows users's password of a network but i can t find any good command line sniffer... passed about 2 hours to search and test all sort of sniffers on google but without success
yeah, thank you very much man, but with what can I compile that ?
nuorder
Jun 26 2004, 08:48 AM
two other command line sniffers - already compiled
tethereal, which is part of the ethereal package www.ethereal.com
dsniff www.datanerds.net/~mike/dsniff.html
XeLoRy
Jun 26 2004, 09:44 AM
thx nuorder, i ve download ethereal and installed it but it s a GUI program but i suppose there is a command line executable included when it is installed so i want to know if it is tethereal.exe ??? when i start it there is a dos window mentionning it :
Capturing on \Device\NPF_GenericNdisWanAdapter 0.000000 50:bd:20:52:41:53 -> Locate-Directory-Server LLC U, func=UI; DSAP LLC Sub-Layer Management Group, SSAP LLC Sub-Layer Management Command
and then hold on... what i have to do with my lan to sniff ? just start this executable and wait ? where are stored the password finded ?
yeh probly better off with ettercrap it supports password sniffing, the other sniffers are good but you have to extract the data manually - its fun! but time consuming lol
edit: just had a better look at ettercap features its got a nice set of password features.. this requires time
it doesnt do anything, is it normal ? and when i list my process i can t find ettercap running
what s the problem ?
FiNaLBeTa
Jun 26 2004, 08:46 PM
cain and abel ,oxit.it
XeLoRy
Jun 26 2004, 08:52 PM
but cain and abel are GUI snifferz, and i want a command line sniffer
FiNaLBeTa
Jun 26 2004, 09:12 PM
QUOTE (XeLoRy @ Jun 26 2004, 08:52 PM)
but cain and abel are GUI snifferz, and i want a command line sniffer
cain is, abel is te remote version. never tested it myself, but if it works like cain, it's a winner.
XeLoRy
Jun 26 2004, 09:35 PM
hum, dont know that, why not, i will test and tell you what
strasharo
Jun 26 2004, 10:58 PM
Xelory,i had the same problem with ettercap,and in mine case,the problem was in winpcap.I had the latest WinPcap installed (>3.0) and ettercap just doesn`t started without any error.If you have the latest winpcap installed just uninstall it,reboot and then install winpcap 2.3 that is provided with ettercap.Think that this will fix the issues. Have a nice day.
XeLoRy
Jun 27 2004, 12:02 AM
thx strasharo !!! I ve just deinstalled wincap 3.1 beta and installed 2.3 without a reboot and it works
Now i run a :
CODE
C:\TOOLZ\ettercap>ettercap -NCsz
ettercap 0.6.b (c) 2002 ALoR & NaGA
List of available devices :
--> [dev1] - [NdisWan Adapter] --> [dev2] - [VIA Rhine II Fast Ethernet Adapter]
Please select one of the above, which one ? [0]: 2 Your IP: 10.0.0.1 with MAC: 00:10:DC:97:CC:E4 on Iface: dev2
Loading plugins... Done. Building host list for netmask 255.255.255.0, please wait...
to collect all the passwords of all the ips on the LAN, but may i have to let it run as it a few time to wait for some passwords ?
i ve done this to log the sniffed traffic to a file :
CODE
[qQ] - quit [lL] - log all trafic to file(s) space - stop/cont sniffing
Logging to file(s)...
but when are the windows logon session password are sniffed ??? when anybody logon a workstation on the LAN or else ?? need to know it...
edit : well i logon a workstation on my LAN while ettercap was in password mode sniffing and i ve got a result in the log file like that :
CODE
decoder Decodedata_MakeConnectionList - new node ! 40 ! T 10.0.0.2:1046 - 10.0.0.1:139 illithid Dissector_StateMachine_SetStatus - (3)! T 10.0.0.1:139 - 10.0.0.2:1043 -- [A250EB921240BB85] illithid Dissector_StateMachine_SetStatus - (2)! T 10.0.0.2:1043 - 10.0.0.1:139 -- [(null)] decoder Decodedata_MakeConnectionList - new node ! 41 ! T 10.0.0.1:4343 - **.**.90.88:26999 illithid Dissector_StateMachine_SetStatus - (3)! T 10.0.0.1:139 - 10.0.0.2:1043 -- [AB1C24A794FFCCCC] decoder Decodedata_MakeConnectionList - new node ! 42 ! T 10.0.0.2:1048 - 10.0.0.1:445 illithid Dissector_StateMachine_SetStatus - (2)! T 10.0.0.2:1043 - 10.0.0.1:139 -- [(null)]
where 10.0.0.1 is the ettercap pc, and 10.0.0.2 is the just logon(ed) pc...
WHERE IS THE PASS ?
and second BIG question, how can i install wincap discretely (not by a remote viewer, too lame) on a remote box ? THX FOR HELP
nuorder
Jun 27 2004, 03:30 AM
works fine with winpcap version 3.0 (not 3.1) for me run "ettercap -NCLzs" to sniff for passwords thay are going to/from your machine from anyone. the L is for a logfile, which is stored in the ettercap directory
read the pdf that came with ettercap for instructs on how to arp poison if you need to do that eg: "ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D"
when testing make sure that the host that is try to connect to you doesnt already have the login password cached otherwise it may not send it so you wont see anything.
as for installing winpcap silently there is one you can download off their site winpcap.polito.it/install/default.htm
QUOTE
Transparent installation
This file installs WinPcap silently, without making the installation screen appearing and without any user intervention
XeLoRy
Jun 27 2004, 10:22 AM
QUOTE
when testing make sure that the host that is try to connect to you doesnt already have the login password cached otherwise it may not send it so you wont see anything.
how can i know which one adapter is the ethernet one activated in the control panel of network connections???
i ve been into and seen a Realtek adapter... but which one of this five is the good ?
nuorder
Jun 27 2004, 02:44 PM
QUOTE
what do you mean by "cached login" ???
if you are accessing resources remotely and tick the "save password" box then next time it may not pick up on the credentials as windows already knows about the login
QUOTE
how can i know which one adapter is the ethernet one activated in the control panel of network connections???
try them all, start at 0 as thats the most probable
XeLoRy
Jun 27 2004, 03:17 PM
yes, thx, the 0 is the good one
i ve run a ettercap -NCLsz
and now i m waiting for a logon password in the log file
edit2 : how can i active the ACTIVE PROTOCOL DISSECTION in a ARPBased sniff ?? to spy the SSL traffic ? i read it in the doc but they don t show how to active it ...
edit3 : SHIT ! i have this msg in log file since few minutes :
CODE
ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [60] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494] ettercap Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494]
and it s continue like that about 100 lines what must i do ? restart the sniffing ?
edit4 : well i ve restarted that shit and now i ve got a new sniffed password but i can t understand where is the user login and where is the pass :
yes i ve understand it but i don t know this format of hash, it appears that it s the format of LC 2.5 ... possible ? but we are at the 4 and 5 version ...
my question is : what s the LC4 format of this hash ? and then i will crack it as usual O:-)
strasharo
Jun 27 2004, 04:51 PM
There is a file called lc-converter.c in the dir share,which comes with ettercap.It`s a converter that converts these hashes in LC 4.0 format.
QUOTE
/* ettercap -- L0pht crack converter form ettercap log to LC 4.0
That`s it. Have a nice day.
Metathron
Jun 27 2004, 04:56 PM
Wow nice thanks
hmm my system is fresh and i must find first the Visual Basic CD
can you upload please if it is possible the compiled version ?
Meta
edit1:\\ already compiled now
but im not able as trial member to upload files
sorry
edit2:\\
ive tested the compiler
my input file was ----------------------------- USER: \FALCON\IPC$ PASS:
output file was then : ----------------------------- \FALCON\IPC$:"":"& quot;:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E30000 4FF00000002000100130000:479EE3535736FACB -----------------------------
well but what i must choose in lc5 ... Import from PWDump file ? when i choose PWDump file ... it brute only some secons not the right bruteforcing and when i choose Unix shadow file it want to brute 650 Days
so please what should i do
strasharo
Jun 27 2004, 05:40 PM
Here is the compiled converter.
XeLoRy
Jun 27 2004, 06:14 PM
well, i ve put this line in a txt file called 1.txt :
well but what i must choose in lc5 ... Import from PWDump file ? when i choose PWDump file ... it brute only some secons not the right bruteforcing and when i choose Unix shadow file it want to brute 650 Days
so please what should i do
XeLoRy
Jun 27 2004, 08:35 PM
hum, i ve done what you said but in my 2.txt i ve got this line :
and when i import the file in LC4 by import pwdump file option, the username to crack is \FALCON\IPC$ .... it s not the login to crack ? isn't it ?
anyone to explain me ?
g33k
Jun 28 2004, 06:49 AM
hi all, how about using DaSniff? It works well with WinPCAP and well as Win2K native interface. You can use expressions in rules to capture the traffic.
Try Goodgle to get it.
Also try Natas. the sniffer for Win2k
regards, g33k
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
(sorry for bad english)
