Full Version: Sniff Through A Cisco Router
Hello,
Did anyone manage to sniff through a Cisco router using a GRE tunnel?
Ettercap, at least the Linux version, has a plugin for that. I haven't tried it yet, haven't found the environment for it... Also, for the password sniffing, I prefer to use a tool like dsniff that I can control more easily, and if it goes to shite, it doesn't kill the LAN till the next ARP request/reply tournament.
QUOTE:
Remote traffic sniffing through tunnels and route mangling: You can play with linux cooked interfaces or use the integrated plugin to sniff tunneled or route-mangled remote connections and perform mitm attacks on them.

CODE:
[0] gre_relay 1.0 Tunnel broker for redirected GRE tunnels

QUOTE:
gre_relay
This plugin can be used to sniff GRE-redirected remote traffic. The basic idea is to create a GRE tunnel that sends all the traffic on a router interface to the ettercap machine. The plugin will send back the GRE packets to the router, after ettercap "manipulation" (you can use "active" plugins such as smb_down, ssh decryption, filters, etc... on redirected traffic). It needs a "fake" host where the traffic has to be redirected to (to avoid kernel's responses). The "fake" IP will be the tunnel endpoint. Gre_relay plugin will impersonate the "fake" host. To find an unused IP address for the "fake" host you can use find_ip plugin. Based on the original Tunnelx technique by Anthony C. Zboralski published in http://www.phrack.org/show.php?p=56&a=10 by HERT.

http://www.phrack.org/show.php?p=56&a=10 <- Check that link, quite a good how-to, was of interest to me...
One more plus point is that it can skim through all those SSH packets too.
QUOTE:
http://www.phrack.org/show.php?p=56&a=10 <- Check that link, quite a good how-to, was of interest to me...

I've been testing this, and others, but when you launch the sniff on the Linux end, after a few seconds you can't sniff any more: the Linux server gets DDoSed. I couldn't use that tunnelx program; you need a very stable server and bandwidth as well. The problem with this kind of attack is to redirect only a specific kind of traffic, not all, and when it gets to the Linux/FreeBSD/NetBSD server, to redirect it back to the Cisco or to another server, which is a little bit difficult to do; neither source routing nor iptables tricks worked for me. I'll take a look at the gre_relay program. Thx for the tips.
I didn't try it, but I've read about that in some hacking book.... Basically you make a GRE tunnel between the Cisco you want to sniff and another Cisco at your place, wired up with a hub and a machine with Ethereal...
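A defender-side counterpart to the gre_relay/Tunnelx technique discussed in this thread, added here as an example and not code from the thread, from ettercap or from Tunnelx: it decapsulates GRE (IP protocol 47) packets and flags tunnels whose endpoints are not on the administrator's sanctioned list, which is how an operator would notice a router that has been configured to tunnel an interface's traffic to an unexpected host. The packet builders, the allowlist and all addresses are constructed sample data.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an inner IPv4 packet

def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for a raw IPv4 packet with no link layer."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:]

def parse_gre(buf):
    """Return (protocol_type, payload) for an RFC 2784/2890 GRE header."""
    flags, ptype = struct.unpack("!HH", buf[:4])
    # Optional fields after the 4-byte base header: C -> checksum+reserved1, K -> key, S -> sequence
    hlen = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return ptype, buf[hlen:]

def inspect(buf, allowed_endpoints):
    """None for non-GRE traffic; otherwise the tunnel endpoints and the encapsulated flow,
    with 'suspicious' set when either endpoint is outside the sanctioned endpoint list."""
    src, dst, proto, payload = parse_ipv4(buf)
    if proto != GRE_PROTO:
        return None
    ptype, inner = parse_gre(payload)
    rec = {"outer": (src, dst), "ptype": ptype,
           "suspicious": not {src, dst} <= set(allowed_endpoints)}
    if ptype == ETHERTYPE_IPV4:
        isrc, idst, iproto, _ = parse_ipv4(inner)
        rec["inner"] = (isrc, idst, iproto)
    return rec

# Builders for constructed sample packets (checksums left zero; the parsers ignore them).
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_gre(inner, key=None):
    flags = 0x2000 if key is not None else 0  # K bit set when a key is carried
    return struct.pack("!HH", flags, ETHERTYPE_IPV4) + (struct.pack("!I", key) if key is not None else b"") + inner

# Constructed scenario: router 192.0.2.1 is only sanctioned to tunnel to 192.0.2.2.
ALLOWED = {"192.0.2.1", "192.0.2.2"}
INNER = build_ipv4("10.0.0.5", "10.0.0.80", 6, b"\x00\x50\x00\x16" + b"\x00" * 16)  # inner TCP
SANCTIONED = build_ipv4("192.0.2.1", "192.0.2.2", GRE_PROTO, build_gre(INNER))
REDIRECTED = build_ipv4("192.0.2.1", "203.0.113.9", GRE_PROTO, build_gre(INNER, key=42))
PLAIN = build_ipv4("10.0.0.5", "10.0.0.80", 17, b"\x00" * 8)  # plain UDP, not tunneled
```

Feed `inspect()` the raw IPv4 packets from a capture on the router's uplink; any record with `suspicious` set names the unexpected tunnel endpoint and the internal flow being carried to it.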