[giany]

Hello,

Did anyone managed to sniff through a cisco router using a gre tunnel?

[myth]

Ettercap, atleast the linux version, has a plugin for that. I havent tried it yet, havent found the environment for it... Also, for the password sniffing, i prefer to use a tool like dsniff that i can control easier, and if it goes to shite, doesnt kill the lan till the next arp request reply tournament.

Quote

      Remote  traffic  sniffing  through  tunnels and route mangling: You can play with
      linux cooked interfaces or use the integrated plugin to sniff tunneled or  route-
      mangled remote connections and perform mitm attacks on them.

[0]       gre_relay  1.0  Tunnel broker for redirected GRE tunnels

Quote

      gre_relay

              This plugin can be used to sniff GRE-redirected remote traffic.  The basic
              idea  is  to  create  a  GRE tunnel that sends all the traffic on a router
              interface to the ettercap machine. The plugin will send back the GRE pack-
              ets  to  the  router,  after ettercap "manipulation" (you can use "active"
              plugins such as smb_down, ssh decryption, filters,  etc...  on  redirected
              traffic)  It needs a "fake" host where the traffic has to be redirected to
              (to avoid kernel's responses). The "fake" IP will be the tunnel  endpoint.
              Gre_relay  plugin  will impersonate the "fake" host.  To find an unused IP
              address for the "fake" host you can use  find_ip  plugin.  Based  on  the
              original  Tunnelx  technique  by  Anthony  C.  Zboralski  published  in
              http://www.phrack.or...w.php?p=56&a=10 by HERT.

http://www.phrack.or...w.php?p=56&a=10 <- Check that link, quiet a good how-to, was of interest to me...

[easternerd]

One more plus point is that it can skim throught all those SSH packets too.

[giany]

Quote

http://www.phrack.or...w.php?p=56&a=10 <- Check that link, quiet a good how-to, was of interest to me...

I`ve been testing this.. and others..but when you launch the sniff on the linux end after a few seconds you can`t sniff no more..the linux server gets ddosed..I couldn`t use that tunnelx program.. you need a very stable server and bandwidth as well. The problem with this kind of attack is to redirect only a specific kind of traffic not all..and when it gets to the linux/freebsd/netbsd server to redirect it back to the cisco.. or to other server which is a little bit difficult to do neither source routing or iptables tricks worked for me..I`ll take a look at the gre_relay program..

Thx for the tips..

[skydance]

i didnt try it but ive read about that in some hacking book.... basically you make a GRE tunnel between the cisco you want to sniff and another cisco at your place wired up with a hub and a machine with ethereal...

[320X]

that will depends of the network, if is a extended star or a cherarchical network,bus,ring... and so ... protocols the access lists/access groups and the pix security, politics... etc...