Ethereal / Cain & Abel / ARP Poisoning

Status: Not open for further replies.

PoW (Limp Gawd), joined Mar 12, 2001, 347 messages
I have started to play around with Ethereal and Cain & Abel and have been blown away by the results. I am currently on a university network with a setup of Extreme Networks routers.

I am normally behind a Linksys switch/router, so I don't get to see much of the good stuff that goes down on the university network. I have been observing the differences in the types of data I can observe when on my LAN and when connected directly to the university network. There is quite a difference! I am interested in playing with ARP poisoning on the university network; however, I would like a good location to read about it, with guides on how to use the variety of pieces of software that make this possible.

I have come across a few, but I was wondering if there were some good sites some of you folks are aware of that provide info regarding how to perform these tasks. Thanks for any info!
 
Holy shit, don't play with ARP poisoning on your campus network. Your IT people will come and fucking rape you hard. Like... real hard. :eek:


If you want to play with traffic sniffing tools, do it BEHIND your router, with other machines generating random traffic (throw up a default install of a WinXP box and listen to that shit for a while :D ).

Doing the things that you say you want to do while connected directly to the campus network will more than likely get your access banned temporarily, if not permanently, or there could even be criminal charges depending on what you do and what data you see / sniff / access.
 
1st thing. . . Cain & Abel rocks.

2nd thing. . . I'm with draconius on this one. Don't mess with the school network. Those IT guys think they're all hot stuff. They'll just ban you from internet privileges for amusement. Talk to other people around the school and see what will happen and what kind of IT staff the school has.

Have fun but dont do something stupid.
 
Hehe, I'm doing that now. I was a little blown away by how effective Cain & Abel was. I'm gonna back off until I understand exactly what I am doing a bit better. I am interested in tracking down a laptop and trying it out at my local coffee shop on their wifi setup. Should be real interesting.

I was wondering if anybody had ideas on how to combine ARP poisoning and then use the Ethereal software along with it. Ethereal is incredibly nice as well, as I can tell behind my own router; however, when I was using it on the school network I was getting much less interesting info. Behind my Linksys BEFSR41 router I could see websites accessed, what I was searching for on Google etc., for example, but on my school network the data only applied to myself, and the info that didn't was very uninteresting. Any further thoughts?
 
ARP poisoning can be/is noticeable. I would expect that your school has some sensor setup to catch those types of things; ettercap includes plugins to do just that, even though it also does the poisoning. I would suggest doing it on your own network if you want to learn about it and test it out. Never do that kind of thing on your school's network though, that would be a quick way to get arrested.

Also, most schools are probably using a switched network, which is why you would need to do ARP poisoning just to see anyone else's data. Switches add a little security, but it's not perfect.
 
If your school has any intrusion detection running, then odds are you're being monitored. I hope you spoof your MAC address before doing all this. Also, don't leave any instant messaging clients or automatic email checking programs running either.

BTW, I do the exact same thing at my college.
 
Why do you think this is 'ok' to do on someone else's network?

Were I your admin, I'd be tracking every fucking thing you did, then I'd turn it over to the FBI and say you are trying to get at my student records.

But then, I'm a dick and I'm sick of dealing with little turds.
 
acascianelli said:
If your school has any intrusion detection running, then odds are you're being monitored. I hope you spoof your MAC address before doing all this. Also, don't leave any instant messaging clients or automatic email checking programs running either.

BTW, I do the exact same thing at my college.

And since you can only spoof your MAC addy easily when using wireless, it's kind of pointless, because most colleges have separated the wired and wireless network segments, because the wireless segment is so inherently insecure and wide open. And like I said before, just wait for the letter in the mail that says 'hey 1337h4x0rd00d, you fucked up bigtime on our network, your account has been banned, and you are blocked from all network services' and then keep running your mouth :(
 
draconius said:
and since you can only spoof your MAC addy easily when using wireless,
:confused:
You can do it pretty easily, actually. With *nix it just needs one run of ifconfig, and in Windows you can do it with a registry edit. Some hardware (not a lot though, as far as I have found) doesn't let this work, by forcing the MAC at the hardware level, but most will let you do it without a problem. Heck, some of the drivers for Windows NICs actually have it as a driver setting.
 
I have always been under the impression that no matter what you do, you cannot spoof your MAC on a hardware card, because it is hardcoded into the device...
At least I know that is true on 3Com and most nice Intel NICs...

Bleh, cheap NICs that are cheap :p
 
draconius said:
And since you can only spoof your MAC addy easily when using wireless, it's kind of pointless, because most colleges have separated the wired and wireless network segments, because the wireless segment is so inherently insecure and wide open. And like I said before, just wait for the letter in the mail that says 'hey 1337h4x0rd00d, you fucked up bigtime on our network, your account has been banned, and you are blocked from all network services' and then keep running your mouth :(

Dude, I'm not selling passwords or trying to break shit, so what's the big deal? I've been doing it on their networks for 3 years now and I haven't had any trouble. I know there's a ton of other people who do the same, if not worse, thing.

Yes, I do it mostly on the wireless network, but I have done it on the wired network also. And yes, I can spoof the MAC address on my wired connection also.
 
draconius said:
I have always been under the impression that no matter what you do, you cannot spoof your MAC on a hardware card, because it is hardcoded into the device...
At least I know that is true on 3Com and most nice Intel NICs...

Bleh, cheap NICs that are cheap :p
Actually, all the Intel NICs I have used have the hardware address as a setting in the drivers, so you can set it yourself.
 
Xipher said:
Actually, all the Intel NICs I have used have the hardware address as a setting in the drivers, so you can set it yourself.

Cain also has the option to spoof both MAC and IP within the program itself. I never had a chance to test it though.
 
I know from my own experience that I was spoofing my MAC with Cain; I'm not sure if it was working or not, however, I'm assuming so. Though I read in the Cain FAQ that it is not terribly difficult to figure out spoofed MAC addresses.

Related to this, my Linksys router I mentioned before also serves as a switch, yet without any ARP poisoning my attempts to simply sniff the available packets were many times more successful than when connected to the school network. Is it possible that a piece of hardware on the school network is more effective than the switch I have at directing data and therefore preventing it from being sniffed as effectively?
 
PoW said:
Related to this, my Linksys router I mentioned before also serves as a switch, yet without any ARP poisoning my attempts to simply sniff the available packets were many times more successful than when connected to the school network. Is it possible that a piece of hardware on the school network is more effective than the switch I have at directing data and therefore preventing it from being sniffed as effectively?
I actually wouldn't be surprised. I don't think it would be too difficult to make a switch smart enough that it could detect ARP poisoning. I mean, if a host is sending out ARP packets when it wasn't requested, I could see how they might block it then. Simply have a tracking system where if someone requests an ARP, let it through; otherwise, don't forward the ARP reply packets. I don't see anyone ever doing that with stuff for home use, but I wouldn't be surprised to see it in the higher-end equipment.
 
XOR != OR said:
Why do you think this is 'ok' to do on someone else's network?

Were I your admin, I'd be tracking every fucking thing you did, then I'd turn it over to the FBI and say you are trying to get at my student records.

But then, I'm a dick and I'm sick of dealing with little turds.

Hmm... This sounds exactly like something I described in this thread.

First and foremost, this sort of activity will get you into some SERIOUS hot water with the school if caught, and that's if you're lucky. Why this wasn't apparent to the thread creator (who created both threads) makes me question one's motives.

Second of all, MAC addresses can, and have been, spoofed. You can do it with 3rd party utilities, and some NICs are shipping with drivers that allow you to configure the MAC addresses yourself. Some OSes give you the option as well.

Lastly, it's good that these discussions come up from time to time, because otherwise people would just not know any better and could land themselves in trouble. However, I'm not going to continue what may be veiled attempts to learn more about hacking, especially if it's admitted that it's to be used for nefarious purposes. PoW, you've been warned.


Xipher said:
I actually wouldn't be surprised. I don't think it would be too difficult to make a switch smart enough that it could detect ARP poisoning. I mean, if a host is sending out ARP packets when it wasn't requested, I could see how they might block it then. Simply have a tracking system where if someone requests an ARP, let it through; otherwise, don't forward the ARP reply packets. I don't see anyone ever doing that with stuff for home use, but I wouldn't be surprised to see it in the higher-end equipment.
IDSes already do this. Integrating the logic from one, while possible, wouldn't make much business sense, since it'd dilute a vendor's product line, hence the unlikelihood of one ever coming to market from one of the big boys. Then again, if there is enough demand for one, I'm sure we'd eventually see someone offering it.
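The detection logic Xipher sketches above (let a reply through only if someone recently asked for that address) and the reply that IDSes already do this, worked through as an added example. This is not code from the thread, from Cain & Abel, Ettercap or Ethereal; it is a toy monitor over already-decoded ARP frames. It adds the second check that arpwatch-style tools rely on, flagging an IP whose MAC binding changes. The frames are constructed sample data, not a capture, and the 2 second reply window is an assumed tuning value.

```python
"""Toy ARP-poisoning monitor: remember who asked for which address, treat
replies nobody asked for as suspicious, and flag an IP whose MAC binding
changes.  Added example, not code from the thread or from Cain & Abel,
Ettercap or Ethereal.  Frames below are constructed sample data."""

from dataclasses import dataclass, field

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpFrame:
    t: float            # seconds since start of capture
    op: int             # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    reply_window: float = 2.0                       # assumed: how long a request "authorises" a reply
    pending: dict = field(default_factory=dict)     # target_ip -> time of last request for it
    bindings: dict = field(default_factory=dict)    # ip -> MAC first claimed for that ip
    alerts: list = field(default_factory=list)      # (kind, ip, detail, time)

    def observe(self, f: ArpFrame) -> None:
        if f.op == ARP_REQUEST:
            # Note who is expected to answer.  A request also carries the
            # sender's own binding, so learn that too.
            self.pending[f.target_ip] = f.t
            self._learn(f)
        elif f.op == ARP_REPLY:
            asked = self.pending.get(f.sender_ip)
            if asked is None or f.t - asked > self.reply_window:
                # Reply for an address nobody recently asked about: the
                # unsolicited ARP that the switch logic above would drop.
                self.alerts.append(("unsolicited_reply", f.sender_ip, f.sender_mac, f.t))
            self._learn(f)

    def _learn(self, f: ArpFrame) -> None:
        old = self.bindings.get(f.sender_ip)
        if old is None:
            self.bindings[f.sender_ip] = f.sender_mac
        elif old != f.sender_mac:
            # Same IP now claimed by a different MAC: classic poisoning signature.
            self.alerts.append(("binding_change", f.sender_ip, f"{old}->{f.sender_mac}", f.t))
            self.bindings[f.sender_ip] = f.sender_mac   # keep tracking the new claim


# Constructed sample traffic: a normal request/reply for the gateway 10.0.0.1,
# then a host at 00:de:ad:be:ef:00 repeatedly claiming the gateway's IP unasked.
SAMPLE = [
    ArpFrame(0.0, ARP_REQUEST, "00:11:22:33:44:55", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    ArpFrame(0.1, ARP_REPLY,   "00:aa:bb:cc:dd:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"),
    ArpFrame(5.0, ARP_REPLY,   "00:de:ad:be:ef:00", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"),
    ArpFrame(7.0, ARP_REPLY,   "00:de:ad:be:ef:00", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5"),
]


def run(frames):
    """Feed frames through a fresh monitor and return the alerts it raised."""
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for kind, ip, detail, t in run(SAMPLE):
        print(f"t={t:4.1f}s {kind:17} ip={ip} {detail}")
```

On the sample the first poisoned reply trips both checks, and the second trips only the timing check, since the monitor now knows the attacker's binding. The timing check alone is weak: a poisoner that answers right behind a genuine request slips inside the window, and legitimate gratuitous ARP (IP conflict probes, failover) will trip it, which is why the binding-change check carries most of the weight in real tools.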
 