davywavy Posted February 16, 2012

Hello I have recently started using Linux and I'm no expert. I use Puppy Linux from a live CD and have downloaded Ettercap. I have used the following 2 methods to use Ettercap for MITM monitoring of a second device on my WLAN; both methods have stalled as described and I would like to know how to progress from either or preferably both methods.

No.1 - GUI. I have used the GUI, scanned for hosts, allocated the target device as TARGET 1 and the router as TARGET 2, ARP poisoned and started sniffing. But then nothing else happens when I use the target device. The GUI screen simply states that sniffing has begun but nothing more.

No.2 - Text. From a terminal I enter the command sudo ettercap -T -M arp -i wlan0 /192.target/ /192.router/ -w test.cap . When I use the target PC I get a lot of data appearing in the terminal. But when I view it using cat test.cap | grep -a http most of it is nonsense to me.

I would like, using text or GUI, to see in plain English text the websites visited and the passwords entered. I believe this is possible with Ettercap but I can't quite get there. Thanks.
Infiltrator Posted February 17, 2012

Use Wireshark for viewing the pcap files, and Network Miner for assembling files.
davywavy (Author) Posted February 17, 2012

Thanks for the replies. I will try to find a Puppy version of Wireshark. Is there no way to just use Ettercap? The YouTube tutorials show passwords being revealed but my set-up must be missing something. I'm not very knowledgeable about libraries and plug-ins and wonder if that's where I'm going wrong.
digip Posted February 17, 2012

cap and pcap files are raw packets of data. You need something that can read them and put them into plain text, like Wireshark. Network Miner can reassemble certain file types automatically for you from raw pcap files, such as images, web pages, exes, etc.
davywavy (Author) Posted February 17, 2012

Thanks for that. I have installed Wireshark but am unable to find passwords or visited websites. I captured packets with Ettercap (including logging in on Google and eBay) then opened the test.cap file in Wireshark but it's a bit daunting. I tried applying a filter - http.request.method == POST - which I read would show entries including logins. But when I try "Follow TCP Stream" I don't get any plain text user ID or passwords. What do I need to do?

When I start Wireshark I get the following error message: Lua: Error during loading: [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled

Is this the cause of my difficulties?
davywavy (Author) Posted February 19, 2012

When using the GUI I have ARP poisoned then used chk-poisoning and get a message telling me there is "no poisoning at all". Does anyone know how to fix this? And can anyone tell me how I use Wireshark to decipher packets captured in text mode (or point me to a simple, basic tutorial) as I'm still struggling to make sense of it. Thanks
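The thread turns on whether ARP poisoning took hold (Ettercap's chk-poisoning reports "no poisoning at all"). Seen from the other side of the WLAN, the same condition is what a defender watches for: one IP address suddenly claimed by a second MAC. The script below is an added example, not code from this thread or from Ettercap; it parses raw Ethernet/ARP frames the way a pcap reader would and flags IP-to-MAC conflicts. All frames are constructed in memory (the addresses are made up), nothing is sent on the network.

```python
"""Flag ARP-cache poisoning in a capture: an IP whose sender MAC changes."""
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet+ARP frame (constructed test input only)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet/IPv4, op 1=req 2=reply
    return eth + hdr + sender_mac + sender_ip + target_mac + target_ip

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    _hw, _proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    sha = frame[22:28].hex(":")
    spa = ".".join(str(b) for b in frame[28:32])
    tpa = ".".join(str(b) for b in frame[38:42])
    return op, sha, spa, tpa

def find_poisoning(frames):
    """Return [(ip, first_mac, conflicting_mac)] for every ARP packet whose
    sender IP was earlier seen with a different MAC. Requests count too,
    since poisoning tools abuse both opcodes to refresh victims' caches."""
    first_seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _op, sha, spa, _tpa = parsed
        known = first_seen.setdefault(spa, sha)
        if known != sha:
            alerts.append((spa, known, sha))
    return alerts

# Constructed sample capture: router and PC answer normally, then a third
# MAC claims the router's address (the symptom of an ARP MITM on this LAN).
ROUTER_MAC, PC_MAC, THIRD_MAC = b"\xaa" * 5 + b"\x01", b"\xbb" * 5 + b"\x02", b"\xcc" * 5 + b"\x03"
ROUTER_IP, PC_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
SAMPLE_FRAMES = [
    build_arp(1, PC_MAC, PC_IP, b"\x00" * 6, ROUTER_IP),       # PC asks who has .1
    build_arp(2, ROUTER_MAC, ROUTER_IP, PC_MAC, PC_IP),        # router answers
    build_arp(2, THIRD_MAC, ROUTER_IP, PC_MAC, PC_IP),         # conflicting claim
]

if __name__ == "__main__":
    for ip, old, new in find_poisoning(SAMPLE_FRAMES):
        print(f"ALERT {ip}: first seen as {old}, now claimed by {new}")
```

A legitimate MAC change (replaced NIC, DHCP handing an address to a different host) triggers the same alert, so in practice compare against a known gateway mapping and look at how often the conflict repeats rather than acting on a single packet.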