edpr (Posted January 28, 2014)

Would a setup like this work in theory?

Original setup: [LAN]-[GATEWAY]

Hack setup: [LAN]-[THROWINGSTAR]-[GATEWAY] with [THROWINGSTAR]-[PINEAPPLE]

Where...

- The Pineapple has Apache, listening to *:80
- .htaccess ports all requests to dump.php
- dump.php script captures all $_REQUEST (this includes _POST of course) and dumps them in a textfile

Will this do what it's supposed to do; get a dump of all outgoing http requests to any host (~browser url bar content including form submissions)?

digininja (Posted January 28, 2014)

No. The tap is a passive device which will give you a copy of all the network traffic but you can't interact with it. You can't complete TCP handshakes so tools that interact with traffic, such as Apache, won't work.

What you need is to bring the two feeds together into a bridged interface then run something to extract HTTP traffic and pull out the information you want. There are tools which will do this but I can't remember any names off the top of my head.

edpr (Posted January 28, 2014)

I'd rather not bridge and stay with my original hw setup. Is it safe to assume tcpdump trimmed down to :80 will eventually get what I want (be it with post processing in wireshark of course)?

digininja (Posted January 28, 2014)

I think you didn't understand the bridge comment, you bridge the two interfaces that come out of the tap to give you a single feed, otherwise you see two interfaces, one going one direction and one the other.

Capturing traffic with tcpdump and a filter will get you the pcap which you can then post-process.

edpr (Posted January 28, 2014)

I do understand the bridging concept, but I'd rather stay working with 1 cable and 1 physical interface if possible. I don't need anything from the destination server, I only need the outgoing http requests from the source client. I'm interested in the visited urls and the form post from the browser. I'm not interested in the stuff the webserver returns.

Therefore I thought that my initial apache setup would have done the trick. If Apache needs to do some handshaking before accepting a request, of course that path won't work.

digininja (Posted January 28, 2014)

Fair enough, just tap the outgoing line and do a packet capture. You'll probably be able to just run strings on the pcap to extract visited URLs.
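
As an added illustration of the capture-then-post-process approach discussed in this thread (not code from any poster): a Python example that walks a classic pcap file and lists the method and URL of each HTTP request sent to TCP port 80, which is more precise than running strings over the file. It assumes Ethernet framing, IPv4, and request headers that fit in one segment (no TCP reassembly); the sample capture and the names `parse_frame`, `http_requests` and `SAMPLE` are constructed for the example.

```python
import struct
METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}

def parse_frame(frame):
    """Return (method, url) if this Ethernet frame starts an HTTP request to TCP/80."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":        # IPv4 over Ethernet only
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]  # IP total length trims padding
    if len(ip) < 40 or ip[9] != 6:                            # too short, or not TCP
        return None
    tcp = ip[(ip[0] & 0x0F) * 4:]                             # skip IP header (IHL words)
    if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != 80:
        return None
    lines = tcp[(tcp[12] >> 4) * 4:].split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return None                                           # not the start of a request
    host = next((l[5:].strip() for l in lines[1:] if l[:5].lower() == b"host:"), b"?")
    return parts[0].decode(), "http://" + (host + parts[1]).decode("latin-1")

def http_requests(pcap):
    """Walk a classic (non-pcapng) capture file and list the HTTP requests in it."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    found, off = [], 24                                       # records follow 24-byte header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        found.append(parse_frame(pcap[off + 16:off + 16 + incl_len]))
        off += 16 + incl_len
    return [r for r in found if r]

# Constructed sample data: frames built by hand, checksums left at zero.
def _frame(dport, payload):
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return b"\x02" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE = _pcap([
    _frame(80, b""),                                          # bare ACK, no payload
    _frame(80, b"GET /index.html?q=tap HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _frame(80, b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=test"),
    _frame(443, b"\x16\x03\x01"),                             # not port 80, ignored
])
```

To run it on a real capture, pass the file's bytes to `http_requests`; pcapng files need converting to classic pcap first.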