Wednesday, January 23, 2008

Sniffing for passwords

Download and install Cain and Abel. (If you have nmap or Wireshark installed, you probably won't have to install WinPcap, which comes with the installation.)

Run the program.

Make sure the Sniffer tab is selected at the top and the Hosts tab is selected at the bottom. Make sure the sniffer is on; it is the green circuit board button in the top left corner. Right-click in the white space and click on "Scan MAC Addresses". This does an ARP scan (different from an IP scan). It will show everyone on your network except for you.

Now switch to the ARP poisoning tab: APR, the bottom tab next to Hosts. Click the + icon at the top of the menu. This will give you a choice of IP addresses to poison. The most interesting traffic is going to be between the default gateway (which you can find by typing ipconfig in the command prompt) and the other users on the network. Select the default gateway on the left and all the other users on the right. **Optional fun:** Now, if computers are sharing files, to snag their passwords you need to select all the IPs to all the IPs; you have to do this one IP at a time on the left.

If it is a large network, you are going to want to monitor the resources on your computer to make sure you aren't hitting 100% processor consumption or maxing out your RAM. If this happens, it will effectively DoS the network and people will start losing connections, which is no good for password sniffing.

So now is the hard part: wait. Wait for people to log on to forums and MySpace and all those great sites, and wait for them to get into their VPNs and telnet sessions and such. One thing you can do while you wait is periodically check your internet connection to make sure you haven't DoSed the network. OK, so now time for the boon: click on the Passwords tab at the bottom and see how many passwords you have racked up. If they are encrypted, right-click on them and send them to the cracker built into Cain and Abel.


On networks with a hub you don't have to ARP poison, but most modern networks are switched. So what is actually happening when you do this is that your computer answers every ARP query as though it is the computer the packet is destined for. So your computer has all data from the network sent to it. It then routes the packets to the correct computer (it doesn't really route, because that would be a layer three thing; it would be more correct to say it sends them).

Cain has a bunch of prebuilt lists of stuff to look for. Sometimes Cain doesn't catch all the passwords because of tricky web developers, so if you have time you could run Wireshark at the same time and manually comb through that data yourself. Etherflood is another program that will ARP poison on a Windows network. And if you're a Linux guy, there is the dsniff package, which includes an ARP spoofing tool.
