Monday, April 7, 2008

Viewing AIM conversations on the same network

You will need two programs for this: Cain (http://oxid.it) and Wireshark (http://www.wireshark.org/). If you have trouble installing either one, you may need to uninstall and reinstall WinPcap (a program they both come with), and you need to be an administrator. For any other troubleshooting questions, look on the Wireshark or oxid website or in the help files. You will have to be on the same network. You will want to ARP poison the network; you can be discreet and ARP poison just the person that you want and the default gateway, or you can do the whole network.
Make sure the sniffer tab is selected at the top and the hosts tab is selected at the bottom. Make sure the sniffer is on; it is the green circuit board button in the top left corner. Alternate click in the white space and click on scan MAC addresses. This does an ARP scan (different from an IP scan). It will show everyone on your network except for you.

Now switch to the ARP poisoning tab: APR, the bottom tab next to hosts. Click the + icon at the top of the menu. This will give you a choice of IP addresses to poison. The most interesting traffic is going to be between the default gateway (which you can find by typing ipconfig in the command prompt) and the other users on the network. Here is where you choose to either do the entire network or just your user. After the ARP poisoning starts, open Wireshark and choose the wireless interface.

In the filter, type aim and hit enter. It will now only show AIM packets; they are kind of difficult to read if you aren't used to them. So when you see a packet that is for sure a screen name or a bit of conversation, right click on it and choose "Follow TCP stream". You will get something like this.
http://flickr.com/photos/bsdpunkblog/2396913514/

*.....*....H.........28475734...
Relatively 42....................This is a test....*..q.".........28475734...
Relatively 42*..r.$........Ej..........
Relatively 42..*..s.r........[.5253879...
Relatively 42..............C...............r.......W....G.of....................fail.........*..t.$........\5..........
Relatively 42..*.....*.....


Obviously this is a little garbled, but you can clearly see that I told Relativity 42, this is a test, and he responded back with, fail. He has a sense of humour I suppose.
