10 replies to this topic

[thepcdude]

Let's say you get on a router physically, you can ARP spoof the net and grab passwords, and any other info. But let's say you're doing this on a WiFi network. You can still ARP-Spoof on it, but I have a question. Can you simply set your card in "monitor" mode and then just start sniffing out of the air? Then later you can run the capture file through some software that can decrypt it, given you have the password, and then seperate the packets from what specific router they were on, and then just pluck out the passwords from there? Or just make it simpler and actually connect to the WiFi zone, but sniff all the packets being transferred on it. That way, it's completely untraceable, unlike ARP-spoofing the whole network.

[WhatChout]

You lack some understanding of WiFi.
Since WiFi is Wireless, you can put your card into promiscuous mode and just see all the traffic, since it's radio waves.

Then later you can run the capture file through some software that can decrypt it, given you have the password, and then seperate the packets from what specific router they were on, and then just pluck out the passwords from there?

Here you seem to have some misconceptions again. If the traffic is unencrypted, then you have just packets. If the traffic is encrypted, then you have to know the key and then you use it as if you were connected to any other network and sniff the traffic in the same way, with the decryption being done on the fly. I really have no idea what you mean by "separate the packets from what specific router they were on", or "pluck the passwords from there"? The router question makes no sense and I don't know what passwords you're talking about.

Or just make it simpler and actually connect to the WiFi zone, but sniff all the packets being transferred on it. That way, it's completely untraceable, unlike ARP-spoofing the whole network.

Only by asking for a DHCP lease you do actually leave traces.

[thepcdude]

Ok, thanks, and let me explain myself a little more. You answered my question about the sniffing of packets, but technically, won't it sniff all the packets from all the SSIDs around you? That's a shitload of crap I don't need. And what I meant by the software is that, let's say I don't know the key yet, and I come back home with a huge .cap file with encrypted data. Can I run it through something (with the key of course) to output a .cap full of meaningful data?

[WhatChout]

Most sniffing software (like Wireshark) will allow you to only capture packets that interest you, like ones transmitted to or from a specific MAC address.

[Cryptik Hex]

If you're talking about .cap files then I suggest you use aircrack. But maybe thats not what you mean, because aircrack only works for decrypting a WEP key from a capture file. Do you mean setting up a sniffer without being connected to any network and simply sniffing out of the air from all surrounding AP's? While this can be done (kinda), the point of ARP poisoning is so that all traffic is run through you first, and that's how you capture passwords and other info. I may be wrong about this though, because without being connected to any network, you only see outgoing traffic, and that's usually where passwords are.

Anyway, I am not too sure what your idea is, but I'll tell you this: Just connect to an AP, ARP poison, and then start a sniffer (best for password capturing is ettercap). To make sure that their is actually traffic, I suggest you use something like kismet or airodump to check the data flow.

[thepcdude]

Yes, that is essentially what I do. But the point is that I do not want to ARP spoof. Good system admins can see when their network is being ARP spoofed. Thus, sniffing the radio waves right out of the air would be the thing for me. Ah! Wireshark can filter the stuff out. I should have thought of that *face palms self* Thanks WhatChout.

Edited by thepcdude, 08 March 2009 - 06:40 PM.

[phr34kc0der]

The problem with arp poisoning is that it leaves traces. Sometimes it's better to just capture everything passively (such as open networks at a train station and such) however the only problem with this is that packets cannot be modified so tools such as sslstrip wont work.

[thepcdude]

The problem with arp poisoning is that it leaves traces. Sometimes it's better to just capture everything passively (such as open networks at a train station and such) however the only problem with this is that packets cannot be modified so tools such as sslstrip wont work.

Exactly!

[TheFunk]

Yes, that is essentially what I do. But the point is that I do not want to ARP spoof. Good system admins can see when their network is being ARP spoofed. Thus, sniffing the radio waves right out of the air would be the thing for me.

Where do you find these good admins? Cuz there certainly aren't any in my town, especially at my local library, high school, etc. Besides so long as your not attempting to steal credit card numbers and do stupid stuff like that I'd say you've got nothing to worry about...well almost nothing anyway.

[Ohm]

Yes, that is essentially what I do. But the point is that I do not want to ARP spoof. Good system admins can see when their network is being ARP spoofed. Thus, sniffing the radio waves right out of the air would be the thing for me.

Where do you find these good admins? Cuz there certainly aren't any in my town, especially at my local library, high school, etc. Besides so long as your not attempting to steal credit card numbers and do stupid stuff like that I'd say you've got nothing to worry about...well almost nothing anyway.

An IDS can pick that up no problem. But that all depends on who's monitoring the IDS and what they're doing about it.

[phr34kc0der]

Maybe the admins wouldnt notice, but i'd be more worried about other hackers (but saying that, you'd hope other hackers wouldnt do anything secure over and unsecured network)

Edited by phr34kc0der, 08 March 2009 - 09:06 PM.