Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Keep The TechnoWorldInc.com Community Clean: Read Guidelines Here.
Recent Updates
Three-year-olds groomed o...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
How robots are taking ove...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
Australia PM calls Elon M...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
US Senate passes bill tha...
by Saniya Abraham
[April 24, 2024, 11:48:22 AM]
Google to delete records ...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
UK and US sign landmark d...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Will Truth Social solve T...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Billie Eilish and Nicki M...
by Saniya Abraham
[April 03, 2024, 06:11:00 PM]
Musk attacks 'dumb eco-te...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Bitcoin price briefly top...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Facebook and Instagram re...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
iPhone China sales slide ...
by Saniya Abraham
[March 06, 2024, 02:45:27 PM]
Three apologises again as...
by Saniya Abraham
[February 14, 2024, 02:00:39 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Ethical Hacking / Security / Viruses
 Obtain Passwords
Pages: [1]   Go Down
  Print  
Author Topic: Obtain Passwords  (Read 1567 times)
Mark David
Administrator
Super Elite Member
*****



Karma: 185
Offline Offline

Posts: 1624

!!!Techno King!!!

fabulous_designer
View Profile WWW
Obtain Passwords
« Posted: January 04, 2007, 11:01:35 PM »

Obtaining other peoples passwords can sometimes be extremely difficult, but with the tools available today... it is usually trivial. This paper will cover various tools and techniques for getting those passwords. While passwords can be obtained by brute force using software such as L0phtcrack, John the Ripper, Guess, Merlin, etc. this paper documents a less intrusive style of obtaining passwords.



Introduction:

Obtaining other peoples passwords can sometimes be extremely difficult, but with the tools available today... it is usually trivial. This paper will cover various tools and techniques for getting those passwords. While passwords can be obtained by brute force using software such as L0phtcrack, John the Ripper, Guess, Merlin, etc. this paper documents a less intrusive style of obtaining passwords. The reason for this paper is not to teach script-kiddies how to obtain the passwords of others, but to teach network admin just how insecure a network can be...




Disclaimer:

The standard disclaimer applies. You do what you will and I am not responsible. If you can read this, you obviously have some form of intellect, and as such; your actions are controlled by you. Not me. This document was written under the influence of many many Corona's (with lime), as such, please do not flame me for not covering enough details, poor grammar, etc.



Concepts:

This paper mainly deals with the Data-Link layer of the OSI Model.



Data-Link Important terms and information:

MAC address (Hardware address): a 48-bit number which is supposed to be unique to each network adapter (ex. John's 3com network adapter does not have the same MAC address as Dave's 3com adapter).

Note: In Linux, you can change your adapters MAC address with the ifconfig hw class address command.

ARP (Address Resolution Protocol): Ethernet IP uses ARP to locate the hardware address of a given IP address (RFC 826). For example, a router would use an ARP request to determine the MAC address of a host with the IP address of 69.69.69.69. This would be a broadcast (sent to all hosts on the network) and only the NIC with the IP address of 69.69.69.69 would respond by sending an ARP reply to the aforementioned router. The router would then pass all traffic destined to 69.69.69.69 to that MAC address.

Example:

Router- "Who is 69.69.69.69?"

69.69.69.69 Host- "That would be me and my hardware (MAC) address is 00:XX:DB:27:XX:10"

Router- "Ok. I will add you to my ARP table and send all traffic destined to 69.69.69.69 to MAC address 00:XX:DB:27:XX:10"



ARP Table/cache: Internal database containing IP address to MAC address mappings (dynamic or static).
To view ARP tables, enter the following commands:

Cisco IOS: show arp

Linux: arp

Windows: arp -a



Switch: Works at the data-link layer (layer 2). Switches listen to network traffic and learn which MAC address/addresses reside off which ports, the switch then adds the entries to its ARP table. If a switch does not have the MAC address in it's ARP table, it will send the traffic (frame) to all ports (ie. broadcast).



Network Layer Important Terms and Information:

IP address: I'm going to assume you know what it is.



Important General terms and Information:

Man-in-the-middle (MiM): When a third-party or host relays or observes information not intended for it. By placing a computer in between communication endpoints, we see all data that passes between those endpoints. This is useful for not only observing and relaying traffic, but also for injecting commands or information into the communication channel, and for session hijacking. For example, if I installed a proxy server on a network and configured every client web browser to direct HTTP traffic to me, I could observe you trading on-line and get your username and password, etc. I may also be able to wait for you to log in and then steal that connection from you and sell off your Cisco stock to buy shares of netflood.net

While that's not likely because your not going to allow me to come in and set up a proxy server on your network and because netflood isn't a publicly traded company, all it takes is someone with the correct tools to logically (if not physically) do that on your network. This is referred to as a man-in-the-middle attack.



Details:

There are numerous man-in-the-middle attack tools, this article will only focus on tools capable of ARP spoofing/poisoning with the sole intention of obtaining passwords. ARP spoofing/poisoning is the act of pretending to be someone else by falsely sending non-requested ARP replies or by answering ARP requests regardless of what host (IP address) the communication is intended for, strictly for observing or relaying* the data that passes between the two hosts. ARP is stateless (or unreliable). It doesn't matter if a host sent an ARP request or not, it will usually accept your reply ARP (with the bogus information) regardless. ARP spoofing/poisoning can only be done on local area networks (even switched LAN's). Obviously you cannot spoof a MAC address of a host on a different network because that traffic would never be routed to you.

Note: ARP requests/replies, RARP requests/replies, etc are simply indicators in the Operation portion of an ARP packet, all we need to spoof MAC addresses is a tool which can modify the Operation portion. 1 = ARP Request, 2 = ARP Reply, 4 = RARP Request, etc.

* make sure you are forwarding the traffic if you are going to spoof the gateway. Otherwise you could hose your entire network segment (subnet).



The Tools:



Ettercap (v0.4.3) -download RPM here or TAR

An Excellent tool for sniffing networks (and password discovery). Collects passwords for the following protocols: TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC (other protocols coming soon...).


That means that if I am on a non-switched network and I have ettercap installed, I will get almost every password from every user on my segment (network), including MS share passwords.. A scary proposition for administrators with Linux/*BSD boxes on their network. If I am on a switched network I can poison the switch's ARP table, so that I will receive all traffic destined for the victim.



Using Ettercap:

Ettercap is relatively easy to use, in fact; I don't know how they could have made it any easier.



Synopsis:

ettercap [Option] [host:port] [host:port] [MAC] [MAC]

See man page for available options/variables



#ettercap - If you just start ettercap with no variables (options), ettercap will build a list of all hosts on your network via an ARP storm.



Choose a source and destination.



You will then be able to select the following options by typing the h key:

ARP poison for man-in-the-middle attack

IP based sniffing for sniffing traffic between IP addresses

MAC based sniffing for sniffing traffic between hardware addresses

Run a plugin to enhance ettercap functionality

check for other (ARP) Poisoner

Fingerprint an OS which is actually pretty powerful and usually correct.



Running ettercap with variables/options such as -za will cause ettercap to start in silent mode (no ARP storms) = z, ARP sniff = a and allow you to perform MiM attacks, sniffing through gateways and switches.



Dsniff: Download RPM here or Tar

Written by Dug Song

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active "monkey-in-the-middle attacks" against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.



As mentioned in a previous netflood article:

dsniff -w Filename.txt will write all sniffed passwords to Filename.txt

dsniff -r Filename.txt will read the file and list sniffed passwords



To arp poison, after installing dsniff:

#arpspoof -i [interface] -t [target] host

Choose interface, if necessary. Choose target, for example if I wanted to poison the ARP table on just the switch I would enter the IP address of the switch using the -t variable (it's my target). If I do not use the -t variable, I will attempt to poison all hosts on the LAN. The host is whose traffic you want to see.



Detecting ARP spoofing/poisoning:

Use the Ettercap "Detect Poisoner" option



Use Arpwatch:

Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch requires tcpdump and libpcap. Includes FDDI support, updated ethercodes, uses autoconf.



RARP a MAC address and watch for a return of multiple IP addresses.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Powered by SMF 1.1.4 | SMF © 2006-2007, Simple Machines LLC
Seo4Smf v0.2 © Webmaster's Talks
Page created in 0.103 seconds with 23 queries.