Wednesday 14 December 2011

Sniff switched network with ettercap-ng for windows

Hi all,
a quick guide about one (there are others) way to sniff network traffic in a switched LAN.

The environment is:

PCA
PCB
monitoring-PC (OS: Windows XP, 2 NICs installed)

My monitoring PC is a laptop with only 1 NIC, so I used a D-Link external USB NIC (model: DUB-E100) as the second NIC.

PCA is connecting to PCB

On your "monitoring-PC" you want to see (sniff) the traffic between A and B, but you cannot install anything on them and they are connected through a switch.

The problem is that in a switched environment you usually cannot sniff packets the way you can with a hub.
If you have a hub you can connect it in the middle; if you have a way to set up a monitoring (mirror) port on the switch, that works too; otherwise it's a problem.

You could ARP-poison the devices and then sniff (or do MAC flooding to put the switch into a fail-open state), but in my experience this can be dangerous sometimes and it often doesn't work very well.

SOLUTION


A solution I found today is to use ETTERCAP-NG for Windows.
Install it on your monitoring PC with its 2 network cards, configure it for "bridged sniffing" and then run a sniffer like Wireshark.
You simply need to disconnect A or B and put your monitoring PC in the middle using the 2 NICs.

example:

A--- (nic1)monitoringPC(nic2) ---- switch ----B
or

A--- switch ---(nic1)monitoringPC(nic2) ------B
or
...etc. (swap nic1 and nic2)


This way the monitoringPC acts as a bridge and the packets between A and B are visible on it.



ETTERCAP-NG
http://sourceforge.net/projects/ettercap/files/
open "unofficial binaries", then "windows", then download "ettercap-NG-0.7.3-win32.exe"

WIRESHARK
http://www.wireshark.org/


INSTRUCTIONS (on the monitoring PC with 2 NICs installed, in my case running XP)

Download and install Ettercap-NG, then download and install Wireshark.

Start Ettercap-NG.
From the "Sniff" menu select "Bridged sniff".



Then, from the window that appears, select the NICs to be used to create the bridge.



Now from the "Start" menu select "Start sniffing".


Now you can open Wireshark (or another sniffing tool) to see the traffic.



The red arrows indicate what I changed from the defaults.
It is important to select "promiscuous", otherwise you won't see all the packets, since they are not addressed to you (the monitoring PC); then I changed the NIC to the USB one (but the other is fine too).
I unflagged "Automatic scrolling" because I prefer it this way, but this is up to you.

That's all; at this point you should see all the packets between the 2 machines.
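As an added check (example code written for this post, not from Ettercap or Wireshark): save the Wireshark capture as a classic pcap and run the parser below over it. It counts frames per source/destination MAC pair and reports how many unicast frames were not addressed to the monitoring NIC, which is exactly what the "promiscuous" setting above controls; if that number is zero, either promiscuous mode is off or the bridge is not in the path. The MAC addresses and the embedded sample capture are constructed for the example.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed MAC addresses for this example (not from the post).
MAC_A = "00:11:22:33:44:0a"
MAC_B = "00:11:22:33:44:0b"
MAC_MONITOR = "00:11:22:33:44:cc"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)

def ethernet_pairs(pcap: bytes) -> Counter:
    """Count frames per (src_mac, dst_mac) in a classic pcap file image."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("capture is not Ethernet")
    pairs = Counter()
    off = 24                                  # global header is 24 bytes
    while off + 16 <= len(pcap):              # each record has a 16-byte header
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) >= 14:                  # dst(6) src(6) ethertype(2)
            pairs[(mac_str(frame[6:12]), mac_str(frame[0:6]))] += 1
    return pairs

def frames_not_for_monitor(pairs: Counter, monitor_mac: str) -> int:
    """Unicast frames addressed to neither the monitor NIC nor broadcast.
    Only a promiscuous capture on an in-path bridge sees these."""
    return sum(n for (_, dst), n in pairs.items()
               if dst not in (monitor_mac, BROADCAST))

def build_sample_pcap() -> bytes:
    """Constructed capture: A->B twice, B->A once, plus an ARP broadcast from A."""
    def frame(src, dst, ethertype, payload):
        raw = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
        raw += struct.pack(">H", ethertype) + payload
        return struct.pack("<IIII", 0, 0, len(raw), len(raw)) + raw
    body = (frame(MAC_A, MAC_B, 0x0800, b"\x45" * 20)
            + frame(MAC_B, MAC_A, 0x0800, b"\x45" * 20)
            + frame(MAC_A, MAC_B, 0x0800, b"\x45" * 20)
            + frame(MAC_A, BROADCAST, 0x0806, b"\x00" * 28))
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + body
```

To check a real capture, read the .pcap file into bytes and pass it to ethernet_pairs(); both (A, B) and (B, A) should have non-zero counts.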

bye
Digger

