Results 1 to 1 of 1

Your favorite Apple, iPhone, iPad, iOS, Jailbreak, and Cydia site.


Thread: Toolchain on OS3.0 / Ettercap - iPhone advanced network sniffing

  1. #1
    Wink Toolchain on OS3.0 / Ettercap - iPhone advanced network sniffing
    Hello!

    Ettercap was running on OS2.2.1, you can find this information on some sites in the web. But I was not able to compile it. Has someone successfully compiled it? Who is interested to find this great tool in Cydia?

    Ettercap O
    http://www.mirrorservice.org/sites/f...G-0.7.3.tar.gz

    [ame=http://www.youtube.com/watch?v=9nJqb-zd3gM]YouTube - IEFD Ep. 20 - Ettercap - Part 1 of 6[/ame]

    Ettercap is a great and useful network tool. Ettercap is basically a suite of tools for sophisticated man in the middle attacks on LAN, VLAN, and WIFI-networks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones like SSL, SSH, and TLS) and includes many feature for network and host analysis.
    ---

    Toolchain on OS3.0
    I've successfully installed the com.bigboss.20toolchain on OS3.0 via Cydia. The solution was to install the following libgcc .deb file first:
    Search - iPod Touch ?????? ????????!

    Well, here we are now:

    iPhone:/private/var/root/ettercap-NG-0.7.3 root# CPP="/usr/bin/cpp" ./configure --host=arm-apple-darwin
    configure: WARNING: If you wanted to set the --build type, don't use --host.
    If a cross compiler is detected then cross compile mode will be used.
    checking whether to enable maintainer-specific portions of Makefiles... no

    Configuring ettercap NG-0.7.3...

    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether build environment is sane... yes
    checking for gawk... gawk
    checking whether make sets $(MAKE)... yes
    checking for arm-apple-darwin-strip... no
    checking for strip... strip
    checking build system type... arm-apple-darwin10.0.0d3
    checking host system type... arm-apple-darwin
    checking for arm-apple-darwin-gcc... arm-apple-darwin-gcc
    checking for C compiler default output file name... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... yes
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether arm-apple-darwin-gcc accepts -g... yes
    checking for arm-apple-darwin-gcc option to accept ANSI C... none needed
    checking for style of include used by make... GNU
    checking dependency style of arm-apple-darwin-gcc... gcc3
    checking for arm-apple-darwin-gcc... (cached) arm-apple-darwin-gcc
    checking whether we are using the GNU C compiler... (cached) yes
    checking whether arm-apple-darwin-gcc accepts -g... (cached) yes
    checking for arm-apple-darwin-gcc option to accept ANSI C... (cached) none needed
    checking dependency style of arm-apple-darwin-gcc... (cached) gcc3
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether make sets $(MAKE)... (cached) yes
    checking how to run the C preprocessor... /usr/bin/cpp
    configure: error: C preprocessor "/usr/bin/cpp" fails sanity check
    See `config.log' for more details.
    iPhone:/private/var/root/ettercap-NG-0.7.3 root#
    Functions...........

    .SH DESCRIPTION
    Ettercap(8) supports loadable modules at runtime. They are called plugins and
    they come within the source tarball. They are automatically compiled if your
    system supports them or until you specify the --disable-plugins option to the
    configure script.
    .br
    Some of older ettercap plugins (roper, banshee, and so on) have not been ported
    in the new version.
    By the way, you can achieve the same results by using new filtering engine.
    .br
    If you use interactive mode, most plugins need to "Start Sniff" before using them.

    .TP
    To have a list of plugins installed in your system do that command:
    .Sp
    .I ettercap -P list

    .LP
    .LP
    The following is a list of available plugins:

    .TP
    .B arp_cop
    .Sp
    It reports suspicious ARP activity by passively monitoring ARP requests/replies.
    It can report ARP posioning attempts, or simple IP-conflicts or IP-changes.
    If you build the initial host list the plugin will run more accurately.
    .Sp
    .I example :
    .Sp
    ettercap -TQP arp_cop //


    .TP
    .B autoadd
    .Sp
    It will automatically add new victims to the ARP poisoning mitm attack when
    they come up. It looks for ARP requests on the lan and when detected it will
    add the host to the victims list if it was specified in the TARGET. The host is
    added when an arp request is seen form it, since communicating hosts are alive


    .TP
    .B chk_poison
    .Sp
    It performs a check to see if the arp poisoning module of ettercap was successful.
    It sends spoofed ICMP echo packets to all the victims of the poisoning
    pretending to be each of the other targets. If we can catch an ICMP reply with
    our MAC address as destination it means that the poisoning between those
    two targets is successful. It checks both ways of each communication.
    This plugin makes sense only where poisoning makes sense.
    The test fails if you specify only one target in silent mode.
    You can't run this plugin from command line because the poisoning process
    is not started yet. You have to launch it from the proper menu.


    .TP
    .B dns_spoof
    .Sp
    This plugin intercepts DNS query and reply with a spoofed answer. You can chose
    to which address the plugin has to reply by modifying the etter.dns file. The
    plugin intercepts A, PTR and MX request. If it was an A request, the name is
    searched in the file and the ip address is returned (you can use wildcards in
    the name). If if was a PTR request, the ip is searched in the file and the name
    is returned (except for those name containing a wildcard). In case of MX
    request a special reply is crafted. The host is resolved with a fake host 'mail.host'
    and the additional record contains the ip address of 'mail.host'. The first address
    or name that matches is returned, so be careful with the order.

    .TP
    .B dos_attack
    .Sp
    This plugin runs a d.o.s. attack against a victim IP address. It first "scans"
    the victim to find open ports, then starts to flood these ports with SYN
    packets, using a "phantom" address as source IP. Then it uses fake ARP replies
    to intercept packets for the phantom host. When it receives SYN-ACK from the
    victim, it replies with an ACK packet creating an ESTABLISHED connection.
    You have to use a free IP address in your subnet to create the "phantom" host
    (you can use find_ip for this purpose).
    You can't run this plugin in unoffensive mode.
    .br
    This plugin is based on the original Naptha DoS attack
    (http://razor.bindview.com/publish/ad...dv_NAPTHA.html)
    .Sp
    .I example :
    .Sp
    ettercap -TQP dos_attack

    .TP
    .B dummy
    .Sp
    Only a template to demonstrate how to write a plugin.


    .TP
    .B find_conn
    .Sp
    Very simple plugin that listens for ARP requests to show you all the targets an host
    wants to talk to. It can also help you finding addresses in an unknown LAN.
    .Sp
    .I example :
    .Sp
    ettercap -TQzP find_conn
    .Sp
    ettercap -TQu -i eth0 -P find_conn


    .TP
    .B find_ettercap
    .Sp
    Try to identify ettercap packets sent on the LAN. It could be useful to detect
    if someone is using ettercap. Do not rely on it 100% since the tests are only
    on particular sequence/identification numbers.


    .TP
    .B find_ip
    .Sp
    Find the first unused IP address in the range specified by the user in the target
    list. Some other plugins (such as gre_relay) need an unused IP address of the
    LAN to create a "fake" host.
    It can also be useful to obtain an IP address in an unknown LAN where there is
    no dhcp server. You can use find_conn to determine the IP addressing of the LAN,
    and then find_ip.
    You have to build host list to use this plugin so you can't use it in unoffensive
    mode. If you don't have an IP address for your interface, give it a bogus one
    (e.g. if the LAN is 192.168.0.0/24, use 10.0.0.1 to avoid conflicting IP), then
    launch this plugin specifying the subnet range.
    You can run it either from the command line or from the proper menu.
    .Sp
    .I example :
    .Sp
    ettercap -TQP find_ip //
    .Sp
    ettercap -TQP find_ip /192.168.0.1-254/


    .TP
    .B finger
    .Sp
    Uses the passive fingerprint capabilities to fingerprint a remote host. It
    does a connect() to the remote host to force the kernel to reply
    to the SYN with a SYN+ACK packet. The reply will be collected and the
    fingerprint is displayed. The connect() obey to the connect_timeout parameter
    in etter.conf(5). You can specify a target on command-line or let the plugin ask
    the target host to be fingerprinted. You can also specify multiple target with
    the usual multi-target specification (see ettercap(8)). if you specify multiple
    ports, all the ports will be tested on all the IPs.
    .Sp
    .I example :
    .Sp
    ettercap -TzP finger /192.168.0.1/22
    .br
    ettercap -TzP finger /192.168.0.1-50/22,23,25


    .TP
    .B finger_submit
    .Sp
    Use this plugin to submit a fingerprint to the ettercap website. If you found
    an unknown fingerprint, but you know for sure the operating system of the
    target, you can submit it so it will be inserted in the database in the next
    ettercap release. We need your help to increase the passive fingerprint
    database. Thank you very much.
    .Sp
    .I example :
    .Sp
    ettercap -TzP finger_submit

    .TP
    .B gre_relay
    .Sp
    This plugin can be used to sniff GRE-redirected remote traffic.
    The basic idea is to create a GRE tunnel that sends all the traffic on a router
    interface to the ettercap machine. The plugin will send back the GRE packets
    to the router, after ettercap "manipulation" (you can use "active" plugins
    such as smb_down, ssh decryption, filters, etc... on redirected traffic)
    It needs a "fake" host where the traffic has to be redirected to (to avoid
    kernel's responses). The "fake" IP will be the tunnel endpoint.
    Gre_relay plugin will impersonate the "fake" host.
    To find an unused IP address for the "fake" host you can use find_ip plugin.
    Based on the original Tunnelx technique by Anthony C. Zboralski published
    in http://www.phrack.org/show.php?p=56&a=10 by HERT.

    .TP
    .B gw_discover
    .Sp
    This plugin try to discover the gateway of the lan by sending TCP SYN packets
    to a remote host. The packet has the destination IP of a remote host and the
    destination mac address of a local host. If ettercap receives the SYN+ACK
    packet, the host which own the source mac address of the reply is the gatway.
    This operation is repeated for each host in the 'host list', so you need to
    have a valid host list before launching this plugin.
    .Sp
    .I example :
    .Sp
    ettercap -TP gw_discover /192.168.0.1-50/

    .TP
    .B isolate
    .Sp
    The isolate plugin will isolate an host form the LAN. It will poison the
    victim's arp cache with its own mac address associated with all the host it
    tries to contact. This way the host will not be able to contact other hosts
    because the packet will never reach the wire.
    .br
    You can specify all the host or only a group. the targets
    specification work this way: the target1 is the victim and must be a single
    host, the target2 can be a range of addresses and represent the hosts that will
    be blocked to the victim.
    .Sp
    .I examples :
    .Sp
    ettercap -TzqP isolate /192.168.0.1/ //
    .br
    ettercap -TP isolate /192.168.0.1/ /192.168.0.2-30/


    .TP
    .B link_type
    .Sp
    It performs a check of the link type (hub or switch) by sending a spoofed ARP
    request and listening for replies. It needs at least one entry in the host
    list to perform the check. With two or more hosts the test will be more
    accurate.
    .Sp
    .I example :
    .Sp
    ettercap -TQP link_type /192.168.0.1/
    .br
    ettercap -TQP link_type //

    .TP
    .B pptp_chapms1
    .Sp
    It forces the pptp tunnel to negotiate MS-CHAPv1 authentication instead of
    MS-CHAPv2, that is usually easier to crack (for example with LC4).
    You have to be in the "middle" of the connection to use it successfully.
    It hooks the ppp dissector, so you have to keep them active.

    .TP
    .B pptp_clear
    .Sp
    Forces no compression/encryption for pptp tunnels during negotiation.
    It could fail if client (or the server) is configured to hang off the tunnel
    if no encryption is negotiated.
    You have to be in the "middle" of the connection to use it successfully.
    It hooks the ppp dissector, so you have to keep them active.

    .TP
    .B pptp_pap
    .Sp
    It forces the pptp tunnel to negotiate PAP (cleartext) authentication.
    It could fail if PAP is not supported, if pap_secret file is missing,
    or in case windows is configured with "authomatic use of domain
    account". (It could fail for many other reasons too).
    You have to be in the "middle" of the connection to use it successfully.
    It hooks the ppp dissector, so you have to keep them active.

    .TP
    .B pptp_reneg
    .Sp
    Forces re-negotiation on an existing pptp tunnel.
    You can force re-negotiation for grabbing passwords already sent.
    Furthermore you can launch it to use pptp_pap, pptp_chapms1 or pptp_clear on
    existing tunnels (those plugins work only during negotiation phase).
    You have to be in the "middle" of the connection to use it successfully.
    It hooks the ppp dissector, so you have to keep them active.

    .TP
    .B rand_flood
    .Sp
    Floods the LAN with random MAC addresses. Some switches will fail open in
    repeating mode, facilitating sniffing. The delay between each packet is
    based on the port_steal_send_delay value in etter.conf.
    .br
    It is useful only on ethernet switches.
    .Sp
    .I example :
    .Sp
    ettercap -TP rand_flood


    .TP
    .B remote_browser
    .Sp
    It sends to the browser the URLs sniffed thru HTTP sessions. So you
    are able to see the webpages in real time. The command executed is configurable
    in the etter.conf(5) file. It sends to the browser only the GET requests and
    only for webpages, ignoring single request to images or other amenities.
    Don't use it to view your own connection


    .TP
    .B reply_arp
    .Sp
    Simple arp responder. When it intercepts an arp request for a host
    in the targets' lists, it replies with attacker's MAC address.
    .Sp
    .I example :
    .Sp
    ettercap -TQzP reply_arp /192.168.0.1/
    .br
    ettercap -TQzP reply_arp //

    .TP
    .B repoison_arp
    .Sp
    It solicits poisoning packets after broadcast ARP requests (or replies) from a posioned host.
    For example: we are poisoning Group1 impersonating Host2. If Host2 makes a broadcast
    ARP request for Host3, it is possible that Group1 caches the right MAC address for Host2
    contained in the ARP packet. This plugin re-poisons Group1 cache immediately after a
    legal broadcast ARP request (or reply).
    .br
    This plugin is effective only during an arp-posioning session.
    .br
    In conjuction with reply_arp plugin, repoison_arp is a good support for standard
    arp-poisoning mitm method.
    .Sp
    .I example :
    .Sp
    ettercap -T -M arp:remote -P repoison_arp /192.168.0.10-20/ /192.168.0.1/

    .TP
    .B scan_poisoner
    .Sp
    Check if someone is poisoning between some host in the list and us.
    First of all it checks if two hosts in the list have the same mac address.
    It could mean that one of those is poisoning us pretending to be the other.
    It could generate many false-positives in a proxy-arp environment.
    You have to build hosts list to perform this check.
    After that, it sends icmp echo packets to each host in the list and checks
    if the source mac address of the reply differs from the address we have
    stored in the list for that ip.
    It could mean that someone is poisoning that host pretending to have our ip
    address and forwards intercepted packets to us.
    You can't perform this active test in unoffensive mode.
    .Sp
    .I example :
    .Sp
    ettercap -TQP scan_poisoner //

    .TP
    .B search_promisc
    .Sp
    It tries to find if anyone is sniffing in promisc mode. It sends two different
    kinds of malformed arp request to each target in the host list and waits for
    replies. If a reply arrives from the target host, it's more or
    less probable that this target has the NIC in promisc mode. It could generate false-positives.
    You can launch it either from the command line or from the plugin menu.
    Since it listens for arp replies it is better that you don't use it while sending
    arp request.
    .Sp
    .I example :
    .Sp
    ettercap -TQP search_promisc /192.168.0.1/
    .br
    ettercap -TQP search_promisc //


    .TP
    .B smb_clear
    .Sp
    It forces the client to send smb password in clear-text by mangling protocol
    negotiation. You have to be in the "middle" of the connection to successfully
    use it. It hooks the smb dissector, so you have to keep it active.
    If you use it against a windows client it will probably result in a failure.
    Try it against a *nix smbclient


    .TP
    .B smb_down
    .Sp
    It forces the client to not to use NTLM2 password exchange during smb
    authentication. This way, obtained hashes can be easily cracked by LC4.
    You have to be in the "middle" of the connection to successfully use it.
    It hooks the smb dissector, so you have to keep it active.

    .TP
    .B stp_mangler
    .Sp
    It sends spanning tree BPDUs pretending to be a switch with the highest
    priority. Once in the "root" of the spanning tree, ettercap can receive
    all the "unmanaged" network traffic.
    .br
    It is useful only against a group of switches running STP.
    .br
    If there is another switch with the highest priority, try to manually
    decrease your MAC address before running it.
    .Sp
    .I example :
    .Sp
    ettercap -TP stp_mangler

    .SH "SEE ALSO"
    .I "ettercap(8)"
    .I "ettercap_curses(8)"
    .I "etterlog(8)"
    .I "etterfilter(8)"
    .I "etter.conf(5)"
    .LP

  2. The Following User Says Thank You to s0n1c For This Useful Post:

    lalafel (09-12-2010)

Posting Permissions
  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •