mdbrentlinger Neophyte Poster

Joined: 30 Sep 2002 Posts: 2
Posted: 30 Sep 2002 9:42 pm Post subject: trouble with vnc password sniffing?
Ok, I know someone will burn me and say RTFM, and I did... I apologize if this is totally stupid to ask, but it doesn't seem apparent to me, so I must have missed something somewhere in the dox.
Anyway,
ettercap supposedly captures VNC passwords, i.e.
Password collector for : TELNET, FTP, POP, ... VNC, ...
I have the following setup but cannot for the life of me get it to work..
ip : 10.0.0.1 (vnc client)
mac: aa:aa:aa:aa:aa:aa ---------------|
                                      |
ip : 10.0.0.2 (ettercap)              |
mac: bb:bb:bb:bb:bb:bb ------------- tried both hub & switch
                                      |
ip : 10.0.0.3 (vnc server)            |
mac: cc:cc:cc:cc:cc:cc ---------------|
I can get it to sniff telnet, ftp, pop, smb, but no vnc. I have the following default entry in my etter.conf file under the dissectors section.
VNC=ON # tcp 5900-5905
And based on the etter.conf file, it doesn't appear as though this password sniff requires any ARP spoofing of any type.
When I run it on my Windows, Trinux, or Red Hat machine I get similar results, such as below:
C:\Program Files\ettercap>ettercap.exe -NCzds
ettercap 0.6.7 (c) 2002 ALoR & NaGA
List of available devices :
--> [dev0] - [3Com EtherLink PCI]
--> [dev2] - [3Com 3C90x Ethernet Adapter]
Please select one of the above, which one ? [0]: 0
Your IP: 172.18.2.10 with MAC: 00:B0:D0:7B:DD:15 on Iface: dev0
Press 'h' for help...
Sniffing (IP based): ANY:0 <--> ANY:0
TCP + UDP packets... (default)
Collecting passwords...
15:18:13 172.18.2.10:1600 <--> 172.18.3.100:139 netbios-ssn
USER: blah
PASS:
LC 2.5 FORMAT: "blah":x:blah:blah
15:19:44 172.18.2.10:1605 <--> 172.18.1.10:110 pop3
USER: blah
PASS: pass
What am I doing wrong? What would the proper command line startup be? I'm not even sure I need to ARP spoof, since I haven't seen anywhere specifically that it's needed for VNC... I've read the man and it has an example...
"ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D
Collect password to stdout on a switched LAN. this will poison the two host 192.168.0.1 and 192.168.0.2 each other. "
But that's not all that helpful, especially without a diagram... Are those the IPs and MACs of the 2 hosts? The dest and man in the middle? The src and man in the middle?
Please help, many thanks in advance.
 |
Zero_Chaos Contributor


Joined: 28 Feb 2002 Posts: 1027 Location: N39 30.294' W 84 43.589' (call before you come over)
Posted: 30 Sep 2002 10:14 pm Post subject:
As long as you are on a hub with the VNC client or VNC server, ettercap *should* see and extract the VNC password. If it doesn't, check the ports. You may be using a VNC port outside the specified range. Check your port, and that the VNC isn't being tunneled through SSL or SSH or something, and try again.
-Zero_Chaos
PS> OH yeah, RTFM
www.kismetwireless.net Wardrive the world!
 |
mdbrentlinger Neophyte Poster

Joined: 30 Sep 2002 Posts: 2
Posted: 30 Sep 2002 10:19 pm Post subject:
Good try.. but nope, standard ports. The server listens on 5800, and when I use something like ethereal to sniff or netstat -an, all I see is the connection of my client to the server, i.e...
C:\>netstat -an | grep -i :5
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 172.18.2.10:3995 172.18.1.5:5900 ESTABLISHED
I've tried the vncview client (v3.3.3.3) and IE as a client http://server:5800. I log on successfully to the VNC server easily, but no password capture.
The VNC server is v 3.3.3.9. Would that matter?
All have come from the vnc fast push distribution:
http://www.darkage.co.uk/index.htm
http://www.darkage.co.uk/vnc/downloads.htm
 |
ALoR Wannabe developer

Joined: 20 Mar 2001 Posts: 2930
Posted: 30 Sep 2002 10:48 pm Post subject:
Perhaps the password exchange scheme has changed...
Bye
 |
Guest
Posted: 30 Sep 2002 11:44 pm Post subject:
Perhaps. Do the dox say anywhere what the last known supported VNC version is? I haven't seen anything on that topic in my searches.
Forgive me if I'm just blind.
 |
NaGA Ettercap Developer

Joined: 21 Mar 2001 Posts: 1815 Location: Milan, Italy
Posted: 01 Oct 2002 11:36 am Post subject:
Updated!
Soon in the CVS.
Thanks for reporting.