Hello guys and welcome to this video tutorial about sniffing.
If you find anything helpful or funny in this post, will you please leave a like? You will feel great helping other people find it.
Hacker Sniffing Tutorial! Netsniff-ng Commands and Ettercap Wireshark for Poisoning & Spoofing
In this video, we’ll go quickly through Netsniff-ng. I’ll show you how to use it, some commands to run with it, and how to find your way around using its help output.
Then we’ll move on to Ettercap. I will show you how to use Ettercap’s interface, some additional features of Ettercap, how to start poisoning and actually spoofing with Ettercap and then a great combination of Ettercap with Wireshark.
Then we’ll do a little demonstration of how traffic between two machines on the network gets captured by a third one, and how it can also be read.
So stick with me and let’s start.
First of all, to start Netsniff-ng you usually go to Applications, Sniffing & Spoofing and then just click on Netsniff-ng.
It will load a terminal window and it will already have the help preloaded for you.
So if you scroll up in the window, you can see all the help you need here as well as some example commands. We can go through these examples.
I can at least go through one of them and give you some brief information on what it does.
Taking one of the examples, its arguments are, in order: the interface to capture on; the output file; the silent flag; the option that chooses the type of pcap file to be created, followed by the actual type value (I will get into details about that later); and finally the options for binding the capture to a CPU and for choosing what kind of packets to capture.
So for example, if you type netsniff-ng -D it will give you additional information about that hex value we found in the example.
That hex value is 0xa1b2c3d4.
Basically, what it says is that the packet capture will be tcpdump-compatible: you can read it with tcpdump, and it lists some specifics about that capture format.
There are different types of capture so you can go around to all of them and play with them.
But for now we are going to use this example here just to give you a brief overview of how to use Netsniff-ng which is pretty much similar to TcpDump.
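As an added example (not from the video and not netsniff-ng’s own code), here is a small Python reader for the pcap format that example command writes. It recognises the 0xa1b2c3d4 magic from the help text, plus its nanosecond and byte-swapped variants, pulls out the version, snap length and link type from the global header, and stops cleanly at a truncated trailing record. The file it parses is constructed inline; write_pcap exists only to build that sample.

```python
import struct

# Global-header magic, read big-endian from the first four bytes. 0xa1b2c3d4 is the
# classic tcpdump magic shown by netsniff-ng -D (microsecond timestamps), 0xa1b23c4d
# the nanosecond variant; the byte-swapped forms mean the file was written little-endian.
MAGICS = {
    0xa1b2c3d4: (">", 1_000_000), 0xd4c3b2a1: ("<", 1_000_000),
    0xa1b23c4d: (">", 1_000_000_000), 0x4d3cb2a1: ("<", 1_000_000_000),
}
LINKTYPE_ETHERNET = 1


def write_pcap(packets, ts_div=1_000_000, endian="<", snaplen=65535):
    """Serialise (timestamp, bytes) pairs into a classic pcap file (constructed sample data)."""
    magic = 0xa1b2c3d4 if ts_div == 1_000_000 else 0xa1b23c4d
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, pkt in packets:
        sec, frac = int(ts), round((ts - int(ts)) * ts_div)
        # record header: ts_sec, ts_frac, incl_len, orig_len
        out += struct.pack(endian + "IIII", sec, frac, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Parse the global header and every record; flag a truncated final record."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"unknown magic 0x{magic:08x}")
    endian, ts_div = MAGICS[magic]
    _, major, minor, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    packets, offset, truncated = [], 24, False
    while offset + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or offset + 16 + incl_len > len(data):
            truncated = True          # record claims more bytes than the file has
            break
        packets.append((sec + frac / ts_div, data[offset + 16:offset + 16 + incl_len]))
        offset += 16 + incl_len
    if offset != len(data):
        truncated = True              # leftover bytes shorter than a record header
    return {"version": (major, minor), "endian": endian, "ts_div": ts_div,
            "snaplen": snaplen, "linktype": linktype, "packets": packets,
            "truncated": truncated}


# Constructed sample: two tiny Ethernet-sized "packets" in a little-endian file.
SAMPLE = write_pcap([(1.25, b"\x00" * 14 + b"A"), (18.5, b"\x00" * 14 + b"BB")])
```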
When we started out, since it’s silent, it’s running but it doesn’t give us any information.
If we quit with Ctrl + C it will give us the statistics of that capture. So let’s just try and quit it.
I think this is enough.
It has captured 51 packets for roughly about 17 seconds.
And now if I want to read these packets I can do tcpdump -tttt -r ./dump.pcap, where dump.pcap is the file name.
And there it is.
If I pipe it to less I will be able to read it a little more easily and move up and down.
There aren’t too many packets so that’s okay.
Okay, as you see here tcpdump doesn’t change anything in the capture itself, but it did try to resolve the IP addresses to machine names, so I will have to use -nn to turn that off.
So let me just type that -nn.
Now we have only IP addresses and ports, as well as the flags for each packet such as SYN, RST and so on.
Okay, for Netsniff-ng that’s pretty much it.
So we can move to Ettercap.
I’ll just close the window quickly and start Ettercap. Again, under Sniffing & Spoofing we will find Ettercap.
As you can see the interface is at the moment pretty simple. There are only a few options. This is because we haven’t really started anything. Ettercap is just waiting for us to start.
And to start using Ettercap what you need to do is first click on ‘unified sniffing’.
Next you will choose the interface you want to sniff on and here are all the interfaces that Ettercap is able to see here on this machine.
Next, click on ‘Okay’.
It prints some information about the software itself: the version, the IP address and the MAC address, all the modules loaded and so on, and then it starts populating the menus.
As you can see here we already have Targets, Hosts, Man in the middle (MITM) and things like that.
So our next step would be looking for targets or looking for hosts.
So go to ‘Hosts’ and click on ‘Scan for hosts’.
It will fill up pretty quickly. And now when you go to ‘Hosts’ and click on ‘Hosts list’ we’ll have all the hosts in my network.
So there it is. This is the gateway and these are some machines connected to the network.
For our test, we will try to sniff the traffic between the machine with IP address .1.2 and the machine with IP address .1.6. As you see, I added the first one as Target 1 and the other one as Target 2.
If you go to current targets, you can see that in order to do man in the middle you have to be in the middle of two machines. In this case we will be sitting in the middle, between the .1.2 and .1.6 machines.
You can add as many targets as you like.
Some other information that might be useful: if you go to ‘View’ and ‘Connections’ you get something similar to Wireshark’s statistics, with some predefined filters; for example, you can show only UDP or only TCP.
You can also filter on a host, which can be an IP address, and if you are only interested in active connections, you can filter on those.
So at the moment we are actually listening, but let me start a man in the middle attack or actual ARP poisoning.
When I start this, it will start poisoning the ARP tables for these two targets, .1.2 and .1.6. I should start seeing more connections between them, if there are any, of course.
At the moment there isn’t a connection going on between those two machines, but I’m going to start one and I’m going to try and show it to you in Wireshark.
So let’s just go to Applications, sniffing and start Wireshark as well.
It started listening as you can see.
We’re going to apply a filter here which would be IP address .1.2 and IP address .1.6.
Currently, we don’t see any traffic going on between those two, but hopefully something will show up.
Okay, let’s start some traffic between those two machines and see if it will show up in our Wireshark.
Let me just go to my other machine, and here we can start nc (netcat) to that machine on port 23.
“This is test. Please reply. I reply.”
Okay, that should be enough and we’re moving on to our Wireshark. As you see, there is TCP traffic between those two machines on the Telnet port.
So if I follow the TCP stream, I can see that I already captured “This is test” and if I keep sniffing, I will capture other packets that are exchanged between those two machines and not intended for me.
And as you see, the source is .1.6, the destination is .1.2, and of course we can also verify that our IP is .1.6.
So this is a practical ‘man in the middle’ with ARP cache poisoning using Ettercap.
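As an added example from the defender’s side (not Ettercap’s code and not from the video): the poisoning above works by sending ARP replies that make each victim’s cache map the other victim’s IP to the sniffing host’s MAC, so a monitor that watches ARP replies on the segment can catch it by flagging an IP whose MAC changes and a MAC that answers for more than one IP. The frames, the MACs and the 10.0.1.0/24 lab addresses are all constructed here; arp_reply_frame only builds the sample input bytes.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip):
    """Build one Ethernet frame carrying an ARP reply; used only as constructed sample input."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    spa, tpa = (bytes(int(o) for o in ip.split(".")) for ip in (sender_ip, target_ip))
    return ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, ARP_REPLY, smac, spa, tmac, tpa)


def detect_arp_poisoning(frames):
    """Walk captured frames and flag the two symptoms of ARP cache poisoning:
    an IP whose MAC suddenly changes, and one MAC answering for several IPs."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        _, _, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            continue                                   # not ARP, ignore
        _, _, _, _, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if op != ARP_REPLY:
            continue                                   # only replies update caches
        mac, ip = mac_str(sha), ip_str(spa)
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append(f"{ip} moved from {ip_to_mac[ip]} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed lab: 10.0.1.2 and 10.0.1.6 are the two targets, the third MAC is the sniffing host.
VICTIM_A, VICTIM_B, SNIFFER = "02:00:00:00:00:02", "02:00:00:00:00:06", "02:00:00:00:00:99"
SAMPLE_FRAMES = [
    arp_reply_frame(VICTIM_A, "10.0.1.2", VICTIM_B, "10.0.1.6"),  # normal reply
    arp_reply_frame(VICTIM_B, "10.0.1.6", VICTIM_A, "10.0.1.2"),  # normal reply
    ETH_HDR.pack(b"\xff" * 6, b"\x02" * 6, 0x0800),               # non-ARP frame, skipped
    arp_reply_frame(SNIFFER, "10.0.1.2", VICTIM_B, "10.0.1.6"),   # poison: .1.2 now "at" sniffer
    arp_reply_frame(SNIFFER, "10.0.1.6", VICTIM_A, "10.0.1.2"),   # poison: .1.6 now "at" sniffer
]
```

Running detect_arp_poisoning(SAMPLE_FRAMES) yields two "moved" alerts followed by one "claims" alert for the sniffer’s MAC; a real monitor would feed it live ARP frames and should also whitelist legitimate changes such as DHCP lease churn.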
You can also use Ettercap to kill connections by modifying packets and sending them to the actual source and destination. It will destroy the connection.
So let’s try to kill a connection using Ettercap.
Okay, this one. This is the one we’re looking for.
So at the moment it is still going on. It should show up here as well.
Yeah. “Telnet.” “This is another test.” You can see that here.
So it’s still going on. It says “idle” because currently there is no data being transmitted, but the connection is there.
Let me try and “kill the connection”.
Connection was killed.
It says it’s killed. It doesn’t show it here in the list.
So let me see what will happen if I go to the terminal of my other machine. Yep, it is killed.
And I can confirm that this happened on the other machine as well.
So that proves that you can not only listen to connections, but also prevent a connection, interrupt it, or destroy a connection between hosts.
If you want to prevent someone from talking to another one, you can do that as well.
And now when I select ‘killed’, there it is.
I can also see how this connection formed, packets, number of bytes and so on and so forth.
So pretty much that’s it about Ettercap and Wireshark and I hope you like it. I hope you found something interesting and I’ll catch you in the next video.
Thank you very much and goodbye.
More from Jerry Banfield.
Thank you very much for watching all the way to the end of this tutorial.
The video you’ve seen is a part of How to Hack in 2019: Noob to Certified Ethical Hacker with CEH Version 10!
This is a video course with 30-plus hours of video in it, hundreds of lectures that cover each individual module in the Certified Ethical Hacking exam for version 10.
Now, this course will not give you a certification. It prepares you to take the CEH Version 10 exam. You can see this course has a ton of videos in it.
I’m imagining that since you made it to the end of this tutorial, you will love this course. It’s $27.81 on uthena.com, which is a platform I founded; I’m Jerry Banfield.
You can also get this course within the Ethical Hacking Forever course bundle for $48.81. You buy this bundle once. We will add new Ethical Hacking courses forever to it.
For example we have a Python Hacking course coming out now that will be added to this bundle very shortly. This bundle has six courses currently in it and a hundred plus hours of video. It’s one of the best options in the world to learn ethical hacking.
Three courses right here are all from 2019 and we will keep this bundle updated forever for you.
If you check the links in the description of the video, you will also find some additional coupons. You may be able to take the course for less, take different courses, subscribe, and even find different stores that may have the same course.
I appreciate you watching here with us today. I imagine if this is helpful you’ll leave a like on it, because you will feel good about leaving a like on the video and giving something back.
If you subscribe, you will have the chance to watch more videos like this every day.
If you take a look in the description of the video you’ll find playlists related to this video with more videos for free on YouTube.
I love you.
I hope you have a wonderful day today.
If you’ve got this far, I imagine you will love seeing the videos we keep creating for you each day.
Will you please subscribe on YouTube and like on Facebook, because that will give you two ways to see the same videos every single day and you will be like, “Oh, my god, stop spamming my newsfeed. Oh, I’m sick of you. I’m not subscribing and I am not liking.”
I mean, you’re going to have a great time. You’re going to love the videos we put out every single day. It’s going to be a blast.
We’re going to do a journey together of a lifetime starting or continuing today.