# Sniffing a switched LAN using arpspoof, fragrouter, + dsniff

## khermans

I have been having trouble sniffing our home DSL based switched LAN using arpspoof, fragrouter, and dsniff.  The setup is like most people out there for our home network.  We have a DSL modem and a Linksys router (the switch) that routes four computers to the internet.  We want to try sniffing packets coming from other machines on our network for fun and then try to prevent it afterwards using other tools.  We did lots of googling, but have had some small problems.  Here's what we did to test it out:

1) Set eth0 to promiscuous mode on attacking PC

```
# ifconfig eth0 promisc
```

2) Start poisoning the network (all hosts) from attacking PC:

```
# arpspoof -i eth0 192.168.1.1
```

3) Allow for userland IP forwarding on attacking PC (avoid kernel IP forwarding)

```
# fragrouter -i eth0 -B1
```

4) Start sniffing for passwords from attacking PC

```
# dsniff -i eth0
```

This still only captures passwords sent from our local attacking machine, but it seems that arpspoofing is going (see action in command line) and that fragrouter is re-routing packets and other machines can get onto websites etc...  We also tried "dsniff -c -i eth0" for half duplex, but that didn't work either.  Also tried "dsniff -c -m -i eth0", which actually caused dsniff to seg fault (vulnerability?)!!!  Anyways, we would like some pointers if anyone has done this sort of thing before because it seems that we are having trouble.  Any help is appreciated.  Thanks guys!!!   :Smile: 

Kristian Hermansen

----------

## jwj

You don't need all this spoofing stuff; that's for snooping a local switched net. BTW, nobody from outside will send packets to your 192.168.1.0/24 net, at least they won't be routed. The only interface that might catch interesting data is the outer interface of your router.

----------

## khermans

*jwj wrote:*

> You don't need all this spoofing stuff; that's for snooping a local switched net. BTW, nobody from outside will send packets to your 192.168.1.0/24 net, at least they won't be routed. The only interface that might catch interesting data is the outer interface of your router.

Yes, I understand this and that is EXACTLY what I am trying to do!  I am trying to sniff local 192.168.1.xxx traffic on our own internal network.  The point is that I want to learn how all of this works and then extrapolate that to much more complicated networks and how to prevent these types of attacks.

AGAIN, I want to be able to sniff local passwords on our own local internal SWITCHED home network!!!  Please let me know why my settings may be failing or my options are incorrect!?!?  Does anyone have some good advice on this?  I know it is possible and have seen many articles on the subject.  I followed a few of them to no avail.  Somebody on here must know what I'm doing wrong...

Kristian Hermansen

----------

## revertex

What about ettercap? It's pretty easy to do what you want with this tool, and their forums are fantastic.

----------

## khermans

*revertex wrote:*

> What about ettercap? It's pretty easy to do what you want with this tool, and their forums are fantastic.

Are you thinking it is a problem with dsniff?  I would think that it was some underlying hardware/software configuration problem?  Did I issue the correct commands and options to accomplish that?  The point was to see if we could capture passwords flying over our local network.  The problem is that we now have a wireless access point with a broad range (long antenna and modified firmware for maximum distance), and this may allow people to crack our network key rather easily and then start sniffing for passwords.  I know there are several steps we can take to prevent this activity like blocking MACs etc. (still hackable anyway), but we are really just concerned about the arpspoofing stuff and want to know how someone WILL do it if they have the chance and how we can prevent it...  Any ideas what I did wrong up in the first post?

Kristian Hermansen
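On the prevention side of the question above, the attack in the first post works by sending ARP replies that claim the gateway's IP (192.168.1.1) for the attacker's MAC. A host or monitor can catch that by remembering which MAC each protected IP was first seen with and alerting when a different MAC claims it. The script below is an added example, not code from the thread or from the dsniff/ettercap projects; the Ethernet/ARP frames it checks are constructed inline with made-up MAC addresses, and in practice you would feed it frames from a capture on the LAN.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if hlen != 6 or plen != 4:   # only Ethernet/IPv4 ARP is handled here
        return None
    return op, mac_str(sha), ip_str(spa)

def detect_arp_spoof(frames, protected_ips):
    """Pin each protected IP to the first MAC that claims it; alert on any change."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip = parsed
        if ip not in protected_ips:
            continue
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ip} claimed by {mac}, previously {known} (op {op})")
    return alerts

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw ARP reply frame (used here only to construct sample input)."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, ip_bytes(sender_ip),
                       target_mac, ip_bytes(target_ip))
    return eth + arp

# Constructed sample MACs and frames: the real router answers for 192.168.1.1 first,
# then a second machine claims the same IP, which is what arpspoof does to the LAN.
ROUTER_MAC, ATTACKER_MAC, VICTIM_MAC = (bytes.fromhex(h) for h in
                                        ("001122334455", "66778899aabb", "ccddeeff0011"))
SAMPLE_FRAMES = [
    build_arp_reply(ROUTER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
    build_arp_reply(VICTIM_MAC, "192.168.1.10", ROUTER_MAC, "192.168.1.1"),
    build_arp_reply(ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.10"),
]
```

Running `detect_arp_spoof(SAMPLE_FRAMES, {"192.168.1.1"})` yields one alert for the gateway IP being claimed by the second MAC; a static ARP entry for the gateway on each host (`arp -s`) is the usual mitigation on a small LAN like this one.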

----------

## jherm

I don't think that it is a problem with dsniff itself.  It must be in your configuration and execution of the previous commands and options.  Someone else on here should know a little bit more about this.

----------


## machinelou

I don't have a solution but I do share your concern with respect to our wireless lan.  I'd also be interested to see if you can get it to work.

----------

## khermans

Are there no security experts among us?  We have at least two people looking for the answer to this question now!!!  All security gurus come hither...

Kristian Hermansen

----------

## revertex

Hmm, I've found an interesting doc at the Shorewall site, if anyone cares.

It seems there is no way to guarantee a 100% secure wireless LAN.
