sslstrip

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

sslstrip

Post by Kirk »

OMG sslstrip is so freaking cool!!!

Something I need help with. So I can kinda crack a wireless (WEP/WPA(2)) - I'm hit or miss on it still - and once I get the IP and run sslstrip and get the info. Where I am having an issue is getting the target IP. Right now I have to crack the WEP/WPA, shut down my laptop and reboot into Windows, run Cain and Abel to sniff the network for IPs, pick one, reboot into Ubuntu, then run the sslstrip. I'm looking for a way to find all the IPs on a network via Linux. Any suggestions?

Lundis
Distorter of Reality
Posts: 543
Joined: 22 Aug 2008, 16:00
Location: Deadlock of Awesome

Re: sslstrip

Post by Lundis »

I usually use the arp cache to find other computers. First use nmap to ping the local IP range to cause arp requests for all expected IPs (note that this works even if the targets don't respond to ping requests, since they must respond to arp requests in order to keep the network working ;) )

Code:

nmap -sP 192.168.2.*
arp -a | grep ether # this only prints computers that actually responded

You can use ifconfig to find out what IP you have, and thus what range you should use. "arp -a" is a bit slow the first time you run it, but just give it some time to complete...

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Re: sslstrip

Post by Kirk »

I get how to use the first command. That's nice, but the second one I'm kinda unsure of. Can you give me a little more, maybe an example? When I use the command as you typed, only my router comes back with a response, but I have more than that attached.

Lundis
Distorter of Reality
Posts: 543
Joined: 22 Aug 2008, 16:00
Location: Deadlock of Awesome

Re: sslstrip

Post by Lundis »

Are you sure the device you're looking for is in the IP range you gave nmap?

Here's how it looks on my local network:

Code:
lundis@laptop-ub:~$ arp -a | grep ether
? (192.168.2.1) at 00:1f:1f:6d:8e:f4 [ether] on eth0 # Your router should always be visible

lundis@laptop-ub:~$ nmap -sP 192.168.2.*

Starting Nmap 5.21 ( http://nmap.org ) at 2011-07-04 12:15 EEST
Nmap scan report for 192.168.2.1
Host is up (0.00082s latency).
Nmap scan report for 192.168.2.197 # this is my comp ^^
Host is up (0.00068s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 3.16 seconds

lundis@laptop-ub:~$ arp -a | grep ether
? (192.168.2.99) at 00:13:8f:a6:f7:0f [ether] on eth0
? (192.168.2.1) at 00:1f:1f:6d:8e:f4 [ether] on eth0

192.168.2.99 didn't reply to the ping request, but it did respond to the ARP request that was caused by the pinging. Now, say there was a device on the network with the IP 192.168.1.123: it wouldn't show up, since no ARP request was sent to it.

arp -a prints the contents of the ARP cache, which is used to speed up network transmissions (if there wasn't a cache you'd have to ask what MAC address was connected to what IP every time you wanted to send a network packet :D). It also contains all "invalid" IPs, i.e. IPs that aren't owned by any computer on your network, which is why I pipe the result to grep ether, to strip away all lines that don't contain the word ether.
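An added example, not from the thread or either poster: a small Python parser for the net-tools `arp -a` line format shown above. It separates resolved entries (those with a real hardware address and the `[ether]` tag) from `<incomplete>` ones, which is exactly the filtering `grep ether` does, and adds an inventory check that flags neighbours whose MAC is not on an allow-list. The sample output is constructed in the thread's format; `known_macs` and the `unknown_hosts` helper are assumptions for illustration.

```python
import re

# Matches one net-tools "arp -a" line, e.g.
#   ? (192.168.2.1) at 00:1f:1f:6d:8e:f4 [ether] on eth0
#   ? (192.168.2.50) at <incomplete> on eth0
# Optional uppercase flags such as PERM may follow the [ether] tag.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<hw>[0-9a-fA-F:]{17}|<incomplete>)"
    r"(?: \[(?P<type>\w+)\])?(?P<flags>(?: [A-Z]+)*) on (?P<iface>\S+)"
)

def parse_arp_cache(text):
    """Parse arp -a output into a list of dicts, one per cache entry.
    Entries whose hardware address is <incomplete> get mac=None."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing '#' notes like in the thread
        m = ARP_LINE.match(line)
        if not m:
            continue  # header lines or unknown formats are skipped
        hw = m.group("hw")
        mac = None if hw == "<incomplete>" else hw.lower()
        entries.append({"ip": m.group("ip"), "mac": mac, "iface": m.group("iface")})
    return entries

def resolved_hosts(text):
    """Same result as `arp -a | grep ether`: only entries with a real MAC."""
    return [e for e in parse_arp_cache(text) if e["mac"] is not None]

def unknown_hosts(text, known_macs):
    """Defender's view (assumed helper): resolved neighbours not on an allow-list."""
    known = {m.lower() for m in known_macs}
    return [e for e in resolved_hosts(text) if e["mac"] not in known]

# Constructed sample in the thread's format (not captured from a real network).
SAMPLE = """\
? (192.168.2.99) at 00:13:8f:a6:f7:0f [ether] on eth0
? (192.168.2.1) at 00:1f:1f:6d:8e:f4 [ether] on eth0 # router
? (192.168.2.50) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for e in resolved_hosts(SAMPLE):
        print(e["ip"], e["mac"], e["iface"])
    for e in unknown_hosts(SAMPLE, ["00:1F:1F:6D:8E:F4"]):
        print("not on allow-list:", e["ip"], e["mac"])
```

Feed it real output with `parse_arp_cache(subprocess.check_output(["arp", "-a"], text=True))`; the `<incomplete>` entries it reports are the "invalid" IPs the post describes.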

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Re: sslstrip

Post by Kirk »

Ok, that's the same thing I'm getting. I just know how to interpret the arp -a. I see it now. This is fantastic. This will save me a ton of time. Thank you much.
