
MitM / Listening and Forwarding


ghost

Short Version - I have physical access to a machine. I want to intercept packets coming out to find the password to a router in the HTTP headers, I have no idea how to go about this. Should I set up my laptop as a router that will act as the first hop from that machine, and then it simply listens to all the packets before passing them along to the actual router?

Long Version - Alright, here's what I'm trying to do. My dad had 2 ports forwarded for my use, I was running a minecraft server on one, and a webserver on the other. Anyway, old router crapped out after 10 years, and we got a new one (Linksys E3000, if you care). I also recently got my own laptop, instead of using the communal PC. Linux Mint, if you care. Anyway, I asked him to forward the ports again, and he told me to do it myself. Of course, the thing is password protected. My dad is a pretty cool guy, he only helps me out when I really need it, forcing me to learn on my own. So, here is what I came up with to try and get the password: After a bit of social engineering, I'll get him to access the router, sending in the username and password along as part of the HTTP authentication. I want to capture those packets. I tried simply using wireshark, but I'm not getting all the traffic from the network. I need a listener somewhere between him and the router. This gave me an idea: set up my laptop as a router and have it be the first hop between him and the router. Is this feasible? Are there better ways? I'm not too averse to hacking together something in C that simply listens and passes on packets, but I'm betting that would be the hardest way to go about it ;)

Thanks


GTADarkDude (Member)

Google 'ARP Poisoning'. Stuff becomes harder when the router uses SSL for logging in.


ghost

You have physical access??

Use a keylogger..preferably one that you compile yourself..

There's an OK one in the codebank... but it uses loads of memory.

As for making a C program to catch and send packets... Whoa... That's over my head... I need to learn up I suppose. :)

Added: Forgot to mention..you can set the priority to idle class on the keylogger in the codebank…that would prevent it from grabbing ALL possible resources.:)


GTADarkDude (Member)

If his dad won't even allow him to access their router, I doubt he will allow him to run his own software on his dad's PC. Or were you going to make him type the password on your own laptop? In either case, a keylogger is certainly easier. If you can't access your dad's PC and he's making the connection from his own PC, then ARP poisoning/spoofing is the way to go.


stealth- (Ninja Extreme)

You're on Mint you said?

sudo ettercap -M arp -i <interface> -w packets.pcap -T "/<RouterIP>,<DadsIP>/"
# Get him to login to the router (not over HTTPS)
# Press "q" in the terminal to close ettercap
wireshark packets.pcap

Problem solved. If you actually care to learn from this experience, then (like already mentioned) research ARP poisoning and how it works, and then read the ettercap manual to see what exactly the command does. It's really pretty simple.

Just starting up Wireshark and running it isn't doing a MitM attack. That's just sniffing, which will only show you your own traffic if you are on a switch. On a hub, you'll see others' traffic, but switches are more common these days. ARP spoofing is generally the easiest way to achieve a LAN MitM, and then tools like ettercap will do both the capturing and Man In The Middle setup. You can later review the packets captured with ettercap in a program you are more comfortable with (eg: Wireshark).
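The flip side of what this post describes is how a host on the LAN can tell it is being poisoned: the gateway's IP suddenly starts being answered by a second MAC address. The following is an added example (not from any poster in this thread, and not part of ettercap) of that detection logic in Python. It parses constructed, tcpdump-style ARP reply lines (the SAMPLE_LOG and GATEWAY values are made up for the demo) and raises an alert when one IP is claimed by two different MACs, or when a pinned mapping such as the gateway's is contradicted. This is the same check tools like arpwatch perform on live traffic.

```python
"""Detect ARP cache poisoning from tcpdump-style ARP reply lines.

Added example for this thread; the log lines and addresses below are
constructed, not captured from any real network.
"""
import re

# Matches tcpdump's text form of an ARP reply, e.g.
# "12:00:01.001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample: a legitimate gateway reply, then a second host
# (08:00:27:aa:bb:cc) claiming both the gateway's and a client's IP.
SAMPLE_LOG = """\
12:00:01.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:05.200 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:09.500 ARP, Reply 192.168.1.1 is-at 08:00:27:aa:bb:cc, length 28
12:00:09.501 ARP, Reply 192.168.1.20 is-at 08:00:27:aa:bb:cc, length 28
"""

# Known-good mapping for the gateway (hypothetical value for the demo).
GATEWAY = {"192.168.1.1": "00:11:22:33:44:01"}


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; ignore the rest."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(lines, pinned=None):
    """Return a list of alerts as (ts, ip, expected_mac, seen_mac, reason).

    'pinned-mismatch': a pinned host (e.g. the gateway) was answered by a
                       MAC other than the expected one.
    'ip-claimed-by-second-mac': an IP previously learned from one MAC is
                       now being claimed by a different MAC.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    learned = {}   # first MAC seen for each IP
    alerts = []
    for ts, ip, mac in parse_arp_replies(lines):
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, ip, pinned[ip], mac, "pinned-mismatch"))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, ip, learned[ip], mac, "ip-claimed-by-second-mac"))
        learned.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for ts, ip, expected, seen, reason in detect_arp_conflicts(
        SAMPLE_LOG.splitlines(), pinned=GATEWAY
    ):
        print(f"{ts} {reason}: {ip} expected {expected}, saw {seen}")
```

Pinning the gateway's MAC is what makes the check reliable: a plain "two MACs for one IP" rule also fires on a legitimate hardware swap, whereas a contradicted pinned entry for the default gateway is almost always either a misconfiguration or an active MitM on the segment.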


ghost

ARP Poisoning, I'll look into that. I knew Wireshark was only a sniffer, but it was all I had at the time. Yes, I have physical access, but I do not, however, have logical access to his computer. A keylogger is out of the question, it's inelegant and dirty when other things will work. I'll resort to a keylogger if I have to, but I'd rather not. I'll look into ettercap. Thanks guys!

Edit: Just read up on ARP and the ettercap man pages, it's exactly what I was looking for. Once again, thanks.


ghost

Arbolito wrote: ARP Poisoning, I'll look into that. I knew Wireshark was only a sniffer, but it was all I had at the time. Yes, I have physical access, but I do not, however, have logical access to his computer. A keylogger is out of the question, it's inelegant and dirty when other things will work. I'll resort to a keylogger if I have to, but I'd rather not. I'll look into ettercap. Thanks guys!

Edit: Just read up on ARP and the ettercap man pages, it's exactly what I was looking for. Once again, thanks.

Just get on the HBH IRC if you need help. - Fritzo


fashizzlepop (Member)

Are you sure it's not just the default password and user?


ghost

fashizzlepop wrote: Are you sure it's not just the default password and user?

I may be uninitiated, but I'm not stupid :P