Pages: 1 [2] 3 4 5

Author Topic: Extracting PPPoE credentials from Juniper SRX300  (Read 16151 times)

niemand

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #15 on: June 11, 2017, 04:02:39 PM »

> The problem when using a network switch (or even an early generation of dumb network hub) is that the computer's own Ethernet NIC will also "vocalise" in response to the data flowing between the two devices.
>
> Here is the "Enigma Curry" Ethernet Tap which is good for 10/100 Mbps but not for 1000 Mbps. ("Enigma Curry" is an anagram of "Ryan McGuire".)

Unless you're running a PPP server on the machine it won't.

niemand

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #16 on: June 11, 2017, 04:08:49 PM »

> Interesting. Do you have links (URLs) for any suitable devices, please?

http://www.tp-link.com/us/business-networking/switches/easy-smart-switches

Though as mentioned above, a hub is perfectly fine. The Ethernet card on the receiving machine won't respond to the traffic as:

1) It's not addressed to it,
2) Unless there's a PPP server running on it the machine won't respond to the broadcast carrying the PADI datagram.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #17 on: June 11, 2017, 04:27:44 PM »

> Nope. A hub, like this:
> http://www.ebay.co.uk/itm/Netgear-DS104-4-Port-Dual-Speed-Hub-Supplied-with-PSU-/322550041551?hash=item4b197b0bcf:g:CD8AAOSwz71ZPB0t

Thanks, but I would prefer to 'buy it now' on eBay... otherwise, knowing my luck, I will get outbid at the last moment.  :no:

I guess this TP-Link smart switch would also do the job?
https://www.amazon.co.uk/TP-LINK-TL-SG105E-Gigabit-Smart-Switch/dp/B00N0OHEMA

burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #18 on: June 11, 2017, 04:46:46 PM »

> If it helps you, I'm sure we have some old HP ProCurve 2524 or 2512 (2500 series L2 full management switches; the 24 or 12 signify the number of ports available)
>
> <snip>
>
> If you would like one sending to you, please PM me . . .

Thank you for that generous offer, John. However, I will not be performing the task; it will be psychopomp1. :)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #19 on: June 11, 2017, 04:56:12 PM »

> I guess this TP-Link smart switch would also do the job?
> https://www.amazon.co.uk/TP-LINK-TL-SG105E-Gigabit-Smart-Switch/dp/B00N0OHEMA

From my reading of everyone's advice, so far, the TP-LINK TL-SG105E would be an appropriate device.

b*cat performs one of his best Japanese bows towards d2d4j, u*zone and i*net in acknowledgement of their helpful contributions.

bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #20 on: June 11, 2017, 05:42:57 PM »

Or possibly one of these.

https://greatscottgadgets.com/throwingstar/

I bought one to use for exactly that reason before I worked out how to achieve it using the ISP's own router. If you have limited access to the SRX300 you might be able to do the same.

burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #21 on: June 11, 2017, 05:49:04 PM »

Looking toward the future and after a successful Wireshark capture of the relevant information, the next step would be to read the "login" half of the credentials (in my case, passed in plain-text) and then use either Hashcat or dechap to recover the "password" half of the credentials.

Here are three lines from a Wireshark capture that I performed some months ago --

Code:
No.   Time        Source               Protocol    Length    Info

10    1.055028    JuniperN_ea:28:52    PPP CHAP    66        Challenge (NAME='nge001.ips', VALUE=0x86351c587caed0e81ca62cbf0b4dafcd6cf83237c2)
12    1.057853    Dell_c1:20:9e        PPP CHAP    69        Response  (NAME='burakkucat@talktalk', VALUE=0xf025510d4a8c1c1bc69f4a907e0163bb)
13    1.307018    JuniperN_ea:28:52    PPP CHAP    66        Success   (MESSAGE='')

Of the two techniques, I suspect that dechap may prove to be the easier as both the size of the password (i.e. its "width") and the character set that is used are unknowns.

Code:
[Duo2 ~]$ dechap
dechap: a dictionary attack for captured PPPoE, RADIUS, L2TP, OSPF and BGP traffic.
Version v0.4 alpha, October 2013

Usage:
dechap -c capfile -w wordfile

Where capfile is a tcpdump-style .cap file containing PPPoE, RADIUS
or L2TP CHAP authentications or MD5 authenticated OSPF / BGP packets and
wordfile is a plain text file containing password guesses. VLAN tags
and MPLS labels are automatically stripped.
[Duo2 ~]$

If required, I have some code that will generate all permutations of a "password" of a specified "width" (i.e. size) using the full 95-character set from " " (space) to "~" (tilde). So a sequence of wordfiles, of widths 1, 2, . . . , n-1, n, could be pre-computed for eventual supply to the dechap utility.



How much disk space will such wordfiles occupy? Let's derive the formula required . . .

Let C be the character set size and W be the width of a password.

Then the number of passwords, $P = C^W$          [1]

Assuming that the wordfiles are generated on a Unix or Linux kernel-using system then there will be a new-line character at the end of each password.

Thus the size of the resultant file, $T = P(W + 1)$ bytes.          [2]

Substituting equation [1] for P into equation [2] . . .

$T = C^W (W + 1)$ bytes.

So using a character-set size of 95 . . .

 a wordfile containing passwords of width one would occupy $95^1 (1 + 1) = 190$ bytes

 a wordfile containing passwords of width five would occupy $95^5 (5 + 1) \approx 4.64 \times 10^{10}$ bytes

 a wordfile containing passwords of width ten would occupy $95^{10} (10 + 1) \approx 6.58 \times 10^{20}$ bytes
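
As an added example (not code from the post, nor from the dechap project), the three packets in the Wireshark capture above reproduced end to end with constructed names and secrets: the authenticator's Challenge, the peer's Response, and the Success/Failure verdict. It shows that, per RFC 1994, the Response Value is simply MD5(Identifier || secret || Challenge Value), and since the identifier, challenge and name all travel in clear, a captured Challenge/Response pair fixes everything in that hash except the secret, which is why a captured CHAP-MD5 exchange should be treated as exposing the password. The name `bras.example`, the user name and the secrets are all constructed.

```python
import hashlib
import hmac
import os
import struct

# CHAP packet codes (RFC 1994, section 4).
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def chap_md5_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value).
    Identifier and Challenge Value are visible in a capture; only the secret is not."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge and Response share one layout: Code, Identifier, Length,
    Value-Size, Value, Name (the Name runs to the end of the packet)."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_chap_packet(pkt: bytes):
    """Return (code, ident, value, name) from a Challenge or Response packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5 or pkt[4] > length - 5:
        raise ValueError("malformed CHAP packet")
    value_size = pkt[4]
    return code, ident, pkt[5:5 + value_size], pkt[5 + value_size:length]


def run_chap_exchange(peer_name: bytes, peer_secret: bytes, secrets_db: dict,
                      ident: int = 1, challenge: bytes = b""):
    """Simulate the three captured packets: Challenge (authenticator -> peer),
    Response (peer -> authenticator), then Success or Failure.
    Returns (challenge_pkt, response_pkt, result_code)."""
    challenge = challenge or os.urandom(16)
    # Constructed authenticator name; the capture above shows the BRAS's own name here.
    challenge_pkt = build_chap_packet(CHAP_CHALLENGE, ident, challenge, b"bras.example")

    # Peer side: parse the Challenge and answer with MD5(id || secret || value).
    _, cid, cvalue, _ = parse_chap_packet(challenge_pkt)
    response_pkt = build_chap_packet(
        CHAP_RESPONSE, cid, chap_md5_response(cid, peer_secret, cvalue), peer_name)

    # Authenticator side: look up the claimed name, recompute, compare in constant time.
    _, rid, rvalue, rname = parse_chap_packet(response_pkt)
    expected_secret = secrets_db.get(rname)
    ok = (expected_secret is not None and rid == ident and
          hmac.compare_digest(rvalue, chap_md5_response(ident, expected_secret, challenge)))
    return challenge_pkt, response_pkt, CHAP_SUCCESS if ok else CHAP_FAILURE
```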
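
An added example (not the poster's own code) that carries the derivation above through in Python: $T = C^W (W + 1)$ for a single wordfile, the total for the whole series of widths 1 . . . n, and the largest width whose series still fits a given disk budget. The 1 TiB budget in the demo is an assumption.

```python
def wordfile_bytes(C: int, W: int) -> int:
    """T = C^W * (W + 1): every width-W password over a C-symbol alphabet,
    one per line, each followed by a single newline byte."""
    if C < 2 or W < 1:
        raise ValueError("need an alphabet of at least 2 symbols and width >= 1")
    return C ** W * (W + 1)


def wordfile_series_bytes(C: int, n: int) -> int:
    """Total bytes for the sequence of wordfiles of widths 1, 2, ..., n."""
    return sum(wordfile_bytes(C, W) for W in range(1, n + 1))


def max_width_within(C: int, budget_bytes: int) -> int:
    """Largest n such that the whole series of widths 1..n fits in budget_bytes
    (0 if even the width-1 file does not fit). Terminates because C >= 2."""
    n = 0
    while wordfile_series_bytes(C, n + 1) <= budget_bytes:
        n += 1
    return n


def human(nbytes: int) -> str:
    """Binary-prefixed size string, e.g. 2**30 -> '1.00 GiB'."""
    value = float(nbytes)
    for unit in ("B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB", "ZiB"):
        if value < 1024 or unit == "ZiB":
            return f"{value:.2f} {unit}"
        value /= 1024


if __name__ == "__main__":
    PRINTABLE = 95  # the 95 printable ASCII characters from " " (space) to "~" (tilde)
    for W in range(1, 11):
        size = wordfile_bytes(PRINTABLE, W)
        print(f"width {W:2d}: {size:>24,d} bytes ({human(size)})")
    # Assumed budget: a single 1 TiB disk.
    print("widths whose full series fits on 1 TiB:", max_width_within(PRINTABLE, 2 ** 40))
```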

burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #22 on: June 11, 2017, 05:59:54 PM »

> Or possibly one of these.
>
> https://greatscottgadgets.com/throwingstar/
>
> I bought one to use for exactly that reason before I worked out how to achieve it using the ISP's own router. If you have limited access to the SRX300 you might be able to do the same.

Interesting in its simplicity. However one will need to monitor both directions, simultaneously, to capture the full CHAP dialogue. Or am I just a little bit confused?  :-\

How about taking two Ethernet patch leads, cutting each one in half and then wiring the four halves to emulate the Throwing Star LAN Tap?

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #23 on: June 11, 2017, 06:06:36 PM »

> From my reading of everyone's advice, so far, the TP-LINK TL-SG105E would be an appropriate device.
>
> b*cat performs one of his best Japanese bows towards d2d4j, u*zone and i*net in acknowledgement of their helpful contributions.

OK, have ordered the TP-Link TL-SG105E from Amazon. Once it arrives, I will hook everything up as described earlier & run Wireshark in Windows 7.




bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #24 on: June 11, 2017, 06:10:32 PM »

> Interesting in its simplicity. However one will need to monitor both directions, simultaneously, to capture the full CHAP dialogue. Or am I just a little bit confused?  :-\
>
> How about taking two Ethernet patch leads, cutting each one in half and then wiring the four halves to emulate the Throwing Star LAN Tap?

I have to admit I never assembled the device because I could use the router. I think I'll check out what is achievable.

From the description on the site you'd need to connect a Cat 5 cable to each of the passive ports to capture in both directions. Exactly as you say, B*cat.

burakkucat

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #25 on: June 11, 2017, 06:17:39 PM »

> From the description on the site you'd need to connect a Cat 5 cable to each of the passive ports to capture in both directions. Exactly as you say, B*cat.

So one would need a computer with two Ethernet ports, which would be bonded together, software-wise. The bond interface would then be the subject of the Wireshark session.

bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #26 on: June 11, 2017, 06:23:55 PM »

> So one would need a computer with two Ethernet ports, which would be bonded together, software-wise. The bond interface would then be the subject of the Wireshark session.

That's how I read it too. I might have to assemble one and find out now. Begs the question, why not just use two USB Ethernet adapters and bridge them. Sniff the bridge.

Academic now as psychopomp1 has a TP-Link device winging its way.
« Last Edit: June 11, 2017, 06:26:10 PM by bishbashbosh »

d2d4j

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #27 on: June 11, 2017, 06:50:21 PM »

Hi

Sorry, I may not have remembered correctly, but if using a dumb hub, Wireshark or a sniffer may show all traffic from all ports, including your PC, as it floods all ports.

Only a port mirror with all protocols disabled on the mirror would show only the full capture from the correct port (or device attached to the port).

I could be wrong, sorry, and I have not looked at the TP-Link link, sorry, so this may be capable of full mirroring.

Many thanks

John

bishbashbosh

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #28 on: June 11, 2017, 07:03:12 PM »

Hi d2d4j,

A hub does forward all traffic to all ports as it does not "remember" which MAC is on which port. A switch with a port mirror facility "should" forward all send/receive packets seen on the monitored port to the designated mirror port. Looking at the TP-Link docs this switch should be just the ticket.

psychopomp1

Re: Extracting PPPoE credentials from Juniper SRX300
« Reply #29 on: June 11, 2017, 08:48:02 PM »

Looking at page 25 (mirroring instructions) for the TP Link SG105E here:

http://static.tp-link.com/Easy%20Smart%20Switch_User%20Guide.pdf

I just need to mirror 2 ports, 1 going to the Openreach ONT (both ingress & egress) and 1 going to the SRX300 (again both ingress & egress), with the results going to the mirroring port, which is the port connected to my PC. Wireshark would then have the necessary data.

I guess no further config would be required on the TP Link? (other than making sure the firmware is up to date)