Hi Everyone,
I want to clear up my doubts about ARP poisoning. The following is the situation in which I tried to perform this attack:
Every host in the LAN segment uses a proxy to access the internet.
Attacker : IP = 10.101.25.100 [running linux mint with all required tools installed]
Victim : Virtual m/c running linux mint using proxy to access internet (using bridged mode in virtual box) IP = 10.101.25.200 / can be any other host in the LAN
Switch (Gateway) : IP = 10.101.25.2 [Cisco IOS 12.x ]
ON ATTACKER M/c:
* edited /etc/etter.conf [
ec_uid = 0
ec_gid = 0
port_steal_send_delay = 1 # microseconds
remote_browser = "firefox -remote openurl(http://%host%url)"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
] (read from http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html)
* started ettercap successfully
# selected promisc mode then unified sniffing
# selected GATEWAY (10.101.25.2) as TARGET1
# selected VICTIM (10.101.25.200) as TARGET2
# started sniffing
# selected arp-poisoning from the mitm menu
# enabled plugins repoison_arp and remote_browser
# opened connections tab from view menu
ON VICTIM m/c :
Before ARP poisoning :
All fine: internet web browsing was working smoothly (remember, it is using a proxy to access the internet)
After ARP Poisoning :
arp table successfully changed
10.101.25.2 <ATTACKER's MAC ADDR>
But no web page is loading now, whether google.com or facebook.com
Q: IS IT EVER POSSIBLE TO DO ARP-POISONING CORRECTLY IN THIS KIND OF SITUATION?
ANY ADVICE/SUGGESTIONS ARE APPRECIATED!
THANK YOU
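
Seen from the defender's side, the ARP-table change reported on the victim above (the gateway 10.101.25.2 resolving to the attacker's MAC) is exactly what a monitoring check looks for. The following is an added example, not part of the original post: it parses `ip neigh show` output and flags a gateway MAC that differs from a pinned value, plus any MAC claimed by more than one IP. The MAC addresses, interface name and sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` output on the victim, before and after the
# change described in the post. MAC addresses and eth0 are made up.
BEFORE = """\
10.101.25.2 dev eth0 lladdr 00:1b:54:aa:00:02 REACHABLE
10.101.25.100 dev eth0 lladdr 08:00:27:11:22:33 STALE
10.101.25.77 dev eth0  FAILED
"""
AFTER = """\
10.101.25.2 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
10.101.25.100 dev eth0 lladdr 08:00:27:11:22:33 REACHABLE
10.101.25.77 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def parse_neigh(text):
    """Return {ip: mac} for resolved IPv4 entries (FAILED/INCOMPLETE have no lladdr)."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def check(table, gateway_ip, pinned_gateway_mac):
    """Flag a gateway MAC that differs from the pinned one and MACs shared by several IPs."""
    alerts = []
    seen = table.get(gateway_ip)
    if seen and seen != pinned_gateway_mac.lower():
        alerts.append(("gateway_mac_changed", gateway_ip, seen))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac_shared", tuple(sorted(ips)), mac))
    return alerts

if __name__ == "__main__":
    pinned = parse_neigh(BEFORE)["10.101.25.2"]  # baseline taken while the table is trusted
    for alert in check(parse_neigh(AFTER), "10.101.25.2", pinned):
        print(alert)
```

The pinned gateway MAC has to be recorded while the table is known to be good; on a real host the input would come from `ip neigh show` rather than the embedded samples.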