Vmware and arpspoofing

[bowler]

Hi all,

I need an explanation of why I can't get arpspoofing to work. I think it is because of the particular setup but you can tell me.

--=Particulars=--

Host: Ubuntu 9.10 with 1 wireless adapter

Guest #1 (Attacker): Ubuntu 9.04 bridged

Guest #2 (Victim): Ubuntu 9.10 bridged

Vmware Workstation v7

Now when I begin arpsoofing the victim I check its arp table and see that it's cache is being poisoned correctly. I have turned on forwarding on the Attacker.

I have used both ettercap and arpspoof but the results are the same.

The Victim looses internet connectivity.

Usually how I would set up is like this but I am replacing a physical wireless adapter with one on order

--=Particulars=--

Host: Ubuntu 9.10 with 1 wireless adapter

Guest #1 (Attacker): Ubuntu 9.04 (physical wireless adapter)

Guest #2 (Victim): Ubuntu 9.10 bridged

Vmware Workstation v7

Is it because both guest are bridged to the same host that the victim looses connectivity to the net when the arp poisoning begins?

Thanks.

[Netshroud]

did you set /proc/sys/net/ipv4/ip_forward to 1?

[bowler]

did you set /proc/sys/net/ipv4/ip_forward to 1?

Yes I have turned on forwarding on the attacker.

attaker# echo 1 > /proc/sys/net/ipv4/ip_forward

[digip]

I beleive a vmware Bridged nic shares the hosts adapter for connections, as where the NAT option gives them their own ip and mac's.

[bowler]

I beleive a vmware Bridged nic shares the hosts adapter for connections, as where the NAT option gives them their own ip and mac's.

In a bridged set up each vm do have their "own mac addresses sort of.

When I look into the arp table of the host (no spoofing going) the mac address of all vm's are the same as the host. So yes in that you are correct. Each vm though see's each other with distinct mac addresses. It's just that the host sees all vm's with the same mac address. That of it's own, and probably uses some wizardry to route traffic to the various vm's.

I was wondering if it is because of this that the spoofing will not work as expected.

[Netshroud]

Probably. I know that whenever I try to ARP spoof a system on my network from a VM, their net and mine drops out as well, because both systems think the router is <my MAC address here>.

I still dont know why my computer responds to 'its own' ARP poisoning.

[bowler]

Probably. I know that whenever I try to ARP spoof a system on my network from a VM, their net and mine drops out as well, because both systems think the router is <my MAC address here>.

I still dont know why my computer responds to 'its own' ARP poisoning.

My usual setup is to have 2 usb wireless adapters, one for the host machine and guest bridging. The second is usually attached directly to the vm (attacker) so that the vm (attacker) can access it as a usb wireless device. That works for me. But I did not have one at the moment so I was trying this until a new one arrives.

But now that I think of it. I wonder if I add a third adapter to the host (wired) where the host can use the wired for internet. I can use the host wireless adapter as the bridge for the vm's.

I will try that and see what the results are.

[bowler]

I figured out what was causing me so much problems. I had the ubuntu firewall enabled (ufw). Once I disabled this firewall before I begin to do anything, ettercap/arpspoof works as is expected. No more lost internet on the target.

sudo ufw status
sudo ufw disable