ARP Spoof not working. It delivers a DoS instead. What am I doin' wrong?


gfunkera

I have installed dsniff on my linux laptop (linux mint 14, nadia) and have figured out how to use arpspoof/ettercap to deliver an ARP poison.

The problem: whenever I deliver the attacks to the devices that I am test-attacking (usually my other laptop or smart phone via wifi), their internet connections merely stop working! When I killall arpspoof, the internet on the test machines goes back to working. I cannot figure out what I am doing wrong!

For people who want more detail (arpspoof method I use):

1. set up port forwarding by editing the /proc/sys/net/ipv4/ip_forward file

2. change the iptables by issuing a really long command that I don't feel like entering here but starts with "iptables -t nat -p tcp ... "

3. ARP poison by saying "arpspoof -i wlan0 -t <target> <router>"

*** THIS IS WHERE THE TEST MACHINES' INTERNET STOPS WORKING ***

4. ARP poison by saying "arpspoof -i wlan0 -t <router> <target>"

5. continue with attack using other tools.

Note: This sort of works when I do it through backtrack5 on virtualbox, but it only works if I attack my host machine, if I try to attack any other device on the network, it does the same thing as above: the internet stops working on the target machine until I stop arpspoofing.

How can I fix??

What is the router or switch hardware in question? Some devices will stop responding, especially switches with layer 3 capabilities that keep tabs on known hosts and devices connected to each port. Wired ARP spoofs and poisonings usually go south at some point and cause havoc. Wireless, on the other hand, usually works a treat, except for when the router has AP isolation enabled. Very possible you missed a step, but it could just be your setup and equipment. If all else fails, get a copy of Cain, try it from a Windows box, and see what happens. If it works from there with no issue, then you foobared something somewhere using dsniff and ettercap. Also, ettercap should be able to do the entire MITM for you as well as password harvesting if using the latest release, 0.7.5.1 I believe. They've apparently added some plugins and a lot of it is automated now for credential harvesting, from what I understand. At least, that's some of what they talked about on the last GrumpySec podcast about the latest version, which came out I think 2 days ago.

http://sourceforge.net/projects/ettercap/files/ettercap/0.7.5-Assimilation/ettercap-0.7.5.1.tar.gz/download

Edited by digip
OK, you need to list the iptables chain that you're using. First of all, how do you expect help when you won't list exactly what commands you're using?

Also, you should flush iptables before starting a new one and you should flush it when you're done.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

You need to understand what iptables is and what it does.

You're not even listing any chains in your iptables. Something like

iptables -t nat -A PREROUTING -p tcp --destination-port (whatever-port) -j REDIRECT --to-port (whatever-port)

The router is 192.168.1.1 and it is a Netgear. The target machines are wifi on a laptop, wifi on another desktop, and wifi on an iPhone.

Trying to stay away from wired machines. This is just for my own curiosity.

I'm trying to get it to work with the dsniff suite first because I want to understand it more. I have ettercap on hand but haven't ventured much yet. It also does not work properly yet, so I guess maybe it's something I messed up during setup.

How do I list my iptables chain?

Here is the command that I snarfed on earlier, please DO help me!!:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

I have not flushed my iptables yet but I will try that next. I will flush before and after I potty.

iptables keeps track of IP addresses and MAC addresses, right?

Edited by gfunkera
When I said list your iptables chain, I was referring to when you said

"2. change the iptables by issuing a really long command that i dont feel like entering here but starts with "iptables -t nat -p tcp ...""

I was trying to say you need to list what you're entering. THE WHOLE THING.

The iptables chains in the example line I listed are PREROUTING and REDIRECT.

In the line you listed you aren't even using any. This is a problem. Run iptables --help for some more info or google what iptables does. Keeping track of IP addresses and MAC addresses is not really what iptables is for; you might be thinking of arptables.

iptables provides packet filtering, network address translation (NAT) and other packet mangling.

arptables is used to set up, maintain, and inspect the tables of ARP rules in the kernel, so not really the same thing. Oh, and one more thing: when you say you edited the /proc/sys/net/ipv4/ip_forward file, what kind of edit are we talking about here?

if you want help with something you need to start giving very specific details on what youre doing and what the result is. not listing kinda sorta and maybe mighta things.

oh and one more thing, when you say you edited the /proc/sys/net/ipv4/ip_forward file what kind of edit are we talking about here?

I did this as root:

cat /proc/sys/net/ipv4/ip_forward
0
echo "1" > /proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
1
Edited by gfunkera
if you want help with something you need to start giving very specific details on what youre** doing and what the result is. not listing kinda sorta and maybe mighta things.

**you're

The results, specifically, are that:

1. Target Machine Internet Drops Out

The target machines' internet stops working until I disable arpspoof, allowing the target machine to re-ARP. The target machine works per usual after disabling arpspoof.

I disable arpspoof like so (as root):

$ killall arpspoof

2. Information Interception Is Unsuccessful

Other utilities such as driftnet and urlsnarf do not pick up any information from the target machine.

- I was wondering if this has anything to do with the fact that once I do this, if I run driftnet or urlsnarf, I cannot see any activity from the other machine but I can see activity from my own machine.

- I'm guessing that I see all my own activity because I am only telling driftnet/urlsnarf to just look at whatever is going through wlan0.

The command I use to run driftnet is like so (as root):

$ driftnet -i wlan0

The command I use to run urlsnarf is like so (as root):

$ urlsnarf -i wlan0

Love, Santa.

You need to issue iptables -L to list your whole iptables. And like most posters think, it's probably a bad NAT/forwarding setup in iptables.

Also, are you running a proxy-like program that will forward the data on port 8080 back to the internet/network?

Edited by GuardMoony
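
The poisoning discussed in this thread is visible from the client side: while it runs, the gateway IP in the client's neighbour table resolves to the same MAC as another host. The following is an added example, not code from any poster in the thread, that checks `ip neigh show` output for that pattern; the function names, result tags and MAC addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ip neigh show` output on stdin.
# Live use: ip neigh show | check_arp_table 192.168.1.1 <known-gateway-mac>
check_arp_table() {
    awk -v gw="$1" -v base="$(printf '%s' "${2:-}" | tr 'A-F' 'a-f')" '
        $1 ~ /:/ { next }                  # IPv6 neighbours use NDP, not ARP
        {
            mac = ""
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "") next            # FAILED/INCOMPLETE: no MAC learned
            if ($1 == gw) gwmac = mac
            if ((mac, $1) in seen) next    # same pair listed on a second device
            seen[mac, $1] = 1
            if (!(mac in ips)) order[++n] = mac
            ips[mac] = ips[mac] (ips[mac] == "" ? "" : ",") $1
            count[mac]++
        }
        END {
            if (gwmac == "") { print "NO_GATEWAY_ENTRY", gw; exit 2 }
            if (base != "" && gwmac != base) {
                print "GATEWAY_MAC_CHANGED", gw, "expected=" base, "seen=" gwmac
                bad = 1
            }
            for (k = 1; k <= n; k++) {     # report in order of first appearance
                m = order[k]
                if (count[m] < 2) continue
                tag = (m == gwmac) ? "GATEWAY_MAC_SHARED" : "DUPLICATE_MAC"
                print tag, m, ips[m]
                bad = 1
            }
            exit bad + 0                   # 0 clean, 1 findings, 2 no gateway
        }'
}

# Constructed sample: neighbour table of a poisoned client, where the
# gateway IP resolves to the same MAC as host 192.168.1.23.
sample_poisoned_table() {
    cat <<'EOF'
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:bb:cc REACHABLE
192.168.1.23 dev wlan0 lladdr 02:00:00:AA:BB:CC STALE
192.168.1.40 dev wlan0 lladdr 02:00:00:11:22:33 STALE
192.168.1.50 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr 02:00:00:aa:bb:cc router REACHABLE
EOF
}

sample_poisoned_table | check_arp_table 192.168.1.1 02:00:00:00:00:01 || true
```

A router that holds several addresses, or one doing proxy ARP, can share a MAC legitimately, so a DUPLICATE_MAC line is a lead to verify rather than proof.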