Motzart Posted June 18, 2014 (edited)

Hi! I am new to ettercap (although I am not new to security, and I am not a kiddy). Because I am working on a Mac I enabled the "quick and dirty fix" in etter.conf. I followed the standard tutorials to spoof ARP (added router and victim to target 1 and 2, ARP poisoning, start sniffing).

What I expect: My victim is able to browse HTTP ordinarily.

What I get: The ARP is spoofed correctly (the cache got my attacker's MAC instead of the router's), but I get request timeouts when pinging my router. I cannot open web pages anymore, nothing loads, although the connections tab lists the victim's connections correctly.

First I thought I needed software that listens on my attacker in order to tunnel the traffic to the router (man in the middle). I found a thread saying it should listen on 8080. But after watching a video I guess that's already included when I select ARP poisoning? What point am I missing? I hope I provided enough information. Thanks for any help!

Edited June 18, 2014 by Motzart

digininja Posted June 18, 2014

Have you enabled IP forwarding?

sysctl -w net.inet.ip.forwarding=1

digininja Posted June 18, 2014

In which case start Wireshark on the victim, attacker and a target on the other side and see where the packets are getting to.

Motzart Posted June 18, 2014 Author (edited)

I started Wireshark on my victim ("weiss") and on my attacker ("tower") and pinged my router ("speedport.ip"). I filtered for ICMP.

Attacker:

Victim:

What I see: The ICMP requests are directed to my attacker (ofc I am not in promiscuous mode). My attacker sends them to the router, but the router does not answer.

Thanks for your help!

Edited June 18, 2014 by Motzart

digininja Posted June 18, 2014

Ping another machine on your network rather than on the internet and run Wireshark on that to see if it receives the pings.

Motzart Posted June 19, 2014 Author (edited)

Pinging works, but I don't understand my captures. Same scenario as above, I just pinged my Pi instead of my router.

Victim:

Attacker:

Pi:

What I don't understand: In my attacker I only monitor tower->weiss (attacker->victim), nothing else. Is this normal?

Still: Pinging my router, or sending DNS requests to it, does not work at all.

Thanks for your help again!

Edited June 19, 2014 by Motzart

digininja Posted June 22, 2014

Looks like it is working properly, the victim is sending ICMP requests and getting replies so ping is working fine. The attacker is seeing redirects which may be right on OSX, I don't know what its network stack looks like for IP forwarding.

What exactly are you poisoning? I'm not an ettercap user but doesn't it show the command it is running if you use the GUI? Send that in.

Motzart Posted June 25, 2014 Author (edited)

The output is:

Listening on:
en2 -> ***** (My MAC)
192.168.2.146/255.255.255.0
*****
Privileges dropped to UID 65534 GID 65534...
33 plugins
40 protocol dissectors
54 ports monitored
16074 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
7 hosts added to the hosts list...
Host 192.168.2.1 added to TARGET1
Host 192.168.2.128 added to TARGET2
ARP poisoning victims:
GROUP 1 : 192.168.2.1 **** (MAC Router)
GROUP 2 : 192.168.2.128 (MAC victim)
Starting Unified sniffing...
DHCP: [192.168.2.1] ACK : 192.168.2.150 255.255.255.0 GW 192.168.2.1 DNS 192.168.2.1 "speedport.ip"

I don't think this will be very helpful :(

My terminal that is attached to ettercap shows:

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team
01000 fwd 127.0.0.1,59272 ip from any to any proto tcp dst-port 992 in via en2
01100 fwd 127.0.0.1,59273 tcp from any to any dst-port 465 in via en2
01200 fwd 127.0.0.1,59274 ip from any to any proto tcp dst-port 995 in via en2
01300 fwd 127.0.0.1,59275 ip from any to any proto tcp dst-port 563 in via en2
01400 fwd 127.0.0.1,59276 tcp from any to any dst-port 636 in via en2
01500 fwd 127.0.0.1,59277 tcp from any to any dst-port 994 in via en2
01600 fwd 127.0.0.1,59278 tcp from any to any dst-port 993 in via en2
01700 fwd 127.0.0.1,59279 tcp from any to any dst-port 8080 in via en2
01800 fwd 127.0.0.1,59280 tcp from any to any dst-port 443 in via en2

Edited June 25, 2014 by Motzart
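
Added example, not part of any post in this thread: seen from the defender's side, the symptom in the first post (a host's ARP cache holding another machine's MAC for the router) can be detected by checking `arp -a` output for two IPs that share one MAC, or for a gateway MAC that differs from a recorded baseline. The MAC addresses, the sample table and the function names are constructed for illustration; the IP addresses are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Matches BSD/macOS and Linux `arp -a` lines, e.g.
# "? (192.168.2.1) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]"
ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+([0-9A-Fa-f:]{11,17})\b")

# Constructed sample: gateway .1 and host .146 resolve to the same MAC.
SAMPLE = """\
? (192.168.2.1) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]
? (192.168.2.146) at 0:1c:b3:9:85:15 on en0 ifscope [ethernet]
? (192.168.2.150) at a4:5e:60:c1:22:7 on en0 ifscope [ethernet]
? (192.168.2.77) at (incomplete) on en0 ifscope [ethernet]
"""

def normalize_mac(mac):
    """macOS drops leading zeros in each octet; pad so comparisons are exact."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries; '(incomplete)' lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def find_spoof_indicators(table, gateway_ip, known_gateway_mac=None):
    """Flag MACs claimed by several IPs and a gateway MAC that left its baseline."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff":
            findings.append(("shared_mac", mac, sorted(ips)))
    gw = table.get(gateway_ip)
    if known_gateway_mac and gw and gw != normalize_mac(known_gateway_mac):
        findings.append(("gateway_mac_changed", gw, [gateway_ip]))
    return findings

if __name__ == "__main__":
    # Baseline gateway MAC below is a constructed value.
    for finding in find_spoof_indicators(parse_arp_table(SAMPLE), "192.168.2.1",
                                         "00:25:9c:11:22:33"):
        print(finding)
```

A shared MAC is an indicator rather than proof, since proxy ARP and some multi-homed devices legitimately answer for several IPs; the baseline comparison is the stronger signal.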