Jump to content

Victim does not establish connections after arp poisoning (ettercap)


Recommended Posts

Hi!

I am new to ettercap (although I am not new to security, and I am not a kiddy :wink: ).

Because I am working on a mac I enabled the "quick and dirty fix" in etter.conf.

I followed the standard tutorials to spoof arp (Added roter and victim to target 1 and 2, arp poisoning, start sniffing).

What I expect: My victim is able to browse HTTP ordinarily.

What I get:

The arp is spoofed correctly (the cache got my attacker's mac instead of the router's), but I get request timeouts when pinging my router. I cannot open web pages anymore, nothing loads.

Although the connections tab lists the victim's connections correctly.

First I thought I needed a software that listens on my attacker in order to tunnel the traffic to the router (man in the middle). I found a thread saying it should listen on 8080. But after watching a video I guess that's already included when I select ARP poisoning?

What point am I missing?

I hope I provided enough information. Thanks for any help!

Edited by Motzart
Link to post
Share on other sites

I started wireshark on my victim ("weiss") and on my attacker ("tower") and pinged to my router ("speedport.ip").

I filtered for ICMP.

Attacker:

post-47786-0-65820800-1403114318_thumb.p

Victim:

post-47786-0-73460500-1403114305_thumb.p

What I see:
The ICMP requests are directed to my attacker (ofc I am not in promiscuous mode). My attacker sends them to the router, but the router does not answer.

Thanks for your help!

Edited by Motzart
Link to post
Share on other sites

Pinging works, but I don't understand my captures.

Same scenario as above, I just pinged my pi instead of my router.

Victim:

Victim.jpg

Attacker:

Attacker.jpg

Pi:

image.jpg

What I don't understand: In my attacker I only monitor tower->weiss (attacker->victim), nothing else. Is this normal?

Still: Pinging my router, or sending DNS requests to it does not work at all.

Thanks for your help again!

Edited by Motzart
Link to post
Share on other sites

Looks like it is working properly, the victim is sending ICMP requests and getting replies so ping is working find. The attacker is seeing redirects which may be right on OSX, I don't know what it's network stack looks like for IP forwarding.

What exactly are you poisoning? I'm not an ettercap user but doesn't it show the command it is running if you use the GUI, send that in.

Link to post
Share on other sites

The output is:

Listening on:
   en2 -> ***** (My MAC)
	  192.168.2.146/255.255.255.0
	  *****

Privileges dropped to UID 65534 GID 65534...

  33 plugins
  40 protocol dissectors
  54 ports monitored
16074 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
7 hosts added to the hosts list...
Host 192.168.2.1 added to TARGET1
Host 192.168.2.128 added to TARGET2

ARP poisoning victims:

 GROUP 1 : 192.168.2.1 **** (MAC Router)

 GROUP 2 : 192.168.2.128 (MAC victim)
Starting Unified sniffing...

DHCP: [192.168.2.1] ACK : 192.168.2.150 255.255.255.0 GW 192.168.2.1 DNS 192.168.2.1 "speedport.ip"

I don't think this will be very helpful :(

My terminal that is attached to ettercap shows

ettercap 0.8.0 copyright 2001-2013 Ettercap Development Team

01000 fwd 127.0.0.1,59272 ip from any to any proto tcp dst-port 992 in via en2
01100 fwd 127.0.0.1,59273 tcp from any to any dst-port 465 in via en2
01200 fwd 127.0.0.1,59274 ip from any to any proto tcp dst-port 995 in via en2
01300 fwd 127.0.0.1,59275 ip from any to any proto tcp dst-port 563 in via en2
01400 fwd 127.0.0.1,59276 tcp from any to any dst-port 636 in via en2
01500 fwd 127.0.0.1,59277 tcp from any to any dst-port 994 in via en2
01600 fwd 127.0.0.1,59278 tcp from any to any dst-port 993 in via en2
01700 fwd 127.0.0.1,59279 tcp from any to any dst-port 8080 in via en2
01800 fwd 127.0.0.1,59280 tcp from any to any dst-port 443 in via en2
Edited by Motzart
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...