ARP Spoofing Clarification Needed


Post by lolliver on Tue Sep 18, 2012 11:37 am

Hi all,

In my n00b pentest lab I have a PC running Windows 7 and a laptop running Backtrack 5, both of which are connected directly to my router via ethernet cables. Is it possible to ARP spoof the PC with this configuration? And if not, does this mean that it's impossible to sniff my PC's traffic?

I've also noticed that if I set up Backtrack/Windows VMs on my PC (which is connected directly to the router via cable) then I can't arpspoof the target VMs from the Backtrack VM either, regardless of whether or not I use host-only/bridged network card types.
//' or '1' = 'donkey
lolliver
New User
Posts: 6
Joined: Tue Dec 13, 2011 5:46 am


Re: ARP Spoofing Clarification Needed

Post by limdis on Wed Sep 19, 2012 9:11 am

Absolutely. But we'll need a bit more information on how you are attempting the spoof before we can really help you, such as what tools you are using and whether you are getting any errors vs. simply freezing up your network.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
limdis
Moderator
Posts: 1388
Joined: Mon Jun 28, 2010 5:45 pm


Re: ARP Spoofing Clarification Needed

Post by lolliver on Thu Sep 20, 2012 12:10 pm

Thanks for the response.

So on the laptop I'm running arpspoof using the command "arpspoof -i eth0 -t 192.168.0.3 192.168.0.1", where 192.168.0.3 is the Windows 7 PC and 192.168.0.1 is the router.

Upon performing this command, I've then tried each of the other tools in the dsniff suite and gotten no results. For example with urlsnarf, I get no URLs listed on screen when I navigate to a site on the Windows 7 box.

Does arp-spoofing even work with a pc -> router, attacker -> router configuration?


Re: ARP Spoofing Clarification Needed

Post by limdis on Thu Sep 20, 2012 12:53 pm

You need to spoof the traffic in both directions (incoming/outgoing). So open up two terminal windows:

arpspoof -i eth0 -t [target router] [target IP]
*let run*

arpspoof -i eth0 -t [target IP] [router IP]
*let run*

urlsnarf is alright if you are piping to a text file, but it can be a little hard to follow if you are trying to view a live feed. For that, try this setup:

*new terminal*
webspy -i eth0 [target IP]
*new terminal*
firefox &

This will force redirect your firefox browser to the webpages that the target is connecting to. It's not perfect and has issues if tabs are being used but it's pretty cool to see in action.

One more thing: if you are spoofing your MAC beforehand, make sure to take your card out of monitor mode.
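Added example (not part of the thread and not from either poster): the two-way spoof described above, seen from the defender's side. It flags IP-to-MAC rebinds and a single MAC answering for both the gateway and a host; the reply tuples, the MAC addresses and 192.168.0.5 are constructed, and it assumes a sensor that can actually see the replies (a mirror port or the hosts themselves).

```python
from collections import defaultdict

# Constructed sample: ARP replies as (seconds, sender IP, sender MAC).
# 192.168.0.1 (router) and 192.168.0.3 (PC) are the thread's addresses;
# the MACs and the 192.168.0.5 laptop address are made up.
SAMPLE_REPLIES = [
    (0.0, "192.168.0.1", "00:11:22:33:44:01"),
    (1.0, "192.168.0.3", "00:11:22:33:44:03"),
    (2.0, "192.168.0.5", "00:11:22:33:44:05"),
    (10.0, "192.168.0.1", "00:11:22:33:44:05"),  # sent to the PC
    (10.1, "192.168.0.3", "00:11:22:33:44:05"),  # sent to the router
    (12.0, "192.168.0.1", "00:11:22:33:44:05"),
    (12.1, "192.168.0.3", "00:11:22:33:44:05"),
]

def find_arp_anomalies(replies):
    """Return (rebinds, shared) for time-ordered ARP replies.
    rebinds: [(time, ip, old_mac, new_mac)] where an IP changed MAC.
    shared: {mac: sorted IPs} for MACs now answering for 2+ IPs."""
    current, rebinds = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = current.get(ip)
        if old is not None and old != mac:
            rebinds.append((ts, ip, old, mac))
        current[ip] = mac
    by_mac = defaultdict(set)
    for ip, mac in current.items():
        by_mac[mac].add(ip)
    shared = {m: sorted(i) for m, i in by_mac.items() if len(i) > 1}
    return rebinds, shared

def poisoned_pairs(replies, gateway_ip):
    """(mac, host) pairs where one MAC took over both the gateway's and the
    host's address, i.e. interception in both directions."""
    rebinds, shared = find_arp_anomalies(replies)
    moved = {ip for _, ip, _, _ in rebinds}
    pairs = []
    for mac, ips in shared.items():
        if gateway_ip in ips and gateway_ip in moved:
            pairs += [(mac, ip) for ip in ips if ip != gateway_ip and ip in moved]
    return pairs

if __name__ == "__main__":
    print(find_arp_anomalies(SAMPLE_REPLIES)[0])
    print(poisoned_pairs(SAMPLE_REPLIES, "192.168.0.1"))
```

With only the first four replies (one direction poisoned) the gateway rebind is still reported, but no two-way pair is.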


Re: ARP Spoofing Clarification Needed

Post by lolliver on Thu Sep 20, 2012 1:05 pm

Thanks for the comprehensive reply, I'll go and try all of that in a second. I didn't realise that you had to spoof in both directions, I thought that by enabling IP_forward'ing that'd be done automagically!

Regarding monitor mode, I'm connected via a wire from both the laptop and the PC so I don't think that monitor mode applies? (not being sarky, I don't know much about networking.. I'm a programmer by day)

Edit > I realise now that enabling IP forwarding just sends the packet on to the router from the attacker, rather than intercepting it. They call this nzone for a reason I guess! Cheers again


Re: ARP Spoofing Clarification Needed

Post by limdis on Thu Sep 20, 2012 1:40 pm

Sorry, I default to working with wireless since that is what I primarily do. You're right, but if you did decide to try this via wireless the mode of the card would be something to check. Let us know how the testing goes. I can talk about this all day.


Re: ARP Spoofing Clarification Needed

Post by lolliver on Thu Sep 20, 2012 2:04 pm

So! Testing is complete.

Results:

arpspoofing both ways was definitely what was needed, so thanks for that.

urlsnarf and webspy still don't yield any results for some reason (blank terminals after "listening on eth0 etc. etc...") however Wireshark and dnsspoof both show that the target's being MITM'd properly so I'm a happy camper.

Thanks very much for your help! If you've got any ideas why urlsnarf and webspy aren't working then I'm all ears, but I can always use Wireshark if I want to know what sites the target machine's visiting.


