ARP Spoofing Clarification Needed

[lolliver]

Hi all,

In my n00b pentest lab I have a PC running Windows 7 and a laptop running Backtrack 5, both of which are connected directly to my router via ethernet cables. Is it possible to arp spoof the PC with this configuration? and if not does this mean that it's impossible to sniff my PC's traffic?

I've also noticed that if I set up Backtrack/Windows VM's on my PC (which is connected directly to the router via cable) then I can't arpspoof the target VMs from the Backtrack VM either, regardless of whether or not I use host only/bridged network card types.

[limdis]

Absolutely. But we'll need a bit more information on how you are attempting the spoof before we can really help you. Such as what tools are you using and if you are getting any errors vs simply freezing up your network.

[lolliver]

Thanks for the response.

So on the laptop I'm running arpspoof using the command "arpspoof -i eth0 -t 192.168.0.3 192.168.0.1", where 192.168.0.3 is the Windows 7 PC and 192.168.0.1 is the router.

Upon performing this command, I've then tried each of the other tools in the dsniff suite and gotten no results. For example with urlsnarf, I get no URLs listed on screen when I navigate to a site on the Windows 7 box.

Does arp-spoofing even work with a pc -> router, attacker -> router configuration?

[limdis]

You need to spoof the traffic in both directions (incoming/outgoing). So open up two terminal windows:

arpspoof -i eth0 -t [target router] [target IP]
*let run*

arpspoof -i eth0 -t [target IP] [router IP]
*let run*

urlsnarf is alright if you are piping to a text file. But it can be a little hard to follow if you are trying to view live feed. For that try this setup:

*new terminal*
webspy -i eth0 [target IP]
*new terminal*
firefox &

This will force redirect your firefox browser to the webpages that the target is connecting to. It's not perfect and has issues if tabs are being used but it's pretty cool to see in action.

One more thing, if you are spoofing your MAC before hand make sure to take your card out of monitor mode.

[lolliver]

Thanks for the comprehensive reply, I'll go and try all of that in a second. I didn't realise that you had to spoof in both directions, I thought that by enabling IP_forward'ing that'd be done automagically!

Regarding monitor mode, I'm connected via a wire from both the laptop and the PC so I don't think that monitor mode applies? (not being sarky, I don't know much about networking.. I'm a programmer by day)

Edit > I realise now that enabling IP forwarding just sends the packet on to the router from the attacker, rather than intercepting it. They call this nzone for a reason I guess! Cheers again

[limdis]

Sorry I default to working with wireless since that is what I primarily do. You're right, but if did decide to try this via wireless the mode of the card would be something to check. Let us know how the testing goes. I can talk about this all day.

[lolliver]

So! Testing is complete.

Results:

arpspoofing both ways was definitely what was needed, so thanks for that.

urlsnarf and webspy still don't yield any results for some reason (blank terminals after "listening on eth0 etc. etc...") however wireshark and dnsspoof both show that the target's being MITM'd properly so I'm a happy camper.

Thanks very much for your help! If you've got any ideas why urlsnarf and webspy aren't working then I'm all ears, but I can always use Wireshark if I want to know what sites the target machine's visiting.