Arp poisoning / Redirecting to my own machine?

**The Dan** · 01-07-2009, 11:41 PM

Hi

I need to arp poisoning / redirect clients in some how the traffic from the LAN goes to my own machine (not forward to just sniff). Let me explain, I'm inside a network and I want to setup a fake custom service (it's part from a ERP) to steal authentication.

What's the problem?

They do not use DNS queries to arrive at this server (they use direct IP).
They do not use DHCP in this LAN.

Is there a way I can impersonate local users (a kind of arp poison, etc) to make all requests that should go to server 10.0.0.2 (MAC 01:02:03:04:05:06) goes to my machines 10.0.0.26 (MAC 66:66:66:66:66:66) ? Yes, I do not want to forward the traffic, I want to bind a port and myself response to this services.

Any ideas about how to do it in Windows or Linux?

Thanks mates.

**KMDave** · 01-08-2009, 12:35 AM

Originally Posted by The Dan

Hi

I need to arp poisoning / redirect clients in some how the traffic from the LAN goes to my own machine (not forward to just sniff). Let me explain, I'm inside a network and I want to setup a fake custom service (it's part from a ERP) to steal authentication.

What's the problem?

They do not use DNS queries to arrive at this server (they use direct IP).
They do not use DHCP in this LAN.

Is there a way I can impersonate local users (a kind of arp poison, etc) to make all requests that should go to server 10.0.0.2 (MAC 01:02:03:04:05:06) goes to my machines 10.0.0.26 (MAC 66:66:66:66:66:66) ? Yes, I do not want to forward the traffic, I want to bind a port and myself response to this services.

Any ideas about how to do it in Windows or Linux?

Thanks mates.

Are you authorized to do so? Just wondering because stealing usernames and password sounds strange in the first place.

**The Dan** · 01-08-2009, 10:51 AM

Hi KMDave

How are you?

Sure, I work for a security company and one of my jobs are internal penetration tests, as I already had explained it here in another post I was believing it was clear.

Some evidences goes here:

http://forums.remote-exploit.org/sho...t=16469&page=3

http://forums.remote-exploit.org/showthread.php?t=17010

Sorry if it was not clear since the first post.

Related with the thread, someone have some suggestion for me?

Thank you

**imported_cybrsnpr** · 01-08-2009, 11:11 AM

If you are on the same network segment as the victim, try using arpspoof.

Good Luck...

**The Dan** · 01-08-2009, 12:46 PM

Hi cybrsnpr

Thank you for reply.

I did think in use dsniff package (arpspoof) but I got no sucess. In theory I should only setup a one way arp spoof and disable ip_forward, not?

Like this:

arpspoof -t VictimIP IPofMachineIWantToBe
echo 0 > /proc/sys/net/ipv4/ip_forward

However in my tests it do not work, it poison (the arp entry in VictimIP is forged), but if I setup a service in my attacker machine and try to connect from the VictimIP it gives connection refused.

off: Is there a way to use arpsoof to poison a entire segment (like a class C network) instead of a machine? I did look at man page and it do not say anything.

Thank you in advance.

**ipndrmath** · 01-08-2009, 11:19 PM

Originally Posted by The Dan

off: Is there a way to use arpsoof to poison a entire segment (like a class C network) instead of a machine? I did look at man page and it do not say anything.

Thank you in advance.

Of course. Just don't supply a target with arpspoof.

Edit: Forgot to mention: A segment arpspoof WILL set off a IDS if there is one on the network. Not sure of your contract terms, but can you be caught/blatantly obvious or do you need to remain stealthy? An arpspoof that big is a dead give away.

BackTrack Linux - Penetration Testing Distribution

Thread: Arp poisoning / Redirecting to my own machine?

Thread Tools

Search Thread

Display

Arp poisoning / Redirecting to my own machine?

Posting Permissions