Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Backtrack 4 Arpspoof Within VMWare Player

  1. #1
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    4

    Default Backtrack 4 Arpspoof Within VMWare Player

    I'm having problems using arpspoof in backtrack 4 from within VMWare player. I was trying out sslstrip which i found from episode 610 from hak5. All of my settings are correct, i have ip forwarding on and everything. I have backtrack 4 running in vmware player on windows 7, and the victim is a windows xp vm running in vmware workstation on ubuntu 9.04. My problem occurs when I try to arpspoof using backtrack and the victim computer loses their internet connection. Is this a problem with running it from VMWare? I have the vm's connection setup as bridged replicating the physical network, and i believe the same on the victim too. Any help would be greatly appreciate!! Thanks so much!

  2. #2
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default

    Quote Originally Posted by xander787 View Post
    My problem occurs when I try to arpspoof using backtrack and the victim computer loses their internet connection. Is this a problem with running it from VMWare?
    Normally this happens when you try to poison more than 2 victims. Anyway, I never managed to get arpspoof to work (Well, I never tried that hard, so...).

    I currently have bt4pf installed on a vm machine and I obtained best results by using ettercap as the arp poisoning program (and sniffer, of course), thus eliminating the need for the extra program (arpspoof) while performing the attack. Try that out and post your results.

  3. #3
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    4

    Default

    well this stinks, basically got the same result as i got with arpspoof. I started ettercap with:
    Code:
    ettercap -T -M ARP -i eth0 /192.168.1.50/ /192.168.1.1/
    and it seemed to work because when i went to the victim pc and pinged 192.168.1.1 i saw the ping request and reply in wireshark, but the problem remains that it drops the victim's internet connection! I have no idea what could be causing this, could it be because its running in VMWare player? Thanks for any and all help!

  4. #4
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Quote Originally Posted by xander787 View Post
    well this stinks,
    Do not double post. Check the rules, that you agreed to.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  5. #5
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default

    Quote Originally Posted by xander787 View Post
    well this stinks, basically got the same result as i got with arpspoof. I started ettercap with:
    Code:
    ettercap -T -M ARP -i eth0 /192.168.1.50/ /192.168.1.1/
    and it seemed to work because when i went to the victim pc and pinged 192.168.1.1 i saw the ping request and reply in wireshark, but the problem remains that it drops the victim's internet connection! I have no idea what could be causing this, could it be because its running in VMWare player? Thanks for any and all help!
    Have you enabled ip tables? Post the commands you are using.

  6. #6
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    4

    Default

    Yes I have enabled IP Tables. Here are all the commands i used from start to finish:

    1. Turn on IP Forwarding:
    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    2. Modify IP Tables:
    Code:
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    3. Start ettercap arpspoof
    Code:
    ettercap -T -M ARP -i eth0 /192.168.1.50/ /192.168.1.1/
    And thats basically it, but it always seems to make the victim lose their connection. I don't know if i'm missing a step, mistyping a step, or if it's because i'm in a VM. Thanks again for all your help!

  7. #7
    Just burned his ISO
    Join Date
    Sep 2006
    Posts
    16

    Default

    Edit:
    Looks like the arp poison is taking on the physical adapter mac. The arp poison needs to have the virtual mac
    Verified by doing arp -n on the host (arp -a if windows).
    Also nmap -sP to the attacker ip from the victim.

    Anyone know how to have the arp from the virtual machine use the virtual mac ?
    I hit a wall...
    Can it be done with a static arp entry(would it go in the virtual host or physical I tried to play with this but so many options) ?
    proxy Arp ?
    tap interface in the virtual environment ?

    Answer has to be in getting the arp correct.... Anyone get this working ?
    I like the concept of running backtrack in a seemless virtualbox so I can use winders and still do pen/audit testing and not have to reboot.
    Thought my only limitation would be wireless testing.....


    #############
    info below is before I figure out above
    #############

    I'm having a hard time with this as well using virtual box and backtrack 4.
    I think I understand the concept of arp poisoning my theory is it's a virtual issue.

    Has anyone successfully arp poisoned a test physical box from a virtual attacker ?

    I can successfully attack from my physical eee laptop and the internet works on the victim. When I make the virtual box the attacker the physical has no internet access.

    From the victim I can ping the virtual attacker. I did an arp -n (linux) from the victim and the gateway mac and attacker mac are the same (successful poison). I can't ping/trace route anything external (using a verified pingable wan dns ip).

    I did the same procedure from the physical box as an attacker (using backtrack 4 and it works) then repeated the same procedure in a virtual backtrack 4 and it doesn't work (virtual is actually an image of the physical).

    I've played with ip forwarding and ip tables and doesn't seem to matter. I think the issue is the data is hitting the virtual box and not getting forwarded to the gateway to make it out the internet.

    Any tools/commands I can use to troubleshoot the attacker box to verify correct ip forwarding and traffic when mitm ?

    I've read all of the following, with the same issue and none seem to have a solution. I wish someone would just say you can't do mitm with virtual so I can stop banging my head

    forums.remote-exploit.org/newbie-area/29183-backtrack-4-arpspoof-within-vmware-player.html
    forums.remote-exploit.org/wireless/29028-problem-ettercap-sslstrip-wlan-network-very-strange-my-internet-network-down.html
    forums.remote-exploit.org/newbie-area/29053-arpsoofing-vmware-guest-possible.html
    macshadows.com/forums/index.php?showtopic=8158]Ettercap: ARP poisoning does not allow victim to have internet - TSF - Mac Security Forums
    # talks about not doing ip forwarding (echo "1" > /proc/sys/net/ipv4/ip_forward) because ettercap does (last post)
    forums.remote-exploit.org/pentesting/9231-ettercap-arp-poisoning-question.html
    # ettercap manual says this as well
    linux.die.net/man/8/ettercap]ettercap(8) - Linux man page

  8. #8
    Just burned his ISO
    Join Date
    Aug 2008
    Posts
    11

    Default

    Just a thought, have you checked the network interface of your virutal box.. I know with VM you can set you network card as host, Bridge and NAT.. try setting it to Bridge, I have been able to using backtrack with Ettercap gui to sniff and poison the ARP.. but to be 100% honest I have mix results.

  9. #9
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    4

    Default

    read my first post, i have it setup as bridged replicating physical network.

  10. #10
    My life is this forum Snayler's Avatar
    Join Date
    Jan 2010
    Posts
    1,418

    Default

    Quote Originally Posted by xander787 View Post
    Code:
    ettercap -T -M ARP -i eth0 /192.168.1.50/ /192.168.1.1/
    Forgot to ask what interface you were using... It works for me on a VM because i use a usb wireless adapter, you are using your internal adapter bridged to vm. You should try out WickedClown's advice to try other configurations. And just to be sure, have you uncommented iptables lines in etter.conf?

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •