Ettercap ARP poisoning not working with XP SP3?
Hello!
I'm playing around with Ettercap on my LAN... everything is working so far, several workstations poisoned successfully. But 1 station doesn't work, no matter what I'm doing. It's a Win XP SP3... a workstation hanging on the same switch (I have several switches and hubs in my LAN) gets poisoned very well, but this fkn machine doesn't. Ettercap always says "No poisoning between 192.168.0.7 -> 192.168.0.1", where .0.1 is my GW.
Any suggestions what I'm doing wrong? Any further informations needed to answer this question?
Homer
I don't have any problems with a Swedish version of XP SP3. Some filters don't work. Think it is my crappy programing...not sure. Do you have some device/wall between that computer and ettercap? I have bumped into some that are "smart" and detect poisoning.
Can you one way poison? You using ettercap 0.7.3 on BT4 beta? Whats your command line look like?
onryo
Let me explain officer, I am not a hacker. I am a security tester of sorts!
Yes, I'm using BT4 with Ettercap 0.7.3 ...
I've just tried to poison one way, but it's still the same "chk_poison: No poisoning between 192.168.0.7 -> 192.168.0.1"...
As I said, I got several switches and hubs between me and that workstation. The only thing I just don't understand is why another workstation on the same switch (a dbox2) can be poisoned and that winxp machine cannot.
Could be a firewall on that machine the reason for it (I think it was ZoneAlarm)?
edit: No, I'm not using the command line, I'm using the GUI... but all the other workstations work well, so I don't think it's a problem with the ettercap settings
ZoneAlarm has built in ARP protection
Oh, okay, that would explain my problem
Hmm ettercap has dhcp spoofing too... that should work with ZoneAlarm as far as I know it from the man pages, right? What I haven't understood so far: Are the results of the several MITM attack methods the same? So am I able to read/modify packets from/to my GW?
I'm not sure tbh as I'm a n00b myself, but I've tinkered with Zone Alarm and I think that you can set a static dhcp server and dns which means it doesn't allow anyone else to act as thus.
Assuming it's your network the easiest thing to do is to just try.
Read the manual, it's really informative.
Hmm now I'm interested in that DHCP spoofing thing
Another workstation, without any firewall or something like that...
I set up DHCP spoofing in Ettercap with the following parameters:
IP pool: 192.168.0.44 (not used in my LAN)
Net mask: 255.255.255.0
DNS server IP: 192.168.0.1 (the IP of my real GW)
Is that the correct configuration?
Now I activate the autoadd plugin and boot my workstation, but it still gets the IP that my GW gives it. What am I doing wrong?
You started it right?
Try adding a larger ip range and then try releasing and renewing the ip at the victim. (I had a similar problem).
You should also note that the IP range should be working in conjunction with the router format.
Ie. many routers start adding IPs from 192.168.0.100 etc. if this is the case with yours try using an ip range in that spectrum.
If it works everything is good, if not - well then something is wrong.
Also it was recently pointed out to me that the GUI interface has problems on BT4, I havn't had a chance to get it confirmed, but maybe you should try to run it shell based?
Posting Permissions
