Usually on Hak5 or on videos around here or the web I usually see persons using BT from VMware. And they seem to have no problems.
This is my Lab setup.
- Host: Karmic
- Guest (attacker): Jaunty -- physical usb adapter attached (RT2500USB) and made available to this guest.
- Guest (Victim): Karmic -- bridge to host
- Router: wrt54g
Goal
-----
To successfully ARP poison the victim using one-way poisoning, then bi-directional poisoning.
That is, I want to look at the traffic going from the victim to the router but still leave the victim with access to the Internet, and look at the traffic going from victim to router and router to victim.
I would prefer to use ettercap strictly for arpspoofing (no sniffing) but I have used both ettercap and dsniff arpspoof with the same poor result.
On the attacker I drop to root.
I turn on forwarding:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Then for arping from victim to router (one-way) I would
with arpspoof go
Code:
arpspoof -i wlan0 -t 192.168.1.6 192.168.1.1
OR
with ettercap go
Code:
ettercap -T -q -o -i wlan0 -M arp:remote,oneway /192.168.1.6/ /192.168.1.1/
Or bidirectional
with arpspoof go
Code:
arpspoof -i wlan0 -t 192.168.1.6 192.168.1.1
arpspoof -i wlan0 -t 192.168.1.1 192.168.1.6
OR
with ettercap go
Code:
ettercap -T -q -o -i wlan0 -M arp:remote /192.168.1.6/ /192.168.1.1/
At this point one would think that now I am the man in the middle. But somehow not so, because the victim loses internet connection.
I have even tried arpspoofing the host machine but the host loses internet connection also.
NB: the vmware client attack has a physical USB wireless adapter attached to it. It is in no way bridged to the host.
I am wondering why it's the case and if this is a VMware problem or am I missing a step.
I can't think of any more information to add at the moment.
Has anyone successfully been able to arpspoof from a vmware based attacker?
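Added example, not part of the original thread: seen from the victim guest in a lab like this one, a working poisoning shows up in the ARP cache, so the sketch below checks a `/proc/net/arp`-format table for one MAC answering for several IPs and for a gateway MAC that differs from a recorded baseline. The sample table, the MAC addresses, the extra host addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/arp format, as the victim (192.168.1.6)
# might see it while poisoned. MACs and the .7/.20 hosts are made up.
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:bb:07     *        eth0
192.168.1.7      0x1         0x2         02:00:00:aa:bb:07     *        eth0
192.168.1.20     0x1         0x2         02:00:00:cc:dd:20     *        eth0
EOF
}

# Print "MAC ip1 ip2 ..." for every MAC that answers for more than one IP.
# Reads the table on stdin; skips the header and incomplete (all-zero) entries.
dup_macs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" {
             mac = tolower($4); n[mac]++; ips[mac] = ips[mac] " " $1
         }
         END { for (m in n) if (n[m] > 1) print m ips[m] }' | sort
}

# Return 0 and print a warning if the gateway's MAC differs from the baseline.
# $1 = gateway IP, $2 = known-good MAC recorded earlier; table on stdin.
gateway_changed() {
    awk -v gw="$1" \
        -v good="$(printf %s "$2" | tr '[:upper:]' '[:lower:]')" '
        $1 == gw { seen = tolower($4) }
        END {
            if (seen != "" && seen != good) {
                print "gateway " gw " is at " seen ", expected " good; exit 0
            }
            exit 1
        }'
}

# On a live Linux host the input would be: dup_macs < /proc/net/arp
sample_arp | dup_macs
sample_arp | gateway_changed 192.168.1.1 02:00:00:ee:ff:01
```

The duplicate-MAC check only fires when the victim also holds an entry for the poisoning host's real IP, which is why the baseline comparison is included; a router that legitimately owns several addresses will also appear as a duplicate.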
Maybe I am missing something here, but where in the mix is your BackTrack system?
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
Jaunty with BT4 tools installed on it is not BackTrack, and we only support BackTrack. I'd suggest you actually put a proper copy of BT into that VM and try that out instead of a bodgied Ubuntu install. I personally have had issues with getting Ettercap to work properly on Ubuntu, especially with VMs.
You are perfectly correct.
After I saw your first post I fired up the BT4 Live CD and ran the commands, and the poisoning went like clockwork.
I am surprised and baffled that there could be such a difference between 8.10 and 9.04 where arpspoof/ettercap are concerned, as BT4 is built on Ubuntu 8.10.
Thank you.
I just tried ettercap with Karmic and all works as it should.
If anyone out there has Jaunty installed, can they run an arpspoof test to see if this is just Jaunty affected?
Thanks.
Again we do not support Ubuntu here no matter what tools you may have installed on it.
To be successful here you should read all of the following.
ForumRules
ForumFAQ
If you are new to Back|Track
Back|Track Wiki
Failure to do so will probably get your threads deleted or worse.
As archangel.amael mentioned we don't support Ubuntu here so we try and stay away from any discussion of it. However since I did obliquely bring it up myself I will add this one final point on this matter - the troubles I mentioned getting Ettercap to work on Ubuntu were with Jaunty.