To make a very, very long story short: I was having trouble getting Metasploit's fakedns+arp_poison
working. After extensive troubleshooting with Metasploit and removing every variable I could
think of, including moving off VMware to two different machines connected via wifi,
here are the final results:
Platforms: Host: MacBook Pro running OS X 10.6.6 and VMware Fusion 3.3.1
VM1: BT5R1, unmodified, all updates as of 11/4/11.
VM2: Win XP Pro, no SPs, unmodified install
VMs sharing a host-only network. Network connectivity working fine for normal meatbag stuff.
I was trying to, of course, arpspoof with arp_poison and spoof DNS with fakedns.
I have had this working in previous versions of BT with ettercap and arp/dnsspoof.
In desperation, I shut off Metasploit, put a static (spoofed) ARP entry on the XP VM,
and set up a netcat listener on udp/53 and sniffed the whole thing in NON-PROMISCUOUS
mode on the BT VM.
When I perform an nslookup on the XP VM, Wireshark shows the resolution request entering the BT5
VM, but it never gets to Netcat. Nothing happens. Eventually, XP gives up and goes away.
Here's the interesting thing: if I turn on IP forwarding in the kernel, the packet is forwarded
properly. So there's no firewall blocking it. (Unless forwarding turns something off, but I've
never heard of that, and ipchains or anything else that looks like a firewall isn't running).
Of course, netcat still doesn't see it. There's nothing strange in the logs, and even in
promiscuous mode things don't work properly.
The only conclusion I've been able to reach is that the kernel (or stack, or NIC driver) is
refusing to forward packets for non-native IP addresses to processes on the BT VM. As to why
Wireshark can see it, I suppose its tap in the NIC driver is at a low enough level that it
avoids this problem. Also, netcat, as well as arp_poison+fakedns, works properly when
the XP nslookup is set to use DNS at the real IP of the BT VM, so I'm pretty sure I
have everything configured properly.
I've seen several other threads about this problem, but none that have pursued an answer
to this level of detail. And, unfortunately, no solutions. Help! And feel free to call me a
dumbass if I'm missing something obvious... I've looked all over this site and Google.
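The post describes the attacker side of an ARP-poisoning lab; the following Python script is an added example (not code from the original poster, BackTrack, or Metasploit) showing the defender side: what the same lab traffic looks like in an ARP capture, and how to flag it. The capture lines are constructed for this example in the format tcpdump prints for ARP replies ("ARP, Reply <ip> is-at <mac>"); the IPs and MACs are invented, and the `trusted` pinning of the gateway's MAC is an assumed site policy, not something the post provides.

```python
import re
from collections import defaultdict

# Matches the ARP reply lines tcpdump prints; request lines and anything else are ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample capture: a legitimate gateway (.1) and victim (.102) answer for
# themselves, then a third host (aa:bb:cc) starts claiming both addresses.
SAMPLE_CAPTURE = """\
12:00:01.000000 ARP, Reply 192.168.56.1 is-at 00:50:56:c0:00:01, length 28
12:00:01.500000 ARP, Reply 192.168.56.102 is-at 00:0c:29:11:22:33, length 28
12:00:05.000000 ARP, Reply 192.168.56.1 is-at 00:0c:29:aa:bb:cc, length 28
12:00:05.010000 ARP, Reply 192.168.56.102 is-at 00:0c:29:aa:bb:cc, length 28
12:00:07.000000 ARP, Request who-has 192.168.56.1 tell 192.168.56.102, length 28
12:00:09.000000 ARP, Reply 192.168.56.1 is-at 00:0c:29:aa:bb:cc, length 28
"""


def parse_arp_replies(capture):
    """Yield (timestamp, ip, mac) for every ARP reply line; MACs are normalised to lower case."""
    for line in capture.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(capture, trusted=None):
    """Return a list of (timestamp, kind, detail) alerts for a capture.

    Alert kinds:
      trusted-violation  a reply contradicts a pinned ip->mac pair (e.g. the gateway)
      ip-mac-change      an IP is suddenly claimed by a different MAC than before
      mac-multi-ip       one MAC claims a second IP, the signature of a host
                         inserting itself between gateway and victim
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    last_mac = {}                   # ip -> MAC that most recently claimed it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed so far
    alerts = []
    for ts, ip, mac in parse_arp_replies(capture):
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted-violation",
                           f"{ip} claimed by {mac}, pinned to {trusted[ip]}"))
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "ip-mac-change", f"{ip} moved from {prev} to {mac}"))
        last_mac[ip] = mac
        if ips_by_mac[mac] and ip not in ips_by_mac[mac]:
            others = ", ".join(sorted(ips_by_mac[mac]))
            alerts.append((ts, "mac-multi-ip", f"{mac} now claims {ip} as well as {others}"))
        ips_by_mac[mac].add(ip)
    return alerts


if __name__ == "__main__":
    # Assumed policy: the gateway's MAC is known and pinned.
    pinned = {"192.168.56.1": "00:50:56:c0:00:01"}
    for ts, kind, detail in detect_arp_spoofing(SAMPLE_CAPTURE, trusted=pinned):
        print(f"{ts} {kind:18} {detail}")
```

Without a pinned mapping the detector only fires when a mapping changes, so the repeated spoofed reply at 12:00:09 is silent; pinning the gateway's MAC makes every contradicting reply an alert, which is why static ARP entries for the gateway (or a switch feature such as dynamic ARP inspection) are the usual mitigation rather than detection alone.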