Hello everyone!
When I got to work today my boss told me that he had installed some kind of new security program for our router and he wanted me to test if it could be hacked.
So I started with the technique that is the nightmare of all networks... sniffing it.
I started a unified sniffing in Ettercap using ARP poisoning and to my boss's disappointment it worked, but the program also detected it (of course). The weird thing is that it ID'd the point of origin as another computer that another employee was working on, and also when I started the poisoning some people's connections were cut off.
My question is why it didn't find the real host of the attack and why some computers lost their connection. I ran the attack in VMware (BT2 ofc =)) if it matters.
thx... nitras
/me thinks you should read up on ARP poisoning.
Quote: "also when i started the poisoning some peoples connections were cut off."
Your question is basically: "If I hijack someone's phone number why do they stop getting calls?" The answer should be obvious.
http://www.watchguard.com/infocenter...ial/135324.asp
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
Indeed, but I just thought that it was weird that only a couple of the computers lost their connection and not the whole bunch. I read that paper you linked and from what I understand the ARP poisoning simply screws up all associated MAC and IP addresses, which would mean that the program caught my colleague's computer because it was "tricked" to believe that it was my computer... am I right?
And my boss, or well, truth be told he's not my boss... more like the system administrator, wouldn't tell me the name of the program (or monitoring device), since, well, an outside attacker wouldn't know that from the start either.
Ya basically you told the network that your system was one (or more) of the other systems on the network so all the traffic was routed to/from you instead of the true source/destination.
ok thank you thorin
my question has been answered
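An added example, not part of any post in this thread and not the unnamed monitoring program's logic: a small detector over constructed ARP sightings that shows how an alert keyed on the conflicting IP address names the impersonated machine, while the sender MAC names the machine actually sending the replies. The addresses, the `analyse` function and the first-seen baseline are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender MAC, sender IP) as read from ARP replies.
OBSERVATIONS = [
    (0, "00:11:22:aa:aa:01", "192.168.1.1"),   # router
    (1, "00:11:22:bb:bb:02", "192.168.1.20"),  # colleague's workstation
    (2, "00:0c:29:cc:cc:03", "192.168.1.30"),  # tester's VM
    (5, "00:0c:29:cc:cc:03", "192.168.1.1"),   # VM answers for the router's IP
    (6, "00:0c:29:cc:cc:03", "192.168.1.20"),  # VM answers for the colleague's IP
]


def analyse(observations):
    """Return (conflicting_ips, suspect_macs) from (time, mac, ip) sightings.

    Assumption: the first MAC seen for an IP is its legitimate owner. A real
    monitor would seed this from DHCP leases or a static inventory instead.
    """
    first_owner = {}            # ip -> MAC first seen answering for it
    claims = defaultdict(set)   # mac -> every IP it has answered for
    conflicting_ips = []        # IPs whose MAC changed (the impersonated hosts)
    for _, mac, ip in sorted(observations):
        claims[mac].add(ip)
        owner = first_owner.setdefault(ip, mac)
        if owner != mac and ip not in conflicting_ips:
            conflicting_ips.append(ip)
    # The sender is the MAC answering for addresses it did not first own.
    suspect_macs = sorted(
        mac for mac, ips in claims.items()
        if any(first_owner[ip] != mac for ip in ips)
    )
    return conflicting_ips, suspect_macs


if __name__ == "__main__":
    ips, macs = analyse(OBSERVATIONS)
    # An alert built from `ips` points at the router and the colleague's PC.
    print("IPs in conflict (impersonated hosts):", ips)
    # An alert built from `macs` points at the machine sending the replies.
    print("MACs sending conflicting replies:", macs)
```

A sender MAC can itself be forged, so the MAC result is a lead to check against switch port tables rather than proof of origin.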
Also, if you are going to do ARP/ARP cache poisoning, it's a good rule to make sure that the attacking machine is forwarding traffic:
echo 1 > /proc/sys/net/ipv4/ip_forward
From Windows:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\
IPEnableRouter
REG_DWORD
Value: 1
Present by Default: Yes
dd if=/dev/swc666 of=/dev/wyze
I recall reading somewhere in the man pages of ettercap that you should not enable port forwarding because ettercap does that by itself.
Ergo, doing so will forward all the packets twice, which isn't the best idea.
ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the host's mac address and destination ip address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets.
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want. IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.
- Poul Wittig