
Thread: Ettercap ARP poisoning question

  1. #1 nitras (Just burned his ISO)

    Ettercap ARP poisoning question

    hello everyone!

    when I got to work today my boss told me that he had installed some kind of new security program for our router and he wanted me to test if it could be hacked.

    So I started with the technique that is the nightmare of all networks... sniffing it.

    I started a unified sniffing in Ettercap using ARP poisoning and to my boss's disappointment it worked but the program also detected it (of course) but the weird thing is that it IDed the point of origin to be another computer that another employee was working on and also when I started the poisoning some people's connections were cut off.

    My question is why it didn't find the real host of the attack and why some computers lost their connection. I ran the attack in VMware (BT2 ofc =)) if it matters

    thx... nitras

  2. #2 theprez98 (Moderator)

    Duplicate thread deleted.

  3. #3 streaker69 (Senior Member)

    Quote Originally Posted by nitras View Post
    hello everyone!

    when I got to work today my boss told me that he had installed some kind of new security program for our router and he wanted me to test if it could be hacked.

    So I started with the technique that is the nightmare of all networks... sniffing it.

    I started a unified sniffing in Ettercap using ARP poisoning and to my boss's disappointment it worked but the program also detected it (of course) but the weird thing is that it IDed the point of origin to be another computer that another employee was working on and also when I started the poisoning some people's connections were cut off.

    My question is why it didn't find the real host of the attack and why some computers lost their connection. I ran the attack in VMware (BT2 ofc =)) if it matters

    thx... nitras
    It sounds as though this should be a question for whoever made the program that your boss installed on the router.

  4. #4 thorin

    Quote Originally Posted by nitras View Post
    also when I started the poisoning some people's connections were cut off.
    /me thinks you should read up on ARP poisoning

    Your question is basically: "If I hijack someone's phone number why do they stop getting calls?" The answer should be obvious.

    http://www.watchguard.com/infocenter...ial/135324.asp

  5. #5 nitras (Just burned his ISO)

    Quote Originally Posted by thorin View Post
    /me thinks you should read up on ARP poisoning
    Your question is basically: "If I hijack someone's phone number why do they stop getting calls?" The answer should be obvious.
    indeed but I just thought that it was weird that only a couple of the computers lost their connection and not the whole bunch. I read that paper you linked and from what I understand the ARP poisoning simply screws up all associated MAC and IP addresses which would mean that the program caught my colleague's computer because it was "tricked" to believe that it was my computer... am I right?

    and my boss. or well truth be told he's not my boss... more like the system administrator wouldn't tell me the name of the program (or monitoring device) since well an outside attacker wouldn't know that from the start either.

  6. #6 thorin

    Ya basically you told the network that your system was one (or more) of the other systems on the network so all the traffic was routed to/from you instead of the true source/destination.
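What thorin describes is exactly what a LAN monitor can see on the wire: the attacking NIC sends ARP replies claiming the gateway's and a colleague's IP addresses, so every victim's ARP cache learns a changed MAC for those IPs. A monitor that reports the impersonated IP (the colleague's) rather than the MAC that sent the bogus replies will point at the wrong machine, which is one plausible reason for the behaviour the original post saw. The example below is added here and is not code from this thread or from ettercap; it parses raw ARP reply frames, then runs two detection checks over a constructed sequence of replies. All addresses and frames are constructed; the MAC de:ad:be:ef:00:01 stands for a hypothetical attacking VM.

```python
"""ARP poisoning detection over constructed ARP replies (added example)."""
import struct
from collections import defaultdict

# Ethernet header: dst MAC, src MAC, EtherType. ARP body (IPv4 over Ethernet):
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP.
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for a well-formed IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(
        frame, ETH_HDR.size
    )
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    return ip_str(spa), mac_str(sha)


# Constructed frames: the gateway 192.168.1.1 answering 192.168.1.20 honestly,
# and the hypothetical attacker NIC answering the same question with its own MAC.
FRAME_LEGIT = bytes.fromhex(
    "aabbcc000002aabbcc0000010806" "0001080006040002"
    "aabbcc000001c0a80101" "aabbcc000002c0a80114"
)
FRAME_SPOOF = bytes.fromhex(
    "aabbcc000002deadbeef00010806" "0001080006040002"
    "deadbeef0001c0a80101" "aabbcc000002c0a80114"
)

# Constructed reply sequence in the order a passive monitor on the LAN would see it.
SAMPLE_REPLIES = [
    parse_arp_reply(FRAME_LEGIT),            # gateway, legitimate
    ("192.168.1.20", "aa:bb:cc:00:00:02"),   # colleague's PC, legitimate
    ("192.168.1.30", "aa:bb:cc:00:00:03"),   # another PC, legitimate
    parse_arp_reply(FRAME_SPOOF),            # attacker claims the gateway
    ("192.168.1.20", "de:ad:be:ef:00:01"),   # attacker claims the colleague's PC
    ("192.168.1.30", "aa:bb:cc:00:00:03"),   # benign repeat of a known binding
]


def analyse_arp_replies(replies):
    """Return (mac_changes, multi_ip_macs).

    mac_changes: (ip, first_mac, new_mac) whenever a learned IP is announced from
        a different MAC; this is the poisoning symptom a victim's cache suffers.
    multi_ip_macs: mac -> sorted IPs for every MAC claiming more than one IP; this
        names the sending NIC rather than the host being impersonated.
    """
    learned = {}                    # ip -> MAC first seen for that IP
    ips_by_mac = defaultdict(set)   # mac -> IPs that MAC has claimed
    mac_changes = []
    for entry in replies:
        if entry is None:           # frames that were not ARP replies
            continue
        ip, mac = entry[0], entry[1].lower()
        ips_by_mac[mac].add(ip)
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            mac_changes.append((ip, learned[ip], mac))
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return mac_changes, multi


def report(replies):
    """Human-readable alert lines: who was impersonated, and which NIC did it."""
    changes, multi = analyse_arp_replies(replies)
    lines = [f"impersonated {ip}: {old} -> {new}" for ip, old, new in changes]
    lines += [f"suspect NIC {mac} claims {', '.join(ips)}" for mac, ips in multi.items()]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_REPLIES):
        print(line)
```

The first check alone would have produced two alerts naming 192.168.1.1 and 192.168.1.20, the impersonated hosts; only the second check, keyed on the sender MAC, singles out the one NIC behind both. Hosts whose ARP caches now hold the attacker's MAC lose connectivity if that machine does not forward their traffic, which matches the cut-off connections in the thread.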

  7. #7 nitras (Just burned his ISO)

    ok thank you thorin
    my question has been answered

  8. #8 imported_wyze

    also if you are going to do ARP/ARP cache poisoning, it's a good rule to make sure that the attacking machine is forwarding traffic:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    for Windows:

    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter
    Type: REG_DWORD
    Value: 1
    Present by default: Yes

  9. #9 imported_Deathray

    I recall reading somewhere in the man pages of ettercap that you should
    not enable port forwarding because ettercap does that by itself.
    Ergo, doing so will forward all the packets twice, which isn't the best idea.

    ettercap NG has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet with destination mac address equal to the host's mac address and destination ip address different from the one bound to the iface will be forwarded by ettercap. Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets.
    You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want. IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.
