arpspoof not doing what I want

[EonsNearby]

I downloaded the dsniff package found here onto my machine with Ubuntu 12.04 installed on it:


http://www.monkey.org/~dugsong/dsniff/


I installed everything, and I started learning the tools it came with it.  The one I started with is arpspoof.  I looked up what I can do with it, and I found these tutorials about how to perform a man-in-the-middle attack:


http://teh-geek.com/?p=171
http://www.irongeek.com/i.php?page=security/arpspoof
http://www.youtube.com/watch?v=VjlQny3LNlA


However, everytime I try to perform the attack against my victim (another machine with openSUSE 12.1 installed on it), I end up just performing a DoS attack against it.  I even made sure that /proc/sys/net/ipv4/ip_forward = 1.

Code: [Select]

fortwood:~ # echo "1" >> /proc/sys/net/ipv4/ip_forward
fortwood:~ # cat /proc/sys/net/ipv4/ip_forward
1


Could someone help me with this?  Thanks

[proxx]

Well first of all your syntax is weird.

Code: [Select]

echo 1 > /proc/sys/net/ipv4/ip_forward

The double > means append.
Also there is no need to put it in quotation mark because its a digi not a string.
This doesnt have to be the reason though.


Can you post the command you use for arpspoof ?

Code: [Select]

arpspoof -eth0 -t TARGET_MACHINE GATEWAYThats what I would do.


Also when you test these kinda things run wireshark to see whats going on behind the scenes, this is good practise anyway.
It might help you diagonse the situation.

[EonsNearby]

Well first of all your syntax is weird.

Code: [Select]

echo 1 > /proc/sys/net/ipv4/ip_forward

The double > means append.
Also there is no need to put it in quotation mark because its a digi not a string.
This doesnt have to be the reason though.


Can you post the command you use for arpspoof ?

Code: [Select]

arpspoof -eth0 -t TARGET_MACHINE GATEWAYThats what I would do.


Also when you test these kinda things run wireshark to see whats going on behind the scenes, this is good practise anyway.
It might help you diagonse the situation.

I tried that echo command the way you suggested, but that didn't change anything.  Also, I have to have 3 ssh open in the ubuntu computer.  Two are to execute the following commands each:

Code: [Select]

arpspoof -i eth0 -t  TARGET_MACHINE GATEWAY
and

Code: [Select]

arpspoof -i eth0 -t  GATEWAY TARGET_MACHINE


The 3rd ssh is just so I can analyze network traffic between those 2.  All 3 of those websites said to do it this way.

[proxx]

I tried that echo command the way you suggested, but that didn't change anything.  Also, I have to have 3 ssh open in the ubuntu computer.  Two are to execute the following commands each:

Code: [Select]

arpspoof -i eth0 -t  TARGET_MACHINE GATEWAY
and

Code: [Select]

arpspoof -i eth0 -t  GATEWAY TARGET_MACHINE


The 3rd ssh is just so I can analyze network traffic between those 2.  All 3 of those websites said to do it this way.

Alright that looks good.

Have you analyzed with wireshark?

Oke so after you started the attack on your client go to the client machine and check the output of the command

Code: [Select]

arp Now Ill assume you now what it is supposed to say.
If it doesnt it somehow doenst get poisioned.

[frog]

I don't know this for a fact: I heard that a few certain software repos had been compromised(this was a couple years back) and there was modifying of the source code and binaries of common 'blackbox' programs like ettercap, dsniff, etc. so that they were no longer functional. Supposedly this was to keep others from using tools they did not fully understand, effectively removing hasty arp-spoofers and login-sniffers from the face of the earth.

I agree with this idea of control, but not to that extent. I do like aircrack and all of it's handy 802.11-related functions and I would hate to make these tools from scratch (nor am I presently capable of doing so); I refuse to as long as there is an internet. People are willing to share knowledge to the extent that if you want to know how something works, you have the opportunity to do so by learning.

On that note, you could build your own arp spoofer. Ruby and packetfu is just around the corner:
https://github.com/ochronus/ArpSpoof/blob/master/arpspoof.rb

[proxx]

I don't know this for a fact: I heard that a few certain software repos had been compromised(this was a couple years back) and there was modifying of the source code and binaries of common 'blackbox' programs like ettercap, dsniff, etc. so that they were no longer functional. Supposedly this was to keep others from using tools they did not fully understand, effectively removing hasty arp-spoofers and login-sniffers from the face of the earth.

I agree with this idea of control, but not to that extent. I do like aircrack and all of it's handy 802.11-related functions and I would hate to make these tools from scratch (nor am I presently capable of doing so); I refuse to as long as there is an internet. People are willing to share knowledge to the extent that if you want to know how something works, you have the opportunity to do so by learning.

On that note, you could build your own arp spoofer. Ruby and packetfu is just around the corner:
https://github.com/ochronus/ArpSpoof/blob/master/arpspoof.rb

I agree with you to some extend.
However if someone is actually dedicated to learn I think its good to have a couple of tools for testing purposes.
That thing about arpspoof you mentioned is new to me.
In my experience this tool never let me down.

Nor do I understand how setting this up could cause any problems

[frog]

I agree to you to some extend.
However if someone is actually dedicated to learn I think its good to have a couple of tools for testing purposes.
That thing about arpspoof you mentioned is new to me.
In my experience this tool never let me down.

Nor do I understand how setting this up could cause any problems

I agree; our learning tools should not be tampered with.

It's possible that the code you got has been tampered with(it's within the realm of possibility). It might be fun to run a diff on a different arpspoof binaries with the same version number just to see what happens. Try compiling from source code. Run wireshark to check the results; you should see arp reply packets every so often and these can be filtered in wireshark by putting 'arp' in the filter field and hitting enter.

As for the ruby script:
If you install ruby on your machine as well as the packetfu library(which helps you create ARP packets) then you can run the linked script for the desired effect. You will have to change some of the parameters in the script, but it looks like it will work.

This page will explain how to use it.
https://github.com/ochronus/ArpSpoof

[EonsNearby]

Alright that looks good.

Have you analyzed with wireshark?

Oke so after you started the attack on your client go to the client machine and check the output of the command

Code: [Select]

arp Now Ill assume you now what it is supposed to say.
If it doesnt it somehow doenst get poisioned.

Here is the thing, I can only ssh into the Ubuntu computer.  It is basically a virtual machine that is used primarily for security purposes that I am only allowed to interact with via a ssh.  As such, I can't use wireshark or any other kind of GUI to aid me in this.  Anyway, after I run those two arp commands I posted, I ran arp on the victim machine, but it didn't return anything (it stalled, so it wasn't doing anything).  I also ran it on the machine performing the attack, and it returned the same thing it returned when I ran "arp" before I did the attack, which was the following (spacing may be off):

Code: [Select]

Address                  HWtype  HWaddress           Flags Mask            Iface
cisco                    ether   ADDRESS             C                     eth0
VICTIM_IP_ADDRESS        ether   ADDRESS             C                     eth0
OTHER_IP_ADDRESS         ether   ADDRESS             C                     eth0

[RedBullAddicted]

Haven't followed the complete conversation but you could run tcpdump on the ubuntu machine, save the capture to a .cap or .pcap file, scp that file to another machine and open it in wireshark. Thats basically what I would do

[proxx]

Here is the thing, I can only ssh into the Ubuntu computer.  It is basically a virtual machine that is used primarily for security purposes that I am only allowed to interact with via a ssh.  As such, I can't use wireshark or any other kind of GUI to aid me in this.  Anyway, after I run those two arp commands I posted, I ran arp on the victim machine, but it didn't return anything (it stalled, so it wasn't doing anything).  I also ran it on the machine performing the attack, and it returned the same thing it returned when I ran "arp" before I did the attack, which was the following (spacing may be off):

Code: [Select]

Address                  HWtype  HWaddress           Flags Mask            Iface
cisco                    ether   ADDRESS             C                     eth0
VICTIM_IP_ADDRESS        ether   ADDRESS             C                     eth0
OTHER_IP_ADDRESS         ether   ADDRESS             C                     eth0

I assumed you know what that data is supposed to mean.
Obviously you dont

The arp table should be changed, as you should know we are altering the arp table with the attack.
The table from the machine you attack should report your MAC address.
If it doesnt there is probably something wrong in your networking configuration.


Btw you could try arp -a, on some distro's it has to be run as root.

[EonsNearby]

Am I supposed to execute arp -a on the victim machine or on the machine performing the attack?

[proxx]

Now what do you think??
No offense but your not gonna learn much if I keep telling you what to do.

[EonsNearby]

I'm assuming that I would execute arp -a on the victim machine because arp -a can check to see if its cache has been poisoned, but I cannot get it to respond when I execute the attack because the attacking machine is performing a DoS against the victim.