0 hosts found when iam trying the attack

[sakas23]

Hello community.

I ve followed this video:

https://www.youtube.com/watch?v=W3S1scJPy1Q&feature=youtu.be

to solve the initial 0 hosts problem.

Eventually, when i run the command "ettercap -Tqslq" the hosts appear.

But when iam trying to run this command:

"ettercap -T -q -i eth0 -M arp:remote -P dns_spoof //IP// //IP// "

It says that the host list is empty.

Anyone has has faced this problem?

Thanks in advance.

[koeppea]

Just tried on Kali having installed the latest Kali/Debian provided package version 0.8.3-6 showed in this video: https://www.youtube.com/watch?v=fQtlmi6tqDI

root@vm-kali64:~# ettercap -Tqieth0 -Marp:remote -Pdns_spoof //172.21.21.1// //172.21.21.22//

ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team

Listening on:
  eth0 -> 08:00:27:6D:34:03
      172.21.21.45/255.255.255.0
      fe80::a00:27ff:fe6d:3403/64
      2a02:b98:18a1:4094:a00:27ff:fe6d:3403/64
      2a02:b98:18a1:4094:e46a:2f17:5d2d:fa75/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
24609 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

3 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 172.21.21.1 E0:28:6D:47:C2:19

 GROUP 2 : 172.21.21.22 7C:F9:0E:A7:E6:75
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Activating dns_spoof plugin...

Works for me, however the Target specification is not correct. From the man page:

SYNOPSIS
       ettercap [OPTIONS] [TARGET1] [TARGET2]

       If IPv6 is enabled:
       TARGET is in the form MAC/IPs/IPv6/PORTs
       Otherwise,
       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)

So a correct target specification would be with IPv6 enabled: /IP// /IP// or w/o IPv6 enabled /IP/ /IP/.

[sakas23]

But the thing is that in kali 2019 it works.

But there i have another weird problem.

The attack works well but i have some questions.

The first question is that, how the attacks works with the iptables line in etter.conf commented?

When i uncomment these lines, i have the following error: "Fatal: Cant insert firewall redirects".

The second question, when the attack is working, i open wireshark and i cannot see any dns requests from the attacker. However, if i do nslookup from the client to the website i chosen in the etter.dns file, the results return the IP specified again in the etter.dns file.

I dont know it seems really weird and i would like to ask you for help, because i rly want to understand how this attack works.

Thanks in advace.

[koeppea]

So the iptables commands are only necessary if you want to intercept SSL enabled protocols. However there quite some implications, which I'm currently working on for the next release, mainly driven by the evolvement of the OpenSSL library and the TLS standards. But i you want to go this road, you have to set the UID und GID in etter.conf to 0. And of course, you need to have iptables installed.

However this is not required for doing dns_spoof plugin it's work. There is another issue currently running, describing a similar issue, that ettercap is apparently doing it's job, but when the packets are captured in parallel with another PCAP application like wireshark or tcpdump, these packets are not seen. This is still to be investigated and confirmed from my side.

When dns_spoof does not show anything in the message pane, it means that the DNS query didn't arrive at the attacker or the etter.dns file is incorrect. If the message pane shows dns_spoof operations, then a DNS query arrived at the attacker and ettercap acted on it (dropped the original query and forged a reply).

[koeppea]

@sakas23 you're also invited joining instant discussions in our IRC channel #ettercap-project on FreeNode.

[sakas23]

Yeah the attacker receives the packet, it shows in other words that www... spoofed at 192.168....

And what about the UID GID values? What are their roles?

[koeppea]

It's required to install the port redirection rules using iptables. Otherwise ettercap has not the required priviledges doing these operations at runtime.

[sakas23]

Hello koeppea.

I want to ask you something because i got confused.

While the dns spoofing attack takes place, i notice on wireshark that the legitimate DNS Server gives the spoofed response. I mean is it normal? because the attacker was supposed to do this.

To understand my setup is a client,an ubuntu dns server and an attacker.

The attack works fines, but i have this concern.

Also in conf file i have put 0 in ID values and i didnt uncomment the iptables lines

Thanks in advance.

[koeppea]

When the legitimate DNS server responds, it means that it somewhat got the query packet.

This can happen if the attacker machine is the gateway for the victim at the same time.

Then the Kernel-based packet forwarding and ettercap's actions are concurring.

This setup is not yet supported by ettercap.

If ettercap is a dedicated machine in the same LAN and ARP poisoning is effective so that ettercap machine is the only one that gets the DNS query and the query matches an entry from the etter.dns file, the dns_spoof plugin drops the query and forges a response, hence the legitimate server doesn't see the query and can not respond.

But a debug logfile and packet capture may shed more light into this.

Regards.

[sakas23]

Which log files should i check?

And what do you mean with " the attacker machine is the gateway for the victim?

The client uses the Ubuntu Server as the DNS server, but the attacker uses the router DNS requests etc.

I dont know iam confused a little bit

[koeppea]

It’s a question of the topology. When you have a LAN with the victim inside, you have to have also a router, Routing to the outside world. If you use Linux OS for this functionality and execute ettercap on that box, this scenario is not supported and may lead to the observed behavior.

[sakas23]

Hello koeppea.

I want to tell you another thing i noticed.

I have snort Network Intrusion Detection System installed in my virtual environment.

I have created a rule to detect DNS traffic towards my client.

And during the attack, snort shows that the legitimate server gives the fake response to the client and not the attacker.

Isn't it weird?

[koeppea]

Well ettercap spoofs the DNS server IP. You can only detect it by looking at the MAC address.

However as already said, it’s hard to tell without knowing your environment exactly.

[sakas23]

I have 3 VM using virtual box. I use "bridge adapter"option in network settings.

The 1st VM is a windows 7 client.

The 2nd VM is a Kali linux

The 3rd VM is a Ubuntu DNS server, which has snort installed in it.

So the normal thing while dns spoofing is that the attacker should give the forged response right response right? I mean ettercap does not poison the DNS Server's cache right?

[koeppea]

It poisons the client DNS. The discussions branches now quite a bit. Is the problem for which this issue has originally been opened still present? If you have another issue related dns_spoof plugin, you should open a new issue starting over.

[sakas23]

Forgot to say that the attacker is in the middle of the client and DNS server and the client uses the Ubuntu as the DNS ofc. I have issue running ettercap in kali 2020 but i did the attack with 2019. And about the other problem, is it finally normal or no ?

Thanks in advance.

[koeppea]

Regarding the 0 hosts found issue, it should be fixed when you have upgraded to the latest Kali version including the ettercap package version >= 0.8.3-6.

But again, if you have now another problem with DNS spoofing, please dedicate a new issue for that.

[sakas23]

Thank you koeppea.

And something else.

The iptables lines in etter.conf file do not play a role in dns spoofing right?

Because i have them uncommented and the attack works.

Thanks in advance.

[koeppea]

No they are not required for dns_spoof plugin.

[koeppea]

Closing this issue since the 0 hosts issue is fixed on latest master and has been backported on all major Linux distributions.

[sakas23]

Hey Koeppea,

Thank you for the updates.

I would like to ask you about the issue i had and we were discussing in this post.

In brief, the issue was that wireshark does not capture the fake DNS response from the attacker to the victim, instead shows that the legitimate DNS server gives the fake response.

Should i open a new issue topic about it?

Are there any updates about this?

Feel free to tell me to remind you the issue if you wish.

Thanks in advance.

[koeppea]

Please open a new issue about the DNS Spoof topic.