Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

ARP poisoning not working #1157

Closed nn080026 closed 2 years ago

nn080026 commented 2 years ago

After starting ettercap-graphical and starting sniffing + ARP poisoning, I use the plugin to check if it's working. It keeps saying no poisoning.

koeppea commented 2 years ago

What is the exact environment? Do you use a containerized network? More information is needed.

nn080026 commented 2 years ago

Kali Linux, not a containerized network.

koeppea commented 2 years ago

Define the two IPs that are subject of the ARP poisoning:

export TARGET1=192.168.1.1
export TARGET2=192.168.1.2

Replace the above example IPs with the actual IP addresses you want to poison. Then run the following sequence:

ettercap -Tqw /tmp/packets.pcap -Marp:remote /$TARGET1// /$TARGET2//

Then wait 5 seconds and press p to bring up the plugins list. Then type chk_poison and press Enter. Afterwards press q to quit Ettercap.

Please paste the terminal output of the above described sequence. Also attach the created packet capture file /tmp/packets.pcap.

nn080026 commented 2 years ago

How do you do this in the graphical version since there is no terminal?

koeppea commented 2 years ago

You wanna tell me that there is no Terminal on Kali Linux? There is definitely one. You have to look closer in your desktop environment. It's normally a direct icon on the screen or at least available when going through the application menus.

Running it in the terminal makes it easier to trace what happens.

nn080026 commented 2 years ago

I think we misunderstood each other; I thought I had to do it in the graphical version of ettercap, not in a Linux terminal. Anyway, following this path, it actually says poisoning successful! However, when I use the ettercap graphical version, not via terminal, it doesn't work. Also thanks for bearing with me since, as you probably have already noticed, I am quite new to all this :) so thanks!

nn080026 commented 2 years ago

I tried again without specifying the target, as I wanted to poison the entire network, and now there is no poisoning:

ettercap -Tqw /tmp/packets2.pcap -Marp

ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team

Error Opening file /usr/local/share/GeoIP/GeoIP.dat
Error Opening file /usr/local/share/GeoIP/GeoIP.dat
Listening on:
  wlan0 -> 94:E7:0B:C7:C3:7E
      192.168.2.13/255.255.255.0
      fe80::4190:692d:e2c:fd95/64
      2a02:a457:4e4:1:1d3a:2336:628f:5ec7/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
28230 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...

11 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : ANY (all the hosts in the list)

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Available plugins :

[0]         arp_cop  1.1  Report suspicious ARP activity
[0]         autoadd  1.2  Automatically add new victims in the target range
[0]      chk_poison  1.1  Check if the poisoning had success
[0]       dns_spoof  1.3  Sends spoofed dns replies
[0]      dos_attack  1.0  Run a d.o.s. attack against an IP address
[0]           dummy  3.0  A plugin template (for developers)
[0]       find_conn  1.0  Search connections on a switched LAN
[0]   find_ettercap  2.0  Try to find ettercap activity
[0]         find_ip  1.0  Search an unused IP address in the subnet
[0]          finger  1.6  Fingerprint a remote host
[0]   finger_submit  1.0  Submit a fingerprint to ettercap's website
[0]  fraggle_attack  1.0  Run a fraggle attack against hosts of target one
[0]       gre_relay  1.1  Tunnel broker for redirected GRE tunnels
[0]     gw_discover  1.0  Try to find the LAN gateway
[0]         isolate  1.0  Isolate an host from the lan
[0]  krb5_downgrade  1.0  Downgrades Kerberos V5 security by modifying AS-REQ packets
[0]       link_type  1.0  Check the link type (hub/switch)
[0]      mdns_spoof  1.0  Sends spoofed mDNS replies
[0]      nbns_spoof  1.1  Sends spoof NBNS replies & sends SMB challenges with custom challenge
[0]    pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
[0]      pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
[0]        pptp_pap  1.0  PPTP: Forces PAP authentication
[0]      pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
[0]      rand_flood  1.0  Flood the LAN with random MAC addresses
[0]  remote_browser  1.2  Sends visited URLs to the browser
[0]       reply_arp  1.0  Simple arp responder
[0]    repoison_arp  1.0  Repoison after broadcast ARP
[0]   scan_poisoner  1.0  Actively search other poisoners
[0]  search_promisc  1.2  Search promisc NICs in the LAN
[0]       smb_clear  1.0  Tries to force SMB cleartext auth
[0]        smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
[0]    smurf_attack  1.0  Run a smurf attack against specified hosts
[0]        sslstrip  1.2  SSLStrip plugin
[0]     stp_mangler  1.0  Become root of a switches spanning tree

Plugin name (0 to quit): chk_poison
Activating chk_poison plugin...

chk_poison: Checking poisoning status...
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.9
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.2
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.11
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.2
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.254
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.2
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.9
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.11
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.9
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.254
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.1
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.2
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.11
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.3
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.5
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.6
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.8
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.9
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.11
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.254
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.15
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.151
chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.254
chk_poison: No poisoning between 192.168.2.9 -> 192.168.2.254
chk_poison: No poisoning between 192.168.2.11 -> 192.168.2.254
Closing text interface...

Terminating ettercap...
Lua cleanup complete!
ARP poisoner deactivated.
packets.pcap.gz

RE-ARPing the victims...
Unified sniffing was stopped.

Thanks in advance :)

koeppea commented 2 years ago

I've reproduced:

┌──(koeppea㉿vm-kali64)-[~]
└─$ sudo ettercap -TqMarp /172.21.21.1// /172.21.21.2//

ettercap 0.8.4-rc copyright 2001-2020 Ettercap Development Team

Listening on:
  eth0 -> 08:00:27:6D:34:03
      172.21.21.45/255.255.255.0
      fe80::a00:27ff:fe6d:3403/64
      xxxxxxxxxxxxxxxxxxx:a00:27ff:fe6d:3403/64
      xxxxxxxxxxxxxxxxxxx:b353:62e5:1d2:e515/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  56 ports monitored
28230 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

3 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : 172.21.21.1 E0:28:6D:47:C2:19

 GROUP 2 : 172.21.21.2 00:26:98:AC:D2:41
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Available plugins :

[0]         arp_cop  1.1  Report suspicious ARP activity
[0]         autoadd  1.2  Automatically add new victims in the target range
[0]      chk_poison  1.1  Check if the poisoning had success
[0]       dns_spoof  1.3  Sends spoofed dns replies
[0]      dos_attack  1.0  Run a d.o.s. attack against an IP address
[0]           dummy  3.0  A plugin template (for developers)
[0]       find_conn  1.0  Search connections on a switched LAN
[0]   find_ettercap  2.0  Try to find ettercap activity
[0]         find_ip  1.0  Search an unused IP address in the subnet
[0]          finger  1.6  Fingerprint a remote host
[0]   finger_submit  1.0  Submit a fingerprint to ettercap's website
[0]  fraggle_attack  1.0  Run a fraggle attack against hosts of target one
[0]       gre_relay  1.1  Tunnel broker for redirected GRE tunnels
[0]     gw_discover  1.0  Try to find the LAN gateway
[0]         isolate  1.0  Isolate an host from the lan
[0]  krb5_downgrade  1.0  Downgrades Kerberos V5 security by modifying AS-REQ packets
[0]       link_type  1.0  Check the link type (hub/switch)
[0]      mdns_spoof  1.0  Sends spoofed mDNS replies
[0]      nbns_spoof  1.1  Sends spoof NBNS replies & sends SMB challenges with custom challenge
[0]    pptp_chapms1  1.0  PPTP: Forces chapms-v1 from chapms-v2
[0]      pptp_clear  1.0  PPTP: Tries to force cleartext tunnel
[0]        pptp_pap  1.0  PPTP: Forces PAP authentication
[0]      pptp_reneg  1.0  PPTP: Forces tunnel re-negotiation
[0]      rand_flood  1.0  Flood the LAN with random MAC addresses
[0]  remote_browser  1.2  Sends visited URLs to the browser
[0]       reply_arp  1.0  Simple arp responder
[0]    repoison_arp  1.0  Repoison after broadcast ARP
[0]   scan_poisoner  1.0  Actively search other poisoners
[0]  search_promisc  1.2  Search promisc NICs in the LAN
[0]       smb_clear  1.0  Tries to force SMB cleartext auth
[0]        smb_down  1.0  Tries to force SMB to not use NTLM2 key auth
[0]    smurf_attack  1.0  Run a smurf attack against specified hosts
[0]        sslstrip  1.2  SSLStrip plugin
[0]     stp_mangler  1.0  Become root of a switches spanning tree

Plugin name (0 to quit): chk_poison
Activating chk_poison plugin...

chk_poison: Checking poisoning status...
chk_poison: No poisoning between 172.21.21.2 -> 172.21.21.1
Closing text interface...

Terminating ettercap...
ARP poisoner deactivated.
RE-ARPing the victims...
Unified sniffing was stopped.

┌──(koeppea㉿vm-kali64)-[~]
└─$ 

At the same time, looking at my switch I see the following message in the log:

%ARP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 172.21.21.1, hw: e028.6d47.c219 by hw: 0800.276d.3403

That means in one way poisoning worked but not the other way round. That means that the switch is intelligent enough to detect the attempt to mess with the ARP information and prevents it.

It is similar in your case. E.g. it says

chk_poison: No poisoning between 192.168.2.2 -> 192.168.2.1

but it doesn't complain for the opposite direction 192.168.2.1 -> 192.168.2.2. Actually, the provided packets.pcap file contains the successfully poisoned ping from 192.168.2.1 to 192.168.2.2, which proves that the plugin doesn't complain about relations where poisoning actually works. Of course, the feedback in case of such a differentiated result could be more clear.

Probably it's the same in your case.

koeppea commented 2 years ago

As a test, I just disabled the ARP stickiness on my switch and now the chk_poison plugin reports for the same test that poisoning is successful. So that proves that ARP poisoning as well as the chk_poison plugin work properly. Just an external protection mechanism is kicking in. Closing issue as an Ettercap issue.
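The switch log message quoted earlier in this thread is the defender-side signal that sticky ARP blocked an overwrite. As an added example (not part of the original thread or of the Ettercap project), the following parses `%ARP-3-STCKYARPOVR` messages, converts Cisco dotted MACs to the colon notation Ettercap prints, and groups attempts by offending MAC; the function names are hypothetical, and all sample lines except the first are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Message layout taken from the switch log line quoted in this thread.
_MAC = r"[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"
STICKY_RE = re.compile(
    r"%ARP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), hw: (?P<owner>" + _MAC + r") "
    r"by hw: (?P<offender>" + _MAC + r")"
)

SAMPLE_LOG = [
    # Line 1 is the message from the thread; lines 2-3 are constructed samples.
    "%ARP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 172.21.21.1, hw: e028.6d47.c219 by hw: 0800.276d.3403",
    "%ARP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry: 172.21.21.2, hw: 0026.98ac.d241 by hw: 0800.276d.3403",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

def cisco_mac_to_colon(mac):
    """Convert e028.6d47.c219 to E0:28:6D:47:C2:19 for correlation with host tools."""
    digits = mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_sticky_overwrites(lines):
    """Return one dict per blocked overwrite attempt; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = STICKY_RE.search(line)
        if m:
            events.append({
                "ip": m["ip"],
                "owner_mac": cisco_mac_to_colon(m["owner"]),
                "offender_mac": cisco_mac_to_colon(m["offender"]),
            })
    return events

def offenders(events, min_targets=1):
    """Map each offending MAC to the sorted IPs whose ARP entries it tried to claim."""
    by_mac = defaultdict(set)
    for e in events:
        by_mac[e["offender_mac"]].add(e["ip"])
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) >= min_targets}

if __name__ == "__main__":
    for mac, ips in offenders(parse_sticky_overwrites(SAMPLE_LOG)).items():
        print(f"{mac} attempted to take over: {', '.join(ips)}")
```

A single MAC claiming several protected IPs, as in the second constructed line, is the pattern worth alerting on; raise `min_targets` to suppress one-off events.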

ghost commented 1 year ago

Hi - I can’t kill process- I’ve forgotten and deleted kali so now again reinstalled to kill ettercap- still can’t kill the connections - any assistance would appreciate it

koeppea commented 1 year ago

@Iamzoltan1 Please open a dedicated issue since this one was quite specific related to the underlying switching hardware.

macario73 commented 1 year ago

> As a test, I just disabled the ARP stickiness on my switch and now the chk_poison plugin reports for the same test that poisoning is successful. So that proves that ARP poisoning as well as the chk_poison plugin work properly. Just an external protection mechanism is kicking in. Closing issue as an Ettercap issue.

Hello, sorry to dig up the topic, but how do I disable the ARP stickiness? (Sorry for my English, I'm not Anglo-Saxon, and for my question, I have just started.)

koeppea commented 1 year ago

> how to disabled the ARP stickyness

I have a Cisco IOS switch. With the following command, I've disabled the ARP stickiness:

no ip sticky-arp

Don't know if this can be translated 1:1 for your environment...

macario73 commented 1 year ago

OK, really, thank you