Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

"FATAL: ARP poisoning needs a non empty hosts list." After second try. #1172

Closed music-cat-bread closed 2 years ago

music-cat-bread commented 2 years ago

Hi. I am using Ubuntu 20.04 running under WSL2. I tried the ARP poisoning attack using this command: sudo ettercap -T -S -i eth0 -M arp:remote /192.168.8.1// /192.168.8.199// And it works. I pressed q to exit and stop it. But when I retry the command above it just says: FATAL: ARP poisoning needs a non empty hosts list. I have to restart WSL every time I want to do it again.

Full output on successful try:

c1v@DESKTOP-HAU9PFT:/mnt/c/Users/COVAND$ sudo ettercap -T -S -i eth0 -M arp:remote /192.168.8.1// /192.168.8.199//
[sudo] password for c1v:

ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team

Listening on:
  eth0 -> 00:15:5D:6C:79:BA
          192.168.174.202/255.255.240.0
          fe80::215:5dff:fe6c:79ba/64

Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
24609 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

1 hosts added to the hosts list...

ARP poisoning victims:

Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

Full output on un-successful try:

c1v@DESKTOP-HAU9PFT:/mnt/c/Users/COVAND$ sudo ettercap -T -S -i eth0 -M arp:remote /192.168.8.1// /192.168.8.199//

ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team

Listening on:
  eth0 -> 00:15:5D:6C:79:BA
          192.168.174.202/255.255.240.0
          fe80::215:5dff:fe6c:79ba/64

Privileges dropped to EUID 65534 EGID 65534...

  34 plugins
  42 protocol dissectors
  57 ports monitored
24609 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |==================================================>| 100.00 %

0 hosts added to the hosts list...

FATAL: ARP poisoning needs a non empty hosts list.

EDIT: I have found that there is version 0.8.3.1 and I have installed 0.8.3 but I can't figure out a way to install the newer version. I am doing sudo apt update and then I tried sudo apt install ettercap-text-only=0.8.3.1, but it says this version doesn't exist.

EDIT2: I found a way to install 0.8.3.1, but this error still occurs.

koeppea commented 2 years ago

Please reproduce the issue (first run and second run) with the -w parameter set to run1.pcap and run2.pcap.

Then upload the pcap files.

music-cat-bread commented 2 years ago

Here's run1: run1.pcap.txt (added .txt so GitHub will not reject the file from uploading). Run 2 gave me an empty file (double-checked that, and tried running the command again, but run2 was always empty).

koeppea commented 2 years ago

OK that proves that the second run hits an issue initializing the PCAP loop. We have had a similar issue reported by #974 in 2019. But this got fixed. Which version of libpcap is installed on the WSL?

To further help you, you have to try to build Ettercap from source. See our Wiki article.

music-cat-bread commented 2 years ago

c1v@DESKTOP-HAU9PFT:~$ apt list | grep libpcap

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libpcap-dev/focal 1.9.1-3 amd64
libpcap0.8-dbg/focal 1.9.1-3 amd64
libpcap0.8-dev/focal 1.9.1-3 amd64
libpcap0.8/focal,now 1.9.1-3 amd64 [installed,automatic]

And also why do I have to build ettercap from source for further help?

koeppea commented 2 years ago

> And also why do I have to build ettercap from source for further help?

  1. your packaged version of ettercap has not been compiled in debug mode
  2. no debug log-file is written during execution, which makes more detailed troubleshooting pure guesswork
  3. Once you're able to compile Ettercap on your system, you can test variations of the code I could provide you, optimally fixing your issue
  4. Otherwise, it requires us to be able to reproduce the issue, which is time consuming, and it takes quite some time until this fix is part of another release and lands in downstream distributions like Ubuntu

music-cat-bread commented 2 years ago

Okay, so I built my own version. I again performed the same run1 and run2 (I restarted WSL before performing them). And here are the results:

RUN 1

RUN 2

PS: I think it has something to do with how Microsoft implemented WSL2 networking. It is a virtual network adapter. So it is like I have a router that lives on my computer, and on every boot Ubuntu gets a new IP address, and it makes everything way more complex. Like, I couldn't even set up a simple Apache server or anything else. And I am 100% sure it wasn't my router because trying to access the server from LAN gives the same result as WAN.

koeppea commented 2 years ago

What I don't understand from both logfiles, is that the eth0 interface is in the subnet 172.20.160.0/20 while you target for IPs in 192.168.8.0/24. Apparently the WSL is behind some sort of NAT device, where ARP poisoning doesn't work.

So I don't understand your statement, that it works. I looked again to your first output snippet. When ARP is starting, there are no targets shown.

The difference is that in the first run, Ettercap received an ARP ping response for its own IP, which is really kind of weird. The second time, Ettercap doesn't receive any response.

Generally, ARP poisoning only works for IPs in the same broadcast domain. Of course, as you already said, it might be related to the way the Linux subsystem is implemented in Windows.

However I've added some more debug output around the instantiation of the PCAP handle. Please clone https://github.com/koeppea/ettercap/ and build branch fix-1172.

Please try to reproduce and upload the debug log again.

However I'm not sure if it's really related to the PCAP related code or the fact of the strange behavior, that Windows Linux Subsystem responds one time to its own ARP request.

Thanks.

LocutusOfBorg commented 2 years ago

@koeppea are you sure you pushed the changes? I see fix-1172 is in line with master...

koeppea commented 2 years ago

Oh yes you're right. Forgot to commit.

Now it's there. @comand100vip please pull

music-cat-bread commented 2 years ago

RUN 1

RUN 2

koeppea commented 2 years ago

Thanks. As I thought. The PCAP initialization is fine. The main problem is, that Ettercap runs in a different subnet than the targets.

So even the first time, it's not working, because targets in other subnets cannot be poisoned. The error message is just a cosmetic thing because with the second run, Windows' NAT gateway just remains silent to the ARP ping and Ettercap feels alone in the subnet (broadcast domain).

I don't know if it is possible with WSL, but you have to try to configure the networking setup in a way similar to bridged mode in other hypervisor software like VMWare or VirtualBox.

Once Ettercap, as well as the targets are within the same subnet and broadcast domain, ARP poisoning will start to work.
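The subnet mismatch described in this comment can be read straight off the "Listening on:" banner and the target specs quoted in the first post. The following is an added example, not part of the original thread or of Ettercap's code; the function names are hypothetical, and the parser handles only the `/IPv4//` target form used on this page.

```python
import ipaddress
import re

# Banner lines and target specs copied from the first post in this thread.
BANNER = """\
Listening on:
  eth0 -> 00:15:5D:6C:79:BA
          192.168.174.202/255.255.240.0
          fe80::215:5dff:fe6c:79ba/64
"""
TARGET_SPECS = ["/192.168.8.1//", "/192.168.8.199//"]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def listening_interfaces(banner):
    """Return every IPv4 address/netmask pair found in the banner."""
    found = []
    for line in banner.splitlines():
        m = re.fullmatch(rf"\s*({IPV4})/({IPV4})\s*", line)
        if m:
            # ip_interface accepts dotted netmasks as well as prefix lengths.
            found.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}"))
    return found


def target_ip(spec):
    """Extract the address from a single-host '/IPv4//' target spec."""
    m = re.fullmatch(rf"/({IPV4})//", spec)
    if not m:
        raise ValueError(f"unsupported target spec: {spec!r}")
    return ipaddress.ip_address(m.group(1))


def on_link_report(banner, specs):
    """Map each target IP to True if it lies in a subnet of the sniffing host.

    Sharing a subnet is necessary for ARP to reach a host, but not sufficient:
    a NAT or virtual switch can still separate the broadcast domains.
    """
    nets = [iface.network for iface in listening_interfaces(banner)]
    return {str(ip): any(ip in net for net in nets)
            for ip in map(target_ip, specs)}


if __name__ == "__main__":
    for ip, on_link in on_link_report(BANNER, TARGET_SPECS).items():
        print(f"{ip}: {'on-link' if on_link else 'off-link, ARP cannot reach it'}")
```
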

LocutusOfBorg commented 2 years ago

@koeppea do you think your debugging branch should go in master branch? I guess it might be useful to have it...

koeppea commented 2 years ago

I think it doesn't harm. But it was quite quick and dirty. I have to build in a check of the libpcap version because the pcap_set_immediate_mode() function was introduced with version 1.5.0.

Earlier versions don't have it. And I have to double check on FreeBSD and MacOSX, potentially on OpenBSD as well.

music-cat-bread commented 2 years ago

> I don't know if it is possible with WSL, but you have to try to configure the networking setup in a way similar to bridged mode in other hypervisor software like VMWare or VirtualBox.

I managed to do it from VMware. I used a bridged adapter so it has its own IP in the network and it started working fantastic! I am not sure, but maybe with some kind of crazy routing and port forwarding it may be possible, but I think it is not worth trying.