sgeto
commented
6 years ago Hmmm... have you changed the IPs next to both microsoft.com A records entries to 192.162.2.101?
Closed amateur02 closed 6 years ago
sgeto
commented
6 years ago Hmmm... have you changed the IPs next to both microsoft.com A records entries to 192.162.2.101?
nonokh
commented
6 years ago @sgeto i have a similar issue.
i followed all the steps above and also configured my /etc/ettercap/etter.dns and kept my ip adresses accordingly.
Plus i am getting an L3 send error-unable to forward packets(permisson denied).
i am quite confused because i ran ettercap with sudo ettercap -G
koeppea
commented
6 years ago Make sure ettercap is build in debug mode. Then rerun and provide the ettercap_debug log file located in the execution directory.
Generally, famous sites like Microsoft.com or facebook.com are not the best to start testing in times of HSTS. Start with maybe your own.
Furthermore when ettercap spoofs a DNS reply, a message in the message pane appears. Haven’t seen this in any of the screenshots.
It important to know which IP a client uses for DNS resolution. E.g. when you only poison ARP but the client uses IPv6 for DNS resolution, ettercap won’t see the DNS query.
The operation not permitted may be something else, not related to dns_spoof.
amateur02
commented
6 years ago Hello, thanks again for the swift response! This may be a stupid question to you, like I’m said, I’m an amateur, but I have to ask. To redirect someone within my privat network to my host, do I need to have an own domain? Anyhow, I tried it again today with another web page and the end result was a little bit different. Same setup as yesterday: Localhost activated and running, victim was my I-Pad, and should have been redirected to my MacBook. I adjusted the etter.dns to the other web page. Etter.dns config is attached to this message, so you can also check if I messed something up or maybe you can run it on a computer to check.
As requested, I also attached the debug.log. I hope it will help to find out why it is not working. I really appreciate your help solving this issue. ettercap-0.8.2_debug.log
koeppea
commented
6 years ago Honestly I begin to get confused.
The content of the provided etter.dns.zip is not what is loaded (captured by _ettercap-0.8.2debug.log).
Ettercap expects by default (and in your case) the file /etc/ettercap/etter.dns.
For me it looks like, you've edited in the file in the share source directory past doing the make install.
amateur02
commented
6 years ago Okay, now I'm confused too. I didn't know that I have two different etter.dns on my MacBook. Anyhow, this time I edited and modified etc/ettercap/etter.dns.
Like the other tests, I'm using my I-Pad as victim (192.168.2.100).
So I started Ettercap, selected my I-Pad as target 1 and my router as target 2.
Started arp poisoning
I've selected dns_spoofing at the plugin menu.
On my I-Pad I entered fynn-design.de and the page opened normally. No redirecting to my localhost, which was running. As soon as the whole page was loaded I got the message below in the message pane, but nothing else happened.
You can see the complete message below.
HTTP : 82.198.79.63:80 -> USER: YTozOntzOjEyOiJjb250ZW50X3R5cGUiO3M6NDoicGFnZSI7czoxMDoiY29udGVudF9pZCI7aToyO3M6NjoiYXV0aG9yIjtzOjg6ImZpam5qYXJkIjt9.741007dc6c621a34becf0e582bdfe47e PASS: INFO: http://fynn-design.de/ CONTENT: action=slimtrack&op=add&id=YTozOntzOjEyOiJjb250ZW50X3R5cGUiO3M6NDoicGFnZSI7czoxMDoiY29udGVudF9pZCI7aToyO3M6NjoiYXV0aG9yIjtzOjg6ImZpam5qYXJkIjt9.741007dc6c621a34becf0e582bdfe47e&ref=&res=aHR0cDovL2Z5bm4tZGVzaWduLmRlLw==&sw=768&sh=1024&bw=768&bh=954&sl=1371&pp=127&pl=
Did you get a chance to check if you are able to spoof the above mentioned web page? I also attached the debug.log from my last attempt and some pictures of the file structure how ettercap was build at the installation. Maybe you can see, what goes wrong. If I need to modify or delete some corrupted parts, let me know. I'm really happy with ettercap, but I also want to see dns spoofing working.
amateur02
commented
6 years ago Sorry, got the wrong button!
koeppea
commented
6 years ago Reproduced using ettercap on MacOSX. My victim is a Linux VM.
As expected I got the notification, that the DNS reply has been spoofed. As expected the website on the redirected web server is shown:
The content of the etter.dns:
$ cat /etc/ettercap/etter.dns
fynn-design.de A 172.21.21.1
*.fynn-design.de A 172.21.21.1
$I've selected my router as TARGET1 and the victim as TARGET2.
So what could it be:
Can you try with another victim? Maybe it helps if you activate arp_poisoning_smart in /etc/ettercap/etter.conf.
koeppea
commented
6 years ago arp_poisoning_request in /etc/ettercap/etter.dns may also be worth a try.
See man etter.conf for further information about the mentioned options.
amateur02
commented
6 years ago I followed your advice, except, I activated both arp_poisoning_smart and arp_poisoning_request. Now it is working with both, my I-Pad (192.168.2.100) and my I-Phone (192.168.2.102) as you can see on the pictures.
I didn't had enough time to really check which one did the trick, or if both need to be activated. I will try later and also with another victim. Does it pose a problem to keep both activated? Do I have to expect other problems? Please let me know what you think.
koeppea
commented
6 years ago Coola banana. I originally added those two features 4 years ago (#491, #492), just having in mind such a scenario. It goes down well that it's really helping in such situations, as they haven't been tested in wild (up to today).
The intention was, to make ettercap behave like a normal machine, but just with poisoned information. I suspected some modern devices introduce a anti-ARP spoof detection like apparently is the case meanwhile.
It's good to see it working. Thanks for testing. I'll discuss with the team, if and how and when we could change the default values making ettercap more robust against such counter measures. But most probably not for the upcoming release. For IPv6 (ND poisoning) I'll work on a similar approach.
Closing this issue now.
koeppea
commented
6 years ago which one did the trick, or if both need to be activated.
I think you need both. The arp_poisoning_confim option, just aims to win the race condition for normal ARP request of the TARGETs.
arp_poisoning_smart, only poisons the cache for a very brief period. It's not distinguishable for a end-device if this is a poisoner or a HA-infrastructure just experiencing a fail-over event, updating the attached nodes about the IP-to-MAC change.
Hello, I have another issue und could again use some professional assistance. I tried to do some DNS spoofing and it won’t work. This is what I’ve done:
I activated Apache and it is running.
Starting Ettercap for en1
Added router to Target 1 and my I-Pad to Target 2
I started ARP poisoning
I went to manage plugins and selected dns_spoofing
Now when I’m trying to open microsoft.com on my I-Pad it should be redirected, according to the etter.dns config, to another page!?
All it shows is „Safari could not open the page because the server stopped responding“. What changes do I have to make in the etter.dns config, to get requests (e.g. microsoft.com) from my I-Pad (192.168.2.100) redirected to my MacBook (192.162.2.101) to show the content of localhost. What am I missing? Like already mentioned, I’m no professional, just learning. With one working example I will be able to get the rest. It would be good to see it working. Your assistance will be highly appreciated!