Ettercap / ettercap

Ettercap Project
http://www.ettercap-project.org
GNU General Public License v2.0

ARP Spoofing #910

Closed mimran79 closed 5 years ago

mimran79 commented 6 years ago

Hello Fellow Reader,

I am running Kali 2018.02 on VirtualBox 5.2.18.

I am running Ettercap in text mode. When I run the command, all seems well and it appears that now it is waiting for an activity on the target computer. When I browse any website on my other computer in the same WiFi network, I do not see any activity in the attacker terminal. The command I use is as follows:

ettercap -Tq -M arp:remote -i wlan0 /GatewayIP// /TargetIP/

Any idea what could possibly be going wrong?

sgeto commented 6 years ago

it appears that now it is waiting for an activity on the target computer

Can you post the output of that?

mimran79 commented 6 years ago

To understand the issue, please see details below:

Kali Details: Linux kali 4.17.0-kali3-amd64 #1 SMP Debian 4.17.17-1kali1 (2018-08-21) x86_64 GNU/Linux

Ettercap Version: ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Command Used for Arp Spoof: ettercap -Tq -M arp:remote -i wlan0 /192.168.1.254// /192.168.1.69//

Output of the Command:

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on: wlan0 -> 00:C0:CA:96:15:09 192.168.1.58/255.255.255.0 fe80::8902:fc9e:7cd:a0da/64

Privileges dropped to EUID 0 EGID 0...

33 plugins 42 protocol dissectors 57 ports monitored 20388 mac vendor fingerprint 1766 tcp OS fingerprint 2182 known services Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

2 hosts added to the hosts list...

ARP poisoning victims:

GROUP 1 : 192.168.1.254 3C:62:00:F6:E4:DE

GROUP 2 : 192.168.1.69 2C:D0:5A:42:3B:E4

Starting Unified sniffing...

Text only Interface activated... Hit 'h' for inline help

Now on my other (victim) computer, no matter which http or https website I browse, I do not see any activity on my attacker computer.

sgeto commented 6 years ago

What kind of activity are you expecting to see? Credentials?

You could verify that the poisoning is having any effect by checking your targets' arp tables (or by running a packet capture on the target machines).
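An added check that is not part of this thread or of the ettercap project: a small script that compares two snapshots of the victim's neighbour cache and flags the two signs of a poison that took effect, the gateway IP's MAC changing and one MAC now answering for two IPs. It assumes Linux `ip neigh show` output in the form `<ip> dev <if> lladdr <mac> <state>` (a Windows `arp -a` listing uses a different layout and would need a different parser); the snapshot contents are constructed from the addresses quoted in this thread (gateway 3C:62:00:F6:E4:DE, attacker wlan0 00:C0:CA:96:15:09). On a real victim: `ip neigh show > before`, start the attack, `ip neigh show > after`.

```shell
#!/bin/sh
# Added example, not from the ettercap thread or project: detect whether an
# ARP poison took effect by diffing two `ip neigh show` snapshots taken on the
# victim. Assumed line format (Linux): "<ip> dev <if> lladdr <mac> <state>".

# MAC the cache holds for <ip>, lower-cased; empty if there is no entry.
neigh_mac() {   # usage: neigh_mac <snapshot_file> <ip>
    awk -v ip="$2" '$1 == ip { for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i + 1)) }' "$1" | head -n 1
}

# MACs that answer for more than one IP in a snapshot: the classic poison
# signature (gateway and attacker both resolving to the attacker's MAC).
duplicate_macs() {   # usage: duplicate_macs <snapshot_file>  -> "<mac> <ip> <ip>..." per shared MAC
    awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") { m = tolower($(i + 1)); ips[m] = ips[m] " " $1; n[m]++ } }
         END { for (m in n) if (n[m] > 1) print m ips[m] }' "$1"
}

# Exit 0 and print "POISONED <old> -> <new>" when the gateway MAC differs
# between snapshots; exit 1 with "UNCHANGED <mac>"; exit 2 if the IP is absent.
gateway_changed() {   # usage: gateway_changed <before_file> <after_file> <gateway_ip>
    before=$(neigh_mac "$1" "$3")
    after=$(neigh_mac "$2" "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "NO ENTRY for $3"
        return 2
    fi
    if [ "$before" != "$after" ]; then
        echo "POISONED $before -> $after"
        return 0
    fi
    echo "UNCHANGED $before"
    return 1
}

# Constructed snapshots using the addresses quoted in the thread. "before" is
# the honest cache; in "after" the gateway entry carries the attacker's MAC.
write_samples() {   # usage: write_samples <dir>
    cat > "$1/before" <<'EOF'
192.168.1.254 dev wlan0 lladdr 3c:62:00:f6:e4:de REACHABLE
192.168.1.58 dev wlan0 lladdr 00:c0:ca:96:15:09 STALE
EOF
    cat > "$1/after" <<'EOF'
192.168.1.254 dev wlan0 lladdr 00:c0:ca:96:15:09 REACHABLE
192.168.1.58 dev wlan0 lladdr 00:c0:ca:96:15:09 STALE
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    gateway_changed "$dir/before" "$dir/after" 192.168.1.254 || true   # POISONED 3c:62:00:f6:e4:de -> 00:c0:ca:96:15:09
    echo "shared MACs after: $(duplicate_macs "$dir/after")"
    rm -rf "$dir"
}
demo
```

If `gateway_changed` reports UNCHANGED while a packet capture on the victim shows ettercap's ARP replies arriving, the victim's stack is discarding them (static entry, dynamic ARP inspection, or a client isolation feature on the access point), which is a different problem from ettercap not sending at all.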

mimran79 commented 6 years ago

Thank you @sgeto for your reply.

I checked arp -a on my victim laptop before & after performing arp spoofing. There is no change. Normally, after running the arp spoofing command, gateway mac address should change to the attacker wlan0 mac address.

koeppea commented 6 years ago

Can you try setting arp_poison_smart to 1 and arp_poison_request also to 1 in your etter.conf?
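An added example, written for this page and not taken from the thread or the ettercap project, that makes the suggested change on a copy of etter.conf and shows the resulting [mitm] values instead of hand-editing. The key names are those in ettercap 0.8.x's etter.conf; the sample file is a constructed [mitm] fragment rather than a full etter.conf, and the location of the live file (usually /etc/ettercap/etter.conf on Debian derivatives, listed by `dpkg -L ettercap-common`) is an assumption to verify on your system.

```shell
#!/bin/sh
# Added example, not from the ettercap thread or project: inspect and change
# the [mitm] ARP options in an etter.conf copy. Key names are those of
# ettercap 0.8.x's etter.conf; everything else here is an assumption made for
# the example. Work on a copy, then install it over the real file.

# Constructed [mitm] fragment with the defaults the thread starts from;
# a real etter.conf has many more sections.
sample_etter_conf() {
    cat <<'EOF'
[mitm]
arp_storm_delay = 10        # milliseconds
arp_poison_smart = 0        # boolean
arp_poison_warm_up = 1      # seconds
arp_poison_delay = 10       # seconds
arp_poison_icmp = 1         # boolean
arp_poison_reply = 1        # boolean
arp_poison_request = 0      # boolean
arp_poison_equal_mac = 1    # boolean
EOF
}

# Value of <key> in <file> with any trailing comment stripped; empty if absent.
conf_get() {   # usage: conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# Rewrite "<key> = <value>", keeping the trailing comment; fail if the key is
# absent so a typo does not silently leave the option untouched.
conf_set() {   # usage: conf_set <file> <key> <value>
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1" || { echo "conf_set: '$2' not found in $1" >&2; return 1; }
    tmp="$1.tmp.$$"
    sed "s/^\([[:space:]]*$2[[:space:]]*=[[:space:]]*\)[^#[:space:]]*/\1$3/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# The change suggested above: smart poisoning on, and poison with ARP requests
# as well as replies (the usual reason to add requests: some hosts ignore
# unsolicited replies but still update their cache from requests).
set_poison_options() {   # usage: set_poison_options <file>
    conf_set "$1" arp_poison_smart 1 && conf_set "$1" arp_poison_request 1 || return 1
    for key in arp_poison_smart arp_poison_request arp_poison_reply arp_poison_icmp; do
        printf '%s = %s\n' "$key" "$(conf_get "$1" "$key")"
    done
}

demo() {
    f=$(mktemp)
    sample_etter_conf > "$f"
    echo "before: arp_poison_smart = $(conf_get "$f" arp_poison_smart)"
    set_poison_options "$f"
    rm -f "$f"
}
demo
```

Point `set_poison_options` at a copy of your real etter.conf, diff it against the original, and only then copy it into place; ettercap reads the file at start-up, so restart it after the change.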

sgeto commented 6 years ago

Also, verify that the devices involved are able to reach one another (use ping maybe) under normal circumstances.

mimran79 commented 6 years ago

Thank you @koeppea and @sgeto for the suggestions.

I changed the etter.conf file, but the result is still the same: no activity appears in the attacker terminal. Further, I am able to ping the target computer from the attacker computer.

I think ettercap does not work on updated browsers. Could you try to update your Chrome browser and see if it works?

Thank you again for helping out.

koeppea commented 6 years ago

Without knowing exactly what you're doing it's hard to tell. There are even methods to protect against ARP MITM on manageable switches. The same applies for some wireless infrastructure.

However, the browser on the victim's machine doesn't have any influence on the ARP cache behaviour. This is solely handled by the operating system.

Can you try via wired connection?

mimran79 commented 6 years ago

Hello & thank you @koeppea for the suggestion. I will try to do it with a wired connection. Though I cannot understand what you mean by "Without knowing exactly what you're doing it's hard to tell". If you read from the top of the thread, in my 2nd comment I gave all my operating system details, the command that I use, and its output after running the command.

What I have noticed is that when I use the following command, it works and I do get in the middle. But when I use ettercap for ARP spoofing, it is not working.

mitmf --arp --spoof --gateway 192.168.1.254 --targets 192.168.1.69 -i wlan0

The above command works fine and I do see the activity in my attacker computer. ( by activity, I mean, I see all http sites which are opened in target laptop).

I hope it is a little clearer.

koeppea commented 6 years ago

This shows at least that it may be a defect in ettercap. To get to the bottom of it, the debug logfile is essential.

The steps would be the following:

  1. Remove and purge ettercap using the package management of your distro.
  2. Install the dependencies to build ettercap (see the apt-get command in the README file, required libraries section).
  3. Then build ettercap from source from Github in debug mode
    git clone https://github.com/Ettercap/ettercap
    cd ettercap
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Debug ..
    make
    sudo make install

    Then retry if the issue still persists with the latest code from Github and if yes, please share the ettercap-0.8.2_debug.log file which is created in the directory where ettercap has been executed.

mimran79 commented 6 years ago

Thank you @koeppea for the suggestions.

I tried removing ettercap using the command apt-get remove ettercap, but then I get a message saying it cannot remove the virtual package. Could you please help me out removing ettercap? Sorry that I am asking these basic commands. I am just learning, watching YouTube and other sources on the internet.

Once I remove the ettercap, I will reinstall it as you specified in the above comment.

Once again, thank you for your help.

koeppea commented 6 years ago

First install aptitude using apt-get install aptitude. Then type aptitude search ettercap | egrep "^i ". The listed package names should then be supplied to aptitude purge <package>.

This should purge all installed ettercap packages.

mimran79 commented 6 years ago

Thank you again @koeppea. I ran the commands, but I think i did something wrong. Here is what happened:

root@kali:~# apt-get install aptitude
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libluajit-5.1-2 libluajit-5.1-common nginx
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  aptitude-common libclass-accessor-perl libcwidget3v5 libio-string-perl libparse-debianchangelog-perl
Suggested packages:
  aptitude-doc-en | aptitude-doc apt-xapian-index libcwidget-dev libxml-simple-perl
The following NEW packages will be installed:
  aptitude aptitude-common libclass-accessor-perl libcwidget3v5 libio-string-perl libparse-debianchangelog-perl
0 upgraded, 6 newly installed, 0 to remove and 75 not upgraded.
Need to get 3,556 kB of archives.
After this operation, 15.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive-4.kali.org/kali kali-rolling/main amd64 aptitude-common all 0.8.11-3 [1,766 kB]
Get:2 http://archive-4.kali.org/kali kali-rolling/main amd64 libcwidget3v5 amd64 0.5.17-11 [323 kB]
Get:3 http://archive-4.kali.org/kali kali-rolling/main amd64 aptitude amd64 0.8.11-3 [1,373 kB]
Get:4 http://archive-4.kali.org/kali kali-rolling/main amd64 libclass-accessor-perl all 0.51-1 [23.2 kB]
Get:5 http://archive-4.kali.org/kali kali-rolling/main amd64 libio-string-perl all 1.08-3 [12.3 kB]
Get:6 http://archive-4.kali.org/kali kali-rolling/main amd64 libparse-debianchangelog-perl all 1.2.0-12 [59.4 kB]
Fetched 3,556 kB in 2s (2,251 kB/s)
Selecting previously unselected package aptitude-common.
(Reading database ... 381250 files and directories currently installed.)
Preparing to unpack .../0-aptitude-common_0.8.11-3_all.deb ...
Unpacking aptitude-common (0.8.11-3) ...
Selecting previously unselected package libcwidget3v5:amd64.
Preparing to unpack .../1-libcwidget3v5_0.5.17-11_amd64.deb ...
Unpacking libcwidget3v5:amd64 (0.5.17-11) ...
Selecting previously unselected package aptitude.
Preparing to unpack .../2-aptitude_0.8.11-3_amd64.deb ...
Unpacking aptitude (0.8.11-3) ...
Selecting previously unselected package libclass-accessor-perl.
Preparing to unpack .../3-libclass-accessor-perl_0.51-1_all.deb ...
Unpacking libclass-accessor-perl (0.51-1) ...
Selecting previously unselected package libio-string-perl.
Preparing to unpack .../4-libio-string-perl_1.08-3_all.deb ...
Unpacking libio-string-perl (1.08-3) ...
Selecting previously unselected package libparse-debianchangelog-perl.
Preparing to unpack .../5-libparse-debianchangelog-perl_1.2.0-12_all.deb ...
Unpacking libparse-debianchangelog-perl (1.2.0-12) ...
Processing triggers for menu (2.1.47+b1) ...
Setting up aptitude-common (0.8.11-3) ...
Processing triggers for libc-bin (2.27-6) ...
Setting up libio-string-perl (1.08-3) ...
Processing triggers for man-db (2.8.4-2) ...
Setting up libcwidget3v5:amd64 (0.5.17-11) ...
Setting up libclass-accessor-perl (0.51-1) ...
Setting up aptitude (0.8.11-3) ...
update-alternatives: using /usr/bin/aptitude-curses to provide /usr/bin/aptitude (aptitude) in auto mode
Setting up libparse-debianchangelog-perl (1.2.0-12) ...
Processing triggers for libc-bin (2.27-6) ...
Processing triggers for menu (2.1.47+b1) ...
root@kali:~# aptitude search ettercap | egrep "^i "
root@kali:~# apt-get remove ettercap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Virtual packages like 'ettercap' can't be removed
The following packages were automatically installed and are no longer required:
  libluajit-5.1-2 libluajit-5.1-common nginx
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded.
root@kali:~#

koeppea commented 6 years ago

I'm not sure how Kali provided ettercap. Can you redo just the aptitude search ettercap command? Apparently not using the packaging system.

sgeto commented 6 years ago

Mind the package name. The package is called ettercap-xyz:

root@CALCULINA:/mnt/c# apt search ettercap
Sorting... Done
Full Text Search... Done
ettercap-common/xenial-updates,xenial-security 1:0.8.2-2ubuntu1.16.04.1 amd64
  Multipurpose sniffer/interceptor/logger for switched LAN

ettercap-dbg/xenial-updates,xenial-security 1:0.8.2-2ubuntu1.16.04.1 amd64
  Debug symbols for Ettercap

ettercap-graphical/xenial-updates,xenial-security 1:0.8.2-2ubuntu1.16.04.1 amd64
  Ettercap GUI-enabled executable

ettercap-text-only/xenial-updates,xenial-security 1:0.8.2-2ubuntu1.16.04.1 amd64
  Ettercap console-mode executable

root@CALCULINA:/mnt/c#

mimran79 commented 6 years ago

Thank you for replying. Here is the result after running the search command:

root@kali:~# aptitude search ettercap
p bettercap - Complete, modular, portable and easily extensible MITM framework
p bettercap-dbgsym - debug symbols for bettercap
v ettercap -
c ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
p ettercap-dbg - Debug symbols for Ettercap
c ettercap-graphical - Ettercap GUI-enabled executable
p ettercap-text-only - Ettercap console-mode executable
p fruitywifi-module-bettercap - bettercap module for fruitywifi
p fruitywifi-module-ettercap - ettercap module for fruitywifi
p golang-github-bettercap-gatt-dev - Gatt is a Go package for building Bluetooth Low Energy peripherals
p golang-github-bettercap-readline-dev - pure golang implementation for GNU-Readline kind library

So what next? I ran apt-get remove ettercap, and it still gives an error.

sgeto commented 6 years ago

Depends

apt-get remove --purge ettercap-graphical or apt-get remove --purge ettercap-text-only should work.

mimran79 commented 6 years ago

Thank you guys for helping, but I do not understand what is happening. Here is what happened when I followed the last instructions from @sgeto:

root@kali:~# apt-get remove --purge ettercap-graphical
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  ettercap-graphical*
0 upgraded, 0 newly installed, 1 to remove and 75 not upgraded.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] y
(Reading database ... 381486 files and directories currently installed.)
Purging configuration files for ettercap-graphical (1:0.8.2-10+b2) ...
Processing triggers for menu (2.1.47+b1) ...
root@kali:~# apt-get remove --purge ettercap-text-only
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'ettercap-text-only' is not installed, so not removed
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded.
root@kali:~# clear

root@kali:~# aptitude search ettercap
p bettercap - Complete, modular, portable and easily extensible MITM framework
p bettercap-dbgsym - debug symbols for bettercap
v ettercap -
c ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
p ettercap-dbg - Debug symbols for Ettercap
p ettercap-graphical - Ettercap GUI-enabled executable
p ettercap-text-only - Ettercap console-mode executable
p fruitywifi-module-bettercap - bettercap module for fruitywifi
p fruitywifi-module-ettercap - ettercap module for fruitywifi
p golang-github-bettercap-gatt-dev - Gatt is a Go package for building Bluetooth Low Energy peripherals
p golang-github-bettercap-readline-dev - pure golang implementation for GNU-Readline kind library

After this, I thought I would now be able to uninstall ettercap, so I ran the following command:

root@kali:~# apt-get remove ettercap
Reading package lists... Done
Building dependency tree
Reading state information... Done
Virtual packages like 'ettercap' can't be removed
0 upgraded, 0 newly installed, 0 to remove and 75 not upgraded.

koeppea commented 6 years ago

OK now ettercap-common is left. So the same command as with ettercap-graphical.
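An added example, not from this thread or the ettercap project, that turns the reasoning in the last few comments into a script: read an `aptitude search` listing, skip the virtual name `ettercap` (it owns no files, which is why `apt-get remove ettercap` is refused), and print the packages whose status letter is `i` (installed) or `c` (removed, config files left behind), i.e. exactly what `apt-get remove --purge` still needs. The sample listing is a constructed copy of the one posted above; `purge_matching` is the only function that would touch a real system and the demo does not call it.

```shell
#!/bin/sh
# Added example, not from the thread or the ettercap project: work out which
# ettercap packages apt still has to purge from an `aptitude search` listing.
# Status column (first field): i = installed, c = removed but config files
# remain, p = purged/not installed, v = virtual name (no files on disk; apt
# refuses it with "Virtual packages like 'ettercap' can't be removed").

# Listing as posted after ettercap-graphical was purged (constructed copy of
# the thread's output, not live data).
sample_listing() {
    cat <<'EOF'
p   bettercap - Complete, modular, portable and easily extensible MITM framework
p   bettercap-dbgsym - debug symbols for bettercap
v   ettercap -
c   ettercap-common - Multipurpose sniffer/interceptor/logger for switched LAN
p   ettercap-dbg - Debug symbols for Ettercap
p   ettercap-graphical - Ettercap GUI-enabled executable
p   ettercap-text-only - Ettercap console-mode executable
p   fruitywifi-module-bettercap - bettercap module for fruitywifi
p   fruitywifi-module-ettercap - ettercap module for fruitywifi
p   golang-github-bettercap-gatt-dev - Gatt is a Go package for building Bluetooth Low Energy peripherals
p   golang-github-bettercap-readline-dev - pure golang implementation for GNU-Readline kind library
EOF
}

# Read an aptitude listing on stdin; print one package per line that is
# installed (i) or has leftover config files (c). Handles the "i A <pkg>"
# form aptitude uses for automatically installed packages.
purge_candidates() {
    awk '
        $1 == "v" { next }                                   # virtual: nothing to purge
        $1 ~ /^[ic]/ { name = ($2 == "A") ? $3 : $2; print name }
    '
}

# Purge everything matching <pattern> that is still on the system. Not run in
# the demo; on a real box this executes apt-get.
purge_matching() {   # usage: purge_matching <pattern>
    pkgs=$(aptitude search "$1" | purge_candidates)
    if [ -z "$pkgs" ]; then
        echo "nothing left to purge for '$1'"
        return 0
    fi
    # word splitting of $pkgs into separate arguments is intended
    apt-get remove --purge $pkgs
}

demo() {
    echo "still to purge from the posted listing:"
    sample_listing | purge_candidates   # ettercap-common
}
demo
```

Once `aptitude search ettercap | purge_candidates` prints nothing, the packaged copy is gone and a build from the GitHub tree will not be shadowed by leftover /etc/ettercap configuration or an older binary on the PATH.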

koeppea commented 5 years ago

@mimran79 have you had a chance to run the apt-get remove --purge ettercap-common? You need a clean system before going ahead and compiling ettercap from GitHub latest source.

sgeto commented 5 years ago

I don't think he needs this anymore. You should close it.

koeppea commented 5 years ago

@mimran79 Feel free to reopen if you want to continue