Etter.dns issues (dns_spoof)

[himuura]

Can't figure it out why but when arp poisoning and dns_spoofing a target a couple of things happen:

• if the line (example) www.microsoft.com PTR is commented or does not exist, the spoof doesnt work, i cannot catch a single DNS request.
• if the refered line is changed accordingly, i can see the dns_spoof in ettercap but on the victim's browser i only see connection reseted. All internet connection is suspended, i mean i cannot access to a single web page (like a DoS).

I've enabled ip forward, uncommented the lines for iptables on etter.conf, set the ID's to 0. The columns on the etter.dns file are tab separated or space? like microsoft.com (tab) A (tab) IP ?

Any ideas on how to solve this one? Im testing both Kali linux latest and raspbian buster latest, and i'm experiencing the same behaviour on either one. Apache is running and i can access the demo page from other devices.

[koeppea]

Please read this wiki page

[koeppea]

Please reproduce with your version of etter.dns.

[himuura]

Weird, after following the wiki page, ettercap -G breaks almost automatically...

[ init] ssl_wrap_init [ init] sslw - bind 992 on 59263 [ init] ec_redirect("insert", "telnets", IPv4, 0.0.0.0/0, 0.0.0.0/0, 992, 59263) [ init] ec_redirect(): execute [iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 992 -j REDIRECT --to-port 59263] [ init] register_redir_service(telnets) [ init] ec_redirect("insert", "telnets", IPv6, ::/0, ::/0, 992, 59263) [ init] !!! SEGMENTATION FAULT !!! [ init] ui_cleanup

Any idea?

EDIT: Figured it out. Edited etter.conf and removed the # on the IPv6 rules of iptables. Now it starts.

[himuura]

To where can i send you the .pcap log?

[koeppea]

pack it in a tarball and attach it to the issue

[himuura]

dnsspoof.tar.gz

To sum up the PCAP:

Searched for hosts, found and locked the targets (192.168.43.1 and 192.168.43.239). If i'm not mistaken, the attacker is the .208. I was using my phone as wifi hotspot and connected both the attacker and another cellphone device to the hotspot network (Xiaomi was the victim). After locking the targets, i went to MITM Menu --> Arp Poisoning (Sniff Remote Connections). Then, Plugins --> Manage Plugins and activated the dns_spoof pluging (etter.dns was already modified to spoof "abola.pt"). After that i just pressed start capturing. Am i missing any step?

[koeppea]

Figured it out. Edited etter.conf and removed the # on the IPv6 rules of iptables. Now it starts.

Thanks for that. Going to prepare a fix for that.

Unfortunately you've missed to provide the ettercap debug logfile in the tarball.

[himuura]

My bad, thought it hadn't anything relevant. I attached both. debug_log.tar.gz

[himuura]

Crap, wrong .log. Here's the correct one. ettercap-0.8.3_debug.log

[koeppea]

Just out of curiosity: can you please try to activate the plugin at startup by passing argument -Pdns_spoof in addition when launching ettercap? Does that make any difference?

[himuura]

Will try that tomorrow mate and i'll let you know asap! thank you for your time :)

[himuura]

dns_spoof_on_startup.tar.gz i executed the command: sudo ettercap -G -P dns_spoof -w packetsv4.pcap (and with the -Pdns_spoof variant as well) but for some reason it doesnt show as enabled on ettercap Manage Plugins menu...

[himuura]

no_graphical.tar.gz tried a no GUI capture: sudo ettercap -T -Q -i wlan0 -P dns_spoof -M arp -w packetsv4.pcap /192.168.43.239/192.168.43.1/

I captured a dns_spoof but on the browser i got connection reseted message (apache is running on 80). Hope it helps!! again, thank you for your time mate!

[koeppea]

but for some reason it doesnt show as enabled on ettercap Manage Plugins menu

Oh yes you're right. It's only started automatically in text user interface. One more item on the list.....

I captured a dns_spoof

This is correct. The DNS spoofing in text mode worked.

 1322  52.122917 192.168.43.239 → 192.168.43.1 DNS 68  Standard query 0x8586 A abola.pt
 1324  52.124113 192.168.43.1 → 192.168.43.239 DNS 84  Standard query response 0x8586 A abola.pt A 192.168.43.47

but on the browser i got connection reseted message

I've not seen any packet to port 80. I think you didn't specifiy the scheme http:// in the browser. Modern browsers often do https:// implicitely. You can test if port 80 is listening on 192.168.43.47 by doing a telnet 192.168.43.47 80.

However, you've not specified the targets correctly. This is how ettercap has parsed it:

[     init]     TARGET1: /192.168.43.239/192.168.43.1/
[     init]     compile_target TARGET: /192.168.43.239/192.168.43.1/
[     init]     MAC  : []
[     init]     IP   : [192.168.43.239]
[     init]     IPv6 : [192.168.43.1]
[     init]     PORT : []

It parsed your intended TARGET2 as the IPv6 address of TARGET1. The correct target specification would be /192.168.43.1// /192.168.42.239//

[edit] But by accident the ARP spoofing was still working as TARGET2 defaulted to ANY. So you ARP-poisened 192.168.43.239 <-> ANY.[/edit]

[himuura]

So any idea on why the poisoning / spoofing isn't working with GUI? I'll try to tinker around to check if i can get a spoofed reponse with the correct values but as you said, it's only working in text mode. Am i doing something wrong in GUI? The steps i usually do are: Fire up ettercap -G Unified Sniffing - Stop Search for hosts Set target 1 and target 2 MITM Menu - Arp Poisoning - Sniff remote connections Plugins - Activate DNS Spoof Start Sniffing

It should be straight forward with this one but for some reason, on GUI i rarely get a spoofed response...

[koeppea]

If you wait a bit, I'll soon finish a pull-request where autostarting plugins on the CLI for graphical UI will also work.

Normally it shouldn't make any difference. It seems that dns_spoof plugin hasn't actually been started from what I saw in the logfile.

[himuura]

No worries mate, take your time! i thank you for all your help! Let me know when it's fixed. Cheers!

[koeppea]

@himuura, could you please try to compile #968 in Debug mode? Then try to reproduce by calling ettercap -G -Pdns_spoof -w/tmp/packets.pcap on the CLI.

968 supports now autostarting CLI provided plugins even when started in graphical mode.

[himuura]

building from the start, im getting this warning (i think its just a heads up) [ 8%] Building C object src/interfaces/CMakeFiles/ec_interfaces.dir/curses/ec_curses.c.o /root/ettercap/src/interfaces/curses/ec_curses.c: In function ‘curses_unified_sniff’: /root/ettercap/src/interfaces/curses/ec_curses.c:572:7: warning: ‘pcap_lookupdev’ is deprecated: use 'pcap_findalldevs' and use the first device [-Wdeprecated-declarations] 572 | iface = pcap_lookupdev(err); | ^~~~~ In file included from /usr/include/pcap.h:43, from /root/ettercap/include/ec_network.h:6, from /root/ettercap/include/ec_globals.h:6, from /root/ettercap/include/ec.h:59, from /root/ettercap/src/interfaces/curses/ec_curses.c:22: /usr/include/pcap/pcap.h:326:16: note: declared here 326 | PCAP_API char pcap_lookupdev(char ) | ^~~~~~ /root/ettercap/src/interfaces/curses/ec_curses.c: In function ‘curses_bridged_sniff’: /root/ettercap/src/interfaces/curses/ec_curses.c:596:7: warning: ‘pcap_lookupdev’ is deprecated: use 'pcap_findalldevs' and use the first device [-Wdeprecated-declarations] 596 | if(pcap_lookupdev(err) != NULL) | ^~ In file included from /usr/include/pcap.h:43, from /root/ettercap/include/ec_network.h:6, from /root/ettercap/include/ec_globals.h:6, from /root/ettercap/include/ec.h:59, from /root/ettercap/src/interfaces/curses/ec_curses.c:22: /usr/include/pcap/pcap.h:326:16: note: declared here 326 | PCAP_API char pcap_lookupdev(char ) | ^~~~~~ /root/ettercap/src/interfaces/curses/ec_curses.c:597:10: warning: ‘pcap_lookupdev’ is deprecated: use 'pcap_findalldevs' and use the first device [-Wdeprecated-declarations] 597 | strncpy(EC_GBL_OPTIONS->iface, pcap_lookupdev(err), IFACE_LEN - 1); | ^~~ In file included from /usr/include/pcap.h:43, from /root/ettercap/include/ec_network.h:6, from /root/ettercap/include/ec_globals.h:6, from /root/ettercap/include/ec.h:59, from /root/ettercap/src/interfaces/curses/ec_curses.c:22: /usr/include/pcap/pcap.h:326:16: note: declared here 326 | PCAP_API char pcap_lookupdev(char ) | ^~~~~~ [ 8%] Building C object src/interfaces/CMakeFiles/ec_interfaces.dir/curses/ec_curses_filters.c.o [ 9%] Building C object src/interfaces/CMakeFiles/ec_interfaces.dir/curses/ec_curses_help.c.o

[himuura]

dont know if im doint this the right way but i cloned from your repo, installed, ran the command with -P flag and still, when the GUI opens, the dns_spoof is not marked as in use...and the behavior is the same, similar to a DOS while MITM arp poisoning. Any ideas?

[himuura]

can you shed me some light on how to pull from your fix mate?

[himuura]

i think i got it. i added your repo as upstream and fetched & merged. now the changelog reads as 0.8.4. Still, same issues. dns_spoofed not marked on startup via CMD line, i have to manually set it up. and despite catching the spoof, i get a DoS behavior. Nothing is shown. not even other non-spoofed pages.

[himuura]

Well, i'm dumb as a door. I merged the repo but forgot to recompile again. DNS_SPOOF plugin is active from the start now, will perform some more tests tomorrow. Sorry for being a pain in the a**. Will keep you posted.

EDIT: AFAIKT, no spoof is being caught so far despite appearing as active.

[himuura]

Here's the files:

etter_fix_log.tar.gz

[koeppea]

Yeah well really seems you've been a little bit messed up. the .tar.gz file isn't actually gzip'ed - just tar'ed.... Looking into the packet capture, there hasn't been any DNS packet seen. Looking again to the packet capture, it appears to me that the ARP poisoning wasn't successful at the victim. Especially on Wireless networks, ARP spoofing isn't always reliable. You should check with the _chkpoison plugin if the target's have been successfully poisoned.

What's also questionable is the fact that the configuration parameter _arp_poisonicmp is set to 1, but Ettercap hasn't sent the expected spoofed ICMP Echo Request to trigger a ARP cache refresh on the victims.

BTW: There is no need to Stop Unified Sniffing. This can lead to black-holing. You should just let it run.

[himuura]

Oh sorry, I has in a hurry and just tar'd the files and when I went to attach them i got the notice that only tar.gz are accepted and forced the .gz extension :p my bad. On yesterday's last test, when I finally got it working with your branch, I just did a couple of tests but didn't manage to catch a spoof, dunno why. Will tinker around in the next couple of days and let you know how it goes ;) thank you for your time mate!

[himuura]

Update: i'm not getting a weird behavior. The dns request quest spoofed (i can see it on ettercap) but somehow it redirects to the original site instead of the spoofed one (the entry on etter.dns was modified to the fake website machine). What am i missing?

[himuura]

spoofv2.tar.gz

new spoofed site: eunops.org (only works in HTTP, no HTTPS support), victim: 192.168.43.1. and 192.168.43.239.

[himuura]

Dunno how, but i got it working with 2 devices (mobile and VM) with bridged adapters. Thank you yet again for your time mate!

[koeppea]

@himuura hey that sounds great. So can we close the issue then?

[himuura]

Yeah sure mate! I'm getting some weird behavior with dns_spoof plugin but nothing that can't be overlooked. Thank you for your time! Cheers and kudos for the good job!

[koeppea]

Alright. Closing then..