bettercap / bettercap

The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.
https://www.bettercap.org/

(question) perform MiTM on a Debian bridge? #460

Closed DefinitlyEvil closed 5 years ago

DefinitlyEvil commented 5 years ago

Hello community, I'm doing an experiment with Debian bridged interfaces. I set up the environment like this:

auto lo
iface lo inet loopback

iface eth0 inet manual
iface eth1 inet manual

auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1

where eth0 and eth1 are connected to a router and a client (in my case eth1 is the client). I tried the following command with a caplet:

bettercap -iface br0 -caplet the_caplet_file
net.probe on
set http.proxy.script s.js
http.proxy on

I can see the traffic through the proxy but it can't intercept any of it. Could anyone help? A big thanks to you all! <3

evilsocket commented 5 years ago

I need the logs as requested by the issue template that you ignored.

DefinitlyEvil commented 5 years ago

@evilsocket ok, sorry sir but I got no errors.

root@raspberrypi:/home/pi# ./bettercap -iface br0 -caplet init
bettercap v2.17 (type 'help' for a list of commands)

[14:12:10] [sys.log] [war] Could not find mac for 192.168.0.1
[14:12:10] [endpoint.new] endpoint 192.168.0.3 detected as XXX (Apple, Inc.).
[14:12:10] [endpoint.new] endpoint 192.168.0.4 detected as XXX (Apple, Inc.).
[14:12:10] [endpoint.new] endpoint 192.168.0.5 detected as XXX (Apple, Inc.).
[14:12:10] [endpoint.new] endpoint 192.168.0.2 detected as XXX (Apple, Inc.).
[14:12:10] [endpoint.new] endpoint 192.168.0.1 detected as XXX.
[14:12:10] [sys.log] [inf] http.proxy started on 192.168.0.9:8080 (sslstrip enabled)
192.168.0.0/24 > 192.168.0.9  » [14:12:11] [net.sniff.upnp] upnp 192.168.0.1 -> DESKTOP-OAO5B0K : upnp:Location:http://192.168.0.1:1980/InternetGatewayDevice.xml upnp:Server:POSIX UPnP/1.0 UPnP Stack/1.11.0.0 upnp:St:urn:schemas-upnp-org:device:InternetGatewayDevice:1 upnp:Usn:uuid:00000000-0000-2f4d-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1

DefinitlyEvil commented 5 years ago

Environment:

Raspberry Pi (with an extra USB net adapter):
eth0 <--> router
eth1 <--> my PC
br0: the bridge

DefinitlyEvil commented 5 years ago

Oh, I finally fixed this problem by using the solution here: https://security.stackexchange.com/questions/165527/mitm-position-with-bridged-network-and-iptables

command:

# now ensure that netfilter works on the l2 bridge
modprobe br_netfilter
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables

quote:

The reason it didn't work before is that iptables does not normally work on the second layer of the OSI model but on the third. Bridges are on the second layer and therefore don't care about PRE- or POSTROUTING activities. The br_netfilter kernel module enables exactly that. Afterwards you just have to turn on the functionality.

and also thank you sir so much for your fast reply! <3
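
A check for the condition the quote above describes, added here as an example and not part of the original thread: it reports which bridges exist and whether bridged frames are handed to iptables, ip6tables and arptables. The function names and the optional root-directory argument (used to run the check against a constructed directory tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether netfilter sees traffic crossing a Linux bridge.
# Optional argument: an alternate root directory (hypothetical, for testing
# against a constructed tree). Leave it empty to inspect the running host.

# Print the state of one bridge-nf-call-* switch: enabled, disabled,
# not-loaded (br_netfilter has not registered the sysctl) or unknown.
nf_call_state() {
    f="$1/proc/sys/net/bridge/bridge-nf-call-$2"
    if [ ! -r "$f" ]; then
        echo "not-loaded"
        return 0
    fi
    case "$(cat "$f")" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Print the name of every interface that is a bridge, one per line.
list_bridges() {
    for d in "$1"/sys/class/net/*/bridge; do
        [ -d "$d" ] || continue
        basename "$(dirname "$d")"
    done
}

# Human-readable summary of the bridge and netfilter state.
report() {
    root="${1:-}"
    bridges=$(list_bridges "$root" | tr '\n' ' ')
    echo "bridges: ${bridges:-none}"
    for table in iptables ip6tables arptables; do
        echo "bridge-nf-call-$table: $(nf_call_state "$root" "$table")"
    done
    if [ -n "$bridges" ] && [ "$(nf_call_state "$root" iptables)" != "enabled" ]; then
        echo "note: bridged IPv4 frames are not passed to iptables rules"
    fi
}

report "${1:-}"
```
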

evilsocket commented 5 years ago

:+1: