omargnagy / subterfuge

Automatically exported from code.google.com/p/subterfuge
GNU General Public License v3.0

No FTP response #129

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
I was trying to figure out why the FTP harvester was not working and I managed 
to find out.

I was looking at the code searching for the origin of the problem and I found 
out it had nothing to do with the code; it was the ARP poisoning itself.

Using Wireshark I could see myself logging in to FTP using a poisoned computer. 
FTP request packets were being sent (USER xxx, PASS yyy) but no response was 
recorded in Wireshark, yet the poisoned computer managed to log in, so the 
response packets were arriving.

I used Wireshark on both computers to look at the network traffic for the FTP 
protocol. The computer running subterfuge had 6 FTP packets and the poisoned 
computer had 12+! All the RESPONSE packets are not going through the computer 
poisoning the network.

Why is that and what can be done?

Original issue reported on code.google.com by andre...@gmail.com on 6 Nov 2013 at 12:21

GoogleCodeExporter commented 8 years ago
We will have to investigate this issue further. Thank you for your in-depth 
testing. It is always a possibility that the victim machine lost the ARP poison 
just before sending the FTP packets, and then was re-poisoned moments later. 
That is possible and shouldn't happen very often. There is a tough balance with 
ARP poisoning where you can bring down the network very easily if you try to 
keep victims poisoned every single second. The Dynamic ARP Retention feature 
should increase the likelihood of maintaining a more consistent ARP poison, but 
at the risk of breaking network functionality.

Original comment by topher.s...@gmail.com on 6 Nov 2013 at 4:06
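
Seen from the monitoring side, the lapse-and-re-poison cycle described in the reply above appears as one IP address alternating between two MAC addresses in ARP replies. The following is an added example, not part of the original thread or of subterfuge's code; the addresses, the 60-second window and the function name `find_flapping_ips` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from observed
# ARP replies. 192.0.2.1 plays the gateway; all values are made up.
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.0.2.1",  "aa:aa:aa:aa:aa:01"),  # gateway's real MAC
    (2.0,  "192.0.2.1",  "cc:cc:cc:cc:cc:99"),  # second MAC claims the IP
    (2.5,  "192.0.2.50", "bb:bb:bb:bb:bb:02"),  # ordinary host, stable
    (30.0, "192.0.2.1",  "aa:aa:aa:aa:aa:01"),  # mapping reverts (lapse)
    (34.0, "192.0.2.1",  "cc:cc:cc:cc:cc:99"),  # mapping overwritten again
    (61.0, "192.0.2.50", "bb:bb:bb:bb:bb:02"),
]


def find_flapping_ips(replies, window=60.0, min_changes=2):
    """Return {ip: sorted MACs seen} for every IP whose claimed MAC changed
    at least `min_changes` times within `window` seconds.

    A single change (NIC swap, DHCP reassignment) is not flagged by default;
    repeated back-and-forth changes in a short window are.
    """
    last_mac = {}                 # ip -> most recent MAC claimed
    changes = defaultdict(list)   # ip -> timestamps of MAC changes
    seen = defaultdict(set)       # ip -> every MAC that claimed it
    flagged = {}

    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        seen[ip].add(mac)
        if ip in last_mac and last_mac[ip] != mac:
            # Keep only the changes that fall inside the sliding window.
            changes[ip] = [t for t in changes[ip] if ts - t <= window]
            changes[ip].append(ts)
            if len(changes[ip]) >= min_changes:
                flagged[ip] = sorted(seen[ip])
        last_mac[ip] = mac
    return flagged


if __name__ == "__main__":
    for ip, macs in find_flapping_ips(SAMPLE_ARP_REPLIES).items():
        print(f"{ip} alternates between {', '.join(macs)}")
```
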