w4sp-book / w4sp-lab

Lab environment for the Wireshark for Security Professionals book
https://github.com/w4sp-book/w4sp-lab/wiki/Lab-Installation

trouble with the mitm lab #7

Open robertwatkins opened 7 years ago

robertwatkins commented 7 years ago

Here is what I did

I've been looking at this on and off for a week, making sure I have the right IP addresses in each slot (as far as I can tell) and I get the same results each time. Am I missing a step?

Here are the settings

Basic options:

Name           Current Setting  Required  Description
AUTO_ADD       false            yes       Auto add new host when discovered by the listener
BIDIRECTIONAL  false            yes       Spoof also the source with the dest
DHOSTS         192.100.200.160  yes       Target ip addresses
INTERFACE                       no        The name of the interface
LISTENER       true             yes       Use an additional thread that will listen for arp requests to reply as fast as possible
SHOSTS         192.100.200.1    yes       Spoofed ip addresses
SMAC                            no        The spoofed mac

w4sp-book commented 7 years ago

ok, so I think this is a few issues combined, but mainly related to some new iptables rules that docker is adding. Try running the following as root after starting up the labs (you will need to run these every time you stop and start the labs until I push a fix):

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

This will clear out all of the iptables. Secondly, try setting BIDIRECTIONAL to true in metasploit. Finally, if you stop seeing vic1 trying to make ftp connections, you can also check for other protocols (http/telnet). You should also be able to filter in wireshark for anything with a source ip address of vic1, then check all the destination addresses, and if you see anything that is destined for the 10.100.200.x subnet then you know your arp spoofing is working.

Worst case scenario to try and just verify that arp spoofing is working is to open up the vic1 terminal and try to ping something in the 10.100.200.x subnet; arp spoofing is working if you are able to see those pings from the Kali host.

I already have a fix for the iptables issue but need to test it out a little bit before I push it to the code.
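
An added example, not part of the thread or of the w4sp-lab code: a small check that the seven flush commands above actually took effect, by reading `iptables -S` output and reporting any non-ACCEPT chain policy or leftover rule. The helper name `check_flushed` and both sample listings are constructed for illustration; the thread does not say which Docker rules were responsible.

```shell
#!/bin/sh
# check_flushed (hypothetical helper): read `iptables -S` output on stdin,
# print every leftover it finds, and return 1 if there is at least one.
# Custom chains (-N) are ignored: the -X in the thread only covers the
# filter table, so empty chains may remain in nat and mangle.
check_flushed() {
    awk '
        # A chain policy other than ACCEPT (the three -P commands set ACCEPT).
        $1 == "-P" && $3 != "ACCEPT" { printf "policy %s is %s\n", $2, $3; bad++ }
        # Any appended rule that survived the -F flushes.
        $1 == "-A" { printf "rule left in %s: %s\n", $2, $0; bad++ }
        END { exit (bad > 0) }
    '
}

# Constructed sample listings (not captured from the lab).
SAMPLE_BEFORE='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT'

SAMPLE_AFTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_BEFORE" | check_flushed || echo "before: leftovers found"
printf '%s\n' "$SAMPLE_AFTER"  | check_flushed && echo "after: clean"
```

On the lab host the same function can be fed live output as root with `iptables -S | check_flushed`, and likewise with `iptables -t nat -S` and `iptables -t mangle -S`.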

robertwatkins commented 7 years ago

Yay! I stopped the labs and then started it again, ran the commands as root from the kali terminal and then restarted the metasploit steps (with the new vic1 ip address) and can see ftp traffic being sent to the kali wireshark!

Thanks :)

w4sp-book commented 7 years ago

Awesome! I have pushed the fix so if you download the w4sp-lab again you shouldn't need to run those commands every time you start and stop the labs.

andreacastelnuovo commented 1 year ago

Hi, I have the same problem but I cannot resolve it. This is what I do:

1. start the lab with sudo python w4sp_webapp.py
2. when the lab appears I don't click "setup" but I open a new terminal and run as root the scripts

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

3. after, click on "setup" and the lab starts
4. new terminal and run metasploit with sudo, after use auxiliary/spoof/arp/arp_poisoning, set all the parameters DHOSTS, SHOSTS, LOCALSIP and then exploit.
5. open wireshark and FTPs don't appear.

Is what I do correct? Help me please, I'm so frustrated after 4 days of attempts!!! THANK YOU!