6

Recently I became interested in sniffing/spoofing. I'm running Kali Linux with MITMf (9.8) and SSLstrip.

To start the attack I use:

python mitmf.py -i wlan0 --target X.X.X.2 --gateway X.X.X.1 --arp --spoof --hsts

  1. Victim I (OS X)

    I tried to attack my MBP. It works. I can sniff usernames/passwords when it connects to http sites. It doesn't last long though. After a minute or so my connection on the victim machine is completely dead. I have to stop the attack and reconnect the victim machine to the router to make its internet connection work again.

    I thought it might have been caused by having IP forwarding disabled, but as it turns out it works even worse when it's enabled (connection is lost on victim's machine almost immediately).

    Then, I thought it might be an issue with my router, so I tried to run a hotspot on my iPhone. Indeed, it improved the length of the attacks greatly, but still after 2-3 minutes the connection died on the victim's machine.

    What can be causing this?

  2. Victim II (Bootcamp Windows 8.1 Pro)

    My second victim was a Windows 8.1 machine running in Boot Camp. No luck here either. The connection is killed immediately after I run the MITMf command.

Has anyone encountered these issues?

techraf
gradle
    As far as I know you don't have to get between the victim and the router to capture wireless traffic. If you are connected to the same router as the victim you just need to capture wireless traffic. You can do that with the [aircrack-ng](http://www.aircrack-ng.org/) tool. When you capture wireless packets you will also see passwords in clear text for http sites. – Gökhan Okumuş Dec 25 '15 at 07:52
  • 1
    Try to accomplish the MITM with another tool, like ettercap. Also, please explain more about what you mean by 'your connection to the victim is dead'. – Eibo Feb 01 '16 at 09:21
  • 2
    A question like this would really benefit from at least a partial Wireshark capture from both the victim's and the attacker's point of view. – Daisetsu Apr 24 '16 at 01:35
  • 1
    Did you try sniffing packets on the victim machine? That may give you a clue. – packetie Jul 05 '16 at 15:23

4 Answers

1

I've not used mitmf.py, but from your description, the most obvious cause is that the tool is only poisoning the victim's ARP cache at startup and is not intercepting the refresh of the cache (fast enough). This should be apparent from a packet capture (though you'll have to wade through a lot of data to validate it).

If this is the case, re-running the ARP cache poisoning at regular intervals may fix the problem.

symcbean
1

I would say that your program is not using continued ARP poisoning. After a couple of minutes, when the router asks "Who is who?", ARP goes back to normal. Another way would be to use iptables instead to handle the ARP poisoning. If you could post the content of the Python script you're using we would be able to verify such a thing. Please post the source of the Python script.

Z3phyre1
0

MitmF is very powerful, but I do recommend using bettercap or scapy. It could also be the laptop detecting the change and realising the ARP just changed. This kind of stuff isn't very reliable, because the router may also still be sending out ARP, everyone gets confused and packets are going everywhere.

dGRAMOP
-2

Did you try to see your packets in Wireshark? I think there may be many duplicate packets to your router causing loss in connection.

ashish
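The capture the commenters ask for, and the duplicate replies this answer suspects, are the quickest way to tell the explanations on this page apart. In the victim's trace, the gateway's IP being claimed by two different MACs shows the poison is present but being contested by the real gateway; forged claims that simply stop, followed by a real reply winning, show the poisoner stopped refreshing. The following is an added example, not code from the page or from any of the tools named in it: it reads a classic pcap (Ethernet link type, not pcapng) with the Python standard library and reports which IPs were claimed by more than one MAC and how many replies each MAC sent. SAMPLE_FRAMES is constructed with made-up addresses so the block runs offline.

```python
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

ETH_P_ARP = b"\x08\x06"
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str, str]]:
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip) for an
    Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def read_pcap(path: str) -> Iterator[Tuple[float, bytes]]:
    """Minimal reader for classic libpcap files (what Wireshark saves as .pcap)."""
    with open(path, "rb") as fh:
        hdr = fh.read(24)
        magic = hdr[:4]
        if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
            endian = "<"
        elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
            endian = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng? export as pcap)")
        nanos = magic in (b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d")
        linktype = struct.unpack(endian + "I", hdr[20:24])[0]
        if linktype != 1:
            raise ValueError("expected Ethernet link type 1, got %d" % linktype)
        while True:
            rec = fh.read(16)
            if len(rec) < 16:
                return
            sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield sec + frac / (1e9 if nanos else 1e6), fh.read(incl_len)


def arp_conflicts(frames: List[bytes]) -> Dict[str, List[str]]:
    """IPs that were claimed ('is-at') by more than one MAC in ARP replies."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            op, sender_mac, sender_ip, _, _ = parsed
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def reply_counts(frames: List[bytes]) -> Dict[str, int]:
    """ARP replies per sender MAC; a poisoner that re-sends every few seconds
    dwarfs the handful of replies a real host produces."""
    counts = defaultdict(int)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY:
            counts[parsed[1]] += 1
    return dict(counts)


# Constructed sample (not a real capture): gateway aa:..:01 at 192.168.1.1,
# victim aa:..:02 at 192.168.1.2, attacker 00:11:22:33:44:55.
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    # real gateway reply to victim: 192.168.1.1 is-at aa:bb:cc:dd:ee:01
    "aabbccddee02aabbccddee0108060001080006040002aabbccddee01c0a80101aabbccddee02c0a80102",
    # forged reply to victim: 192.168.1.1 is-at 00:11:22:33:44:55
    "aabbccddee0200112233445508060001080006040002001122334455c0a80101aabbccddee02c0a80102",
    # victim's request "who has 192.168.1.1?" (a request, so it is not a claim)
    "ffffffffffffaabbccddee0208060001080006040001aabbccddee02c0a80102000000000000c0a80101",
    # forged reply to gateway: 192.168.1.2 is-at 00:11:22:33:44:55
    "aabbccddee0100112233445508060001080006040002001122334455c0a80102aabbccddee01c0a80101",
)]

if __name__ == "__main__":
    import sys
    frames = [f for _, f in read_pcap(sys.argv[1])] if len(sys.argv) > 1 else SAMPLE_FRAMES
    print("contested IPs:", arp_conflicts(frames))
    print("replies per MAC:", reply_counts(frames))
```

Run it against a capture taken on the victim (`tcpdump -i en0 -w victim.pcap arp` on OS X) with `python3 arpcheck.py victim.pcap`; run it on nothing and it analyses the built-in sample.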