I want to capture all internet traffic on a small network, so I am experimenting with ARP spoofing of the default gateway but I don't see the spoofed ARP cache entries.

I am using two Linux machines on the network: one, the attack machine, runs ettercap and the other plays the role of victim. The third participant is the default gateway, which is a typical ADSL router. There are other devices on the network. All devices are connected over Ethernet (wired).

I run ettercap (version 0.8.2) like this:

```
ettercap -T -j ettercap.hosts -M arp:remote -w ettercap.pcap /10.0.0.10/ //
```

where ettercap.hosts contains the hosts on the network (being a class A, a scan isn't practical) and the IP address is that of the default gateway.

Running `arp` on the victim shows that it has the correct MAC for the default gateway, but I would expect it to show the MAC of the machine running ettercap. I see the same on the router: it has the correct MAC for the victim machine. I expected the ARP caches to be modified to point at the attack machine.

Running Wireshark on the victim machine shows that ARP packets are being sent by ettercap, but they don't have any effect. For example:

```
136 13:50:12.666418095  Sony_8d:3f:5e   AsustekC_b9:59:24   ARP 60  10.0.0.10 is at 00:01:4a:8d:3f:5e
```

I presume that I misunderstand or am missing something, but I am not clear what.

What is the right way to use ettercap to ARP spoof the default gateway to log all traffic?

starfry
  • Does your router have anti-ARP spoofing defenses enabled? – Maximilian Gerhardt Aug 03 '17 at 13:56
  • In order to tell the victim host that now we (our MAC address) are the one belonging to the IP of the gateway, enter the following command: `arpspoof -t victim gateway` In a separate shell we start the matching command to fool the gateway to believe we are the victim: `arpspoof -t gateway victim` Don't forget to enable IP forwarding on your host so the traffic goes through your host. Otherwise the victim will lose connectivity. `echo 1 > /proc/sys/net/ipv4/ip_forward` ..watch all the traffic between the victim host and the outside network going through your machine: `tcpdump host victim and not arp` – Gewure Aug 03 '17 at 14:28
  • With the tool `arpwatch` you can verify that it works. In case it doesn't, I suspect your router prohibits it somehow (many new ones do so), as mentioned by @MaximilianGerhardt ... you can probably change that in the router settings. – Gewure Aug 03 '17 at 14:32
  • Ok, so using `arpspoof` I can see the expected ARP change on the victim. I can also see it reset pretty much straight away. The change has no effect on the router at all. I guess the router must have anti-ARP spoofing defenses on it. I don't know - I need to see what I can find from its crap documentation (it's a Thomson SpeedTouch TG585). Also, `arpwatch` didn't work for me: `bad interface enp4s0: no IPv4 address assigned`. I don't know if that's because it's bridged. – starfry Aug 03 '17 at 16:57
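The `arpwatch` suggestion in the comments comes down to one check: an IP address whose "is at" claim in ARP replies changes from one MAC to another. As an added example (not part of the question or the comments), here is that check run over Wireshark-style summary lines in the same layout as the capture line quoted above; the gateway and victim lines are constructed, using placeholder MACs from the 00:00:5e:00:53:xx documentation range, and the last line is the page's own capture.

```python
import re

# Constructed Wireshark summary lines in the layout of the capture line in the question.
# 10.0.0.10 is the gateway. Gateway and victim MACs are made-up values from the
# 00:00:5e:00:53:xx documentation range; the last line is the page's own capture line.
SAMPLE_LINES = """\
101 13:49:58.100000000  Gateway_00:53:01   Broadcast           ARP 60  Who has 10.0.0.25? Tell 10.0.0.10
102 13:49:58.100500000  Victim_00:53:24    Gateway_00:53:01    ARP 42  10.0.0.25 is at 00:00:5e:00:53:24
103 13:49:58.101000000  Gateway_00:53:01   Victim_00:53:24     ARP 60  10.0.0.10 is at 00:00:5e:00:53:01
120 13:50:05.000000000  Gateway_00:53:01   Victim_00:53:24     ARP 60  10.0.0.10 is at 00:00:5e:00:53:01
136 13:50:12.666418095  Sony_8d:3f:5e      AsustekC_b9:59:24   ARP 60  10.0.0.10 is at 00:01:4a:8d:3f:5e
""".splitlines()

# Columns: frame, time, source, destination, protocol, length, then the ARP reply text.
REPLY = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+\S+\s+\S+\s+ARP\s+\d+\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3}) is at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*$"
)

def find_arp_flipflops(lines):
    """Track the MAC each IP claims in ARP replies and report every change.

    Returns a list of (frame, time, ip, previous_mac, new_mac). A repeated reply with
    the same MAC is normal (gratuitous ARP, re-announcements) and is not reported; a
    change, which arpwatch logs as a 'flip flop', is the signal that an IP's owner is
    being rewritten, whether legitimately (hardware swap, failover) or by cache poisoning.
    """
    current = {}
    changes = []
    for line in lines:
        m = REPLY.match(line)
        if not m:
            continue  # requests and non-ARP frames carry no 'is at' claim
        frame, ts, ip, mac = m.group(1), m.group(2), m.group(3), m.group(4).lower()
        if ip in current and current[ip] != mac:
            changes.append((int(frame), ts, ip, current[ip], mac))
        current[ip] = mac
    return changes

if __name__ == "__main__":
    for frame, ts, ip, old, new in find_arp_flipflops(SAMPLE_LINES):
        print(f"frame {frame} {ts}: {ip} changed from {old} to {new}")
```

On the sample the only report is frame 136, where 10.0.0.10 moves from the gateway's MAC to the one in the question's capture; the same logic applied to a live capture shows whether the replies the victim sees are actually contradicting an earlier claim.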

0 Answers