1

I am experimenting a bit with Ettercap in my local Wi-Fi LAN. I have a router (R), my PC (P) with Ettercap running on it and my smartphone (S). In particular, I am testing the ARP poison MIM attack and it seems to work, but I have some doubts.

I have been able to make R believe that P has the S MAC address and to make S believe that P has the R MAC address. So the router maps the smartphone IP to my PC MAC address and the smartphone maps the router IP to my PC MAC address.

Now, when the smartphone sends packets to the router it uses the PC MAC address, and when the router sends packets to the smartphone it uses the PC MAC address. Let's suppose that the router sends a packet that should be for the smartphone: the smartphone will get the packet, as I am using Wi-Fi so everyone can see everything, but will it drop it because of the MAC address mismatch? Also, the PC will be able to get the smartphone's packets from the router, and layer 2 will not drop the packets as the MAC address matches the PC MAC address, but as the IP does not match, shouldn't the kernel drop it?

Edge7
  • Reading this: https://security.stackexchange.com/questions/96564/arp-poisoning-and-port-forward-together it seems that Linux has no problems in accepting IP packets with an IP dst that does not match – Edge7 Apr 18 '18 at 20:15
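
The poisoned state described in the question (one MAC address answering for two IP addresses) is visible in the neighbour table of the affected device. The following is an added example, not part of the original post: it parses text in the Linux `/proc/net/arp` format and reports MAC addresses mapped to more than one IP. The sample table, all addresses and the function names are constructed for illustration, with 192.168.1.10 standing for P and 192.168.1.20 for S as seen from a Linux-based R.

```python
from collections import defaultdict

# Constructed sample in /proc/net/arp format, as a Linux-based R might show it
# after poisoning: S (192.168.1.20) now resolves to P's MAC. All values are made up.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         02:00:00:00:00:aa     *        wlan0
192.168.1.20     0x1         0x2         02:00:00:00:00:aa     *        wlan0
192.168.1.30     0x1         0x2         02:00:00:00:00:cc     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x2  # "complete" flag: the entry holds a resolved MAC address


def parse_arp_table(text):
    """Yield (ip, mac, device) for every resolved entry."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM:  # ignore incomplete entries
            yield ip, mac.lower(), device


def find_shared_macs(text):
    """Return {(device, mac): [ips]} for MACs mapped to more than one IP."""
    owners = defaultdict(list)
    for ip, mac, device in parse_arp_table(text):
        owners[(device, mac)].append(ip)
    return {key: sorted(ips) for key, ips in owners.items() if len(ips) > 1}


def impersonators_of(text, ip):
    """IPs sharing a MAC with `ip`: on S pass the router's IP, on R pass S's IP."""
    for ips in find_shared_macs(text).values():
        if ip in ips:
            return [other for other in ips if other != ip]
    return []


if __name__ == "__main__":
    for (device, mac), ips in find_shared_macs(SAMPLE_ARP_TABLE).items():
        print(f"{device}: {mac} is mapped to {', '.join(ips)}")
```

A shared MAC is a signal to investigate rather than proof: a host with several IP addresses on one interface, or a device doing proxy ARP, produces the same pattern.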

2 Answers

0

I investigated a lot on this in the last few days: By default, Linux drops packets with a MAC address different from the MAC address of the NIC on which it gets the packet. Promiscuous mode should modify this behaviour. If the ARP-spoofing attack has had success, the man in the middle will receive packets from R and S (see my question for the S and R definitions), which will have P's MAC address (this is the point of ARP spoofing) but a different IP. You can read these packets using different tools such as Wireshark. I experimented with libpcap (I used that library in a C program), which I think is used by Ettercap, and with that you can take those packets and also modify and re-forward them. Please note that Ettercap does not enable IP forwarding by default doing:

echo 1 > /proc/sys/net/ipv4/ip_forward

Otherwise, the kernel itself will forward the packets, but Ettercap also offers packet modification and packet dropping, which is possible only if the kernel does not take care of those packets.

Edge7
-2

The attacking computer does not drop the packet because IP forwarding is enabled by Ettercap before the attack starts. If IP forwarding is not enabled and these two devices (your computer and the smartphone) are not bridged, then the computer drops the packet. An ARP DoS attack utilizes this technique by simply discarding the requests and thus blocking the connection between the victim and the router.

Merk
  • Ettercap in 'offensive mode' disables IP Forwarding in the Kernel otherwise features such as packet modification/packet dropping would not be possible. – Edge7 Apr 23 '18 at 15:47
  • That's exactly why ip forwarding is alternatively modified during the process, and the command in your response above enables ip forwarding..... it is a universal truth in computer science that 1 is true, 0 is false.... – Merk Apr 25 '18 at 01:23
  • In case you still don't get it: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690158 The second item in this archive states that ettercap disables ip forwarding only when the attack mode is OFF. You cannot bridge the attacker with the victims if ip forwarding is not enabled. – Merk Apr 25 '18 at 01:36
  • Basically, ettercap disables ip forwarding in the kernel and forwards the packets on its own. If this is what you were trying to convey, then it's good. – Merk Apr 25 '18 at 01:43