
I am playing around with Ettercap and ARP spoofing attacks. I have noticed that the computers that are involved in my attack are not displaying any messages telling that an IP conflict has occurred.

Isn't that the case when ARP spoofing? Then two (or more) computers will share the same IP. When does an IP conflict occur?

The computers I spoof are a Windows 7 machine and an Ubuntu machine.

Rox
  • Who knows, maybe your router picks IPs for DHCP leases from its ARP cache table (you can never know what those folks code up for your next $15 router)... – JSmyth May 16 '14 at 17:40
  • Nevertheless, I guess that "IP conflict" thingy may be related to the fact that before using an IPv4 address a Windows host tests to see if the address is already in use by broadcasting ARP probe packets. Hence, if there's some kind of tomfoolery with ARP packets over the network, responses may be incorrect. – JSmyth May 17 '14 at 14:56

3 Answers


Get to the roots! If you know what ARP does, things will be clearer.

On a subnet (machines plugged into the same set of hubs and switches), the machines talk to each other with MAC addresses: the MAC address uniquely identifies each ethernet/WiFi card. Machines, a priori, do not know MAC addresses; they just know IP addresses. So, when machine A wants to send a packet to machine B, it sends a broadcast frame following the ARP protocol; the packet says: "hey, does anybody know the MAC address of B?" If someone responds with the information ("B has MAC address xx:xx:xx:xx:xx:xx") then A will be able to send its data to B.

To speed up the process, A maintains a cache of known mappings IP-to-MAC, but is ready to remove entries from the cache when the information is not renewed (information renewal is when a packet comes to A, tagged with the IP address of B as source, and, at the ethernet level, uses the MAC address of B). The ARP cache entries must not be too long-lived because B is allowed to switch hardware (in case B's ethernet adapter fries and is replaced, the new adapter will have a distinct MAC address, but may assume the same IP address).

Other users of ARP are switches. Switches do not emit packets, but they observe a lot. The point of a switch, as opposed to a simpler hub, is to optimize things by sending packets only on relevant cables, instead of broadcasting all packets over the complete subnet. A switch "knows" that a given machine (i.e. a MAC address) lies at the other end of a specific link by observing traffic (i.e. the switch has noticed that all packets with that MAC address as source come from a given link). The switch thus maintains a mapping MAC->link in an internal table, which is confusingly (and inappropriately) also called an "ARP cache".

Spoofing is the term some people came up with to designate what is otherwise known as a forgery, when in the context of network security (for some reason, perfectly usable words from previous centuries never seem to be good enough for the technology-addict). ARP spoofing is about sending packets which are forged at the ARP level, i.e. packets which will deceive other systems as to the mappings involving ARP (i.e. the ARP caches that machines and switches maintain). The attacker may gain some advantages by so doing; for instance, he may convince a switch to send him some packets which would otherwise have been sent to another machine on another link. This kind of attack is also known as "ARP cache poisoning" because it ultimately fills some ARP caches with wrong entries.

An IP conflict is when two machines, with distinct MAC addresses, want to assume the same IP. When an ARP request is sent ("what is the MAC address of B"), both machines will respond, with conflicting information. The requester (A) receives both answers and can warn about the problem: two concurrent mappings with one IP and two MAC addresses. ARP spoofing tries to do something different: two IP addresses (or two links) which map to one MAC address. The successful ARP attack is not really distinguishable from a machine which changed its IP address, something which, on a general basis, is normal (when machines get IP addresses dynamically with DHCP, their IP address may change from time to time), and thus triggers no special warning.

Tom Leek

  • I've thought of this question myself sometimes, and I'm not sure I understand the point that the answerer is trying to make here in the last paragraph. It's true that from the spoofing machine's viewpoint it is trying to take on two IP addresses mapped to one MAC address (its own). But isn't the *spoofed* machine still on the network as well, still sending out ARP packets that say "I have IP address A" at the same time the spoofing machine is sending out "I have IP address A"? That's two distinct machines saying they have IP address A, isn't it? What am I missing? – mostlyinformed Dec 20 '15 at 02:41
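An added, defender-side illustration of the distinction drawn in this answer (it is not code from the answer, from Ettercap or from any of the posters): an arpwatch-style monitor that parses raw ARP-over-Ethernet frames and flags both patterns, one IP claimed by two MACs (the IP-conflict case) and one MAC claiming several IPs (the ARP-spoofing footprint). All MAC and IP addresses and the three sample frames are constructed for the example.

```python
import struct
from collections import defaultdict

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def arp_frame(op, sha, spa, tha, tpa):
    """Build a raw Ethernet II + ARP frame (op 1 = request, 2 = reply)."""
    dst = mac_bytes(tha) if op == 2 else b"\xff" * 6          # requests are broadcast
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return (dst + mac_bytes(sha) + b"\x08\x06" + hdr
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def parse_arp(frame):
    """Return (op, sender MAC, sender IP) for an ARP-over-Ethernet frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":        # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa

class ArpMonitor:
    """Records which MACs claim which IPs and flags the two patterns the answer contrasts."""
    def __init__(self):
        self.ip_to_macs = defaultdict(set)   # one IP -> several MACs: IP conflict / poisoning
        self.mac_to_ips = defaultdict(set)   # one MAC -> several IPs: classic ARP-spoofing footprint

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, mac, ip = parsed
        alerts = []
        if self.ip_to_macs[ip] and mac not in self.ip_to_macs[ip]:
            alerts.append(f"ip-conflict {ip}: {mac} vs {sorted(self.ip_to_macs[ip])}")
        self.ip_to_macs[ip].add(mac)
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"mac-multi-ip {mac}: {sorted(self.mac_to_ips[mac])}")
        return alerts

def run_sample():
    """Constructed capture: the real 10.1.1.1 answers, then a second MAC claims 10.1.1.1 and 10.1.1.2."""
    frames = [
        arp_frame(2, "aa:aa:aa:aa:aa:01", "10.1.1.1", "bb:bb:bb:bb:bb:02", "10.1.1.2"),
        arp_frame(2, "cc:cc:cc:cc:cc:03", "10.1.1.1", "bb:bb:bb:bb:bb:02", "10.1.1.2"),
        arp_frame(2, "cc:cc:cc:cc:cc:03", "10.1.1.2", "aa:aa:aa:aa:aa:01", "10.1.1.1"),
    ]
    mon = ArpMonitor()
    return [a for f in frames for a in mon.observe(f)]
```

The first alert is what a host could raise as an "IP conflict"; the second is the signature that only appears once a single MAC answers for more than one address, which is the case the answer says looks like an ordinary address change unless something is watching for it.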

When ARP poisoning, you are poisoning the ARP tables. If computer 10.1.1.1 needs to get to computer 10.1.1.2, it keeps the MAC address in its ARP tables. ARP is a trusting protocol, which means when a computer responds to an ARP request, there is nothing requiring its response to be correct and no mechanism for verifying it is correct.

So here's the game plan.

  1. Victim sends out arp request for 10.1.1.1.
  2. Legitimate 10.1.1.1 responds with its MAC Address, but I (the attacker) send out 10 million responses.
  3. As long as 1 of my ARP responses gets sent after the legitimate one, the attacker's MAC address will be put into the victim's ARP table.

One interesting thing about ARP is that the victim doesn't need to send out an ARP request to poison them. Like I said, ARP is poisoning them.

IP Address Spoofing: I pick an IP address that already exists on my network. Other hosts will have issues establishing a TCP connection. For example: the legitimate host that the attacker is spoofing tries to access a webserver. The legitimate host sends a SYN, the legitimate webserver sends an ACK that both the attacker AND the legitimate host respond to. The legitimate host responds with a SYN-ACK like they should. The attacker responds with a RST since the ACK is unexpected to it. It makes it really difficult (impossible) for an IP address being spoofed to use any TCP services.

I'm having trouble interpreting your question (I'm bad at reading) but hopefully this helps.

Luc

  • Ahhh, so it's the *frequency* with which the attacker sends out ARP spoofing packets vs. the "legitimate" IP address owner's ARP packets that is key. Even though the legitimate owner is still sending out ARP packets saying it has IP address A, those packets are being drowned out by the far more numerous packets from the attacker-controlled machine saying it has IP address A. But does that mean that if the legitimate-owner-machine and the attacker-controlled machine were both sending out about the same number of ARP packets an IP conflict *would* emerge? (3 years after this answer...) – mostlyinformed Dec 20 '15 at 03:14

ARP Spoofing is NOT the same as IP address spoofing.

What ARP spoofing does is associate a MAC address with an existing IP address. The exploit involves sending fake ARP reply packets that will associate the attacker's MAC address with a legitimate IP address. This involves making use of the fact that the ARP protocol is stateless - it doesn't keep track of any changes. New ARP reply packets will override the old ARP entries in the cache.

Any host in the network will only see one IP address associated with one MAC address (the attacker's MAC).

  • @TerryChia: I see. But I have experienced IP address conflicts before; are they not associated with ARP requests/replies? – Rox Aug 25 '12 at 12:43
  • @Rox Most probably not. It might be some misconfiguration with your DHCP server if you are using DHCP, or a conflicting static IP assignment. Hard to tell really without more info. –  Aug 25 '12 at 12:47
  • @Rox "_But I have experienced IP address conflicts before_" how do you know you had "IP address conflicts"? – curiousguy Aug 25 '12 at 14:59
  • @curiousguy: I don't remember in what situations I have got IP conflicts. But I know I have sometimes before, probably when I have installed routers and connected clients to them. – Rox Aug 27 '12 at 14:37
  • (Three-plus years later...) Okay, but here's what I personally don't understand about this scenario: in ARP spoofing isn't the machine that "rightfully" has the IP address that the attacker is trying to assume also *still* sending out ARP packets saying it has that IP? Isn't that creating a situation where you do have two different machines, with two different MACs, both saying they have one IP address? Wouldn't the ARP cache of a third machine looking at all this keep flipping back and forth between "Computer at MAC X has IP address A.", and "Computer at MAC Y has IP address A."? – mostlyinformed Dec 20 '15 at 02:59