0

At home I have two laptops (running on Windows). With one laptop (attacking laptop) I try to get in the middle of the connection of the other laptop (victim laptop).

To do this I run Kali Linux in a virtual environment using VirtualBox on the attacking laptop. In VirtualBox I bridged my built-in wifi adapter to the virtual environment (I have no external USB wifi adapter).

I use the following commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 192.168.1.63 -r 192.168.1.254    

After executing the commands above, I can see that the physical address of 192.168.1.254 (the router) changes in the victim laptop's ARP table (using arp -a).

The new physical address is the MAC address of the host OS of the attacking laptop (so not the MAC address of the virtual adapter that Kali Linux uses)!

Therefore, the victim laptop starts sending information to the wrong MAC address. It looks like Kali Linux is not receiving any data of interest and also cannot forward the data.

As a result, the victim laptop loses its internet connection while Kali Linux should forward the ethernet traffic of the victim laptop to the actual destination.

1) Why does the MAC address in the ARP table of the victim laptop become the MAC address of the host OS of the attacking laptop, and not the MAC address of the virtual adapter used by Kali Linux? I think it has something to do with the bridging of the virtual network adapter with the built-in wifi adapter. Maybe there are details about the bridging I do not understand?

2) What should I change in order to make this attack work?

In Wireshark I can capture some data but I cannot make anything out of it. It seems like Wireshark is also capturing the traffic of the host OS.

Thank you for any clarification!

Stefan
  • After enabling IP Forwarding, use arpspoof to create and send malicious ARP messages to the target claiming that the Kali Linux MAC address is the MAC address of the network router. arpspoof -i eth0 -t [Kali Linux IP] -r [Router IP] – Ubaidah Nov 11 '18 at 22:40
  • I don't understand. Why would it work to use the Kali Linux IP instead of the victim IP? How will I in this case be able to sniff the victim's laptop network traffic? Can you please explain? – Stefan Nov 12 '18 at 08:58

2 Answers

1

1) The problem is indeed that for communication with the VM the host's MAC address is used. This is what VirtualBox does when bridging to a wireless network adapter:

From the VirtualBox manual: 6.5. Bridged networking

Note: Bridging to a wireless interface is done differently from bridging to a wired interface, because most wireless adapters do not support promiscuous mode. All traffic has to use the MAC address of the host's wireless adapter, and therefore VirtualBox needs to replace the source MAC address in the Ethernet header of an outgoing packet to make sure the reply will be sent to the host interface. When VirtualBox sees an incoming packet with a destination IP address that belongs to one of the virtual machine adapters it replaces the destination MAC address in the Ethernet header with the VM adapter's MAC address and passes it on. VirtualBox examines ARP and DHCP packets in order to learn the IP addresses of virtual machines.

2a) As a solution I use a wired network adapter. I used an external USB adapter which is operated by the host. I bridged it with the VM. I tested this and it does work.

2b) What probably also works is to set the field 'Promiscuous Mode' to 'Allow All' in the Advanced section of the Network adapter settings of the VM. Then the host will pass all traffic to the virtual adapter. I haven't tested it but I expect it to work.

Stefan
  • This is correct and explains the behavior of the MAC addresses. But why doesn't the attack work? – multithr3at3d Nov 13 '18 at 00:11
  • The attack does not work because of the behavior of the virtual adaptor described in the text above. The MAC address of the host is used, so the host does receive the traffic. The virtual adapter will only take packets with the destination IP of the corresponding VM. Since the destination IP is that of the gateway or the victim laptop, the virtual adapter will not take the packets and finally the host will drop them. – Stefan Nov 14 '18 at 13:14
  • 2
    I am able to replicate this and it seems to work. Because of _"VirtualBox examines ARP and DHCP packets in order to learn the IP addresses of virtual machines"_, the network driver should pass the MitM'd traffic on to the VM running arpspoof. The MAC address of the host replacing the VM is still fine for arpspoofing with the side effect of the victim's entire host being affected by the attack. – multithr3at3d Nov 18 '18 at 21:47
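
The symptom described in the question and explained by the manual excerpt above can be checked from the victim's side. The following is an added example, not part of the original posts: it parses Windows `arp -a` output, compares it against a known-good baseline, and reports when the gateway's MAC changes and which other IPs already use the new MAC. The addresses 192.168.1.70 (attacking host) and 192.168.1.71 (Kali VM) and all MAC addresses are constructed assumptions.

```python
import re

GATEWAY = "192.168.1.254"  # router address from the question

# Constructed `arp -a` output as seen on the Windows victim laptop.
# 192.168.1.70 (attacking host) and 192.168.1.71 (Kali VM) are assumed
# addresses; every MAC address here is made up. Host and VM already share one
# MAC in the baseline, which is what wireless bridging produces.
ARP_BEFORE = """
Interface: 192.168.1.63 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.70          02-00-00-bb-00-02     dynamic
  192.168.1.71          02-00-00-bb-00-02     dynamic
  192.168.1.254         02-00-00-aa-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# After poisoning, only the gateway entry changes.
ARP_AFTER = ARP_BEFORE.replace("02-00-00-aa-00-01", "02-00-00-bb-00-02")

ENTRY = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I
)

def parse_arp(text):
    """Return {ip: mac} for dynamic entries; static broadcast/multicast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(baseline, current, gateway=GATEWAY):
    """Return a finding if the gateway MAC differs from the baseline, else None."""
    old, new = baseline.get(gateway), current.get(gateway)
    if old is None or new is None or old == new:
        return None
    # Other IPs that already own the new MAC point at the machine answering for the gateway.
    owners = sorted(ip for ip, mac in current.items() if mac == new and ip != gateway)
    return {"gateway": gateway, "expected": old, "seen": new, "also_used_by": owners}

if __name__ == "__main__":
    print(check_gateway(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)))
```

A shared MAC between the host and its bridged VM is normal on a wireless bridge, so the check keys on the gateway entry changing rather than on duplicate MACs alone.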
-1

You have to also do the command in reverse:

arpspoof -i eth0 -t 192.168.1.63 -r 192.168.1.254
arpspoof -i eth0 -t 192.168.1.254 -r 192.168.1.63
peterh