I'm trying to create a lab environment to experiment with MiTM attacks. I want to learn docker also so I've decided to do this with docker. I created 2 images (attacker, victim):
Victim - based on Alpine, with curl installed Attacker - based on Ubuntu, with installed iputils-ping iproute2 curl iptables vim ettercap-text-only dsniff and tshark.
They're both in bridged network, so the router here would be docker0 interface (default: 172.17.0.1)
I'm running the attacker container with --privileged flag, to enable using ettercap.
So when both images is running I'm executing ettercap from attacker container with:
ettercap -T -o -S -i eth0 -M arp:remote //victim_ip/ //172.17.0.1/
Victim's traffic is getting through attacker, but there's a problem that when victim is trying to ping google.com there is no response.The MiTM attack is working because I can see this traffic on victim containers but something is blocking it.
I've tried with arpspoof tool too, but with the same effect.
Tried also
echo 1 > /proc/sys/net/ipv4/ip_forward
- no effect.
I've checked it on host machine with wireshark and that's what I see...
So my question is - Is docker gateway somehow can block this MiTM attack?
I'm not pro with wireshark and ettercap and docker so, maybe I assumed wrong that I can consider docker0 as a normal router that can be fooled with arpsoofing attack.
When I disable ettercap, the network connection is back again.
Any hint what may be wrong will be helpful.
[EDIT]
Okay I've found a little hint what's the problem here. I opened 2 wiresharks on my host, one on docker0 interface one on my default wifi interface.
As you can see after arpspoofing docker interface isn't translating ip of docker to ip of host. With this I've changed my question to "How docker is translating docker0 interface ip address to host ip address." If I learn more about this maybe I will figure out why my problem occurs.
