1

Set up:

  • Victim: 192.168.0.2
  • Attacker (also having SSH server installed): 192.168.0.3
  • SSH server: 192.168.0.4

I perform a successful ARP Spoofing attack (being obviously the attacker's MAC address):

victim shell shown

But when I try to connect via ssh user@192.168.0.4, instead of connecting to the attacker's ssh server, it redirects the traffic to the real ssh server (or keeps waiting for this connection if traffic redirect is disabled in attackers /proc/sys/net/ipv4/ip_forward file).

Is there any way I could interpret packets coming from an IP before redirecting to the original destination?

Note: in case it's relevant, I'm using Ubuntu docker containers inside GNS3 inside a VM. This is the scheme:

enter image description here

schroeder
  • 123,438
  • 55
  • 284
  • 319
LearningSquad
  • 11
  • 2
  • Do you mean "intercept"? And you are running the `ssh user@192.168.0.4` command from the victim? – schroeder Apr 08 '21 at 18:15
  • Can you explain what you want to have happen? "instead of connecting to the attacker's ssh server, it redirects the traffic to the real ssh server" -- it sounds like you configured your attacker machine to do this since disabling ip forwarding cuts the connection. – schroeder Apr 08 '21 at 18:21
  • Ask yourself this: if the packets are still addressed to the original server, why would your attacker machine think they belong to them? You need to create a firewall rule to rewrite the destination. – multithr3at3d Apr 08 '21 at 21:52

0 Answers0