1

I recently tried to do a MiTM attack on my network using ettercap. I have a router, two windows 7 machines : Host A and Host B, and Backtrack on a VM.

In the ettercap window I added the router as TARGET 1, Host A as TARGET 2 then started Arp poisoning. When I checked the arp tables of Host B, I found that it was also targeted by the attack.

Any explanations? How can I exclude Host B?

Thank you.

EDIT :

After switching to Ettercap v0.8, the attack works correctly, only HOST B sees a spoofed router's mac address. Maybe it was a bug in the old version.

1 Answers1

2

As explained here, some operating systems ignore some ARP responses. In particular, Linux will ignore unsolicited responses, but will use apparently legit request and replies from other hosts on the network. So the attacker must emit both fake requests and fake answers, and make sure that the target hosts see them nonetheless, which more-or-less implies the use of broadcast ethernet frames. By construction, broadcast frames propagate everywhere, so other hosts on the local network will be affected as well.

If you want to avoid poisoning host B while targeting the router, then you must send fake non-broadcast ARP responses that bear the router's MAC address (so that the router sees them), but they also must NOT bear the router's MAC address (so that the router does not ignore them as unsolicited responses), which is a bit self-contradictory.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • Thank you, but if others hosts on the network will be affected by arp broadcasts, what is the use or selecting targets in ettercap? –  Apr 01 '14 at 17:15