January 29, 2021 at 6:56 pm #51595
Did you avoid running sslstrip this time and any iptables rule? So it looks like you have internet connection now. So it might happen that your router has some arp spoofing protection, in that case the only thing you can do is disabling such protection or just arp spoof in one direction, as mentioned in the last lecture of Section 9 Post Connection Attacks, in that case you won’t be able to modify any response. So to confirm this is an issue with the router can you run arp -a in windows machine before and during the attack? And show the results here.
You have mentioned that it didn’t work in the virtual lab, so how did you test it if you are not able to run 2 virtual machines?
DiegoJanuary 29, 2021 at 9:49 pm #51601
I was able to run even though that was so hard because it took me one hour to just type a command, I don’t have a powerful laptop.
How can it be a router with Arp spoofing protection when I can spoof it using bettercap ?January 29, 2021 at 9:50 pm #51602
I avoid using sslstrp and I also did not use any ip table rules, I used the commands to flush it.January 29, 2021 at 10:08 pm #51603January 29, 2021 at 10:08 pm #51604
as you can see that is working because it is changing.January 30, 2021 at 6:24 pm #51617
You have never mentioned before that bettercap works, so I was just pointing out the possible things that could go wrong. Are you able to sniff http data in with bettercap?
Yeah, the arp spoof attack is working so you should be able to sniff data from http://testphp.vulnweb.com/login.php, so clear browser’s cache on victim and try it again.
Also remember to enable ip forwarding every time you want boot kali and want to try this attack, I mean echo 1 > /proc/sys/net/ipv4/ip_forward
Let me know.
DiegoJanuary 30, 2021 at 8:41 pm #51620
Everything works with bettercap. I can sniff data from http, I can downgrade https to http, dns spoof and so on.
I am not able to sniff data from http://testphp.vulnweb.com/login.php, and in no http webiste.
I always enable port forward.February 1, 2021 at 1:09 pm #51659
Help me please.February 1, 2021 at 6:29 pm #51675
I just tested it and it works as expected. The steps I follow:
– Check ip from victim machine.
– Run the ettercap attack with all the arguments needed.
– Check on windows machine that the arp table has been modified.
– Clear browser’s cache.
– Visit http://testphp.vulnweb.com/login.php and log in.
– Credentials are displayed in ettercap.
So if the arp spoofing attack is working then you should be able to sniff credentials, you can also run wireshark in the background before visiting vulnweb page and capture all the packets, then search among the results and you should be able to find the credentials.
DiegoFebruary 3, 2021 at 12:37 am #51731
It’s working for http, I can see data in wireshark, everything okay, but when I run sslstrip everything goes over https.February 3, 2021 at 7:22 pm #51765
Ok, now let’s make sslstrip to work first, so just run the arp spoof attack, set the proper ipstables rule, then go to victim machine and check that the arp spoofing attack is working by checking the arp table, if it does then clear the entire browser’s cache and type stackoverflow in the browser’s bar address without prepending https://
Let me know how it goes!
- You must be logged in to reply to this topic.