Viewing 11 posts - 16 through 26 (of 26 total)
  • Author
    Posts
  • #51595
    diegodiego
    Moderator

    Hi!
    Did you avoid running sslstrip this time and any iptables rule? So it looks like you have internet connection now. So it might happen that your router has some arp spoofing protection, in that case the only thing you can do is disabling such protection or just arp spoof in one direction, as mentioned in the last lecture of Section 9 Post Connection Attacks, in that case you won’t be able to modify any response. So to confirm this is an issue with the router can you run arp -a in windows machine before and during the attack? And show the results here.

    You have mentioned that it didn’t work in the virtual lab, so how did you test it if you are not able to run 2 virtual machines?

    Thanks!
    Diego

    #51601
    akademikaneakademikane
    Participant

    I was able to run even though that was so hard because it took me one hour to just type a command, I don’t have a powerful laptop.

    How can it be a router with Arp spoofing protection when I can spoof it using bettercap ?

    #51602
    akademikaneakademikane
    Participant

    I avoid using sslstrp and I also did not use any ip table rules, I used the commands to flush it.

    #51603
    akademikaneakademikane
    Participant

    uja
    uje
    ujk

    #51604
    akademikaneakademikane
    Participant

    as you can see that is working because it is changing.

    #51617
    diegodiego
    Moderator

    Hi!
    You have never mentioned before that bettercap works, so I was just pointing out the possible things that could go wrong. Are you able to sniff http data in with bettercap?
    Yeah, the arp spoof attack is working so you should be able to sniff data from http://testphp.vulnweb.com/login.php, so clear browser’s cache on victim and try it again.
    Also remember to enable ip forwarding every time you want boot kali and want to try this attack, I mean echo 1 > /proc/sys/net/ipv4/ip_forward

    Let me know.
    Diego

    #51620
    akademikaneakademikane
    Participant

    Everything works with bettercap. I can sniff data from http, I can downgrade https to http, dns spoof and so on.
    I am not able to sniff data from http://testphp.vulnweb.com/login.php, and in no http webiste.
    I always enable port forward.

    #51659
    akademikaneakademikane
    Participant

    Help me please.

    #51675
    diegodiego
    Moderator

    Hi!
    I just tested it and it works as expected. The steps I follow:

    – Check ip from victim machine.
    – Run the ettercap attack with all the arguments needed.
    – Check on windows machine that the arp table has been modified.
    – Clear browser’s cache.
    – Visit http://testphp.vulnweb.com/login.php and log in.
    – Credentials are displayed in ettercap.

    So if the arp spoofing attack is working then you should be able to sniff credentials, you can also run wireshark in the background before visiting vulnweb page and capture all the packets, then search among the results and you should be able to find the credentials.

    Greetings!
    Diego

    #51731
    akademikaneakademikane
    Participant

    It’s working for http, I can see data in wireshark, everything okay, but when I run sslstrip everything goes over https.

    #51765
    diegodiego
    Moderator

    Hi!
    Ok, now let’s make sslstrip to work first, so just run the arp spoof attack, set the proper ipstables rule, then go to victim machine and check that the arp spoofing attack is working by checking the arp table, if it does then clear the entire browser’s cache and type stackoverflow in the browser’s bar address without prepending https://

    Let me know how it goes!
    Diego

Viewing 11 posts - 16 through 26 (of 26 total)
  • You must be logged in to reply to this topic.