ARP Poisoning

[wullie19 at ntlworld.com (rogue)]

Hi there,

I'm not sure about doing this on a pivot(that's a trick I really would like to 
know) but I guess it comes down to the OS's involved. To redirect some one 
via arp poisoning to metasploit client side attack you can use ettercap with a 
custom filter to swap img tags for iframe's ponting at the attack machine.  Or 
alternatively you can use fasttrack mass client side attack which sets up a 
web server creates index.htm full of iframes pointing at waiting metasploit 
client side exploits and uses arp poisoning to redirect the victims to our 
attack machine.

-rogue


> Hmm.  Well, maybe.
>
> Firstly, I went back and re-read your original question.  You asked
> about traffic to a specific destination host.  The methods I outlined
> will redirect *all* the victim's traffic to the other machine- you'll
> then have to decide what to do with it.  Check out the whole dsniff
> suite- you can do a lot with it besides the redirection, but it's mainly
> MITM/eavesdropping attacks.  If you want to, say, redirect all the
> victim's traffic through yourself and serve up a browser attack back to
> the target on port 80 with Metasploit, I think that could work.
> Actually, that's something I've been meaning to try- if anyone has done
> this, I'd like to hear about it.
>
> Now then: in you scenario below: is the pivot machine on the same subnet
> as the victim?  If so, you can arp poison the target and save a copy of
> the traffic locally on the pivot machine (tcpdump), or encapsulate and
> forward a copy to your off-subnet attack machine.  Something like
> tcpdump eth0 | netcat <options> might work for this.  There may be
> better tools, but I don't know what they are.  If the target machine is
> compromised, and that technique works, you could use that to get it
> off-subnet directly.
>
> Without knowing more about what you're trying to do and the OSes
> involved that's about all I can come up with.
>
> J-.
>
> Bryan Richardson wrote:
> > Hey Jim,
> >
> > Thanks for the response. That's great news.  One quick question... if
> > my attack machine is on a different subnet, but I'm pivoting through
> > another compromised machine, is there a way to still make this work?
> >
> > --
> > Bryan
> >
> > On Thu, Apr 16, 2009 at 9:33 AM, jim <jimbo at abs.net
> > <mailto:jimbo at abs.net>> wrote:
> >
> >
> >     If the host is already compromised, you can use the "arp" command
> >     to make a static arp entry.  If it's not, you can use the dsniff
> >     utility to poison its arp cache.
> >
> >     Note that this is a layer 2 redirection so the machine to which
> >     you're redirecting traffic must be on the same IP subnet.
> >
> >     Jim
> >
> >     Bryan Richardson wrote:
> >
> >         Hello All,
> >
> >         I've poked around a little bit in the code and on the mailing
> >         list,
> >         but I haven't found an answer to a question I have:
> >
> >         Is it possible to conduct ARP poisoning (or some other act) so
> >         as to
> >         direct traffic from a compromised host destined for a
> >         particular IP
> >         address to the attacker's machine?
> >
> >         --
> >         Thanks!
> >         Bryan
> >         _______________________________________________
> >         https://mail.metasploit.com/mailman/listinfo/framework
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework