ARP Poisoning

[jimbo at abs.net (jim)]

Hmm.  Well, maybe.

Firstly, I went back and re-read your original question.  You asked 
about traffic to a specific destination host.  The methods I outlined 
will redirect *all* the victim's traffic to the other machine- you'll 
then have to decide what to do with it.  Check out the whole dsniff 
suite- you can do a lot with it besides the redirection, but it's mainly 
MITM/eavesdropping attacks.  If you want to, say, redirect all the 
victim's traffic through yourself and serve up a browser attack back to 
the target on port 80 with Metasploit, I think that could work.   
Actually, that's something I've been meaning to try- if anyone has done 
this, I'd like to hear about it. 

Now then: in you scenario below: is the pivot machine on the same subnet 
as the victim?  If so, you can arp poison the target and save a copy of 
the traffic locally on the pivot machine (tcpdump), or encapsulate and 
forward a copy to your off-subnet attack machine.  Something like 
tcpdump eth0 | netcat <options> might work for this.  There may be 
better tools, but I don't know what they are.  If the target machine is 
compromised, and that technique works, you could use that to get it 
off-subnet directly.

Without knowing more about what you're trying to do and the OSes 
involved that's about all I can come up with.

J-.

Bryan Richardson wrote:
> Hey Jim,
>
> Thanks for the response. That's great news.  One quick question... if 
> my attack machine is on a different subnet, but I'm pivoting through 
> another compromised machine, is there a way to still make this work?
>
> --
> Bryan
>
> On Thu, Apr 16, 2009 at 9:33 AM, jim <jimbo at abs.net 
> <mailto:jimbo at abs.net>> wrote:
>
>
>     If the host is already compromised, you can use the "arp" command
>     to make a static arp entry.  If it's not, you can use the dsniff
>     utility to poison its arp cache.
>
>     Note that this is a layer 2 redirection so the machine to which
>     you're redirecting traffic must be on the same IP subnet.
>
>     Jim
>
>     Bryan Richardson wrote:
>
>         Hello All,
>
>         I've poked around a little bit in the code and on the mailing
>         list,
>         but I haven't found an answer to a question I have:
>
>         Is it possible to conduct ARP poisoning (or some other act) so
>         as to
>         direct traffic from a compromised host destined for a
>         particular IP
>         address to the attacker's machine?
>
>         --
>         Thanks!
>         Bryan
>         _______________________________________________
>         https://mail.metasploit.com/mailman/listinfo/framework
>