Metasploit mailing list archives
ARP Poisoning
From: jimbo at abs.net (jim)
Date: Thu, 16 Apr 2009 15:51:56 -0400
Hmm. Well, maybe. Firstly, I went back and re-read your original question. You asked about traffic to a specific destination host. The methods I outlined will redirect *all* the victim's traffic to the other machine- you'll then have to decide what to do with it. Check out the whole dsniff suite- you can do a lot with it besides the redirection, but it's mainly MITM/eavesdropping attacks. If you want to, say, redirect all the victim's traffic through yourself and serve up a browser attack back to the target on port 80 with Metasploit, I think that could work. Actually, that's something I've been meaning to try- if anyone has done this, I'd like to hear about it. Now then: in you scenario below: is the pivot machine on the same subnet as the victim? If so, you can arp poison the target and save a copy of the traffic locally on the pivot machine (tcpdump), or encapsulate and forward a copy to your off-subnet attack machine. Something like tcpdump eth0 | netcat <options> might work for this. There may be better tools, but I don't know what they are. If the target machine is compromised, and that technique works, you could use that to get it off-subnet directly. Without knowing more about what you're trying to do and the OSes involved that's about all I can come up with. J-. Bryan Richardson wrote:
Hey Jim, Thanks for the response. That's great news. One quick question... if my attack machine is on a different subnet, but I'm pivoting through another compromised machine, is there a way to still make this work? -- Bryan On Thu, Apr 16, 2009 at 9:33 AM, jim <jimbo at abs.net <mailto:jimbo at abs.net>> wrote: If the host is already compromised, you can use the "arp" command to make a static arp entry. If it's not, you can use the dsniff utility to poison its arp cache. Note that this is a layer 2 redirection so the machine to which you're redirecting traffic must be on the same IP subnet. Jim Bryan Richardson wrote: Hello All, I've poked around a little bit in the code and on the mailing list, but I haven't found an answer to a question I have: Is it possible to conduct ARP poisoning (or some other act) so as to direct traffic from a compromised host destined for a particular IP address to the attacker's machine? -- Thanks! Bryan _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)
- ARP Poisoning rogue (Apr 16)
- server/capture/smb issue jeffs (Apr 18)
- ARP Poisoning Bryan Richardson (Apr 16)
- ARP Poisoning jim (Apr 16)