Wireless Security
arp cache poisoning on a wifi network Jul 16 2008 10:51PM Robin Wood (dninja gmail com) (4 replies)
Re: arp cache poisoning on a wifi network Jul 17 2008 12:11PM Elton Ramos Carvalho (elton locknet com br) (1 replies)
Re: arp cache poisoning on a wifi network Jul 17 2008 01:34PM Cedric Blancher (blancher cartel-securite fr) (1 replies)
Re: arp cache poisoning on a wifi network Jul 17 2008 05:32AM Cedric Blancher (blancher cartel-securite fr)
RE: arp cache poisoning on a wifi network Jul 16 2008 06:08AM Sergio Castro (sergio castro unicin net)
> On Thursday 17 July 2008 at 09:11 -0300, Elton Ramos Carvalho wrote:
>> Have you checked if iptables is stopped?
>
> AFAIK, iptables does not stop ARP traffic.
>
> Maybe a hint:
> http://content.ix2.com/showthread.php?t=1776
>
>
> "Ok, from the source code (arpspoof.c) I take that if __linux__ is
> defined, the attacker gets the client's MAC address by looking at
> the response to the bootp packet (which, according to ethereal, is a
> malformed packet).
> However, in arp.c (arp_cache_lookup) it seems that only entries wrt
> eth0 are looked for in the cache, so my arp entry concerning a
> machine on eth1 is ignored...
> All seems right now: I have changed eth0 in the code to eth1, and
> indeed for most of the time the client's arp entry for the gateway
> is now poisoned!"
>
I was going to wait till I had some time to read through all the
replies properly and to test some of them before replying but this
seems to completely explain the problem. I'm on ath0 so looking for
stuff in eth0's cache won't work.
I'll try the other suggestions later today hopefully, if not tomorrow,
and I'll report back. I can say that I did try ettercap at the same
time and that couldn't get the poisoning working either. I launched
everything but when I used the poison checker module it said that
nothing was being poisoned. By that point I'd lost the momentum and
given up so I'll give it another try now I'm fresh and I know that I'm
probably not just doing something basic wrong.
Robin
> Actually, ARPing target with BOOTP packet is kinda strange to me...
> Hardcoded eth0 too :)
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>>> Hi! I'm your friendly neighbourhood signature virus.
>>> Copy me to your signature file and help me spread!
>
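The interface-scoped cache lookup discussed in the quoted post, as an added example that is not part of the original thread and is not dsniff's code: it shows why a lookup pinned to eth0 reports a miss for a host whose ARP entry lives on ath0. The helper name `arp_table_lookup`, the use of the `/proc/net/arp` text layout as a stand-in for the lookup in arp.c, and the sample table (constructed, not captured) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the layout of Linux /proc/net/arp (not captured data). */
static const char SAMPLE_ARP_TABLE[] =
    "IP address       HW type     Flags       HW address            Mask     Device\n"
    "192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        ath0\n"
    "192.168.1.23     0x1         0x2         00:aa:bb:cc:dd:ee     *        ath0\n"
    "10.0.0.1         0x1         0x2         00:de:ad:be:ef:01     *        eth0\n"
    "10.0.0.9         0x1         0x0         00:00:00:00:00:00     *        eth0\n";

/* Hypothetical helper: find the MAC for `ip` in an ARP table dump.
 * dev == NULL matches any interface; otherwise only entries on `dev` count.
 * Returns 1 and fills mac_out on a hit, 0 on a miss. */
int arp_table_lookup(const char *table, const char *ip, const char *dev,
                     char *mac_out, size_t mac_len)
{
    const char *line = strchr(table, '\n');        /* skip the header row */
    while (line != NULL && *++line != '\0') {
        char e_ip[64], e_mac[32], e_mask[32], e_dev[32];
        unsigned int hw_type, flags;
        int n = sscanf(line, "%63s %x %x %31s %31s %31s",
                       e_ip, &hw_type, &flags, e_mac, e_mask, e_dev);
        if (n == 6 && (flags & 0x2)                /* ATF_COM: completed entry */
            && strcmp(e_ip, ip) == 0
            && (dev == NULL || strcmp(e_dev, dev) == 0)) {
            snprintf(mac_out, mac_len, "%s", e_mac);
            return 1;
        }
        line = strchr(line, '\n');                 /* advance to next row */
    }
    return 0;
}

int main(void)
{
    char mac[32] = "";
    const char *devs[] = { "eth0", "ath0", NULL }; /* NULL = any interface */
    for (int i = 0; i < 3; i++) {
        int hit = arp_table_lookup(SAMPLE_ARP_TABLE, "192.168.1.1", devs[i],
                                   mac, sizeof mac);
        printf("192.168.1.1 on %-4s -> %s\n", devs[i] ? devs[i] : "any",
               hit ? mac : "no entry");
    }
    return 0;
}
```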