ettercap help and dns



Lordx19
2013-04-11, 01:20
When I run ettercap and arpspoof a host, after I close the console it continues to spoof the target and sslstrip them. The same happens when I ettercap DNS spoof. After I stop the spoof the target page is still redirected. Do I have to clear the DNS cache or something? If so, can someone help me?

charonsecurity
2013-04-11, 03:51
Hi. If you are using Firefox/Iceweasel, try seeing if it has a cache history to clear.
Edit --> Preferences --> Advanced --> Network --> Cached Content; Clear Now.

Also, you can try bouncing your network connection. (Haven't tried this personally yet)
root:~# ifdown eth0 (or wlan0 if you're using wireless; may be dependent on what your connection is)
root:~# ifup eth0

You may want to try this command as well: /etc/init.d/networking restart

Let us know if this works for you, I am curious as well.

Lordx19
2013-04-11, 13:55
None of these worked. I'll explain the scenario in more depth.
**ON MY OWN NETWORK**
I set up ip forward
then set up my iptables
I then start up sslstrip
I run ettercap and arpspoof my laptop and run the dns plugin
I redirect a specific webpage to my custom html.
Works like a charm
After I wipe the ettercap targets and stop the attack and close ettercap
I then go on my laptop (which was being arpspoofed) and I go to the webpage.. It still gets redirected to my custom html
The only way I can get the laptop to load the original page back is if I log off the network and back on.. Which is kind of pointless.
I remember in backtrack 5r3 there was some way to do a flush or something similar which made the original page come back.

blu3gl0w13
2013-04-11, 15:22
A couple of questions....

Have you tried flushing DNS Cache AND ARP cache? Have you run wireshark/tcpdump to watch the communication? I would venture to guess that the ARP cache from the ARP spoof might be the issue once the domain name is translated to the IP and the IP associated with the spoofed MAC address.

Clearing ARP cache:

ip -s -s neigh flush all

OR.... clearing specific ARP cache

arp -d <IP address to clear MAC association>

Lordx19
2013-04-11, 16:43
> A couple of questions....
>
> Have you tried flushing DNS Cache AND ARP cache? Have you run wireshark/tcpdump to watch the communication? I would venture to guess that the ARP cache from the ARP spoof might be the issue once the domain name is translated to the IP and the IP associated with the spoofed MAC address.
>
> Clearing ARP cache:
>
> ip -s -s neigh flush all
>
> OR.... clearing specific ARP cache
>
> arp -d <IP address to clear MAC association>

This seems like what I was looking for. I'll try to do it in a minute

Lordx19
2013-04-11, 17:04
Unfortunately this didn't work ): I ran it and went to the target computer. Refreshed the page that was spoofed.. and it was still spoofed even though I stopped ettercap and cleared all targets and closed it.

jakesumer
2013-04-11, 19:57
I'm sorry if this isn't a solution, but I had a similar problem when redirecting a webpage address to my custom html, and when I stopped the attack the address was still being redirected. I finally decided to try to reset (power cable out for 1 minute) my router. That solved it for me; think it had to do with sslstrip and redirecting port 80 to 8080, but not sure. Worth a try?

I'm behind a Netgear wireless router, and don't know if the router in question has a cache that needed a wipe?

BR Jake

Lordx19
2013-04-12, 03:18
Disconnecting the victim from the network and reconnecting them also clears the spoofed page too. I was just looking for something simpler xD Guess that's the only solution!

charonsecurity
2013-04-12, 13:11
Ah, can you SSH into your router? If so, there might be a way to issue a KILLALL command, to .. I guess the best way to describe it is like a soft reset (I read this on a Linksys site, don't remember where, I was googling several).. Also I forgot to mention to try "ipconfig /flushdns", don't think it will work cause it seems like your router is saving the bad info until you reset it. I hope you can find a simpler solution too. I will try to recreate what you are doing to see if I can get the same results, but it may be dependent on our routers. What router model are you using?

brav0hax
2013-04-12, 16:36
Just want to note, when you exit ettercap are you hitting 'q' to re-ARP the victims?

Also, for sslstrip you will need to flush your iptables (as others noted above)

And of course the cache on your victim browser.

As charonsecurity said, if it's cached on the router, you may have to clear there as well.

I will try with easy-creds, as it will usually clear all the client side stuff for you on cleanup.

Thanks,
Eric
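The replies above point at two pieces of host-side state that outlive an ettercap run: the sslstrip port-80 REDIRECT rule left in the nat table and poisoned ARP entries. The script below is an added example, not code from the thread or from ettercap; it audits captured `iptables-save -t nat` and `ip neigh show` output (constructed samples are embedded so it runs without root) and gathers the cleanup commands the thread recommends into one function.

```shell
#!/bin/sh
# Added example (not from the thread): audit the leftovers the replies above blame
# for a "still redirected" victim: the sslstrip port-80 REDIRECT rule in the nat
# table and poisoned ARP entries. The checks read command output from stdin, so
# they work on the constructed samples below or on live output, e.g.:
#   iptables-save -t nat | nat_redirects ;  ip neigh show | duplicate_macs

# Constructed sample of `iptables-save -t nat` with the sslstrip redirect still in place.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Constructed sample of `ip neigh show` on the victim: the gateway (.1) and another
# host (.50) resolve to the same MAC, the signature a lingering ARP poison leaves.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:09 REACHABLE'

# Print PREROUTING rules that still divert traffic to a local port (stdin: iptables-save).
nat_redirects() {
    grep -E '^-A PREROUTING .* -j REDIRECT'
}

# Print every MAC that is claimed by more than one IP (stdin: `ip neigh show`).
duplicate_macs() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "lladdr") seen[$(i+1)]++ }
         END { for (m in seen) if (seen[m] > 1) print m }'
}

# Number of leftover REDIRECT rules in the sample (1 here: sslstrip was not cleaned up).
sample_redirect_count() {
    printf '%s\n' "$SAMPLE_NAT" | nat_redirects | wc -l | tr -d ' '
}

# MAC(s) shared by several IPs in the sample (aa:bb:cc:dd:ee:01 here).
sample_shared_macs() {
    printf '%s\n' "$SAMPLE_NEIGH" | duplicate_macs
}

# Undo the host-side state once the lab run is over. Needs root; not called by default.
restore_host() {
    iptables -t nat -F PREROUTING        # drop the port-80 -> 8080 redirect
    ip -s -s neigh flush all             # forget poisoned neighbour entries (from the thread)
    sysctl -w net.ipv4.ip_forward=0      # stop forwarding the victim's traffic
}

echo "leftover REDIRECT rules: $(sample_redirect_count)"
echo "MACs shared by several IPs: $(sample_shared_macs)"
```

Run the audit on the victim side as well: a gateway IP whose MAC matches another host's entry means the poison is still in the victim's ARP cache, which is exactly the case the thread's `ip -s -s neigh flush all` addresses.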