
Thread: ettercap help and dns

  1. #1
    Join Date
    2013-Mar
    Posts
    71

    ettercap help and dns

    When I run ettercap and arpspoof a host, after I close the console it continues to spoof the target and sslstrip them. The same happens when I ettercap DNS spoof: after I stop the spoof, the target page is still redirected. Do I have to clear the DNS cache or something? If so, can someone help me?

  2. #2
    Join Date
    2013-Mar
    Posts
    269
    Hi. If you are using Firefox/Iceweasel, try seeing if it has a cache history to clear.
    Edit --> Preferences --> Advanced --> Network --> Cached Content; Clear Now.

    Also, you can try bouncing your network connection. (Haven't tried this personally yet.)
    root:~# ifdown eth0 (or wlan0 if you're using wireless; it may depend on what your connection is)
    root:~# ifup eth0

    You may want to try this command as well: /etc/init.d/networking restart

    Let us know if this works for you, I am curious as well.
    Fact, Science and the Pursuit of Knowledge. Working to secure your networks from threats; Outside and Within.

  3. #3
    Join Date
    2013-Mar
    Posts
    71
    None of these worked. I'll explain the scenario in more depth.
    **ON MY OWN NETWORK**
    I set up IP forwarding,
    then set up my iptables.
    I then start up sslstrip.
    I run ettercap, arpspoof my laptop and run the DNS plugin.
    I redirect a specific webpage to my custom HTML.
    Works like a charm.
    After I wipe the ettercap targets, stop the attack and close ettercap,
    I then go on my laptop (which was being arpspoofed) and go to the webpage. It still gets redirected to my custom HTML.
    The only way I can get the laptop to load the original page back is if I log off the network and back on, which is kind of pointless.
    I remember in BackTrack 5 R3 there was some way to do a flush or something similar which made the original page come back.

  4. #4
    Join Date
    2013-Mar
    Posts
    12
    A couple of questions....

    Have you tried flushing DNS Cache AND ARP cache? Have you run wireshark/tcpdump to watch the communication? I would venture to guess that the ARP cache from the ARP spoof might be the issue once the domain name is translated to the IP and the IP associated with the spoofed MAC address.

    Clearing ARP cache:

    ip -s -s neigh flush all

    OR.... clearing specific ARP cache

    arp -d <IP address to clear MAC association>
    Last edited by blu3gl0w13; 2013-04-11 at 15:26. Reason: forgot some commands

  5. #5
    Join Date
    2013-Mar
    Posts
    71
    Quote Originally Posted by blu3gl0w13 View Post
    A couple of questions....

    Have you tried flushing DNS Cache AND ARP cache? Have you run wireshark/tcpdump to watch the communication? I would venture to guess that the ARP cache from the ARP spoof might be the issue once the domain name is translated to the IP and the IP associated with the spoofed MAC address.

    Clearing ARP cache:

    ip -s -s neigh flush all

    OR.... clearing specific ARP cache

    arp -d <IP address to clear MAC association>
    This seems like what I was looking for. I'll try to do it in a minute

  6. #6
    Join Date
    2013-Mar
    Posts
    71
    Unfortunately this didn't work ): I ran it and went to the target computer, refreshed the page that was spoofed, and it was still spoofed even though I stopped ettercap, cleared all targets and closed it.

  7. #7
    Join Date
    2013-Apr
    Posts
    6
    I'm sorry if this isn't a solution, but I had a similar problem when redirecting a webpage address to my custom HTML, and when I stopped the attack the address was still being redirected. I finally decided to try resetting my router (power cable out for 1 minute). That solved it for me; I think it had to do with sslstrip and redirecting port 80 to 8080, but I'm not sure. Worth a try?

    I'm behind a Netgear wireless router, and don't know if the router in question has a cache that needed a wipe?

    BR Jake

  8. #8
    Join Date
    2013-Mar
    Posts
    71
    Disconnecting the victim from the network and reconnecting them also clears the spoofed page. I was just looking for something simpler xD Guess that's the only solution!

  9. #9
    Join Date
    2013-Mar
    Posts
    269
    Ah, can you SSH into your router? If so, there might be a way to issue a KILLALL command to... I guess the best way to describe it is like a soft reset (I read this on a Linksys site, don't remember where; I was googling several). Also, I forgot to mention to try "ipconfig /flushdns"; I don't think it will work because it seems like your router is saving the bad info until you reset it. I hope you can find a simpler solution too. I will try to recreate what you are doing to see if I can get the same results, but it may depend on our routers. What router model are you using?
    Last edited by charonsecurity; 2013-04-12 at 13:17.
    Fact, Science and the Pursuit of Knowledge. Working to secure your networks from threats; Outside and Within.

  10. #10
    Join Date
    2013-Mar
    Posts
    65
    Just want to note: when you exit ettercap, are you hitting 'q' to re-ARP the victims?

    Also, for sslstrip you will need to flush your iptables (as others noted above).

    And of course the cache on your victim browser.

    As charonsecurity said, if it's cached on the router, you may have to clear it there as well.

    I will try with easy-creds, as it will usually clear all the client side stuff for you on cleanup.

    Thanks,
    Eric
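The posts above (the setup in #3, the ARP-cache suspicion in #4 and the cleanup checklist in #10) describe a procedure without showing it. The script below is an added example written for this thread; it is not code from any of the posters, from ettercap or from sslstrip. It does two things: a root-only teardown on the attacker that reverts the IP forwarding and the port-80 redirect (ettercap's own 'q' handles re-ARPing the victims), and a check you can run on the victim against `ip neigh show` output to see whether the gateway entry still carries a MAC that another host also claims, which is what a stale ARP spoof looks like. The interface, addresses, MACs and the two neighbour dumps are constructed for the example; the ettercap target syntax is not needed here because the script does not start the attack.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster, ettercap or sslstrip).
# Interface, gateway and addresses below are assumed values.
IFACE="${IFACE:-eth0}"
GW="${GW:-192.168.1.1}"

# Attacker side: undo the setup described in post #3. Requires root.
# Stopping ettercap with 'q' re-ARPs the victims; this only reverts the
# forwarding, the sslstrip redirect and the attacker's own neighbour cache.
attacker_teardown() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    pkill -f sslstrip 2>/dev/null || true
    # Remove the port 80 -> 8080 REDIRECT that fed sslstrip (rule as commonly written).
    iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 2>/dev/null || true
    sysctl -w net.ipv4.ip_forward=0
    # Post #4: drop neighbour entries learned while the spoof was running.
    ip neigh flush dev "$IFACE"
}

# Victim side: list every MAC that appears for more than one IP in an
# `ip neigh show` dump ($1). Works with or without the "dev IFACE" columns,
# because the MAC is located by scanning for the "lladdr" keyword.
# Output lines: "<mac>: <ip1> <ip2> ...", sorted.
find_shared_macs() {
    printf '%s\n' "$1" | awk '
        { mac = ""; for (i = 1; i < NF; i++) if ($i == "lladdr") mac = $(i + 1) }
        mac != "" { ips[mac] = ips[mac] " " $1; n[mac]++ }
        END { for (m in n) if (n[m] > 1) print m ":" ips[m] }' | sort
}

# Classify the gateway entry in dump $1 for gateway IP $2:
#   poisoned  - the gateway's MAC is also claimed by another IP (typical after
#               an ARP spoof whose re-ARP never arrived)
#   clean     - the gateway has a MAC nobody else uses
#   unknown   - no lladdr for the gateway (e.g. a FAILED entry)
gateway_state() {
    gw_mac=$(printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == gw { for (i = 1; i < NF; i++) if ($i == "lladdr") print $(i + 1) }')
    [ -n "$gw_mac" ] || { echo "unknown"; return 0; }
    case "$(find_shared_macs "$1")" in
        *"$gw_mac:"*) echo "poisoned" ;;
        *)            echo "clean" ;;
    esac
}

# Constructed dumps in `ip neigh show` format (not captured from a real host).
# In the poisoned one the attacker at .10 still owns the gateway's entry.
POISONED_DUMP='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb REACHABLE
192.168.1.50 dev eth0 FAILED'
CLEAN_DUMP='192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'

# Demonstration on the constructed dumps. On the real victim run:
#   gateway_state "$(ip neigh show)" "$GW"
# and, if it says poisoned, `ip neigh flush all` (post #4) and retest.
echo "poisoned dump: $(gateway_state "$POISONED_DUMP" "$GW")"
echo "clean dump:    $(gateway_state "$CLEAN_DUMP" "$GW")"
```

If the victim's table reads "clean" and the page is still redirected, the ARP cache is not the culprit and the remaining suspects are the ones the thread names: the browser cache, a leftover REDIRECT rule on the attacker, or a cache on the router.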
