I think I understand the overall process here, but for some reason I am not seeing telnet traffic. I even confirmed that I was following the steps in the solution and am still not seeing telnet, just the ARP messages and some TCP retransmission. I have tried switching the host and target in arpspoof with no change.
Hi! Can you share some screens of the commands and the traffic?
Hi @DarrenHobbs, I retraced all the steps from the solution given for the lab and I got the Telnet credentials in Wireshark. I have attached a few screenshots for reference.
After connecting to the lab and identifying the server, I followed these steps:
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
because I got a permission-denied error even after using sudo with
echo 1 > /proc/sys/net/ipv4/ip_forward
Starting ARP Spoof
I managed to find the credentials for the telnet server in the first TCP packet intercepted by Wireshark.
Make sure that you start the packet capture in Wireshark on the "tap0" interface.
@DarrenHobbs Have you used the IP forwarding command? If not, the attacker machine will not proxy the requests between source and destination.
Also check the command and the usage of the victim's and server's IP addresses; if the IP addresses are interchanged, there might again be issues with interception.
Please check the Wireshark interface and do not use promiscuous mode, as there would be a chance of intercepting other traffic.
Also, try resetting the lab after the initial issues; it resolves most of them. And look at the solution again, as there might be a minute error we have been making.
I recently completed the lab and was successfully able to capture the data.
If the problem still persists, it would be better if you could share some screenshots.
I will try it again this evening, but I think the only thing I was doing differently was that I was root instead of using sudo repeatedly. My output was just like your screenshot, though. No telnet to follow.
If you do find the issue behind it, do update us for future reference.
Well… for some reason the ip_forward redirect only works when I am root. When I try what you did I get:
This seems to work for me:
In Wireshark, I am getting:
All the steps you have taken seem to be correct; I am not able to figure out why the credentials will not show up after following the TCP stream. Maybe try to capture and check more packets!
After some research, I think I found the solution: try to use the command
sudo iptables -P FORWARD ACCEPT
This should solve the issue. I'll try it right now to see if the issue is solved. Please let me know!
I see that the packets are redirected to the telnet service (the TCP retransmission packets forward the packets from your port to port 23) but you can't see the telnet traffic. I don't know what the problem could be; I'll try to troubleshoot and I'll let you know!
@DarrenHobbs Can you post the output of this command:
Here you go. Lots of weirdness in there. Maybe I should flush it and see if that fixes it?
Try to flush the iptables rules with
sudo iptables -F
and try again!
As you can see, the FORWARD policy is set to DROP; flush and then execute the command
sudo iptables -P FORWARD ACCEPT
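The two prerequisites this thread turns on (enabling ip_forward in the steps above, and the FORWARD chain policy fixed here) are the settings that make an otherwise correct arpspoof setup show nothing but ARP and TCP retransmissions: the poisoned victim sends its SYN to the attacker's MAC, the attacker's kernel either refuses to route it (ip_forward=0) or drops it in netfilter (FORWARD policy DROP), and the victim keeps retransmitting. The pre-flight check below is an added example, not the lab's or anyone in the thread's code; it parses the output of iptables -S FORWARD and the ip_forward proc file, and prints the commands to fix whatever is wrong. It uses sysctl instead of the echo redirect because "sudo echo 1 > file" fails when the redirect is performed by the unprivileged shell, exactly the permission-denied error reported above. Function names and the sample iptables output in the usage are my own.

```python
"""Pre-flight check for a Linux host about to ARP-spoof a victim and a server
and forward their traffic.

Added example; not the lab's code or anything posted in the thread.  The
parsers work on plain text so they can be exercised on constructed output.
"""
import subprocess
import sys

PROC_IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"


def ip_forward_enabled(proc_text):
    """True when the content of /proc/sys/net/ipv4/ip_forward is '1'."""
    return proc_text.strip() == "1"


def forward_policy(iptables_s_output):
    """Default policy of the FORWARD chain, parsed from 'iptables -S FORWARD'
    output (the line looks like '-P FORWARD DROP')."""
    for line in iptables_s_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-P" and parts[1] == "FORWARD":
            return parts[2]
    raise ValueError("no '-P FORWARD <policy>' line in iptables output")


def forward_drop_rules(iptables_s_output):
    """Explicit FORWARD rules that DROP or REJECT; these bite even when the
    chain policy is ACCEPT (Docker and firewall front-ends add such rules)."""
    return [line for line in iptables_s_output.splitlines()
            if line.startswith("-A FORWARD")
            and (" -j DROP" in line or " -j REJECT" in line)]


def remediation(ip_forward_ok, policy, drop_rules):
    """Shell commands (to run with sudo) that fix whatever is wrong, in the
    order they should be applied.  An empty list means forwarding is fine."""
    cmds = []
    if not ip_forward_ok:
        # sysctl runs as root itself, so no shell redirect is involved.
        cmds.append("sudo sysctl -w net.ipv4.ip_forward=1")
    if drop_rules:
        # Flush only the FORWARD chain rather than every chain (iptables -F).
        cmds.append("sudo iptables -F FORWARD")
    if policy != "ACCEPT":
        cmds.append("sudo iptables -P FORWARD ACCEPT")
    return cmds


def main():
    with open(PROC_IP_FORWARD) as f:
        fwd_ok = ip_forward_enabled(f.read())
    try:
        out = subprocess.run(["iptables", "-S", "FORWARD"], check=True,
                             capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        sys.exit(f"could not read the iptables FORWARD chain (run as root?): {exc}")
    policy, drops = forward_policy(out), forward_drop_rules(out)
    print(f"ip_forward={'1' if fwd_ok else '0'} FORWARD policy={policy} "
          f"explicit drop/reject rules={len(drops)}")
    fixes = remediation(fwd_ok, policy, drops)
    if not fixes:
        print("forwarding prerequisites OK; start arpspoof and capture on tap0")
        return
    print("run the following, then restart arpspoof:")
    for cmd in fixes:
        print("  " + cmd)
    sys.exit(1)


if __name__ == "__main__":
    main()
```

Run it as root (or under sudo) before starting arpspoof; the explicit-rule check matters because a FORWARD policy of ACCEPT still drops traffic when an earlier rule in the chain jumps to DROP, which a plain "iptables -P FORWARD ACCEPT" does not touch.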
Yep, having the iptables rules jacked up was the problem. Worked like a charm! Thanks a lot.
You're welcome! If you want, you can mark the solution post as the solution; that way this thread will be flagged as Solved and other students can solve this issue!
Which one should I follow as the TCP stream?
In Wireshark, the entries of each conversation are grouped together. This is displayed in the first column [No.] with a connecting line. From the image that you have shared, it seems like all these packets are part of the same conversation. You can right-click on any of the entries and follow the TCP stream.
If you have multiple conversations, then try the following.
View Conversations: Statistics -> Conversations -> TCP (tab). Then select one conversation (based on your source/destination) and click on 'Follow Stream'. That will create a display filter to show only that single conversation.
You can also apply a display filter manually: tcp.stream eq 0, tcp.stream eq 1, etc.
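The grouping described above, as an added example that is not part of the thread or the lab: a conversation index is assigned the way Wireshark's tcp.stream does it (both directions of one address/port pair share a number, numbered in order of first appearance), and the bytes of one conversation are joined the way Follow TCP Stream shows them. It also shows why the credentials are easy to miss in the combined view: a telnet client sends one keystroke per segment and the server echoes each one, so the raw stream reads "aaddmmiinn", while the password is never echoed. Looking only at the client-to-server direction and skipping the IAC option negotiation recovers what was typed. The packet list is constructed inline; the addresses, ports, "admin"/"s3cret" and the assumption that the first two typed lines are the username and password (a standard Linux telnetd login prompt) are mine.

```python
"""Reassemble telnet conversations from a list of captured segments and
recover what the client typed.  Added example, not from the thread or lab;
the capture below is constructed, not real traffic."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport payload")

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def stream_index(packets):
    """tcp.stream-style numbering: both directions of one 4-tuple share an
    index, assigned in order of first appearance in the capture."""
    seen = {}
    return [seen.setdefault(frozenset([(p.src, p.sport), (p.dst, p.dport)]), len(seen))
            for p in packets]


def strip_telnet_negotiation(data):
    """Drop IAC command sequences so only typed/echoed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                                   # truncated IAC at the end
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2                 # escaped literal 0xFF
        elif data[i + 1] == SB:                     # subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                  # three-byte option command
        else:
            i += 2                                  # two-byte command (NOP, AYT, ...)
    return bytes(out)


def follow_stream(packets, index, toward=None):
    """Bytes of conversation `index` in capture order, like Follow TCP Stream.
    toward=(ip, port) keeps only segments sent to that endpoint."""
    return b"".join(p.payload for p, i in zip(packets, stream_index(packets))
                    if i == index and (toward is None or (p.dst, p.dport) == toward))


def extract_credentials(packets, index, server):
    """(username, password) typed by the client in stream `index` to `server`.
    Assumption: first typed line is the login name, second is the password."""
    typed = strip_telnet_negotiation(follow_stream(packets, index, toward=server))
    lines = typed.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n").split(b"\n")
    if len(lines) < 3:
        raise ValueError("fewer than two complete lines typed; capture more packets")
    return lines[0].decode(), lines[1].decode()


# --- constructed capture: one unrelated HTTP segment, then a telnet login ---
CLIENT, SERVER = ("10.10.10.5", 41234), ("10.10.10.9", 23)
OTHER_SRC, OTHER_DST = ("10.10.10.5", 52000), ("10.10.10.7", 80)


def typed(text, echo=True):
    """Client sends one keystroke per segment; server echoes it when echo is on."""
    pkts = []
    for ch in text:
        pkts.append(Packet(*CLIENT, *SERVER, ch.encode()))
        if echo:
            pkts.append(Packet(*SERVER, *CLIENT, ch.encode()))
    return pkts


CAPTURE = [
    Packet(*OTHER_SRC, *OTHER_DST, b"GET / HTTP/1.0\r\n\r\n"),       # stream 0
    Packet(*CLIENT, *SERVER, bytes([IAC, DO, 1, IAC, WILL, 24])),    # DO ECHO, WILL TERMINAL-TYPE
    Packet(*SERVER, *CLIENT, bytes([IAC, WILL, 1]) + b"login: "),
    *typed("admin"),
    Packet(*CLIENT, *SERVER, b"\r\n"),
    Packet(*SERVER, *CLIENT, b"\r\nPassword: "),
    *typed("s3cret", echo=False),                                    # password is not echoed
    Packet(*CLIENT, *SERVER, b"\r\n"),
    Packet(*SERVER, *CLIENT, b"\r\nLast login: Mon 09:00\r\n$ "),
]

if __name__ == "__main__":
    print("stream indices:", stream_index(CAPTURE))
    print("combined view :", strip_telnet_negotiation(follow_stream(CAPTURE, 1)))
    print("credentials   :", extract_credentials(CAPTURE, 1, SERVER))
```

On a real capture the same logic applies to the bytes Wireshark shows after selecting the conversation with Statistics -> Conversations or tcp.stream eq N: pick the client-to-server direction in the Follow TCP Stream dialog and the doubled characters and the missing password disappear.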
I did this but I am not able to find the credentials as shown in the image in solutions.