Running a true MITM by arp spoofing another device on the LAN


smi...@sericontech.com

Oct 25, 2017, 2:27:20 PM
to libtins
I've just started to use libtins and so far I think it's great. Setting it up and running the examples was not difficult and I'm beginning to understand what's happening. I am kind of stuck though and was hoping I could get some help.

I'm trying to write a MITM that's just like the HTTP follower example except instead of printing out the requests that are made from the local machine, I want to print requests from a different machine on the LAN.

I do understand that in order to do this I need to run an ARP Spoofing attack. I've played around with the ARP Spoofing example and it seems like a good start, but it seems that any packets that are redirected by the spoof are simply dropped. Instead, I'd like a message printed and then have the packets relayed to the gateway so that they can go on to their correct destination.

Can someone suggest how to merge these two ideas or show me some sample code?

Matias Fontanini

Oct 26, 2017, 12:44:10 PM
to libtins
As much as it would be great if you used libtins for that, isn't it better to use an existing tool (e.g. arpspoof) and then simply running a variation of the HTTP follower that prints what you want? You'll save a lot of effort that way, unless you really want to try implementing that yourself.

smi...@sericontech.com

Oct 30, 2017, 10:37:57 AM
to libtins


On Thursday, October 26, 2017 at 12:44:10 PM UTC-4, Matias Fontanini wrote:
As much as it would be great if you used libtins for that, isn't it better to use an existing tool (e.g. arpspoof) and then simply running a variation of the HTTP follower that prints what you want? You'll save a lot of effort that way, unless you really want to try implementing that yourself.

Thanks Matias,

You're right, simply running arpspoof is probably the way to go. But I still have a problem now that I understand my requirements a little bit better.

What I really need to do is arp spoofing so that I can see the stream of data, but I also want to possibly filter it.

I see that I can use IP forwarding so that the packets from the victim's computer make it out to their destination, and I can use a modified HTTP follower to print that data stream. But I can't filter the data that's being sent out.

What can I look at in libtins to be able to do this?

Matias Fontanini

Oct 30, 2017, 12:21:05 PM
to libtins
By "filtering out" do you mean modifying the stream on the fly? That's trickier and if I were you I'd actually not use libtins at all for that. There's no support for modifying streams on the fly in libtins so you'd have to do this yourself, updating sequence/ack numbers, handling retransmissions, etc. If I were you I'd use a proxy (there's surely an open source tool that does what you want) so you basically perform ARP spoofing, then have clients connect to you (as you're now doing MITM you can do whatever you want) and you actually have the proxy intercept and modify the streams.
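A defender-side counterpart to the ARP spoofing discussed in this thread, added here as an example that is not code from the thread or from libtins: a small C++ ARP-spoof detector that parses raw Ethernet/ARP frames and alerts when an IP already seen on the LAN (the gateway's, typically) suddenly claims a different MAC. The frames, MAC addresses and IPs below are constructed for the demo; in a real deployment you would feed it frames captured with a libtins Sniffer instead of the hand-built ones.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <map>
#include <vector>
using Mac = std::array<uint8_t, 6>;
struct ArpInfo { bool valid = false; uint16_t opcode = 0; Mac sender_mac{}; uint32_t sender_ip = 0; };
// Parse an Ethernet frame carrying IPv4-over-Ethernet ARP (EtherType 0x0806); valid=false otherwise.
ArpInfo parse_arp(const std::vector<uint8_t>& f) {
    ArpInfo r;
    if (f.size() < 42 || f[12] != 0x08 || f[13] != 0x06) return r;             // not ARP
    const uint8_t* a = f.data() + 14;                                            // ARP header
    if (a[0] != 0 || a[1] != 1 || a[2] != 0x08 || a[3] != 0 || a[4] != 6 || a[5] != 4) return r;
    r.opcode = uint16_t(a[6] << 8 | a[7]);                                       // 1 = request, 2 = reply
    std::copy(a + 8, a + 14, r.sender_mac.begin());                              // sender hardware address
    r.sender_ip = uint32_t(a[14]) << 24 | uint32_t(a[15]) << 16 | uint32_t(a[16]) << 8 | a[17];
    r.valid = true; return r;
}
// Remembers which MAC each IP has claimed; an IP switching MAC is the classic spoofing signature.
struct ArpWatch {
    std::map<uint32_t, Mac> known_;
    bool observe(const std::vector<uint8_t>& frame) {        // true = alert
        ArpInfo i = parse_arp(frame);
        if (!i.valid) return false;
        auto it = known_.find(i.sender_ip);
        if (it == known_.end()) { known_[i.sender_ip] = i.sender_mac; return false; }
        if (it->second == i.sender_mac) return false;
        it->second = i.sender_mac;   // track the new claim so a flip back is reported too
        return true;
    }
};
// Constructed ARP reply frame (target fields left zero; the detector does not need them).
std::vector<uint8_t> make_arp_reply(const Mac& mac, uint32_t ip) {
    std::vector<uint8_t> f(42, 0);
    f[12] = 0x08; f[13] = 0x06;                      // EtherType ARP
    f[15] = 1; f[16] = 0x08; f[18] = 6; f[19] = 4;   // htype=1, ptype=0x0800, hlen=6, plen=4
    f[21] = 2;                                       // opcode reply
    std::copy(mac.begin(), mac.end(), f.begin() + 22);
    for (int k = 0; k < 4; ++k) f[28 + k] = uint8_t(ip >> (24 - 8 * k));
    return f;
}
// Constructed scenario: 192.168.1.1 answers twice from its real MAC, then another MAC claims
// the same IP (alert), then that MAC announces its own IP 192.168.1.50 (new entry, no alert).
int run_demo() {
    ArpWatch w; int alerts = 0;
    const Mac gw{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, other{0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
    for (const std::vector<uint8_t>& fr : {make_arp_reply(gw, 0xC0A80101), make_arp_reply(gw, 0xC0A80101),
                                           make_arp_reply(other, 0xC0A80101), make_arp_reply(other, 0xC0A80132)})
        alerts += w.observe(fr);
    return alerts;   // 1
}
```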