MITM 5: Forwarding packets

Posted on January 31, 2012


As mentioned in the previous post, after spoofing the ARP tables of both the victim and the default gateway, you may block the victim's internet connection, because packets are sent to the attacker, which doesn't forward them to the default gateway: the attacker opens the packet (data link layer) and reads the destination IP address (network layer). If it doesn't match its own IP address, it drops the packet.

Instead of dropping the packet, the attacker should read the destination IP address and forward the packet to the MAC address bound to this IP address (according to its ARP table).

To enable the forwarding of packets, you can use sysctl on OS X and on most Linux systems. sysctl is used to modify kernel parameters at runtime. Here is the command on Linux to enable the forwarding of IPv4 packets:

sudo sysctl -w net.ipv4.ip_forward=1

This command actually writes (-w) the value 1 (=1) to the file /proc/sys/net/ipv4/ip_forward (net.ipv4.ip_forward).

On OS X, you can use the command:

sudo sysctl -w net.inet.ip.forwarding=1

The command needs to be run on the attacker's computer.

The change is not persistent: it lasts only until the next reboot, or until the saved settings are reloaded with the command: sudo sysctl -p

Now if you try to browse a website on the victim computer, it should work. And if you use Wireshark on the attacker computer, you should see the victim's internet traffic.
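
The forwarding switch described above is also something a defender can check on hosts that are not meant to route. The following shell script is an added example, not part of the original post: it compares the runtime value in /proc/sys/net/ipv4/ip_forward with the value set in sysctl configuration files. The function names, the finding labels and the file order (/etc/sysctl.d/*.conf, then /etc/sysctl.conf, later files winning) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit IPv4 forwarding on a Linux host that should not route.

# Print the runtime value (0 or 1) read from the proc file, or "unknown".
runtime_forwarding() {
    procfile=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$procfile" ] || { echo unknown; return 0; }
    tr -d '[:space:]' < "$procfile"
    echo
}

# Print the last value assigned to net.ipv4.ip_forward in the given sysctl
# config files (later files and later lines win), or "unset" if none sets it.
# Accepts both the dotted and the slash key notation; comment lines are skipped.
persistent_forwarding() {
    value=unset
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n \
            's/^[[:space:]]*net[./]ipv4[./]ip_forward[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    echo "$value"
}

# Print one finding line. Usage: audit_forwarding PROCFILE CONFIG...
audit_forwarding() {
    pf=$1; shift
    rt=$(runtime_forwarding "$pf")
    cfg=$(persistent_forwarding "$@")
    case "$rt:$cfg" in
        1:1) echo "ENABLED runtime=1 persistent=1 (configured as a router)" ;;
        1:*) echo "SUSPICIOUS runtime=1 persistent=$cfg (not set by sysctl config)" ;;
        0:1) echo "PENDING runtime=0 persistent=1 (enabled at reboot or sysctl -p)" ;;
        0:*) echo "OK runtime=0 persistent=$cfg" ;;
        *)   echo "UNKNOWN runtime=$rt persistent=$cfg" ;;
    esac
}

# Audit the local host using the real file locations.
audit_forwarding /proc/sys/net/ipv4/ip_forward /etc/sysctl.d/*.conf /etc/sysctl.conf
```

A SUSPICIOUS result is not proof of an attack: software such as container or virtualization tooling may also enable forwarding at runtime.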
