metasploit – Spoofing IP and/or machine from meterpreter

So, I have a meterpreter session with full rights. I wanted to know if there’s a way to spoof my IP address so that when I visit a website or whatever, the IP they get is the victim’s instead of mine. Also, if possible, is there a way to “spoof the PC”? I mean, pretend to websites that I’m using the same device as the victim.
Thanks in advance

dns spoofing – Does subdomain DNS cache poisoning depend on the authoritative name server ignoring requests for non-existing domains?

I’m reading “Introduction to Computer Security”, Pearson New International Edition, 1st edition, by Goodrich and Tamassia.

On the subject of DNS cache poisoning, they mention that a “new” attack was discovered in 2008, so-called “subdomain DNS cache poisoning”. This is how that attack is supposed to play out:

  1. An attacker makes many requests to a name server for non-existing subdomains, say aaaa.example.com, aaab.example.com, aaac.example.com, etc.
  2. The book mentions that these subdomains don’t exist, and that, therefore, the target authoritative name server just ignores the requests.
  3. Simultaneously, the attacker issues spoofed responses to the requests made by the name server under attack, each with a guessed transaction ID (which is randomly chosen and unknown to the attacker).
  4. Because the target authoritative name server ignores requests for non-existing domains, the attacker has opportunity to issue a lot of spoofed responses, making it likely that she will guess the correct transaction ID.

The book was written in 2011, so something might have changed in the meantime. When I dig for a non-existing subdomain, e.g. aaaa.example.com, I get a NXDOMAIN response:

$ dig @a.iana-servers.net. aaaa.example.com. +norecurse

; <<>> DiG 9.16.16 <<>> @a.iana-servers.net. aaaa.example.com. +norecurse                                  
;; global options: +cmd                              
;; Got answer:            
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20391                                                 
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
# ... snip ...

I would assume that any non-authoritative name server would put this result in its negative cache (as it should according to RFC 2308, written in March 1998).

Was it previously common practice for name servers to ignore (= not send a reply to) requests for non-existing subdomains? Has that been replaced with the NXDOMAIN reply that I see today? Is conducting the attack as described above still possible?

arp spoofing – Arp spoof with bettercap in internal network

I’m using bettercap to assess my internal network, using the bettercap/bettercap Docker image on my Mac.
My router IP is 192.168.0.254, and I have two connected objects that I am trying to spoof in order to monitor them using Wireshark.
The problem is that my Docker image doesn’t access my internal network; it always gives me “could not find spoof targets” when executing this command:

set arp.spoof.targets 192.168.0.100-101; arp.spoof on

The command net.show after executing net.probe on it gives me this result :

┌──────────────┬───────────────────┬──────┬────────┬───────┬────────┬──────────┐
│     IP ▴     │        MAC        │ Name │ Vendor │ Sent  │ Recvd  │   Seen   │
├──────────────┼───────────────────┼──────┼────────┼───────┼────────┼──────────┤
│ 192.168.65.3 │ 02:50:00:00:00:01 │ eth0 │        │ 0 B   │ 0 B    │ 08:07:35 │
│              │                   │      │        │       │        │          │
│ 192.168.65.1 │ f6:16:36:bc:f9:c6 │      │        │ 901 B │ 1.0 kB │ 08:08:57 │
└──────────────┴───────────────────┴──────┴────────┴───────┴────────┴──────────┘

I don’t know what to do. I just want to capture the commands sent from the cloud servers to the IoT objects by ARP spoofing.
Thank you.

gmail – Someone is apparently spoofing my email


How does SMS spoofing work practically?

You simply need a way to send SMS messages that allows you to send a message where you can specify the sender.

That’s certainly the easiest way to do it, but having that level of access is tough. My company provides apps and APIs to allow people to send/receive SMS. We do a lot of work to ensure that the “sender” you set is a phone number belonging to you.

We connect directly to SMS aggregators, and they generally don’t do much validation on the sender phone number that our platform provides. For example, I can easily send myself a message from a fake number like 15551234567, a toll-free number, someone’s mobile or landline, etc.

That said, carriers and aggregators constantly monitor for spam and other odd usage patterns. They will block phone numbers and/or originators of bad traffic. An occasional spoofed message or two could fly under the radar, but it’s in the interests of any entities that grant you access to the SMS world to prevent you from sending these types of messages.

tl;dr: Spoofing is possible, but you’ll have a hard time finding anyone willing to give you that access, since granting that access could jeopardize their entire business.

ip spoofing – How to find a presumably spoofed IP

My question is reciprocal to How to find the actual address of spoofed IPs?

On a coturn server I have a repeat offender who is able to initiate requests, and is invariably closed. That address is within a range designated denied-peer-ip, but it continues to appear.

My understanding is that it is the function and purpose of STUN/TURN servers to determine exactly the source IP of a request.

The IP at issue is arguably a bad actor.

I tried grepping all of /var/log/* for the IP and it only shows up in coturn.log
I paged journalctl for the same timestamp ranges – nothing

Where else can I look on my server for activity within the same times as coturn logged the intrusion?

Just curious – I doubt they’d spoof it the same way twice, but to answer how to find the address of spoofed IPs, apparently a STUN/TURN server does.

protection – Does ARP spoofing work on android?

I learnt about ARP spoofing technique and just tried it on my Windows 10 virtual machine. When I tried ARP spoofing on my virtual machine which is connected to the same NAT network as my kali machine, everything goes fine.

But, when I tried the same ARP spoofing on my Android phone, it didn’t work. While trying to figure out this issue, I came to know that some devices have ARP spoofing protection mechanisms.

Do all modern mobile phones have ARP spoofing protection?
Do routers also have this ARP spoofing protection?

sslstrip – ARP Spoofing killing internet connection

I am trying to better understand sslstripping. I have a Kali Linux guest set to bridged mode inside a Windows 10 host, and I give these commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 12345
arpspoof -i eth0 -t 192.168.1.119 -r 192.168.1.1
sslstrip -a -l 12345

After that, the victim’s internet connection crashes. Here are all my tries:

Installing Kali directly on the PC without using VMWare;
Tried to poison another physical Windows 10 machine inside my LAN;
Tried to switch the connection of the attacking machine and victim to my mobile phone hotspot, to see if the router of my home wifi connection has some ARP spoofing protection (I read the manual, it doesn’t);
Disabled my Windows 10 and router firewall;
Tried to poison another Kali VMWare machine in my LAN;
Tried to poison an Android mobile phone.

Nothing works. Just the cellphone seems to navigate better on the internet, but sslstrip doesn’t catch anything and then the connection on my mobile starts lagging a lot. The other VMWare machine’s internet works fine, but with “arp -a” it doesn’t seem really poisoned because my attacker machine and router have different MACs (maybe a VM poisoning a VM gives some trouble). Windows 10 machines instead get a lot of problems, with messages in the browser such as (unable to connect to internet, unable to resolve DNS, connection timed out, unable to find host). Sometimes they do open a website and sslstrip catches something like an API call for a Microsoft web service of Windows 10, then the connection dies again.

I tried Wireshark and I get the message “Duplicate IP detected!”, and inside my router admin page I can see my VMWare machine and the host where it runs share the same IP address until I stop ARP spoofing (without VMWare I didn’t get that message, but the connection dies on the victim anyway).

Last, I changed my listening service: I got rid of sslstrip and tried with SimpleHTTPServer on port 12345, and a funny thing happened. If I write “http://192.168.1.1” in the address bar, the ARP spoofing works because I can see the directory listing on my Kali, but if I try to go to internet websites, both http and https, nothing works.

Sorry if I used too many words, but the thing is so weird that I wanted to give you all the details I found during my test.
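
The "arp -a" comparison described in this post, automated as a defender-side check: it flags any host whose MAC matches the gateway's entry and, optionally, a gateway MAC that differs from a recorded baseline. This is an added example, not part of the original post; the function names and the sample ARP table are constructed for illustration.

```python
import re

# Matches Windows ("192.168.1.1   00-0c-29-..   dynamic") and
# Linux/macOS ("? (192.168.1.1) at 00:0c:29:.. [ether] on eth0") rows.
ENTRY = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b"
)

def normalize_mac(mac):
    # macOS drops leading zeros and Windows uses dashes; unify both.
    return ":".join(part.zfill(2) for part in re.split("[:-]", mac.lower()))

def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group("mac"))
        if int(mac[:2], 16) & 1:  # broadcast/multicast group address
            continue
        table[m.group("ip")] = mac
    return table

def hosts_sharing_gateway_mac(table, gateway_ip, known_gateway_mac=None):
    """Findings: IPs claiming the gateway's MAC, or a changed gateway MAC."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return findings
    if known_gateway_mac and gw_mac != normalize_mac(known_gateway_mac):
        findings.append(("gateway-mac-changed", gateway_ip, gw_mac))
    for ip, mac in sorted(table.items()):
        if ip != gateway_ip and mac == gw_mac:
            findings.append(("shares-gateway-mac", ip, mac))
    return findings

# Constructed sample: Windows `arp -a` output in which the gateway entry
# (192.168.1.1) carries the same MAC as another LAN host (192.168.1.50).
SAMPLE = """\
Interface: 192.168.1.119 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.50          00-0c-29-aa-bb-cc     dynamic
  192.168.1.77          3c-52-82-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for finding in hosts_sharing_gateway_mac(parse_arp_table(SAMPLE), "192.168.1.1"):
        print(finding)
```

A shared MAC is a signal to investigate, not proof: a router with several addresses on one interface or a proxy-ARP setup produces the same pattern, which is why comparing against a recorded baseline MAC is the stronger check.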
