The experience of the failure of the DNS spoofing experiment of a wonderful student in Xiao Kee

This is a DNS spoofing experiment that uses Kali's ettercap. There are three machines, the victim, the attacker (virtual machine), and the Web server.
The victim's 124.16.70.105.
The virtual machine is 124.16.71.48
The Web server is 124.16.70.235 and is 80 ports
Subnet mask is 255255.254.0

Little White has deceived success, the target domain of deception is hao123. But his experiment found that using the victim ping hao123 when the DNS spoofing success, the display IP is 235, but the browser can not access the hao123, prompted not to find the Web page. The victim visited Baidu is normal access, these content in the packet (Hao123bao.pcapng.tar, and not packaged, just to be able to upload to the blog, after the download rename remove tar) in all have, this is why? The victim directly enters the 235 IP that is reachable to the built Web server.

After analyzing the packet, it was found that the victim was using a normal gateway when accessing IP 235, and access to other URLs was using the gateway of the attacker, the virtual machine. Looking at 1748 and 17,492 packs is obvious.

Why use the right gateway when you visit 235?
I feel that because IP 235 is the intranet, the victim makes a broadcast ARP request (packet 1737), so the normal gateway returns to the normal Mac (1746), so the TCP connection is made using a normal gateway Mac.

Therefore, the test environment as far as possible simulation ... So as not to meet the wonderful things.

(Blog park can not upload attachments in blog post?) ）

by ascii0x03, 2015.8.20

The experience of the failure of the DNS spoofing experiment of a wonderful student in Xiao Kee