Hello everyone!
I've been doing some research on ARP poisoning and how to make it undetectable. This is my idea:
ARP poisoning, explained quickly, is broadcasting to the network that the victim's IP is associated with our MAC address. So it came to me: what if, instead of changing the IP/MAC address pairing associations on the network, we just changed the IP and MAC of our interface to match the IP and MAC address of the victim's interface? Wouldn't this work as well? I know that it would only receive packets from the router/AP, but if we had two interfaces, we could also mimic the AP, and therefore receive packets from the victim's computer (as from all other computers on the network, but I'm hoping there's a way to filter what we're receiving). Is it doable? If not, what's obstructing the method from working?
Sorry if I made any spelling/grammar/word misuse errors; English isn't my native language.
Now I know it isn't possible. No need for replies, and sorry for asking without going deep into the matter...
Well, you can try and see if it works. Oh wait... can two interfaces have the same IP & MAC on the network? That is something you will have to find out by trying.
No, or rather they can, but you will get mass IP conflicts popping up on any machine that had it first. Someone will notice very, very quickly if you do this.
On the other end though, the actual ARP spoofing attack will be relatively silent and, if you set the timing for the packets at a decent rate, it is quite often easy to miss it in the general traffic of a packet dump anyway (unless the security IT members of the test are specifically looking for it, in which case you are in trouble anyway).
If the standard ARP spoof fails (and my memory serves) there are other methods to get around it.
Any NIDS will pick them up though; you can configure some very simple tools (arpwatch) to do it as well (you're buggered if someone arpspoofs the NIDS and the email server though, but that just shows bad configuration).
The method described in the OP is already too noisy and breaks basic checks that are generally in place on a DHCP/static network anyway. It's a good thought, but ultimately wrong.
Now, if you could break the physical network in half you could do the spoofing between the two interfaces, but there is no point when you could just rig in an Ethernet bridge (there are kernel modules/patches for this, BSD compiles it in and I've no idea about Windows) and sniff the packets that way.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
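The reply above says arpwatch or any NIDS will catch a standard ARP spoof. The checks those tools actually run are simple: remember which MAC each IP last answered with, alert when that binding changes, alert again when it flips back to a previously seen MAC ("flip flop" in arpwatch terms), and, as an extra heuristic, alert when one MAC starts answering for several IPs (which is what you see when the attacker spoofs both the gateway and the victim, or the NIDS and the mail server as mentioned above). The following is an added example written for this thread, not code from the poster or from arpwatch; the ARP replies it consumes are constructed inline, and the IPs and MACs are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: 'ip is at mac'."""
    ip: str
    mac: str


class ArpWatcher:
    """Minimal arpwatch-style tracker of IP -> MAC bindings seen on the wire."""

    def __init__(self):
        self.ip_to_mac = {}                    # current binding per IP
        self.ip_history = defaultdict(set)     # every MAC ever seen for an IP
        self.mac_to_ips = defaultdict(set)     # every IP a MAC has claimed
        self.alerts = []                       # (kind, subject, detail) tuples

    def observe(self, reply):
        ip, mac = reply.ip, reply.mac.lower()
        prev = self.ip_to_mac.get(ip)

        if prev is None:
            self.alerts.append(("new station", ip, mac))
        elif prev != mac:
            # Binding changed. If the new MAC was seen for this IP before,
            # the real host and the spoofer are fighting over the entry.
            if mac in self.ip_history[ip]:
                self.alerts.append(("flip flop", ip, f"{prev} -> {mac}"))
            else:
                self.alerts.append(("changed ethernet address", ip, f"{prev} -> {mac}"))

        self.ip_to_mac[ip] = mac
        self.ip_history[ip].add(mac)

        # One MAC answering for more than one IP is the signature of a
        # man-in-the-middle that spoofs both ends of a conversation.
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1 and len(self.mac_to_ips[mac]) > before:
            self.alerts.append(("mac claims multiple ips", mac, sorted(self.mac_to_ips[mac])))


def watch(replies):
    """Feed a sequence of ArpReply objects through the watcher and return its alerts."""
    watcher = ArpWatcher()
    for reply in replies:
        watcher.observe(reply)
    return watcher.alerts


# Constructed sample traffic (hypothetical addresses): gateway .1, victim .10,
# attacker .20 who then spoofs both the gateway and the victim, after which
# the real gateway answers once more.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:10"),   # real victim
    ArpReply("192.168.1.20", "de:ad:be:ef:00:20"),   # attacker's own host
    ArpReply("192.168.1.1", "de:ad:be:ef:00:20"),    # attacker claims gateway IP
    ArpReply("192.168.1.10", "de:ad:be:ef:00:20"),   # attacker claims victim IP
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway answers again
]

if __name__ == "__main__":
    for kind, subject, detail in watch(SAMPLE_REPLIES):
        print(f"{kind:28} {subject:20} {detail}")
```

On the sample above the watcher reports three "new station" entries, two "changed ethernet address" alerts (the attacker taking over .1 and .10), two "mac claims multiple ips" alerts for the attacker's MAC, and one "flip flop" when the real gateway reasserts itself. To use it on real traffic you would feed it ARP replies parsed from a pcap or a raw socket; the "new station" noise is why arpwatch is normally left running long enough to learn the network before anyone reads its alerts.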
@ Snayler
Is this what you were trying to do?
RapidShare: 1-CLICK Web hosting - Easy Filehosting
It should be possible in theory.