Results 1 to 4 of 4

Thread: Proxy ARP an issue?

Hybrid View

  1. #1
    Junior Member nightlybuild's Avatar
    Join Date
    Feb 2010
    Location
    InYourBucci/Chicago
    Posts
    36

    Default Proxy ARP an issue?

    I recently did a host scan with ettercap (just looking around) and found that all of the IP addresses (which were all different) had the same MAC address. I did a little research and came up with a proxy arp possibly being the cause of this. The way I understand it is that every single computer (including the one I was on) can only see one mac address, which I think is the arp proxy. From reading I understand that all computers will send data to that arp proxy and then the proxy will identify where it must go based on it's arp tables which it keeps track of. If this is the way it all works then wouldn't Man in the Middle attacks not work since all you can see is the arp proxy, or is there away around this. Can someone clarify this for me, I never heard of an arp proxy before, neither do I know that this is what is happening in my case, it just seemed like it would make the most sense. It seems kind of funny seeing all these different IP addresses all with the same MAC address.
    Thanks!

    I found this on this site: Verkot: Model answer 5, st-98

    "Hosts which are using proxy ARP are not concious about the fact that they have been subnetted. Response from any machine is as valid as response from server w hich handles routing.

    Whole idea of proxy ARP is spoofing. (Comer: figure 10.2 page 142): "In essence, R lies about IP-to-physical address bindings."

    Proxy ARP is based on trust - every request and reply is considered legitimate.

    It is also impossible to implement warning which alerts when two IP addresses map to the same physical address. "

    Can someone explain to me how ettercap would relate to this and also if two IP addresses have the same physical address, would both computers receive the packets? It would really help me if someone explained how ARP poisoning would work in a situation with Proxy ARP...it seems like there would be a conflict (I can't even get real MAC addresses)
    Last edited by lupin; 03-04-2010 at 09:45 AM. Reason: Merging...
    If you get tired of listening to your music... cat /vmlinuz > /dev/audio
    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
    Macbook 2.4Ghz Dual Core, 4GB Ram, Edimax EW-7318USG, BT4

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: Proxy ARP an issue?

    Quote Originally Posted by nightlybuild View Post
    I recently did a host scan with ettercap (just looking around) and found that all of the IP addresses (which were all different) had the same MAC address. I did a little research and came up with a proxy arp possibly being the cause of this.
    There are a number of other possible causes for this. Routing, binding multiple IP addresses to one physical network interface, various clustered configurations, certain virtualisation configurations, perhaps a VPN concentrator, etc could all cause multiple IPs to resolve to one MAC address. You didnt mention anything about the network structure that you just scanned so its hard to say whether any of these are the case here.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Junior Member nightlybuild's Avatar
    Join Date
    Feb 2010
    Location
    InYourBucci/Chicago
    Posts
    36

    Default Re: Proxy ARP an issue?

    I didn't get a chance to do an in depth scan, just a quick hosts scan. I'll try to map out the network tomorrow and I'll let you know how it's laid out. Thanks for the reply!
    If you get tired of listening to your music... cat /vmlinuz > /dev/audio
    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
    Macbook 2.4Ghz Dual Core, 4GB Ram, Edimax EW-7318USG, BT4

  4. #4
    Junior Member nightlybuild's Avatar
    Join Date
    Feb 2010
    Location
    InYourBucci/Chicago
    Posts
    36

    Default Re: Proxy ARP an issue?

    Okay, so I found out a little bit more. It seems like the MAC address that I was seeing multiple time was a CISCO Switch (scanned with NMAP). I found the following ports open:

    23/tcp open telnet Cisco IOS telnetd
    1720/tcp open tcpwrapped

    Also, the MAC address was known as "Lanner Electronics"

    The IP address of the switch was the first on the list when I scanned for hosts. Also, the IP address are in the form "192.168.228.XX" Does this information help in any way? Also, I don't get how I'm supposed see other computers on the network when all I get is IP addresses with the MAC address of the Switch...Can someone explain this to me?
    Thanks!
    If you get tired of listening to your music... cat /vmlinuz > /dev/audio
    -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
    Macbook 2.4Ghz Dual Core, 4GB Ram, Edimax EW-7318USG, BT4

Similar Threads

  1. WPA handshake issue?
    By brawngp in forum Beginners Forum
    Replies: 4
    Last Post: 03-01-2010, 06:17 AM
  2. Macbook Pro 5,1 DWA-643 issue
    By darlord in forum Beginners Forum
    Replies: 1
    Last Post: 02-24-2010, 08:17 AM
  3. BT4 on IBM ThinkPad T43 Wireless Issue
    By khaji00 in forum Beginners Forum
    Replies: 1
    Last Post: 02-21-2010, 11:02 AM
  4. Issue solved???
    By PunksUndead in forum Beginners Forum
    Replies: 1
    Last Post: 01-31-2010, 11:50 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •