
Thread: Undetectable ARP poisoning (not exactly arp poisoning)

  1. #1 Snayler (Join Date: Jan 2010, Posts: 1,418)

    Hello everyone!
    I've been doing some research on ARP poisoning and how to make it undetectable. This is my idea:

    ARP poisoning, in a quickly explained way, is broadcasting to the network that the victim's IP is associated with our MAC address. So it came to me: what if, instead of changing the IP/MAC address pairing associations on the network, we just changed the IP and MAC of our interface to match the IP and MAC address of the victim's interface? Wouldn't this work as well? I know that it would only receive packets from the router/AP, but if we had two interfaces, we could also mimic the AP, and therefore receive packets from the victim's computer (as from all other computers on the network, but I'm hoping there's a way to filter what we're receiving). Is it doable? If not, what's obstructing the method from working?

    Sorry if I made any spelling/grammar/word misuse errors, English isn't my official language.

    Now I know it isn't possible. No need for replies, and sorry for asking without going deep into that matter...

  2. #2 xorred (Join Date: Feb 2009, Posts: 356)

    Well, you can try and see if it works. Oh wait... can 2 interfaces have the same IP & MAC on the network? That is something you will have to find out by trying.

  3. #3 Gitsnik (Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851)

    Quote Originally Posted by xorred:
    > Well, you can try and see if it works. Oh wait... can 2 interfaces have the same IP & MAC on the network? That is something you will have to find out by trying.

    No, or they can, but you will get mass IP conflicts popping up on any machine that had it first. Someone will notice very, very quickly if you do this.

    On the other end though, the actual ARP spoofing attack will be relatively silent and, if you set the timing for the packets at a decent rate, it is quite often easy to miss it in the general traffic of a packet dump anyway (unless the security IT members of the test are specifically looking for it, in which case you are in trouble anyway).

    If the standard ARP spoof fails (and my memory serves) there are other methods to get around it.

    Any NIDS will pick them up though, and you can configure some very simple tools (arpwatch) to do it as well (you're buggered if someone arpspoofs the NIDS and the email server though, but that just shows bad configuration).

    The method described in the OP is already too noisy and breaks basic checks that are generally in place on a DHCP/STATIC network anyway. It's a good thought, but ultimately wrong.

    Now, if you could break the physical network in half you could do the spoofing between the two interfaces, but there is no point when you could just rig in an Ethernet bridge (there are kernel modules/patches for this, BSD compiles it in and I've no idea about Windows) and sniff the packets that way.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
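An arpwatch-style check of the kind Gitsnik mentions, written as an added example (not code from this thread or from arpwatch itself): it replays a constructed list of ARP replies, learns the first MAC seen for each IP, and raises an alert when an IP later flips to a different MAC or when one MAC ends up answering for several IPs. The `ArpReply` type, the `monitor` function and the sample addresses are assumptions made for this example.

```python
# Added example, not from the thread: a minimal arpwatch-style ARP monitor.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would hand it to us (constructed input)."""
    sender_ip: str
    sender_mac: str
    target_ip: str  # equals sender_ip for a gratuitous reply


def monitor(replies: List[ArpReply]) -> Tuple[Dict[str, str], List[str]]:
    """Replay ARP replies in order; return (final ip->mac table, alerts).

    Two conditions are flagged, mirroring what arpwatch reports:
      * "flip flop": an IP already bound to one MAC is now claimed by another
      * one MAC answering for more than one IP (the gateway-plus-victim
        pattern that a poisoning attack leaves behind)
    """
    table: Dict[str, str] = {}
    alerts: List[str] = []
    for r in replies:
        mac = r.sender_mac.lower()
        known = table.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"flip flop: {r.sender_ip} moved from {known} to {mac}")
        table[r.sender_ip] = mac  # learn, or overwrite after alerting
        claimed = sorted(ip for ip, m in table.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(f"one MAC {mac} now answers for {', '.join(claimed)}")
    return table, alerts


# Constructed sample: the gateway and a host announce themselves, then a
# third MAC claims both of their IPs in turn.
SAMPLE = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.1"),
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.10"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:99", "192.168.1.10"),
    ArpReply("192.168.1.10", "de:ad:be:ef:00:99", "192.168.1.1"),
]

if __name__ == "__main__":
    _, found = monitor(SAMPLE)
    for line in found:
        print("ALERT", line)
```

The two clean announcements produce no alert; the two spoofed replies produce two flip-flop alerts and one duplicate-MAC alert, which is exactly the signal a NIDS or arpwatch would mail out.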

  4. #4 Snayler (Join Date: Jan 2010, Posts: 1,418)

    Thanks for the answer, Gitsnik

    Quote Originally Posted by Gitsnik:
    > If the standard ARP spoof fails (and my memory serves) there are other methods to get around it.
    Can you tell me what other methods can be used? I'm not testing a wired network, it's a wireless network.

  5. #5 (Join Date: Jun 2008, Posts: 425)

    @Snayler
    Is this what you were trying to do?

    RapidShare: 1-CLICK Web hosting - Easy Filehosting

    It should be possible in theory.

  6. #6 Gitsnik (Join Date: Jan 2010, Location: The Crystal Wind, Posts: 851)

    Quote Originally Posted by Snayler:
    > Thanks for the answer, Gitsnik
    > Can you tell me what other methods can be used? I'm not testing a wired network, it's a wireless network.

    Serves me right for not coming back to threads I've posted in.

    If regular ARP spoofing fails, there are a couple of other methods of ARP spoofing. There are also ICMP redirections, DHCP spoofing and other techniques (most of them in your standard arp spoofing toolkits).
