Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Can some router prevent arp spoofing ?

Hybrid View

  1. #1
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Question Can some router prevent arp spoofing ?

    Hi everyone,

    I've got a small experience regarding arp spoofing. I managed to make it work with tools such as arpspoof, ettercap following the various tutorials of the site since backtrack 3. Recently I failed to arp spoof some routers with BT5 and I don't understand why. I can verify that the victim is arp spoofed by checking its arp table. And I can see some of the traffic going through the midm machine. But somehow it kills the internet connection of the victim. I think the problem is there (not sure though)

    Website <****** OK **** midm <**** OK **** victim
    Website ****** OK ****> midm **** FAILED ****> victim

    I've noticed the problem specifically on a router/box provided by my ISP which I can't manage to arp spoof. And the exact same process, same machine, on different router works perfectly. So my question is, are there some router with an anti arp spoof protection ? and if yes, is it possible to circumvent it ? Is there a different arp tool I can test ?

    Thanks a lot for your help

  2. #2
    Just burned his ISO
    Join Date
    May 2011
    Location
    Italy
    Posts
    7

    Default Riferimento: Can some router prevent arp spoofing ?

    As far as I've tested MITM with ettercap I've never found an home router that prevented ARP spoofing, however I haven't a broad experience 'cause I'm only an amateur (forgive me for my bad english too).
    I did some googling and I found these, it shows that it is possible to mitigate an ARP spoofing attack in well determined conditions, so it could be that some router implements such features but I don't think so not by now and not if your router isn't brand new XD
    As I found in this paper(see scenario 3) from cisco systems, they developed something called ARP inspection (described in an human-readable form here in their blog). It seems to be something similar to your scenario (if I understood well): as they say in the blog, enabling ARP inspection will make the router drop strange ARP replies, but I think it's not your case 'cause I don't think you used professional routers such the one of the cisco's demo. In addition they talk about static ARP tables and again I don't think it's your case.

    Answering your last question i think ARPSpoof and Ettercap are the best ones, I didn't searched for others 'cause it Always worked with them, but I think that if you google around for a while you'll find something...
    If you find somethink keep me up to date! I'm interested in this topic too!

  3. #3
    Member
    Join Date
    May 2011
    Location
    Israel
    Posts
    74

    Default Re: Can some router prevent arp spoofing ?

    Use Ettercap plugin "checkpoison" ,also use wireshark and look for the traffic coming from the router if it is poisoned properly router's ethernet frame''DA" field will have your card source address.
    Scientia ac Labore

  4. #4
    Member
    Join Date
    May 2011
    Location
    Israel
    Posts
    74

    Default Re: Can some router prevent arp spoofing ?

    Arp poisoning cleverly exploits dumbness and simplicity of Arp protocol , moreover lack of any security features (handshaking, session tokens, host to host indentification) will not prevent any attacks at protocol level.
    Read this paper http://www.prism.uvsq.fr/users/jbo/I.../S03S06P08.PDF
    Scientia ac Labore

  5. #5
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Default Re: Can some router prevent arp spoofing ?

    mmm. I had posted a long reply but it never appeared so sorry it there is a double post.

    Thanks for your answers.
    The problematic router is rebranded by the ISP but I've identified it as a NetGear CBVG834G
    http://www.netgear.com/service-provi.../CBVG834G.aspx

    Also I've made some test with wireshark and here is what I get

    It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
    What's really frustrating is that the same commands, config, machine etc work on other router :-/

  6. #6
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Default Re: Can some router prevent arp spoofing ?

    mmm. I had posted a long reply but it never appeared so sorry it there is a double post.

    Thanks for your answers.
    The problematic router is rebranded by the ISP but I've identified it as a NetGear CBVG834G
    http://www.netgear.com/service-provi.../CBVG834G.aspx

    Also I've made some test with wireshark and here is what I get

    It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
    What's really frustrating is that the same commands, config, machine etc work on other router :-/

  7. #7
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Default Re: Can some router prevent arp spoofing ?

    Thanks for all your answers. First I think I found the exact reference of my router. It's packaged
    and re branded by the ISP but it appears to be a netgear CBVG834G
    http://www.netgear.com/service-provi.../CBVG834G.aspx

    Also I noticed that I add "better" result when using arp:remote instead of only arp when using ettercap
    - With only arp the arp spoof works (checked with arp -a on victim) but ettercap does not see any packet
    - With arp:remote I can see the packets from the victim to the net but the way back

    I've confirmed this with wireshark. And in any case there is no packet from the net to the victim.
    Here is a screenshot of what I think is the problem. You'll see that the http request goes into a loop
    of retransmission.


    I'm not knowledgeable enough to detect the problem more precisely though.

  8. #8
    Member
    Join Date
    May 2011
    Location
    Israel
    Posts
    74

    Default Re: Can some router prevent arp spoofing ?

    What is the Mac address of your router?
    Ethernet frame as seen in your pics is encapsulating higher level protocols of level 3,4,7 so you must look at the source address of this ethernet frame if it is properly poisoned it will contain
    you attacker mac address.
    Maybe network stack in your backtrack machine is not forwarding properly all those packets sent through its interface?
    Scientia ac Labore

  9. #9
    Just burned his ISO
    Join Date
    May 2011
    Posts
    11

    Default Re: Can some router prevent arp spoofing ?

    So following to this topics I managed to get it working when using another USB wifi key. I've no idea why. Both worked with all kind
    of configuration but in the case of this specific router only one wifi key worked.

  10. #10
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Can some router prevent arp spoofing ?

    Depends on the security application protecting the target, smart security by eset has options in the ids settings for arp attacks, dns poisoning etc which will protect the target from these attacks and also block the ip from further attacks.

    regards dee

Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 1
    Last Post: 06-14-2010, 10:05 AM
  2. Help with spoofing IP
    By trebor117 in forum OLD Newbie Area
    Replies: 7
    Last Post: 11-20-2009, 05:19 AM
  3. Prevent Mounting of NTFS drives?
    By thorin in forum OLD BT3final Support
    Replies: 4
    Last Post: 05-12-2009, 08:50 AM
  4. Ettercap DNS Spoofing Not.. Spoofing
    By oxide in forum OLD Newbie Area
    Replies: 4
    Last Post: 04-02-2009, 10:39 PM
  5. How to Prevent Brute-Force Cracking?
    By radioraiders in forum OLD Wireless
    Replies: 10
    Last Post: 10-13-2008, 08:03 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •