Can some router prevent arp spoofing ?

[ronin101]

Hi everyone,

I've got a small experience regarding arp spoofing. I managed to make it work with tools such as arpspoof, ettercap following the various tutorials of the site since backtrack 3. Recently I failed to arp spoof some routers with BT5 and I don't understand why. I can verify that the victim is arp spoofed by checking its arp table. And I can see some of the traffic going through the midm machine. But somehow it kills the internet connection of the victim. I think the problem is there (not sure though)

Website <****** OK **** midm <**** OK **** victim
Website ****** OK ****> midm **** FAILED ****> victim

I've noticed the problem specifically on a router/box provided by my ISP which I can't manage to arp spoof. And the exact same process, same machine, on different router works perfectly. So my question is, are there some router with an anti arp spoof protection ? and if yes, is it possible to circumvent it ? Is there a different arp tool I can test ?

Thanks a lot for your help

[qwattash]

As far as I've tested MITM with ettercap I've never found an home router that prevented ARP spoofing, however I haven't a broad experience 'cause I'm only an amateur (forgive me for my bad english too).
I did some googling and I found these, it shows that it is possible to mitigate an ARP spoofing attack in well determined conditions, so it could be that some router implements such features but I don't think so not by now and not if your router isn't brand new XD
As I found in this paper(see scenario 3) from cisco systems, they developed something called ARP inspection (described in an human-readable form here in their blog). It seems to be something similar to your scenario (if I understood well): as they say in the blog, enabling ARP inspection will make the router drop strange ARP replies, but I think it's not your case 'cause I don't think you used professional routers such the one of the cisco's demo. In addition they talk about static ARP tables and again I don't think it's your case.

Answering your last question i think ARPSpoof and Ettercap are the best ones, I didn't searched for others 'cause it Always worked with them, but I think that if you google around for a while you'll find something...
If you find somethink keep me up to date! I'm interested in this topic too!

[iliyapolak]

Use Ettercap plugin "checkpoison" ,also use wireshark and look for the traffic coming from the router if it is poisoned properly router's ethernet frame''DA" field will have your card source address.

[iliyapolak]

Arp poisoning cleverly exploits dumbness and simplicity of Arp protocol , moreover lack of any security features (handshaking, session tokens, host to host indentification) will not prevent any attacks at protocol level.
Read this paper http://www.prism.uvsq.fr/users/jbo/I.../S03S06P08.PDF

[ronin101]

Thanks for all your answers. First I think I found the exact reference of my router. It's packaged
and re branded by the ISP but it appears to be a netgear CBVG834G
http://www.netgear.com/service-provi.../CBVG834G.aspx

Also I noticed that I add "better" result when using arp:remote instead of only arp when using ettercap
- With only arp the arp spoof works (checked with arp -a on victim) but ettercap does not see any packet
- With arp:remote I can see the packets from the victim to the net but the way back

I've confirmed this with wireshark. And in any case there is no packet from the net to the victim.
Here is a screenshot of what I think is the problem. You'll see that the http request goes into a loop
of retransmission.


I'm not knowledgeable enough to detect the problem more precisely though.

[ronin101]

mmm. I had posted a long reply but it never appeared so sorry it there is a double post.

Thanks for your answers.
The problematic router is rebranded by the ISP but I've identified it as a NetGear CBVG834G
http://www.netgear.com/service-provi.../CBVG834G.aspx

Also I've made some test with wireshark and here is what I get

It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
What's really frustrating is that the same commands, config, machine etc work on other router :-/

[ronin101]

mmm. I had posted a long reply but it never appeared so sorry it there is a double post.

Thanks for your answers.
The problematic router is rebranded by the ISP but I've identified it as a NetGear CBVG834G
http://www.netgear.com/service-provi.../CBVG834G.aspx

Also I've made some test with wireshark and here is what I get

It's pretty obvious that no traffic goes back to the victime. But I'm not savvy enough to understand why.
What's really frustrating is that the same commands, config, machine etc work on other router :-/

[iliyapolak]

What is the Mac address of your router?
Ethernet frame as seen in your pics is encapsulating higher level protocols of level 3,4,7 so you must look at the source address of this ethernet frame if it is properly poisoned it will contain
you attacker mac address.
Maybe network stack in your backtrack machine is not forwarding properly all those packets sent through its interface?

[ronin101]

So following to this topics I managed to get it working when using another USB wifi key. I've no idea why. Both worked with all kind
of configuration but in the case of this specific router only one wifi key worked.

[pentest09]

Depends on the security application protecting the target, smart security by eset has options in the ids settings for arp attacks, dns poisoning etc which will protect the target from these attacks and also block the ip from further attacks.

regards dee