
Would it be called ARP spoofing or not?

My computer is connected to an Ethernet network. The service provider distributed 5 connections through one switch. The MAC address of the switch is fe:dc:05:41:38:8k (manipulated for privacy). The MAC address of my computer is cx:cm:1d:2k:58:a8. I am getting ARP packets as given below. Note: MAC addresses and IP addresses are modified.

04:47:05 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:05 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.67.84
04:47:08 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:08 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.250
04:47:11 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:11 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.68.131
04:47:13 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:13 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.69.72
04:47:13 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:13 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.70.217
04:47:20 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:20 [1] ARP Request- 111.11.48.1 is asking for L2 of 111.11.59.83
04:47:23 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:23 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.69.169
04:47:25 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:25 [1] ARP Request- 111.11.48.1 is asking for L2 of 111.11.61.223
04:47:25 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:25 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.239
04:47:28 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:28 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.22
04:47:30 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:30 [1] ARP Request- 000.00.64 ...
wolvo
asked 2022-03-21 12:55:30 +0000, updated 2022-03-21 14:15:57 +0000

1 Answer


Hi. What’s your topology? Generally the Service Providers sell public IP addresses through a fiber optic interface and they give you a terminal (Optical Network Terminal), that technically speaking includes a router, a switch, a firewall and wireless interfaces, all in the same box.

An example of a home topology is:

(Internet)—> ISP—>ONT (“Router”)—>Switch—>PC

If your switch is on a different box, all the interfaces will have Internet access with the public IP.

I understand your computer is plugged into one of that switch's interfaces, right? Is that fe:dc:05:41:38:8k?

Remember the number of MAC addresses a switch has depends on the number of physical network interfaces, so if your switch has 4 Ethernet and 1 wireless card, it will have 5 MAC addresses in total.

Now, the answer to your question depends on the network topology: what else is plugged into your switch, another switch (or switches)? A lot of wireless devices? Do you recognize the IPs whose L2 address is being asked for by fe:dc:05:41:38:8k? Are they private addresses in a segment/VLAN you recognize?

In any case, the solution is to filter by MAC and only allow known MACs to access the switch. This can be configured in the router or switch, if it's an administrable one.

mr_chispa
answered 2022-03-23 05:01:38 +0000

Comments

Thanks for the reply. My connection diagram is as below:

 ------->Switch(1 input  3 output)>> To other home (Suspected Hacker)
                                                  >> To other home
                                                  >> To my home(PCE/LAN) >> Laptop

Yes, fe:dc:05:41:38:8k is the MAC address of the switch. In Wireshark I am seeing two completely different IP addresses, and sometimes 3, at the same MAC address fe:dc:05:41:38:8k in ARP requests. The Wireshark dissector shows that as ARP spoofing. But above is a log of lots of IP addresses.

wolvo (2022-03-23 13:01:10 +0000)

Hi. By definition that topology is insecure, the definitive solution could be buying your own Internet service (own public IP address), so you can have your own DHCP pool, segment, VLAN, etc. In the meantime you can use a VPN software for your personal devices.

If you are seeing more than 1 IP bound to fe:dc:05:41:38:8k, that attack is called ARP poisoning and, as you mention, the Wireshark default dissector should mark them in yellow with a message like "Duplicate IP Address detected (...)".

mr_chispa (2022-03-23 17:06:10 +0000)

I used these plugins: https://github.com/pentesteracademy/p... The plug-in shows it is ARP spoofing.

wolvo (2022-03-23 18:10:11 +0000)

That plugin looks pretty good! I'll give it a try. Another option is to buy a layer 3 switch for your devices, but now that you are sure that this person does attacks, you definitely don't want to share LAN with him, much less share public IP to the Internet...

mr_chispa (2022-03-23 21:19:25 +0000)
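The two signals discussed in this thread, the Wireshark-style "Duplicate IP address detected" check (one sender IP seen from more than one MAC) and the pattern in the question's log (one MAC asking on behalf of sender IPs from different subnets), can be checked directly against the question's log format. The script below is an added example, not code from the question, the answer or the linked plug-in; the sample lines are constructed in the same privacy-altered style, and the "subnet" grouping by the first three octets is an assumption for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the question's log format (addresses made up, not real traffic).
SAMPLE_LOG = """\
04:47:05 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:05 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.67.84
04:47:20 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:20 [1] ARP Request- 111.11.48.1 is asking for L2 of 111.11.59.83
04:47:31 [1] ARP Request Ethernet Info: [Source] = aa:bb:cc:dd:ee:01 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:31 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.22
"""

ETH_RE = re.compile(r"\[Source\] = (\S+) \+ \[Destination\] = (\S+)")
ARP_RE = re.compile(r"ARP Request- (\S+) is asking for L2 of (\S+)")


def parse_arp_log(text):
    """Pair each 'Ethernet Info' line with the ARP line that follows it.
    Returns a list of (src_mac, sender_ip, target_ip) tuples."""
    records, src_mac = [], None
    for line in text.splitlines():
        m = ETH_RE.search(line)
        if m:
            src_mac = m.group(1)
            continue
        m = ARP_RE.search(line)
        if m and src_mac:
            records.append((src_mac, m.group(1), m.group(2)))
            src_mac = None
    return records


def analyse(records):
    """Return (duplicate_ips, multi_subnet_macs) built from the parsed records."""
    mac_to_ips, ip_to_macs = defaultdict(set), defaultdict(set)
    for mac, sender_ip, _ in records:
        mac_to_ips[mac].add(sender_ip)
        ip_to_macs[sender_ip].add(mac)
    # Wireshark-style check: the same sender IP announced by more than one MAC.
    duplicate_ips = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    # Pattern from the question: one MAC using sender IPs from several subnets
    # (subnet approximated by the first three octets; an assumption).
    multi_subnet_macs = {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                         if len({ip.rsplit(".", 1)[0] for ip in ips}) > 1}
    return duplicate_ips, multi_subnet_macs


if __name__ == "__main__":
    print(analyse(parse_arp_log(SAMPLE_LOG)))
```

A gateway with several interfaces, or a router doing proxy ARP, can legitimately produce the second pattern, so it is a lead to check against the topology rather than proof on its own.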