would it be called ARP Spoofing or not?

asked Mar 21 '2 by wolvo, updated Mar 21 '2

My computer is connected to an Ethernet network. The service provider distributed 5 connections through one switch. The MAC address of the switch is fe:dc:05:41:38:8k (manipulated for privacy). The MAC address of my computer is cx:cm:1d:2k:58:a8. I am getting ARP packets as given below. Note: MAC addresses and IP addresses are modified.

04:47:05 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:05 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.67.84
04:47:08 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:08 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.250
04:47:11 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:11 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.68.131
04:47:13 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:13 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.69.72
04:47:13 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:13 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.70.217
04:47:20 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:20 [1] ARP Request- 111.11.48.1 is asking for L2 of 111.11.59.83
04:47:23 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:23 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.69.169
04:47:25 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:25 [1] ARP Request- 111.11.48.1 is asking for L2 of 111.11.61.223
04:47:25 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:25 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.239
04:47:28 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:28 [1] ARP Request- 000.00.64.1 is asking for L2 of 000.00.65.22
04:47:30 [1] ARP Request Ethernet Info: [Source] = fe:dc:05:41:38:8k + [Destination] = ff:ff:ff:ff:ff:ff
04:47:30 [1] ARP Request- 000.00.64 ...

1 Answer

answered Mar 23 '2 by mr_chispa

Hi. What's your topology? Generally, service providers sell public IP addresses through a fiber-optic interface and give you a terminal (Optical Network Terminal) that, technically speaking, includes a router, a switch, a firewall and wireless interfaces, all in the same box.

An example of a home topology is:

(Internet)—> ISP—>ONT (“Router”)—>Switch—>PC

If your switch is on a different box, all the interfaces will have Internet access with the public IP.

I understand your computer is plugged into one of that switch's interfaces, right? Is that fe:dc:05:41:38:8k?

Remember that the number of MAC addresses a switch has depends on the number of physical network interfaces, so if your switch has 4 Ethernet ports and 1 wireless card, it will have 5 MAC addresses in total.

Now, the answer to your question depends on the network topology: what else is plugged into your switch? Another switch (or switches)? A lot of wireless devices? Do you recognize the IPs whose L2 addresses fe:dc:05:41:38:8k is asking for? Are they private addresses in a segment/VLAN you recognize?

In any case, the solution is to filter by MAC and only allow known MACs to access the switch. This can be configured on the router or switch, if it is a manageable one.


Comments

Thanks for the reply. My connection diagram is as below:

 ------->Switch(1 input, 3 output) >> To other home (Suspected Hacker)
                                   >> To other home
                                   >> To my home (PCE/LAN) >> Laptop

Yes, fe:dc:05:41:38:8k is the MAC address of the switch. In Wireshark I am seeing two completely different IP addresses, and sometimes 3, at the same MAC address fe:dc:05:41:38:8k in ARP requests. The Wireshark dissector shows that as ARP spoofing. But the above is a log of lots of IP addresses.

wolvo ( Mar 23 '2 )

Hi. By definition that topology is insecure; the definitive solution could be buying your own Internet service (your own public IP address), so you can have your own DHCP pool, segment, VLAN, etc. In the meantime you can use VPN software for your personal devices.

If you are seeing more than 1 IP bound to fe:dc:05:41:38:8k, that attack is called ARP poisoning and, as you mention, Wireshark's default dissector should mark them in yellow with a message like "Duplicate IP address detected (...)".

mr_chispa ( Mar 23 '2 )

I used these plugins: https://github.com/pentesteracademy/p... The plug-in shows it is ARP spoofing.

wolvo ( Mar 23 '2 )

That plugin looks pretty good! I'll give it a try. Another option is to buy a layer 3 switch for your devices, but now that you are sure that this person performs attacks, you definitely don't want to share a LAN with him, much less share a public IP to the Internet...

mr_chispa ( Mar 23 '2 )
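The checks discussed in the answer and the comments above (which IPs a given MAC is ARPing for, whether they are private addresses, and whether one MAC is claiming several IPs or one IP is claimed by several MACs) can be run over a text log in the exact two-line format the asker posted. The script below is an added example, not code from the thread or from the linked plugin. It assumes that an "ARP Request Ethernet Info" line is paired with the "ARP Request-" line carrying the same timestamp, and the log it analyses is constructed sample data with made-up MACs and addresses, not the asker's capture.

```python
"""Added example: group ARP requests from a text log by sender MAC / sender IP.

Reports three things a practitioner wants before calling something ARP spoofing:
  * MACs that sent ARP requests as more than one sender IP (what the asker saw),
  * IPs that were claimed by more than one MAC (the condition behind Wireshark's
    "Duplicate IP address detected" expert info),
  * whether the IPs being asked for are RFC 1918 private addresses.
"""
import ipaddress
import re
from collections import defaultdict

# Regexes for the two-line-per-request layout quoted in the question. The MACs
# in the post were anonymized with non-hex characters, so each octet accepts
# any word character rather than strictly [0-9a-f].
ETH_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\d+\]\s+ARP Request Ethernet Info:\s*"
    r"\[Source\]\s*=\s*(?P<src>\w{2}(?::\w{2}){5})\s*\+\s*"
    r"\[Destination\]\s*=\s*(?P<dst>\w{2}(?::\w{2}){5})\s*$"
)
REQ_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\d+\]\s+ARP Request-\s*(?P<sender_ip>[\d.]+)\s+"
    r"is asking for L2 of\s+(?P<target_ip>[\d.]+)\s*$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip parses as IPv4/IPv6 and lies in one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_arp_log(lines):
    """Yield (timestamp, sender_mac, sender_ip, target_ip) for each request.

    An 'Ethernet Info' line is paired with the next 'ARP Request-' line that
    carries the same timestamp (assumption based on the question's layout).
    """
    pending = None
    for raw in lines:
        line = raw.strip()
        m = ETH_RE.match(line)
        if m:
            pending = (m["ts"], m["src"].lower())
            continue
        m = REQ_RE.match(line)
        if m and pending and pending[0] == m["ts"]:
            yield pending[0], pending[1], m["sender_ip"], m["target_ip"]
            pending = None


def analyse(lines):
    """Group requests by sender MAC and sender IP and flag the anomalies."""
    ips_by_mac = defaultdict(set)   # sender MAC -> sender IPs it claimed
    macs_by_ip = defaultdict(set)   # sender IP  -> MACs that claimed it
    targets = set()
    count = 0
    for _ts, mac, sender_ip, target_ip in parse_arp_log(lines):
        count += 1
        ips_by_mac[mac].add(sender_ip)
        macs_by_ip[sender_ip].add(mac)
        targets.add(target_ip)
    return {
        "requests": count,
        # one MAC claiming several sender IPs: the pattern the asker saw
        "multi_ip_macs": {m: sorted(s) for m, s in ips_by_mac.items() if len(s) > 1},
        # one IP claimed by several MACs: Wireshark's "Duplicate IP address" condition
        "duplicate_ips": {ip: sorted(s) for ip, s in macs_by_ip.items() if len(s) > 1},
        "private_targets": sorted(t for t in targets if is_rfc1918(t)),
        "public_targets": sorted(t for t in targets if not is_rfc1918(t)),
    }


# Constructed sample in the question's log format (not the asker's data):
# MAC ...:01 sends requests as two different gateway IPs, and MAC ...:02 also
# claims 10.0.64.1. 203.0.113.5 is a documentation-range address standing in
# for a non-private target.
SAMPLE_LOG = """\
04:47:05 [1] ARP Request Ethernet Info: [Source] = 02:00:5e:00:00:01 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:05 [1] ARP Request- 10.0.64.1 is asking for L2 of 10.0.67.84
04:47:08 [1] ARP Request Ethernet Info: [Source] = 02:00:5e:00:00:01 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:08 [1] ARP Request- 10.0.64.1 is asking for L2 of 10.0.65.250
04:47:20 [1] ARP Request Ethernet Info: [Source] = 02:00:5e:00:00:01 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:20 [1] ARP Request- 172.16.48.1 is asking for L2 of 172.16.59.83
04:47:25 [1] ARP Request Ethernet Info: [Source] = 02:00:5e:00:00:01 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:25 [1] ARP Request- 10.0.64.1 is asking for L2 of 203.0.113.5
04:47:30 [1] ARP Request Ethernet Info: [Source] = 02:00:5e:00:00:02 + [Destination] = ff:ff:ff:ff:ff:ff
04:47:30 [1] ARP Request- 10.0.64.1 is asking for L2 of 10.0.65.22
"""

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Read the two flagged lists differently. A router that carries several subnets on one interface legitimately sends ARP requests as each of its addresses from a single MAC, so `multi_ip_macs` on its own is a lead to investigate against the topology, not proof of spoofing. `duplicate_ips` (one IP, especially a gateway IP, claimed by two different MACs) is the stronger signal and is what triggers the Wireshark expert info mentioned in the comments.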


Stats

Asked: Mar 21 '2

Seen: 306 times

Last updated: Mar 21 '22