ARP poisoning

Posted: Fri May 09, 2008 3:44 pm
by Mortecai4
I've heard of this network hack called ARP poisoning,
and I was wondering if someone could explain it to me,
and if you can use Cain and Abel for it.

Re: ARP poisoning

Posted: Sun May 11, 2008 4:33 pm
by yourmysin
Alright, before you can truly understand ARP poisoning you must ask yourself "What is ARP?". ARP stands for Address Resolution Protocol. Just as it sounds, ARP is used to resolve an IP address to a MAC address.

ARP is a broadcast protocol, which means it sends a broadcast message to every host in that broadcast domain. This message pretty much says "Who has the IP address 192.168.0.3". Each host checks their IP address against the IP address in the ARP packet. The host who has the correct IP address will respond with something like "I have that IP address, my MAC address is 00f3:faf0:ab03". Now that the original device knows the destination device's MAC address they can communicate.

Now, what would happen if we could lie about our IP address? Remember, all hosts in the broadcast domain receive the ARP broadcast. If we lie about our IP address, we will then be able to communicate using our MAC address. Of course, the host will still assume us to be legitimate.

We can take this one step further and perform a MITM attack using ARP poisoning. But that's a bit more advanced.

Anyways, yes, you can use Cain for this. Sas01 wrote a decent article on criticalsecurity demonstrating this.
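
How the "lie" described in the post above looks to a defender watching the broadcast domain, as an added example that is not part of the original posts: it parses raw Ethernet/ARP frames and flags replies nobody asked for and IP addresses claimed by a second MAC. The function names, alert labels and the sample MAC addresses are assumptions made for this illustration; the frames are constructed test data.

```python
import struct
from ipaddress import IPv4Address

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (op, eth_src, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(eth_src), mac(sha), str(IPv4Address(spa)), str(IPv4Address(tpa))

def detect(frames):
    """Flag replies nobody asked for, IPs claimed by a second MAC, and forged sender fields."""
    bindings, pending, alerts = {}, set(), []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, eth_src, sha, spa, tpa = parsed
        if eth_src != sha:                        # Ethernet header and ARP body disagree
            alerts.append((i, "sender-mismatch", spa, sha))
        if op == 1:                               # request: spa asks "who has tpa?"
            pending.add((spa, tpa))
        elif op == 2:                             # reply: spa answers tpa
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))
            else:
                alerts.append((i, "unsolicited-reply", spa, sha))
        if bindings.setdefault(spa, sha) != sha:  # first binding seen is kept; a change alerts
            alerts.append((i, "ip-claimed-by-new-mac", spa, sha))
    return alerts

def build(op, src_mac, src_ip, dst_ip, dst_mac="ff:ff:ff:ff:ff:ff"):  # sample-frame helper
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (raw(dst_mac) + raw(src_mac) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + raw(src_mac) + IPv4Address(src_ip).packed + raw(dst_mac) + IPv4Address(dst_ip).packed)

# Constructed capture: a request, its genuine reply, then a second host claiming 192.168.0.3.
SAMPLE = [
    build(1, "02:00:00:00:00:02", "192.168.0.2", "192.168.0.3"),
    build(2, "02:00:00:00:00:03", "192.168.0.3", "192.168.0.2", "02:00:00:00:00:02"),
    build(2, "02:00:00:00:00:66", "192.168.0.3", "192.168.0.2", "02:00:00:00:00:02"),
]

print(*detect(SAMPLE), sep="\n")
```

Gratuitous ARP and a changed binding also occur legitimately (failover pairs, a new DHCP lease), so these alerts are a starting point for triage rather than proof of poisoning.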

Re: ARP poisoning

Posted: Mon Sep 15, 2008 1:56 am
by leonidas_heaven
Hey, can anybody tell me where I can see the captured packets using Cain? I mean to say I have captured some packets, about 2241, just for trial, and I need to know where they are stored and how I can see what information is present in them.

Re: ARP poisoning

Posted: Thu Sep 18, 2008 9:30 am
by leonidas_heaven
I have found some HTTP requests, some emails, certificates, passwords, etc.
But most of the things look encrypted. Can anyone tell me what they are, or what they represent?

In APR-HTTPS there is information like "closed by server". Can anyone explain this also?

I have got HTTP(258), but only one visible email address and password. All the others look like rubbish, as I already said.
I am using Cain for this.

Re: ARP poisoning

Posted: Sun Oct 26, 2008 2:22 am
by theChameleon
leonidas_heaven wrote: Hey, can anybody tell me where I can see the captured packets using Cain? I mean to say I have captured some packets, about 2241, just for trial, and I need to know where they are stored and how I can see what information is present in them.

I don't think you can do that using Cain and Abel. If memory serves, I think you can see the really low-level packet stuff if you use Ethereal or some other packet analysers.

Maybe you can write to oxid and ask them to provide this function... shouldn't be a problem since they are so 1337 and stuff.