ARP poisoning detected.


Post by warnock on Fri Aug 27, 2010 11:59 pm

Greetings, forum

Tonight I downloaded an anti-ARP program named XArp from Cnet.

After I installed it, I set the security level to basic and was good to go.

And like magic, once I re-connected to my LAN it detected ARP spoofing.

So now that I know my LAN is being ARPed, what are the steps I'm supposed to take now?

And thanks in advance.


Re: ARP poisoning detected.

Post by -65536- on Sat Aug 28, 2010 1:58 am

Someone may have access to your network.

To find out more information:

The quick way:
  1. If your router is using DHCP then check the list of leased IPs on your router software.
  2. Find any leased IPs that do not belong to one of your computers.
  3. Your router software may give you more information about that computer.
The long way:
  1. Download Wireshark.
  2. Find your computer's MAC address and local IP address. Also find your router's MAC address and local IP.
  3. Find any ARP packets that claim to be your local IP, but do not match your MAC address. Or find any ARP packets that claim to be your router's local IP, but do not match its MAC address.
  4. Congratulations, you just identified the MAC address of your attacker.
  5. Find any ARP packets from the attacker's MAC address that do not match your local IP or router's IP.
  6. Congratulations, you just identified the local IP address of your attacker.
  7. Assuming both you and your attacker are using Windows you can try: NBTSTAT -A <ipaddress> to find the computer name of the attacker. Or you can use a number of other utilities to profile the attacking computer. Some Google searches should yield something if you're interested.
You can check the MAC address and computer name of your attacker and see if it matches one of your computers. If it is, then it is caused by a virus or poorly written program. If not then it is someone connected to your network through wifi or wired.

To fix it:
  • IMPORTANT: Assume that all your online accounts have been compromised. After you fix it change all your passwords and monitor any financial accounts for unauthorized activity. (Any website that you connect to using https should be safe, but better safe rather than sorry.)
  • Check all your computers using a good antivirus and rootkit detector. Check all your installed services and the programs that start on startup.
  • Check if there are any known vulnerabilities for your router, if so you will have to update your firmware.
  • Reset your router's settings.
  • Change your router's password to something difficult to guess.
  • Make sure your wireless network is encrypted using WPA.
  • Set up a MAC address white list if your router supports it.
  • Change your wifi password to something difficult to guess.
  • Make sure all wired computers belong :)
  • Optional: Use a static ARP cache.
If you still have problems then you either still have a virus, someone got your new password, or it's a false positive.

Some of this stuff might be hard to figure out. And the instructions in the information section may not work depending on the intelligence of your attacker. Feel free to ask any specific questions if you need help.
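Steps 3 to 6 of "the long way" above, automated as an added example that is not part of the original posts: it parses raw Ethernet/ARP frames, flags any MAC that claims a known IP it does not own, then lists the other IPs that MAC announces. All MAC addresses, IP addresses and frames below are constructed sample data, and the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!6s6sHHHBBH6s4s6s4s"  # Ethernet header (14 bytes) + ARP body (28 bytes)

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet/ARP frame; used only as sample capture data."""
    return struct.pack(ARP_FMT, mac_bytes(target_mac), mac_bytes(sender_mac),
                       0x0806, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < struct.calcsize(ARP_FMT):
        return None  # too short to hold an Ethernet header plus ARP body
    _, _, etype, htype, ptype, hlen, plen, _, sha, spa, _, _ = struct.unpack_from(ARP_FMT, frame)
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return ":".join(f"{b:02x}" for b in sha), str(IPv4Address(spa))

def find_conflicts(frames, known):
    """Steps 3-4: MACs that claim a known IP without being its recorded owner."""
    suspects = {}
    for mac, ip in filter(None, map(parse_arp, frames)):
        if ip in known and mac != known[ip].lower():
            suspects.setdefault(mac, set()).add(ip)
    return suspects

def own_addresses(frames, suspect_mac, known):
    """Steps 5-6: IPs the suspect MAC announces that are not one of the known IPs."""
    return {ip for mac, ip in filter(None, map(parse_arp, frames))
            if mac == suspect_mac and ip not in known}

# Constructed sample data: locally administered MACs, private addresses.
ROUTER, PC, SUSPECT = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
KNOWN = {"192.168.1.1": ROUTER, "192.168.1.10": PC}  # step 2: your own IP/MAC pairs
FRAMES = [
    build_arp(2, ROUTER, "192.168.1.1", PC, "192.168.1.10"),     # genuine reply
    build_arp(2, SUSPECT, "192.168.1.1", PC, "192.168.1.10"),    # claims the router's IP
    build_arp(2, SUSPECT, "192.168.1.10", ROUTER, "192.168.1.1"),  # claims the PC's IP
    build_arp(1, SUSPECT, "192.168.1.66", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),  # own request
    b"\x00" * 20,                                                 # truncated junk frame
]

if __name__ == "__main__":
    for mac, claimed in find_conflicts(FRAMES, KNOWN).items():
        print(mac, "claims", sorted(claimed), "and also uses", sorted(own_addresses(FRAMES, mac, KNOWN)))
```

The sender MAC is only what each frame claims, so a host that also forges its MAC will not be identified this way.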


Re: ARP poisoning detected.

Post by warnock on Sat Aug 28, 2010 2:39 pm

-65536- wrote: Optional: Use a static ARP cache.



I appreciate the advice.

I set up a static ARP cache, but now I can no longer access the internet at all on that computer (the web browser says server not found).

Can you please give me instructions on how to revert my ARP cache to normal for the time being? I can't find anything about it using Google.

I'm using Windows 7.

-- Sat Aug 28, 2010 2:29 pm --

Alright, I got my dynamic cache functioning again.

But I would still like to know why I can't use a static cache?

So you know, I followed the instructions on this site to activate my static cache:

http://social.technet.microsoft.com/for ... 581ff60f1/


If the above method is how it is done, then I'm telling you I did it right.

If this WAS a DoS attack (like from ettercap: http://www.youtube.com/watch?v=SASLHR8j ... re=related), how can I get around it?

I really like the idea of a static cache.


Re: ARP poisoning detected.

Post by -65536- on Sat Aug 28, 2010 11:16 pm

ARP spoofing attacks can be unidirectional or bidirectional. By setting up a static ARP cache on your PC you make sure that your packets are going to the router. However, your router does not have a static cache entry so the replies from your requests may not be going to you. That is probably your problem. So if your router doesn't have an option then there isn't much you can do.

BTW, I'm on vacation right now, that's why my reply is a little late :)

EDIT:
Static ARP will prevent people from ARP spoofing, but you still have someone on your local network. If you don't get rid of them they can just use a different attack. I would suggest that you get some information on them to see if it might be a neighbor or something then make sure you secure your local network.


