
All I read when it comes to detecting a man-in-the-middle attack is that the ARP cache table will have duplicated entries for the attacker's MAC address, but I can't find the reason why.

The way I think it is (because one is the faked one and the other the normal ARP response) leads me to think: supposing I'm the attacker, would it not be as easy as not sending the real ARP response, but only the fake one?


2 Answers


Let's say we have a network with Bob, Alice, and the router. You are an attacker, called Eve.

Now, you wish to carry out a MITM between Bob and the router. There are multiple options now:

  1. Capture traffic flowing from Bob to the router (e.g. traffic flowing to Facebook)
  2. Capture traffic flowing from the router to Bob (e.g. traffic flowing from Facebook to Bob)
  3. Capture traffic flowing in both directions (Bob to router and router to Bob) => most common attack.
  4. ARP poison-bomb all hosts in the network

The victim's (Bob's) ARP table will look different in each of the above scenarios:

Scenario 1

  • Eve's MAC : router's IP
  • (optional) Eve's MAC : Eve's IP

Scenario 2

  • (optional) Eve's MAC : Eve's IP
  • [On the router, Eve's MAC will now be linked to Bob's IP]

Scenario 3

  • Eve's MAC : router's IP
  • (optional) Eve's MAC : Eve's IP
  • [On the router, Eve's MAC will now be linked to Bob's IP]

Scenario 4

  • Eve's MAC : router's IP
  • Eve's MAC : Alice's IP
  • (optional) Eve's MAC : Eve's IP
  • [On the router, Eve's MAC will now be linked to Bob's IP]
  • What do you mean exactly when you say "optional"? – Franzech Domâs Jun 15 '16 at 15:07
  • For stealth reasons, it's possible that the attacker is not (yet) included in the ARP table of the other network hosts, by not responding to ARP requests (ARP ignore mode). – Michael Jun 15 '16 at 18:20
  • So, in that case, in the case that the attacker enables the ARP ignore mode, how could the victim be aware of its victim condition? (because there will not be any duplicated entry) – Franzech Domâs Jun 15 '16 at 18:45
  • There will be a duplicated entry in scenario 4. If your question is 'how to detect ARP spoofing', then that's an entirely different question than the one you asked now (why are there duplicated entries in my ARP table). ARP poisoning can be detected by monitoring ARP tables for unexpected changes, by monitoring gratuitous ARP broadcasts, by defining specific MAC-IP relations that should not change, etc. Typically the monitoring is done over several hosts (the entire network). – Michael Jun 15 '16 at 20:09

What you might be describing is ARP Poisoning (or spoofing), where the attacker "poisons" the ARP caches of the hosts on the subnet by sending out lots and lots of ARP packets containing the attacker's layer-2 (MAC) address and the victim's layer-3 (IP Address), causing them to send their data to the attacker's MAC when the ethernet frame is assembled instead of the victim's MAC.

I'd imagine if you were to scan the ARP tables of affected machines, you'd find two entries for the same MAC address, one for the attacker's true IP address and one for the victim's IP address, both to the same MAC (the attacker's).

  • As an aside, that means the Attacker will receive all traffic destined to their machine and the victim. The attacker can then forge the ethernet frame and send the data back to the victim after it's been read, copied, malformed, etc. – Desthro Jun 14 '16 at 22:53
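As an added example (not part of either answer above), the following Python script implements the host-side checks Michael's comment lists and that both answers' "two entries for the same MAC" observation relies on: it parses neighbour-table snapshots in the format of Linux `ip neigh show`, flags a MAC bound to more than one IP, diffs a snapshot against a trusted baseline, and compares the default gateway against a pinned MAC-IP relation. The pinned check is what still fires in the "ARP ignore" case from the comments, where the attacker never appears under its own IP and so no duplicate exists. All addresses, the interface name and the pinned gateway binding are constructed values for this example.

```python
"""Defender-side ARP cache checks: duplicate MACs, baseline drift, pinned bindings.

Run over snapshots of a host's neighbour table. The snapshot format mirrors
Linux `ip neigh show`; everything below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed baseline, recorded while the network was in a trusted state.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:cc REACHABLE
"""

# Constructed snapshot matching Michael's scenario 4: Eve's MAC (..:aa) is
# bound to the router's IP and also appears under Eve's own IP (.20).
POISONED = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:aa REACHABLE
192.168.1.20 dev eth0 lladdr 02:00:00:00:00:aa STALE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:cc REACHABLE
192.168.1.40 dev eth0  FAILED
"""

# Constructed snapshot for the "ARP ignore" case: only the gateway entry is
# replaced, so there is no duplicate MAC to spot.
STEALTHY = """\
192.168.1.1 dev eth0 lladdr 02:00:00:00:00:aa REACHABLE
192.168.1.30 dev eth0 lladdr 02:00:00:00:00:cc REACHABLE
"""

# Hypothetical pinned relation: the gateway's MAC must never change.
PINNED = {"192.168.1.1": "02:00:00:00:00:01"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?",
    re.IGNORECASE,
)


def parse_ip_neigh(text):
    """Return {ip: mac} for entries that carry a hardware address.

    Entries without lladdr (e.g. FAILED) are skipped: they hold no binding.
    """
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            table[m.group("ip")] = m.group("mac").lower()
    return table


def duplicate_macs(table):
    """MACs bound to more than one IP, with the IPs they claim (sorted)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(before, after):
    """IPs present in both snapshots whose MAC differs: {ip: (old, new)}."""
    return {ip: (before[ip], after[ip])
            for ip in before
            if ip in after and before[ip] != after[ip]}


def pinned_violations(table, pinned):
    """Pinned IPs whose current MAC is not the expected one: {ip: (expected, actual)}."""
    return {ip: (expected, table[ip])
            for ip, expected in pinned.items()
            if ip in table and table[ip] != expected}


def audit(snapshot_text, baseline_text=BASELINE, pinned=PINNED):
    """Run all three checks and return their findings in one dict."""
    table = parse_ip_neigh(snapshot_text)
    baseline = parse_ip_neigh(baseline_text)
    return {
        "duplicates": duplicate_macs(table),
        "changed": changed_bindings(baseline, table),
        "pinned": pinned_violations(table, pinned),
    }


if __name__ == "__main__":
    for name, snap in (("poisoned", POISONED), ("stealthy", STEALTHY)):
        print(name, audit(snap))
```

Note that only the duplicate check is purely self-contained; the other two need state gathered while the network was trusted (a baseline snapshot or a pinned gateway binding), which is why Michael's comment frames detection as monitoring rather than a one-off look at the table.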