2

as one can see on the following screen photos / screenshots, I'm permanently getting ARP-spoofed:

My router's MAC adress should be "90:5C:44:E2:8D:24", as can be seen on the screenshot of my router's Web-GUI and on the sticker attached to the router (Compal ConnectBox).

However, under Windows Comodo CIS and xARP continue to warn me that I'm getting ARP-spoofed, while "arp /a" shows that 192.168.0.1 is resolved to "90:5c:44:d5:ee:65", which obviously differs after the third segment of the MAC address: ARP spoofing

Under Linux "ip r", "arpwatch" and "tcpdump" show the same evidence for this ongoing ARP spoofing. Flushing the ARP cache or deleting a specific entry in the cache won't work, my router's real MAC address does not even appear anymore.

Normally I would assume that someone is 'branching off' the cable connection between my router/modem and the distribution box, which is located in the building I live in in order to spoof me. Even under normal circumstances doing so would be quite difficult, but I'm customer of Unitymedia, which is a German broadband company also providing internet access via Modular CMTS over their coaxial cable broadband network.

Wouldn't it require an extremely high level of technological knowledge, skill and advanced hardware to 'branch off' a modulated signal (transmitted over a coaxial cable) in order to perform ARP spoofing?

Does anyone know what performing ARP spoofing in a scenario like this would require regarding these aspects?

Maybe it would also require or could involve a manipulation of my router's firmware and/or its configuration. Therefore I uploaded the configuration to my GoogleDrive, which can be extracted and saved locally, but which has a binary format that can probably only be read by my provider (Unitymedia), unlesss someone would be able to do so. Moreover this is only the configuration, it's not possible to extract the firmware using the web interface.

Matthew Peters
  • 3,592
  • 4
  • 21
  • 39
c128linux
  • 21
  • 1
  • I can't read your screencap, but it looks like it might say Cable MAC Address. If so that's the MAC address on the cable side, which is NOT the MAC address that your computers/devices connect to. If ARP spoofing is occurring, it can't be upstream of the router. – dave_thompson_085 Jul 05 '17 at 07:08
  • Sorry, it should be readable in my shared GoogleDrive folder then. There are three MAC addresses printed on the router and none of these is the MAC address which 192.168.0.1 gets resolved to. How can it occur then (Comodo etc. warn me about this all the time), if it's not upstream of the router? – c128linux Jul 05 '17 at 07:36
  • It can be downstream of the router, on the same network segment as your computer; that's _why_ a program on your computer can see it. You need to look at the local-side (WiFi and/or LAN) config on your router; usually in consumer devices these are pretty obvious but if not I don't know anything about your particular model -- although googling the model does find me reports last year of a vulnerability. – dave_thompson_085 Jul 05 '17 at 10:49

0 Answers0