First of all, I have a basic question regarding network traffic:

All devices in the network are connected with WLAN and a router. If I send a message from my computer to another device in the network by IP, my computer looks in the ARP table for the MAC address of that IP. If it is not found, it sends an ARP broadcast looking for that IP. If found, it forms a packet with the destination MAC of the target device (NOT the MAC of the router) and sends it. The router receives this packet and (now acting as a layer 2 switch) looks in its MAC address table (SAT) for this target MAC and sends it there.

Is this correct?

Now to my problem with ARP spoofing. Three devices are involved:

Attacker running Kali: x.x.x.105 (34:F3:xx:xx:xx:xx)
Target running Win10: x.x.x.107 (80:56:xx:xx:xx:xx)
Router: x.x.x.1 (44:6e:xx:xx:xx:xx)

Attacker has IP Forwarding enabled.

I now started two instances of arpspoof:

arpspoof -i wlan0 -t x.x.x.107 x.x.x.1

arpspoof -i wlan0 -t x.x.x.1 x.x.x.107

In the attacker's Wireshark I can see all outgoing ARP replies. They also say multiple IP usage detected! The ARP table was cleared after arpspoof started. The spoof has been running for nearly an hour.

However, in my target's Wireshark I can't see incoming ARP messages from the attacker.

The ARP table on Windows does not change. Also, my router doesn't seem to update its ARP table.

I can't find the problem here. Is Win10 blocking ARP replies that were not requested?

This is for education purposes only. Thank you

Saueee

1 Answer

There are some better explanations here; below is an educated guess: ARP poisoning between a wired and wireless network

The spoof should work almost immediately if it is working properly. New devices will see the gratuitous ARP from the attacker and automatically update their cache. A victim will not detect a duplicate IP; they should just update the mapping. The problem is likely at the router.

Arpspoof works through a switch because the switch has no way of knowing which port the legitimate IP address/MAC mapping is on, so without any form of port security/DHCP snooping/Dynamic ARP Inspection, it has to trust that a device is who it says it is when it claims "192.168.1.1 is at aa:bb:cc:dd:ee:aa" in its ARP reply/gratuitous ARP.

I'm not sure about wireless networks, but it seems to me that a router, even if it is operating at layer 2, switching traffic within the network, would likely analyze ARP packets, just like a switch does, so that it could also update its own ARP table. It may be dropping these gratuitous ARPs from the attacker because it's plain for it to see that they are not legitimate, because they are using its address and advertising a different MAC than its own.

flerb
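The check the answer guesses the router is performing, together with the duplicate-IP condition Wireshark reports in the question, written out as detection logic over raw ARP frames. This is an added example, not code from the post or from any router firmware; `ArpGuard`, `build_reply` and all addresses are constructed for illustration.

```python
import struct

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet
    ARP frame, or None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(frame[6:12]), mac_str(frame[22:28]), ip_str(frame[28:32])

class ArpGuard:
    """Keeps the first IP->MAC binding seen and judges later ARP frames."""
    def __init__(self, own_ip, own_mac):
        self.own_ip, self.own_mac = own_ip, own_mac
        self.bindings = {}

    def check(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return "ignore"
        eth_src, s_mac, s_ip = parsed
        # The answer's guess: a device knows its own address is being claimed.
        if s_ip == self.own_ip and s_mac != self.own_mac:
            return "drop: own IP claimed by " + s_mac
        if eth_src != s_mac:
            return "alert: Ethernet source differs from ARP sender MAC"
        # Same condition Wireshark flags as duplicate IP usage.
        known = self.bindings.setdefault(s_ip, s_mac)
        if known != s_mac:
            return f"alert: {s_ip} changed from {known} to {s_mac}"
        return "ok"

def build_reply(s_mac, s_ip, t_mac, t_ip):
    """Build a constructed ARP reply frame (sample input for the checks)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    return (m(t_mac) + m(s_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + m(s_mac) + i(s_ip) + m(t_mac) + i(t_ip))

# Constructed addresses: documentation IP range, locally administered MACs.
ROUTER, HOST, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:07", "02:00:00:00:00:05"
guard = ArpGuard("192.0.2.1", ROUTER)
for frame in (build_reply(HOST, "192.0.2.107", ROUTER, "192.0.2.1"),
              build_reply(OTHER, "192.0.2.1", HOST, "192.0.2.107"),
              build_reply(OTHER, "192.0.2.107", ROUTER, "192.0.2.1")):
    print(guard.check(frame))
```

The first-seen binding is only as trustworthy as the moment it was learned, which is why the switch features the answer names (DHCP snooping, Dynamic ARP Inspection) take their bindings from DHCP rather than from ARP itself.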