4

I am a student trying to demonstrate an ARP spoofing attack. To test whether my attack was working I decided to use Wireshark to sniff the packets on the attacking machine. At first I thought I was able to intercept traffic with my ARP spoofed setup, but I came to find that the reason I was able to see the packet was because Wireshark is able to sniff promiscuously.

Now I'm reading some information about ARP Spoofing on Wikipedia, which says the following:

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

If the ARP spoof spying only works on a local network because it is at layer 2 and I'm able to sniff promiscuously on the same local network, is there any reason to prefer the ARP method? I recognize that it can be used for a MITM attack, but I'm asking purely about spying. Is it possible to disable promiscuous listening? Using the commands `ifconfig enp0s25 -promisc` and `ifconfig enp0s25 promisc` I am able to change this mode on my interface, but I don't notice anything immediately.

Matt
  • Are you sniffing on an Ethernet switch or a wireless network? Ethernet switches only send traffic to the port with the destination MAC address, not the other ports (else it would be a hub and not a switch). – user Dec 09 '19 at 20:50
  • I am sniffing on a wireless network. I have an Ethernet connection from my 'victim' computer to a router (Google pods). The attacker is in a VM that is connected on the WiFi and I'm able to verify it is on the same network by pinging its address then using `arp` to show the MAC address. – Matt Dec 09 '19 at 20:53
  • If you're JUST worried about sniffing packets, then there are limited benefits when you can already see the traffic. It's possible you might miss wireless packets, in which case an ARP spoof attack might cause the dropped packet to retransmit (if TCP). You might end up missing it if you didn't insert yourself between the client and access point. – user Dec 09 '19 at 20:57
  • Thank you for your insight. There are a lot of retransmissions. – Matt Dec 09 '19 at 21:52
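The question toggles promiscuous mode with ifconfig and sees no visible change. The following added example (not part of the question or the answers) shows where that change is visible on Linux: the interface flag word in `/sys/class/net/<iface>/flags`, where bit 0x100 is the kernel's IFF_PROMISC. The same bit is set while a promiscuous Wireshark capture is running, because the kernel reference-counts promiscuity and reflects a non-zero count in the flags. The two sample flag values are constructed; scanning sysfs for interfaces in promiscuous mode is also a useful check for a defender, since an unexpected PROMISC flag on a host is a sniffing indicator.

```python
"""Decode the Linux interface flag word and list interfaces in promiscuous mode.
Added example, not from the question; bit values are the kernel's IFF_* constants."""

import os

# Subset of Linux IFF_* flag bits (from <linux/if.h>).
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x100: "PROMISC",
    0x1000: "MULTICAST",
}


def decode_flags(flags_hex):
    """Turn the hex string read from /sys/class/net/<iface>/flags into sorted flag names."""
    value = int(flags_hex.strip(), 16)
    return sorted(name for bit, name in IFF_FLAGS.items() if value & bit)


def is_promiscuous(flags_hex):
    """True if the IFF_PROMISC bit is set in the flag word."""
    return "PROMISC" in decode_flags(flags_hex)


def promiscuous_interfaces(sysfs_root="/sys/class/net"):
    """Scan sysfs and return the names of interfaces currently in promiscuous mode.
    Returns an empty list when the sysfs tree is absent (non-Linux, containers)."""
    found = []
    if not os.path.isdir(sysfs_root):
        return found
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            # Interface vanished or flags not readable; skip it.
            continue
    return found


if __name__ == "__main__":
    # Constructed sample values: a typical interface before and after
    # `ifconfig enp0s25 promisc` (UP|BROADCAST|MULTICAST, then with PROMISC added).
    for sample in ("0x1003", "0x1103"):
        print(sample, decode_flags(sample))
    print("interfaces in promiscuous mode now:", promiscuous_interfaces())
```

Run it on the attacking machine before and after starting a capture, or compare with `ip link show`, which prints PROMISC for the same bit. Whether the flag is set says nothing about what frames actually arrive at the port, which is the subject of the answer.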

1 Answer

2

On modern networks, passive sniffing (e.g. an interface in promiscuous mode) is typically not enough to sniff traffic of other devices on the network.

On a wired network, switches are generally used to link multiple devices together at layer 2. Switches learn what MAC addresses are connected to each port, and will only send frames out of the port that has the destination device attached. Therefore, an attacker who is connected to a switch will not receive traffic destined to other devices while in promiscuous mode. Here, ARP spoofing is necessary to convince the other devices to send their traffic to your MAC address, which will allow the switch to forward it to you.

If a hub is used instead of a switch (i.e. an old network), it sends all frames out of all ports, regardless of where the destination is. In this case, sniffing in promiscuous mode is sufficient.

Wireless networks get a little more complicated. On WPA2 networks, you simply cannot receive packets destined for other devices (since they each have their own encrypted session), and even on open networks, your wireless card shouldn't receive/process other traffic, promiscuous mode or not. In this case, you'd need ARP spoofing to sniff.

However, some wireless cards can be put in monitor mode, which allows all 802.11 frames on the current channel to be captured while not associated to any given network. If you capture a client's 4-way WPA2 handshake and have knowledge of the network's pre-shared key, you can decrypt the traffic. ARP spoofing is not needed here for sniffing.

So as you can see, there are different network scenarios that may or may not require an active attack like ARP spoofing in order to sniff.

multithr3at3d
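The answer's three wired cases (hub, switch, switch with ARP spoofing) can be made concrete with a small model. The following is an added illustration, not code from the question or the answer: a hub that repeats every frame, a learning switch with a MAC-to-port table, hosts with their own ARP caches, and an attacker NIC in promiscuous mode. All hosts, MACs and IPs are constructed. It also includes the check a defender would run against this attack: an ARP monitor that remembers the first MAC seen for each IP and alerts when an IP appears to move to a different MAC, which is exactly what the poisoned cache entry looks like on the wire.

```python
"""Model of why promiscuous mode alone does not see a neighbour's traffic on a switch,
and why ARP spoofing changes that. Added illustration; every host, MAC and IP is constructed."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: str


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, frame, in_port):
        return self.ports - {in_port}


class LearningSwitch(Hub):
    """Learns which port each source MAC sits behind; a known destination goes to
    that single port, an unknown one is flooded like a hub."""

    def __init__(self, ports):
        super().__init__(ports)
        self.cam = {}  # MAC -> port (the switch's CAM table)

    def forward(self, frame, in_port):
        self.cam[frame.src_mac] = in_port
        if frame.dst_mac in self.cam:
            return {self.cam[frame.dst_mac]}
        return super().forward(frame, in_port)


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    port: int
    arp_cache: dict = field(default_factory=dict)  # IP -> MAC, as this host believes it
    promiscuous: bool = False
    captured: list = field(default_factory=list)

    def send(self, fabric, dst_ip, payload, hosts):
        """Resolve dst_ip from the local ARP cache, hand the frame to the hub/switch
        and deliver it to whichever hosts sit on the ports it chose."""
        frame = Frame(self.mac, self.arp_cache[dst_ip], payload)
        for port in fabric.forward(frame, self.port):
            for h in hosts:
                if h.port == port:
                    h.receive(frame)
        return frame

    def receive(self, frame):
        # A NIC in normal mode drops frames not addressed to it; a promiscuous NIC keeps all.
        if frame.dst_mac == self.mac or self.promiscuous:
            self.captured.append(frame)


class ArpMonitor:
    """Defender-side check: remember the first MAC seen for each IP, alert on a change."""

    def __init__(self):
        self.bindings = {}

    def observe(self, ip, mac):
        old = self.bindings.setdefault(ip, mac)
        return f"ALERT: {ip} moved from {old} to {mac}" if old != mac else None


def build_lan(fabric_cls):
    victim = Host("victim", "aa:aa:aa:aa:aa:01", "10.0.0.10", port=1)
    gateway = Host("gateway", "aa:aa:aa:aa:aa:fe", "10.0.0.1", port=2)
    attacker = Host("attacker", "aa:aa:aa:aa:aa:66", "10.0.0.66", port=3, promiscuous=True)
    hosts = [victim, gateway, attacker]
    fabric = fabric_cls([h.port for h in hosts])
    for h in hosts:
        # Correct ARP caches, and one broadcast per host so the switch learns every port.
        h.arp_cache = {o.ip: o.mac for o in hosts if o is not h}
        fabric.forward(Frame(h.mac, "ff:ff:ff:ff:ff:ff", "gratuitous ARP"), h.port)
    return fabric, hosts


def attacker_sees_traffic(fabric_cls, poisoned=False):
    """True if the promiscuous attacker captured the victim's frame to the gateway."""
    fabric, hosts = build_lan(fabric_cls)
    victim, gateway, attacker = hosts
    if poisoned:
        # ARP spoofing outcome: the victim now maps the gateway's IP to the attacker's MAC.
        victim.arp_cache[gateway.ip] = attacker.mac
    victim.send(fabric, gateway.ip, "GET / HTTP/1.1", hosts)
    return any(f.payload == "GET / HTTP/1.1" for f in attacker.captured)


def detect_poisoning():
    """Run the monitor over a constructed sequence of ARP replies as the victim would see them."""
    monitor = ArpMonitor()
    _, (victim, gateway, attacker) = build_lan(LearningSwitch)
    seen = [(gateway.ip, gateway.mac), (attacker.ip, attacker.mac), (gateway.ip, attacker.mac)]
    return [a for a in (monitor.observe(ip, mac) for ip, mac in seen) if a]


if __name__ == "__main__":
    print("hub, promiscuous only:       ", attacker_sees_traffic(Hub))
    print("switch, promiscuous only:    ", attacker_sees_traffic(LearningSwitch))
    print("switch, after ARP poisoning: ", attacker_sees_traffic(LearningSwitch, poisoned=True))
    print("monitor alerts:", detect_poisoning())
```

The model deliberately leaves out the wireless cases from the answer: on WPA2 the per-client encryption, not the forwarding table, is what keeps other clients' frames unreadable, so monitor mode plus the handshake and PSK is the relevant path there. The ArpMonitor check is the same logic tools such as arpwatch apply on real networks; on a static LAN, pinning the gateway's MAC as a static ARP entry on clients removes the poisoned-cache path altogether.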