
To protect me from ARP spoofing, I tried most of the programs spread here and there and read most of the scientific papers on this subject, but I found a lot of ignorance and evasiveness to hide a bitter truth.

According to my research, all the proposed solutions talk about protecting your computer only, but they completely ignore the protection of the router.

I can divide the attack into two classes:

  1. attacking the victim directly; this is easy to detect and protect from, and this is what most, if not all, known programs address (static ARP solves this).
  2. attacking the router directly without attacking the victim directly, so the attacker can eavesdrop on all calls with the router made by the victim without leaving any traces. I could not find any program that detects this attack, except one dead program, which is antiarp.

This way I can throw away all the popular programs like XArp and ARP AntiSpoofer; they are useless for case 2.

So nice. The problem is that I was able to make a script, thanks to Scapy and Python, to attack the router, and I was able to eavesdrop on all the calls of the victim without the victim being able to discover me, except, as I said, with one program, which is antiarp. It works like this: it reads all the packets, and if it discovers that one of the packets did not come from the router, then this is undoubtedly an attack if the src IP is not a local IP. I was also able to create a script using the method used by antiarp, and this rule is enough to detect this attack:

from scapy.all import sniff
sniff(prn=alertme, filter="ip and (ether src not routerMAC and not src net 192.168.1.0/24)")

So far so good.

The problem is that I can easily change the attacker MAC :/, and then antiarp or my script fails to detect this attack. I tried to find some way to discover this attack, but I failed in a dramatic way.

Do you know a way to at least detect this type of attack without buying an advanced router? I mean using the simple routers that telecom companies give us. My router does not have any cool features; I am looking for a solution by which I can detect this attack without changing the router.

I tried all of this on Windows, but if there is a solution on Linux, then tell me please; I may find a way from it to apply it on Windows.

So my question is how can I detect a MAC spoof like the one used by Scapy by rebuilding the packet?

I know it is easy to detect a permanent change of MAC using SMAC, etc., but changing the MAC using Scapy is so dangerous, undetectable and silent like death: it replicates the router without changing the attacker's MAC permanently, so a simple MAC scan will not show me that there is a duplicate MAC in my LAN. Any help please? Can this even be detected?

Reading on the Stack Overflow and Stack Exchange sites I can find a few cryptic comments that show that some professionals know about this, but I have not been able to find anyone who talks about this problem in detail; they always talk in a vague manner without giving details and therefore do not give solutions.

Badr Elmers
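The two host-side checks the question describes, written out as an added example (not code from the question or from antiarp): rule 1 is the antiarp rule (a non-local source IP must arrive from the router's MAC), rule 2 watches ARP replies that bind the gateway IP to another MAC (the case 1 attack). The router MAC, gateway IP, subnet and sample frames are constructed for the example.

```python
import ipaddress
import struct

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet + (IPv4 | ARP) just far enough for the two checks."""
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    info = {"src_mac": src.hex(":"), "etype": etype}
    body = frame[14:]
    if etype == 0x0800 and len(body) >= 20:        # IPv4: source address at offset 12
        info["src_ip"] = ipaddress.ip_address(body[12:16])
    elif etype == 0x0806 and len(body) >= 28:      # ARP: opcode, sender MAC, sender IP
        info["arp_op"] = struct.unpack("!H", body[6:8])[0]
        info["arp_sha"] = body[8:14].hex(":")
        info["arp_spa"] = ipaddress.ip_address(body[14:18])
    return info

class ArpGuard:
    def __init__(self, router_mac: str, router_ip: str, local_net: str):
        self.router_mac = router_mac.lower()               # assumed gateway MAC
        self.router_ip = ipaddress.ip_address(router_ip)   # assumed gateway IP
        self.local_net = ipaddress.ip_network(local_net)

    def check(self, frame: bytes) -> list:
        f = parse_frame(frame)
        alerts = []
        # Rule 1 (antiarp): traffic from outside the LAN must be delivered by the router MAC.
        if "src_ip" in f and f["src_ip"] not in self.local_net and f["src_mac"] != self.router_mac:
            alerts.append(f"non-local {f['src_ip']} delivered by {f['src_mac']}, not the router")
        # Rule 2: an ARP reply claiming the gateway IP with a foreign MAC (case 1 poisoning).
        if f.get("arp_op") == 2 and f["arp_spa"] == self.router_ip and f["arp_sha"] != self.router_mac:
            alerts.append(f"ARP reply claims gateway {self.router_ip} is at {f['arp_sha']}")
        return alerts

# Constructed sample frames (not real captures); the victim is 192.168.1.10.
VICTIM_MAC = "aa:bb:cc:dd:ee:10"

def ipv4_frame(src_mac: str, src_ip: str, dst_ip: str = "192.168.1.10") -> bytes:
    eth = mac_bytes(VICTIM_MAC) + mac_bytes(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip

def arp_reply_frame(sender_mac: str, sender_ip: str) -> bytes:
    eth = mac_bytes(VICTIM_MAC) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, mac_bytes(sender_mac),
                      ipaddress.ip_address(sender_ip).packed, mac_bytes(VICTIM_MAC),
                      ipaddress.ip_address("192.168.1.10").packed)
    return eth + arp

guard = ArpGuard("aa:bb:cc:dd:ee:01", "192.168.1.1", "192.168.1.0/24")
```

With Scapy, `sniff(prn=lambda p: guard.check(bytes(p)))` feeds live frames into the same checks; a relayed frame whose Ethernet source has been set to the router's MAC passes rule 1 unflagged, which is exactly the limitation the question describes.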
  • The best way to deal with any MITM attacker is to use encrypted connections like TLS. Then, if there is an attacker, they don't get anything of value, and if they tamper with the connection, you'll notice. – bk2204 Jan 30 '22 at 22:15
  • @bk2204 yes, but this will not always work; see for example bettercap and its SSLStrip version to defeat HSTS: hstshijack – Badr Elmers Jan 30 '22 at 22:23
  • If you're really that concerned about this attack, then turn on HTTPS-only mode in your browser and other programs and don't use HTTP at all. There's no guaranteed way to detect an MITM attacker. – bk2204 Jan 30 '22 at 22:38
  • @bk2204 yes, but then you lose the ability to access HTTP sites, and most if not all the other programs could not even detect TLS interception as modern browsers do, so one will always be in danger. Breaking Wi-Fi is so easy, and if one cannot detect this attack then it is a checkmate. – Badr Elmers Jan 30 '22 at 22:52
  • I know that you have put a lot of work into this, and you are concerned, but this is not new, nothing special, and there is a known method to address it: TLS. That's why there was the big push for all sites to use TLS. Why LetsEncrypt became so important. "But it will not always work" -- but only if there is a misconfiguration on the site. "But HTTP sites won't work" -- exactly, but at this point, are any HTTP sites of high enough value to care if they are sniffed? – schroeder Jan 31 '22 at 01:00
  • And you're focused on the home. That's a very limited and localised threat. The Internet is a big place, and sniffing can occur anywhere along the lines. And you cannot detect that at all. – schroeder Jan 31 '22 at 01:01
  • @schroeder yes, Gov or ISP sniffing surely happens, but I never heard that some PayPal account was stolen by them, while I always hear about this happening in homes/cafes. Script kiddies are more harmful and dangerous. My fears really started with the fear of the ransom virus; if someone could enter my network, I might be lost. Then I found myself in the swamp of ARP spoofing; it is difficult to accept that you live between the walls of your house while you are always afraid. One last question: **say that someone hides himself inside my LAN by blocking ARP answers, can I at least detect this?** – Badr Elmers Jan 31 '22 at 04:52
