19

I am having some issues at work and there is a new network admin in place. I think I am being monitored so decided to run ArpSpy X in two scenarios:

  1. Over a WiFi bridge plugged into the Cisco router, I took a note of the router IP and MAC address. Then I did a vendor lookup and it shows as a Cisco router (which it should), but I also have another MAC entry for the same IP (the router IP) of FF:FF:FF:FF:FF.
  2. Then, hardwired via Ethernet, I only see the FF:FF.... address for the router IP.

At the moment I only use the network via VPN (OpenVPN) to an external VPN provider to be safe.

Can someone please tell me if the double MAC address via wired and the single FF:FF:FF.... is normal or am I just being paranoid?

Alexander O'Mara
user20214

4 Answers

25

FF:FF:FF:FF:FF:FF is the broadcast MAC address and is associated with the broadcast IP address in the ARP table (arp -a command). Somebody could be poisoning you but you might have mistaken the broadcast IP address for the Gateway IP address.

Here are tools that provide ARP security by alerting or stopping attacks:

  • XArp: Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
  • Snort: the Snort preprocessor Arpspoof detects ARP spoofing.
  • Arpwatch: the Ethernet monitor program, for keeping track of Ethernet/IP address pairings.
  • ArpON: Portable handler daemon for securing ARP against spoofing, cache poisoning or poison-routing attacks in static, dynamic and hybrid networks.
  • Antidote: Linux daemon, monitors mappings, unusually large number of ARP packets.
  • Arp_Antidote: Linux Kernel Patch for 2.4.18 - 2.4.20, watches mappings, can define action to take when.
  • ArpAlert: It listens on a network interface (without using 'promiscuous' mode) and catches all conversations of MAC address to IP request. It then compares the MAC addresses it detected with a pre-configured list of authorized MAC addresses. If the MAC is not in the list, arpalert launches a pre-defined user script with the MAC address and IP address as parameters. This software can run in daemon mode; it's very fast (low CPU and memory consumption). It responds to signal SIGHUP (configuration reload) and to signals SIGTERM, SIGINT, SIGQUIT and SIGABRT (arpalert stops itself).
  • ArpwatchNG: monitors MAC addresses on your network and writes them into a file. Last known timestamp and change notification is included. Use it to monitor for unknown (and as such, likely to be intruder's) MAC addresses or somebody messing around with your arp_/dns_tables.

https://en.wikipedia.org/wiki/ARP_spoofing

Pablo A
Cristian Dobre
8

There is also a Bro script that passively detects ARP spoofing. It monitors ARP requests and replies for potential spoofing. This is how the author describes it:

  1. An attacker using ARP spoofing as their method can either send gratuitous replies (which lie about an existing IP to MAC correspondence) or send many requests to one or more victims with spoofed sender hardware address and/or sender protocol address fields. This script checks for both gratuitous ARP packets, which are unsolicited replies, as well as ARP requests sent many times with the same information. An attacker will need to send many of either type of spoofed packet in order to continue the attack (otherwise the victim will stop directing its traffic to an attacker-supplied location).

  2. This script leverages knowledge of DHCP transactions, a consistent state of ARP requests and replies, and other metrics in order to provide more accurate information regarding potential attacks. For an attacker to deny a victim service or to initiate a MITM attack, the attacker will need to provide a spoofed MAC address of the victim's gateway. In order to maintain a continuing attack, the attacker will send many spoofed packets, which can be counted. It is possible that these spoofed packets will change IP to MAC mappings, which can be detected as well.

It currently sits in a separate GitHub repository, but we will eventually integrate it into master.

mavam
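The three checks the answer above describes (unsolicited replies, the same request repeated many times, and IP-to-MAC mappings that change) are easy to state as code. The following is an added example written for this page, not the Bro script the answer refers to; it runs the three heuristics over a small constructed ARP trace instead of live traffic, and the request-count threshold of 5 and all addresses in the trace are assumptions chosen for the illustration.

```python
"""Passive ARP-spoofing heuristics over a constructed packet trace.

Added example for this page (not the Bro script from the answer). It applies
the three checks the answer describes to a list of ARP records:
  - gratuitous_reply:  a reply that no earlier request asked for
  - repeated_request:  the same request (sender IP, target IP, sender MAC)
                       seen at least REQUEST_THRESHOLD times
  - mapping_change:    a sender IP that starts appearing with a different MAC
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# Assumption for the example: identical requests repeated this often are suspicious.
REQUEST_THRESHOLD = 5


def analyze(packets, request_threshold=REQUEST_THRESHOLD):
    """Return {check_name: [details, ...]} for every check that fired."""
    alerts = defaultdict(list)
    mapping = {}            # sender IP -> MAC learned from the sender fields
    pending = set()         # (requester IP, asked-for IP) of outstanding requests
    request_counts = Counter()

    for p in packets:
        if p.op == "request":
            key = (p.sender_ip, p.target_ip, p.sender_mac)
            request_counts[key] += 1
            if request_counts[key] == request_threshold:
                alerts["repeated_request"].append(key)
            pending.add((p.sender_ip, p.target_ip))
        elif p.op == "reply":
            # A reply is solicited only if its target asked for the sender's IP earlier.
            if (p.target_ip, p.sender_ip) in pending:
                pending.discard((p.target_ip, p.sender_ip))
            else:
                alerts["gratuitous_reply"].append((p.sender_ip, p.sender_mac))

        # Mapping-change check uses the sender fields of requests and replies alike.
        old = mapping.get(p.sender_ip)
        if old is not None and old != p.sender_mac:
            alerts["mapping_change"].append((p.sender_ip, old, p.sender_mac))
        mapping[p.sender_ip] = p.sender_mac

    return dict(alerts)


# Constructed addresses for the sample trace (not taken from the page).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_TRACE = [
    # Legitimate exchange: the victim asks for the gateway, the gateway answers.
    ArpPacket("request", VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),
    ArpPacket("reply", GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
] + [
    # Unsolicited replies claiming the gateway IP belongs to another MAC.
    ArpPacket("reply", ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    for _ in range(3)
] + [
    # The same spoofed request repeated well past the threshold.
    ArpPacket("request", ATTACKER_MAC, GATEWAY_IP, ZERO_MAC, VICTIM_IP)
    for _ in range(6)
]


if __name__ == "__main__":
    for check, details in analyze(SAMPLE_TRACE).items():
        print(f"{check}: {details}")
```

On the sample trace the legitimate request/reply pair raises nothing, while the spoofed traffic produces three gratuitous replies, one mapping change for the gateway IP, and one repeated-request alert. A real deployment would feed the function from a packet capture and would expect some benign noise: hosts legitimately send gratuitous ARP when they boot or change address, which is why the answer pairs these checks with DHCP knowledge and packet counts rather than alerting on a single packet.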
5

The best and most reliable way, if you are familiar with networking, is to boot up a copy of Wireshark and look for suspicious requests.

You can also look at a simple traceroute printout between you and the internet; if you see hops that shouldn't be there, then it's possible you're being attacked.

Additionally, by simply pinging all the local machines (nmap -sP 192.168.1.0/24 will do this quickly) and then checking the ARP table (arp -an) for duplicates, you can detect ARP poisoning quite quickly.

The following links should help:

StarDotHosting

OSTalks.com

Hope that helps!

NULLZ
    How reliable is the traceroute method? I would imagine there might be ARP poisoning toolkits that don't increment the hop count on packets they inspect and forward. Those would be invisible to traceroute. – us2012 Jan 31 '13 at 12:35
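The first answer's point about the broadcast MAC and this answer's "check the ARP table for duplicates" step can both be automated over the output of `arp -an`. The following is an added example for this page, not code from either answer or from any of the tools listed: it parses `arp -an` lines in the macOS/BSD and Linux formats, reports any MAC that is mapped to more than one IP, and reports the broadcast MAC only where it sits on a non-broadcast IP. The sample table, the 192.168.1.0/24 network (taken from the nmap command above) and all addresses in it are constructed for the illustration.

```python
"""Check an `arp -an` listing for duplicate MACs and misplaced broadcast entries.

Added example for this page (not code from the answers). Two checks:
  - duplicate_macs:              one MAC claiming several IPs (the pattern a
                                 poisoned table shows when an attacker's MAC
                                 sits on both its own IP and the gateway's)
  - broadcast_mac_on_unicast_ip: ff:ff:ff:ff:ff:ff is expected only on the
                                 network's broadcast address, as the first
                                 answer explains
"""
import ipaddress
import re
from collections import defaultdict

# Matches "(192.168.1.1) at 0:11:22:33:44:55" from both macOS and Linux `arp -an` output;
# macOS may print MAC octets without zero padding, hence {1,2} per octet.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"
)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 0:11:22:33:44:55 == 00:11:22:33:44:55."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def parse_arp_table(text):
    """Return {ip: mac} parsed from `arp -an` output; lines without a MAC are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def check_arp_table(table, network):
    """Apply both checks to a parsed table for the given network (e.g. "192.168.1.0/24")."""
    net = ipaddress.ip_network(network)
    broadcast_ips = {str(net.broadcast_address), "255.255.255.255"}
    findings = {"duplicate_macs": {}, "broadcast_mac_on_unicast_ip": []}
    by_mac = defaultdict(list)

    for ip, mac in table.items():
        if mac == BROADCAST_MAC:
            if ip not in broadcast_ips:
                findings["broadcast_mac_on_unicast_ip"].append(ip)
            continue
        by_mac[mac].append(ip)

    findings["duplicate_macs"] = {
        mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1
    }
    return findings


# Constructed sample in macOS `arp -an` format: .1 is the gateway, .37 is a
# second host showing the gateway's MAC, .255 is the normal broadcast entry.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.20) at aa:bb:cc:dd:ee:1 on en0 ifscope [ethernet]
? (192.168.1.37) at 0:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""


if __name__ == "__main__":
    findings = check_arp_table(parse_arp_table(SAMPLE_ARP_OUTPUT), "192.168.1.0/24")
    print(findings)
```

To run it against a live table, pipe `arp -an` into the script and pass its output to `parse_arp_table`. A MAC shared by two IPs is a prompt to investigate rather than proof of poisoning: a router that answers for several addresses, a host with multiple IPs, or proxy ARP all produce the same pattern legitimately, so compare the duplicated MAC against the vendor lookup and the known gateway before drawing conclusions. The broadcast check answers the original question directly: ff:ff:ff:ff:ff:ff on the .255 entry is expected, and it is only worth attention when it appears against the gateway's own IP.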
-1

For wireless connections you can use the commandline tool 'arp'.

This tool has the unintended property of displaying your router in the first line of its output. The output printed with this ordering was apparently accidental (I learned this from someone who purportedly communicated with the developers about that), but it is reliable.

Again, on wireless connections only, this command will list your gateway, spoofed or not, in the first line of output. If that line matches someone else's computer on the network other than the router, your ARP table is poisoned.

Rondo
  • Why would you use cron to fire a script every second, when you can just loop inside the script itself. This just doesn't make any sense. – not2qubit Dec 28 '17 at 13:27
  • You would have to make it run during startup, then. I wanted to avoid doing a system startup script. That's the "any sense" it makes. – Rondo Jan 03 '18 at 01:03
  • If you are downvoting for reasons unrelated to security (architecture), please tell me how you would fulfill the requirements: 1) no startup scripts (root), 2) any loop run could kill the script so it must restart, 3) no matter when or who has logged in, the script should run upon wakeup because 4) WiFi is configured to connect automatically. This 'run every minute' is pretty bulletproof. Let me know when it starts to make sense. – Rondo Jan 16 '18 at 04:08