1

If you watch traffic in real time, you can see that an attacker doing a MiTM attack does ARP spoofing because MAC addresses will be duplicated, etc. And, well, you can see all MAC addresses and see who is a router and check if MAC addresses of the router match.

But what if we know that an attack was done yesterday, for example? How can we find out which MAC address was ARP spoofing and sending fake certificates (let's assume user accepted that)? Let's say an attacker stole some bank account credentials on a site that uses HTTPS. Is it even possible?

avgvstvs
andrea

2 Answers

2

Checking logs. The great secret of dissecting what happened after an attack. Poring over logs to find the malicious activity and see what it is. If there are no logs, you can't tell.

Where to look for the logs is also half the battle because depending on the exact nature of the attack, you could need logs from the client, a server or a router or some combination of the 3. It really depends on how the attack was performed.

AJ Henderson
  • But are logs of requests stored on the client somewhere? And does the router store logs too (it would require lots of space, I guess)? And the server thinks all actions were done by the user if he accepted a fake certificate or HTTPS was stripped, I believe, no? Let's assume ARP spoofing (ettercap to send fake requests) was used with sslstrip to find the user's credentials. – andrea May 05 '14 at 15:28
  • Andrea - logs could be anywhere, they could be nowhere. It all depends on the configuration of the environment and what hardware was actually involved. Different devices are configured with different levels of logging and may or may not have captured the details needed. Piecing it all together is a very non-trivial task. – AJ Henderson May 05 '14 at 15:32
1

To find out that an ARP attack has occurred, you simply need to view the contents of the kernel's ARP table and try to find, for example, a suspect duplicated IP address or a spoofed one. To display the ARP table on a Linux system:

# arp -a
TMR_OS