5

The situation is: a hall full of 200-300 people, and one of them is performing an ARP cache poisoning attack, or messing with my network over wifi in any way. Is there a way to determine his location? Using some kind of directional antenna or something? I don't need to be very accurate; when I have the direction, I will probably find the suspicious one. I know that this is almost impossible, but if anyone knows something to suggest and try, I would really appreciate that. Thanks for any ideas.

3 Answers

1

You need to capture and analyze network traffic using Wireshark to detect the source of the ARP poisoning attack. Check out this article. The idea is to use this filter:

arp.duplicate-address-frame

There is also another solution in this video.

TMR_OS
  • 208
  • 2
  • 10
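An added example, not part of the answer above: a minimal Python sketch of the duplicate-address idea behind that filter, flagging any IPv4 address that more than one MAC claims as ARP sender. The function names and the sample frames are constructed for illustration; in practice the frames would come from a capture.

```python
import struct
from collections import defaultdict

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:   # EtherType ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32])

def find_conflicts(frames):
    """Return {ip: [macs]} for every IP announced by more than one sender MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[2] != "0.0.0.0":   # skip ARP probes (no sender IP yet)
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_reply(smac, sip, dmac, dip):
    """Build an ARP reply frame; used only to construct the sample data below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    eth = m(dmac) + m(smac) + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + m(smac) + a(sip) + m(dmac) + a(dip)

# Constructed sample capture: the gateway address is announced by two different MACs.
SAMPLE = [
    build_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.50"),
    build_reply("aa:bb:cc:00:00:01", "192.168.1.50", "00:11:22:33:44:55", "192.168.1.1"),
    build_reply("de:ad:be:ef:00:02", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.50"),
]

if __name__ == "__main__":
    for addr, macs in find_conflicts(SAMPLE).items():
        print(f"{addr} is claimed by: {', '.join(macs)}")
```

A conflict is a lead rather than proof: DHCP reassignment or a failover pair can also move an IP between MACs, so compare the flagged MACs against the known address of the gateway before tracking one down.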
0

Play around with Kismet - with a directional antenna or a bit of walking around you should be able to locate where the sources of the ARP traffic are strongest - one of them being a legitimate user, the other not so much.

pacifist
  • 794
  • 3
  • 8
0

Without any hardware but your PC (with Linux), you could

  • determine his MAC address with Wireshark and look at his signal strength with airodump-ng as you go through the hall. Problem: it's a hall, so probably highly resonating.

  • check the vendor of his wifi card (with his MAC address) to know what PC he has, although he surely used mac-changer (and even if he didn't, that would force you to verify all the manufacturers that embedded this specific wifi card)

  • Honeypot. Run a little webserver on your computer with some of Metasploit's HTTP auxiliaries embedded and connect to it from another computer. With some luck, if he is monitoring the traffic with Wireshark, he will see it and will connect to it (a tiny little server without a domain name, running locally, is always something curious and worth checking). If he uses the same browser for his everyday routine, you will be able to catch his Gmail address, Facebook name and maybe even his passwords (yet, it's been several years since I tested this and I don't know if you can still grab passwords with those modules).

Yet if he is a careful attacker, none of these will work (except maybe the first one to some extent).

Good luck!

zX8iqV
  • 413
  • 2
  • 12