
I'm a computer security student who has recently been tasked with conducting an ARP spoofing attack on a couple of devices on a test network. The issue I'm facing is that none of the devices seem to be responding to any sort of ARP spoofing. I can run nmap and scan through the network and see all the devices that are connected to the same AP as I am, so I know I can at least see the devices.

Note: The network is a PEAP network with mschapv2

So my question is: When conducting an ARP spoofing attack on a network, can a router detect, and then throw away, bogus ARP replies?

user71642
  • How often are you sending ARP spoofing replies? – schroeder Apr 02 '15 at 17:21
  • So I've been using MITMF from kali, and it looks like it sends it out every second. – user71642 Apr 02 '15 at 17:43
  • When you run a packet capture, can you see traffic from the other devices? – schroeder Apr 02 '15 at 17:49
  • No, I haven't been able to see any traffic. – user71642 Apr 02 '15 at 17:56
  • If you have not been able to see traffic from them, it is possible that the network is set up in such a way that you need to address the ability to communicate directly with the hosts before you can poison their ARP caches. – schroeder Apr 02 '15 at 18:10
  • You need at least 3 devices of which you see the MAC and IP address. Then you can try to tell device 1 that device 2's IP is now at your MAC address. – ott-- Sep 13 '15 at 21:12

2 Answers


Is your computer in the same subnet as the target devices? Because ARP only works between devices in the same IP subnet.

But if the two IP addresses are on different subnets, the device will follow a completely different logic: it will look in its routing table for a route to the destination network, and then it will send its packet to the appropriate router (or to its default gateway if no more specific route is present). In this scenario, ARP will be used to find the hardware address of the router, because the destination IP address has already been deemed not directly reachable, so the packet must be delivered to a router which can take care of it.

Look in here for a better explanation.

pedromendessk
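The routing decision described in this answer, as an added worked example (not code from the answer's author): a host with a small, constructed routing table resolves which IP address it will actually ARP for when sending to a given destination. An on-link destination is ARPed for directly; anything else resolves the next-hop router chosen by longest-prefix match, falling back to the default gateway. The route table and addresses are constructed for the example and are not from the original question.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    """One entry of a host routing table (constructed for this example)."""
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop router IP, or None if the prefix is directly connected
    iface: str


# Constructed routing table of a hypothetical host 192.168.1.20/24 on wlan0.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "wlan0"),            # on-link
    Route(ipaddress.ip_network("10.0.0.0/8"), "192.168.1.254", "wlan0"),    # more specific route
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.1.1", "wlan0"),       # default gateway
]


def lookup_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    dst_addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        if dst_addr in route.prefix:
            if best is None or route.prefix.prefixlen > best.prefix.prefixlen:
                best = route
    return best


def is_on_link(routes: List[Route], dst: str) -> bool:
    """True when dst is reachable without a router, i.e. the host will ARP for dst itself."""
    route = lookup_route(routes, dst)
    return route is not None and route.via is None


def arp_target(routes: List[Route], dst: str) -> str:
    """Return the IP address whose MAC the host resolves with ARP when sending to dst.

    For an on-link destination that is dst; otherwise it is the next-hop router,
    so a spoofed reply for dst itself would never be consulted by this host.
    """
    route = lookup_route(routes, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    return dst if route.via is None else route.via


if __name__ == "__main__":
    for dst in ("192.168.1.50", "10.20.30.40", "8.8.8.8"):
        print(f"{dst:>14} -> ARP for {arp_target(ROUTES, dst)} (on-link={is_on_link(ROUTES, dst)})")
```

Only the first destination is in the host's own /24, so only its own MAC-to-IP binding is ever looked up through ARP; the other two destinations cause the host to resolve a router's address instead, which is exactly the distinction the answer draws.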

You mention PEAP with MSCHAPv2. This is WPA2 Enterprise?

In the university I work at, our network (eduroam) blocks all packets between clients. That is, you can't ARP spoof someone else on the network.

If you happen to be using that network (IST/ULisboa?), or a network where the same is done, I'd tell you to get a real test network.

Otherwise:

You don't mention the operating system of the target device. The only thing that occurs to me is that, if you are sending gratuitous ARP replies, whether they are respected or not depends on the operating system.

I know that some Windows and MacOS X (that I've tested) respect them by default. At least the vanilla Debian Linux Wheezy/Jessie don't accept them by default.

$ cat /proc/sys/net/ipv4/conf/all/arp_accept
0

If you want that device to respect gratuitous ARPs,

$ sudo tee /proc/sys/net/ipv4/conf/all/arp_accept <<< 1
1

and then test again.
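To make the distinction between solicited, gratuitous and conflicting ARP replies concrete from the defender's side, here is an added example (my code, not the answer's author's): a minimal ARP frame parser and a monitor that flags gratuitous replies (sender and target protocol address equal) and any reply that tries to move a known IP to a different MAC, which is the pattern an ARP poisoning attempt produces on the wire. The frames are constructed in memory for the example; the MAC and IP addresses are made up. Note that the Linux arp_accept knob discussed above only governs whether unsolicited replies may create new neighbour entries; detection like this is independent of that setting.

```python
import struct
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")              # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")      # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP (IPv4 over Ethernet) frame; None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def is_gratuitous(arp: dict) -> bool:
    """A gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp["spa"] == arp["tpa"]


class ArpMonitor:
    """Passive IP-to-MAC baseline with alerts on gratuitous replies and binding changes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}   # first-seen binding, kept as the baseline
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[dict]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        if arp["op"] == ARP_REPLY and is_gratuitous(arp):
            self.alerts.append(f"gratuitous reply: {arp['spa']} is-at {arp['sha']}")
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]
        elif known != arp["sha"]:
            # The baseline is deliberately not overwritten, so the conflict stays visible.
            self.alerts.append(f"conflict: {arp['spa']} was {known}, reply now claims {arp['sha']}")
        return arp


def _sample_frame(op: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str) -> bytes:
    """Build a constructed ARP frame as sample input for the monitor (test data only)."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    return (ETH_HDR.pack(to_mac(eth_dst), to_mac(sha), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, to_mac(sha), to_ip(spa), to_mac(tha), to_ip(tpa)))


def run_sample() -> ArpMonitor:
    """Feed three constructed frames: a normal reply, a benign gratuitous one, then a conflicting one."""
    gw_mac, host_mac, other_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:99"
    frames = [
        _sample_frame(ARP_REPLY, gw_mac, "192.168.1.1", host_mac, "192.168.1.20", host_mac),
        _sample_frame(ARP_REPLY, gw_mac, "192.168.1.1", BROADCAST, "192.168.1.1", BROADCAST),
        _sample_frame(ARP_REPLY, other_mac, "192.168.1.1", host_mac, "192.168.1.20", host_mac),
    ]
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

The second frame is flagged only because it is gratuitous; its binding agrees with the baseline, so it is informational. The third frame is the one a defender cares about: a reply for an IP the monitor already knows, carrying a different hardware address.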