UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Target selection (our IP is 172.16.189.136, default gateway is ifconfigĮth0 Link encap:Ethernet HWaddr 00:0c:29:ab:b2:2c Simply put, we use arpspoof to convince the gateway that we are the target, and the target that we are the gateway. This is a combination of skillz in my SSLSTRIP post and the Image Extraction post. So here is the easy way to capture traffic from the network for investigation later. As most networks these days will be switched, its no longer a case of plug in & dump packets. If the attack succeeds, identify weak points in your defensive measures and remediate them.We all know the difference between a hub & a switch (if not, this is not the blog for you).
If the table contains two different IP addresses that have the same MAC address, this indicates an ARP attack is taking place. The output will look something like this: Internet Address Physical Address
Use the following command to display the ARP table, on both Windows and Linux: arp -a Start an operating system shell as an administrator. Here is a simple way to detect that a specific device’s ARP cache has been poisoned, using the command line.
How to Detect an ARP Cache Poisoning Attack
The attacker is now secretly in the middle of all communications.
The two devices update their ARP cache entries and from that point onwards, communicate with the attacker instead of directly with each other.This fools both router and workstation to connect to the attacker’s machine, instead of to each other. The forged responses advertise that the correct MAC address for both IP addresses, belonging to the router and workstation, is the attacker’s MAC address.The attacker uses a spoofing tool, such as Arpspoof or Driftnet, to send out forged ARP responses.
They scan the network to determine the IP addresses of at least two devices-let’s say these are a workstation and a router.