Jump to content

Recommended Posts

Posted

Hi,

what I would like to know is if there is any way I can check if someone is attacking my wifi network with MITM or ARP poisoning, is it possible and any app I could use or what should I look for?

thanks

Posted

Highly unlikely, but you would notice a big difference in lag when browsing. Also if the computer doing the attack goes out of range, you wont have internet period until you clear your arp cache on your PC and router.

Posted

Highly unlikely, but you would notice a big difference in lag when browsing. Also if the computer doing the attack goes out of range, you wont have internet period until you clear your arp cache on your PC and router.

thanks

I posted the question cause yesterday happened something I have never seen before on this computer, I could browse the internet but could not scroll the page with the mouse or use scroll bar, there was a lot of scroll lagging on any web broswer, I don't know what caused it but came to my mind my computer was under attack! anyway I rebooted and the problem was gone.

by the way how do I clear the arp cache on th PC and router, (Ubuntu 10.10, chromium, opera and firefox)

Posted

thanks

I posted the question cause yesterday happened something I have never seen before on this computer, I could browse the internet but could not scroll the page with the mouse or use scroll bar, there was a lot of scroll lagging on any web broswer, I don't know what caused it but came to my mind my computer was under attack! anyway I rebooted and the problem was gone.

by the way how do I clear the arp cache on th PC and router, (Ubuntu 10.10, chromium, opera and firefox)

Arp has nothing to do with a browsers functionality with scrolling. Its merely a way for another person to peek at all your traffic. They could however control what pages you see and even serve you fake versions of sites you tried to visit, such as gmail, banks, etc. but the scrolling issue I think might have just been a bug on the page you were on or the pc itself. Rebooting fixed it, so hard to say if it was an actual attack or not.

Look up the arp command from a terminal or the man pages for more info, but if you are paranoid, you can set static entries for your router/gateway so no one can arp poison you.

Under windows its "arp -s xx:xx:xx:xx:xx:xx" where xx is the mac address you want to add. I don't have linux open at the moment, so I don't know the exact command, but its similar. Disabling and re-enabling the nic resets this under windows, but not sure under linux. Do delete your arp cache in windows, type "arp -d *" and then do an "arp -a" to list your arp table. Again, linux commands are similar but I don't have it in front of me a the moment, and I'm too lazy to google it for you...

Posted

Under windows its "arp -s xx:xx:xx:xx:xx:xx" where xx is the mac address you want to add. I don't have linux open at the moment, so I don't know the exact command, but its similar. Disabling and re-enabling the nic resets this under windows, but not sure under linux. Do delete your arp cache in windows, type "arp -d *" and then do an "arp -a" to list your arp table. Again, linux commands are similar but I don't have it in front of me a the moment, and I'm too lazy to google it for you...

Don't you worry my friend, got your back covered.

http://linux.about.com/library/cmd/blcmdl8_arp.htm

Posted (edited)

I want to make a note here, if you are trying arp -s commands under a 64-bit Windows 7 (and possibly Vista, but haven't tested this) you can't do arp -s to add static entries.

Even when doing a "run as administrator" for the cmd prompt, you need to use

"netsh interface ipv4 add neighbors "Local Area Connection" x.x.x.x xx-xx-xx-xx-xx-xx

instead, where x.x.x.x is the IP of your gateway or device you want to add and xx-xx-xx-xx-xx-xx is the mac address of the device. "Local Area Connection" is the name of the adapter in use, and this can vary depending on how many NICs you have in use and what they are named.

What you can do is throw that command string into a bat script, and then right click it and select "run as administrator". The nice thing about this, is that evne when disabling and re-enabling the NIC, it seems to save the static entry, unlike the old way through arp -s, which seems to clear when disabling and re-enabling the NIC.

Edited by digip
Posted

There are tools like ArpWatch or ArpON that can alert you if you gateway ip address changes. if it changes, chances are someone is arp poisoning the network.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...