gandaran Posted February 10, 2011

Hi, what I would like to know is if there is any way I can check if someone is attacking my wifi network with MITM or ARP poisoning. Is it possible, and is there any app I could use, or what should I look for? Thanks

Mr-Protocol Posted February 10, 2011

Highly unlikely, but you would notice a big difference in lag when browsing. Also, if the computer doing the attack goes out of range, you won't have internet, period, until you clear your ARP cache on your PC and router.

gandaran (Author) Posted February 11, 2011

> Highly unlikely, but you would notice a big difference in lag when browsing. Also, if the computer doing the attack goes out of range, you won't have internet, period, until you clear your ARP cache on your PC and router.

Thanks. I posted the question because yesterday something happened that I have never seen before on this computer: I could browse the internet but could not scroll the page with the mouse or use the scroll bar, and there was a lot of scroll lagging in any web browser. I don't know what caused it, but it came to my mind that my computer was under attack! Anyway, I rebooted and the problem was gone. By the way, how do I clear the ARP cache on the PC and router? (Ubuntu 10.10, Chromium, Opera and Firefox)

digip Posted February 12, 2011

> Thanks. I posted the question because yesterday something happened that I have never seen before on this computer: I could browse the internet but could not scroll the page with the mouse or use the scroll bar, and there was a lot of scroll lagging in any web browser. I don't know what caused it, but it came to my mind that my computer was under attack! Anyway, I rebooted and the problem was gone. By the way, how do I clear the ARP cache on the PC and router? (Ubuntu 10.10, Chromium, Opera and Firefox)

ARP has nothing to do with a browser's functionality with scrolling. It's merely a way for another person to peek at all your traffic. They could, however, control what pages you see and even serve you fake versions of sites you tried to visit, such as Gmail, banks, etc., but the scrolling issue I think might have just been a bug on the page you were on or the PC itself. Rebooting fixed it, so it's hard to say if it was an actual attack or not.

Look up the arp command from a terminal or the man pages for more info, but if you are paranoid, you can set static entries for your router/gateway so no one can ARP poison you.

Under Windows it's "arp -s xx:xx:xx:xx:xx:xx" where xx is the MAC address you want to add. I don't have Linux open at the moment, so I don't know the exact command, but it's similar. Disabling and re-enabling the NIC resets this under Windows, but I'm not sure under Linux.

To delete your ARP cache in Windows, type "arp -d *" and then do an "arp -a" to list your ARP table. Again, Linux commands are similar but I don't have it in front of me at the moment, and I'm too lazy to google it for you...

Infiltrator Posted February 13, 2011

> Under Windows it's "arp -s xx:xx:xx:xx:xx:xx" where xx is the MAC address you want to add. I don't have Linux open at the moment, so I don't know the exact command, but it's similar. Disabling and re-enabling the NIC resets this under Windows, but I'm not sure under Linux.
>
> To delete your ARP cache in Windows, type "arp -d *" and then do an "arp -a" to list your ARP table. Again, Linux commands are similar but I don't have it in front of me at the moment, and I'm too lazy to google it for you...

Don't you worry my friend, got your back covered.

http://linux.about.com/library/cmd/blcmdl8_arp.htm

digip Posted February 19, 2011 (edited)

I want to make a note here: if you are trying arp -s commands under a 64-bit Windows 7 (and possibly Vista, but I haven't tested this), you can't do arp -s to add static entries, even when doing a "run as administrator" for the cmd prompt. You need to use "netsh interface ipv4 add neighbors "Local Area Connection" x.x.x.x xx-xx-xx-xx-xx-xx" instead, where x.x.x.x is the IP of your gateway or device you want to add and xx-xx-xx-xx-xx-xx is the MAC address of the device. "Local Area Connection" is the name of the adapter in use, and this can vary depending on how many NICs you have in use and what they are named.

What you can do is throw that command string into a bat script, and then right-click it and select "run as administrator". The nice thing about this is that even when disabling and re-enabling the NIC, it seems to save the static entry, unlike the old way through arp -s, which seems to clear when disabling and re-enabling the NIC.

Edited February 19, 2011 by digip

Infiltrator Posted February 19, 2011

There are tools like ArpWatch or ArpON that can alert you if your gateway IP address changes. If it changes, chances are someone is ARP poisoning the network.

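Added example, not written by any poster in this thread and not code from ArpWatch or ArpON: a small check for the two ARP-cache signs the thread points at on the Ubuntu side, namely the gateway's entry no longer matching the MAC you recorded for it, and one MAC answering for several IPs. It parses the Linux `/proc/net/arp` layout; the two snapshots, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed snapshots in the /proc/net/arp layout; all addresses are made up.
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BEFORE = HEADER + (
    "192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0\n"
    "192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0\n"
)
AFTER = HEADER + (
    "192.168.1.1      0x1         0x2         66:77:88:99:aa:bb     *        wlan0\n"
    "192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0\n"
)

def parse_arp(text):
    """Return {ip: mac} for resolved entries in /proc/net/arp-style text."""
    table = {}
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flag bit 0x2 (ATF_COM) marks a completed entry; skip unresolved ones.
        if int(flags, 16) & 0x2 and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table

def check(table, gateway_ip, known_gateway_mac):
    """Return a list of warning strings for one ARP-cache snapshot."""
    warnings = []
    expected = known_gateway_mac.lower()
    seen = table.get(gateway_ip)
    if seen and seen != expected:
        warnings.append(f"gateway {gateway_ip} is at {seen}, expected {expected}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            warnings.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return warnings

if __name__ == "__main__":
    for name, snap in (("before", BEFORE), ("after", AFTER)):
        print(name, check(parse_arp(snap), "192.168.1.1", "00:11:22:33:44:55"))
    # Live Linux host: check(parse_arp(open("/proc/net/arp").read()), gw_ip, gw_mac)
```

Record the gateway MAC while on a connection you trust. A shared MAC is only a hint, since a host with several addresses produces it too.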