billyblaxsta
Posted August 14, 2011

Hello,

Let's assume that someone was arpspoofing a network and ran (using Ubuntu) arp -a. The network is a large open wireless and many clients have joined it. An edited version of the results is:

? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0 #this is the gateway
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0

Three questions.

a) I assume these are the IPs and MAC addresses of the people going through the arpspoofer (as he is the MITM)? Correct?

b) What does <incomplete> signify - why is there no MAC?

c) You will notice that 192.168.4.29, 192.168.4.25, and 192.168.4.39 have very similar MAC addresses and all begin 192.168.4.x. The AP the hypothetical arpspoofer was connected to was 00:14:0d:22:18:05. Obviously these three IPs are on the same subnet as the gateway device (192.168.4.1). I assume these are clients that are quite possibly permanently connected. Could they be wired machines?

Thanks.