billyblaxsta Posted August 14, 2011

Hello,

Let's assume that someone was arpspoofing a network and ran (using Ubuntu) arp -a. The network is a large open wireless and many clients have joined it. An edited version of the results is:

? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0   #this is the gateway
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0

Three questions.

a) I assume these are the IPs and MAC addresses of the people going through the arpspoofer (as he is the MITM)? Correct?

b) What does <incomplete> signify - why is there no MAC?

c) You will notice that 192.168.4.29, 192.168.4.25, and 192.168.4.39 have very similar MAC addresses and all begin 192.168.4.x. The AP the hypothetical arpspoofer was connected to was 00:14:0d:22:18:05. Obviously these three IPs are on the same subnet as the gateway device (192.168.4.1). I assume these are clients that are quite possibly permanently connected. Could they be wired machines?

Thanks.
Mr-Protocol Posted August 14, 2011

Doesn't sound too "Hypothetical"
billyblaxsta (Author) Posted August 15, 2011

> Doesn't sound too "Hypothetical"

It was done on my friend's office network with his permission. So it's not hypothetical in one sense but it's hypothetical inasmuch as it's not an actual attack. I would still like to know the answers.
Mr-Protocol Posted August 15, 2011

If your friend owns the network, he should be able to explain what the devices are. And with that you can determine what is shown in the log.
hexophrenic Posted August 15, 2011

a) No, it shows the IP-MAC ARP cache for the machine it was run on. It likely reflects a list of actively spoofed hosts as well as other hosts (gateway, etc.) that it is not spoofing.

b) incomplete means it cannot perform a proper ARP transaction, meaning the host may not be up any longer or it is showing an entry that has not yet completed and is in timeout countdown.

c) It may be filtered by the AP itself. This would be more common in WIPS, isolated networks, or a separate WLAN network. It may also be that some machines have MAC addresses assigned manually and get granted other access because of that (very unlikely though, IMHO).
billyblaxsta (Author) Posted August 16, 2011

OK. Thanks. So for point a) you are saying the ARP cache is both spoofed and non-spoofed machines? Because obviously the gateway is not being spoofed but is included in the table.

I am not quite sure what you mean in point c). I don't think there is any filtering going on. It's just that some machines in that list are wireless clients while others have very similar MAC addresses to the MAC of the AP to which I was connected. Maybe they are other APs? Would that be a viable interpretation?
hexophrenic Posted August 16, 2011

Yes to your understanding of point a).

Point c) - the thing I was mentioning is that the AP is either responding with its own MAC addresses (each wireless profile will have a unique MAC address) or is masquerading virtual MAC addresses in some sort of layer 2 translation or protection. So, it could be multiple APs with the same SSID or multiple SSIDs on the same AP, or some variation therein is the most likely scenario.
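As an added example (not from the thread), here is a small parser for the Ubuntu `arp -a` format shown in the first post. It pulls out the `<incomplete>` entries hexophrenic explains in point b), groups hosts whose MACs share a prefix (the three 00:14:0d:22:18:xx entries discussed under point c)), and, from a defender's side, reports any MAC that answers for more than one IP, which is what a victim's ARP cache looks like while it is being poisoned. The sample text is constructed from the addresses in the thread; the sample cache is clean, so the duplicate check returns nothing.

```python
import re
from collections import defaultdict

# Constructed sample in the format `arp -a` prints on Ubuntu (addresses taken from the thread).
ARP_OUTPUT = """\
? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0
"""

# One arp -a line: "<host> (<ip>) at <mac or <incomplete>> [<type>] on <iface>"
ENTRY_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|<incomplete>)"
    r"(?: \[(?P<type>\w+)\])? on (?P<iface>\S+)$"
)

def parse_arp(text):
    """Return one dict per ARP cache line; 'mac' is None for an <incomplete> entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an arp -a entry
        d = m.groupdict()
        d["mac"] = None if d["mac"] == "<incomplete>" else d["mac"].lower()
        entries.append(d)
    return entries

def incomplete_ips(entries):
    """IPs the kernel sent an ARP request for but never got a reply (host gone or still resolving)."""
    return [e["ip"] for e in entries if e["mac"] is None]

def group_by_prefix(entries, octets=5):
    """Group IPs by the first `octets` bytes of the MAC: 3 = vendor OUI, 5 = near-identical adapters."""
    groups = defaultdict(list)
    for e in entries:
        if e["mac"]:
            groups[":".join(e["mac"].split(":")[:octets])].append(e["ip"])
    return {p: ips for p, ips in groups.items() if len(ips) > 1}

def duplicate_macs(entries):
    """A single MAC claiming several IPs (e.g. the gateway's IP) is the classic ARP-poisoning symptom."""
    seen = defaultdict(list)
    for e in entries:
        if e["mac"]:
            seen[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}
```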