
The "arp -a" Command


billyblaxsta


Hello,

Let's assume that someone was arpspoofing a network and ran (using Ubuntu) arp -a. The network is a large open wireless and many clients have joined it. An edited version of the results is:

? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0 #this is the gateway
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0

Three questions.

a) I assume these are the IPs and MAC addresses of the people going through the arpspoofer (as he is the MITM)? Correct?

b) What does <incomplete> signify - why is there no MAC?

c) You will notice that 192.168.4.29, 192.168.4.25, and 192.168.4.39 have very similar MAC addresses and all begin 192.168.4.x. The AP the hypothetical arpspoofer was connected to was 00:14:0d:22:18:05. Obviously these three IPs are on the same subnet as the gateway device (192.168.4.1). I assume these are clients that are quite possibly permanently connected. Could they be wired machines?

Thanks.

a) No, it shows the IP-MAC ARP cache for the machine it was run on. It likely reflects a list of actively spoofed hosts as well as other hosts (gateway, etc.) that it is not spoofing.

b) incomplete means it cannot perform a proper ARP transaction, meaning the host may not be up any longer or it is showing an entry that has not yet completed and is in timeout countdown.

c) It may be filtered by the AP itself. This would be more common in WIPS, isolated networks, or a separate WLAN network. It may also be that some machines have MAC addresses assigned manually and get granted other access because of that (very unlikely though, IMHO).

OK. Thanks. So for point A) you are saying the ARP cache is both spoofed and non-spoofed machines? Because obviously the gateway is not being spoofed but is included in the table.

I am not quite sure what you mean in point C. I don't think there is any filtering going on. It's just that some machines in that list are wireless clients while others have very similar MAC addresses to the MAC of the AP to which I was connected. Maybe they are other APs? Would that be a viable interpretation?

Yes to your understanding of point A. Point C - the thing I was mentioning is that the AP is either responding with its own MAC addresses (each wireless profile will have a unique mac address) or is masquerading virtual MAC addresses in some sort of layer 2 translation or protection. So, it could be multiple APs with the same SSID or multiple SSIDs on the same AP, or some variation therein is the most likely scenario.

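The replies above make three points that are easy to check mechanically from a copy of `arp -a` output: an `<incomplete>` entry is an unanswered ARP request rather than a host, the cache of whatever machine you are on contains spoofed and unspoofed neighbours alike, and a tight cluster of MAC addresses next to the AP's BSSID usually means several radios or virtual APs of the same device. The script below is an added example written for this thread, not code posted by any participant. It parses the lines quoted in the first post (the `#this is the gateway` annotation removed), lists incomplete entries, groups MACs that sit within a small numeric window of the AP's BSSID `00:14:0d:22:18:05` from question c, and, from a defender's side, flags the classic poisoning symptom a victim sees in its own cache: one MAC claimed by more than one IP, typically including the gateway's. The second sample (`SPOOFED_VIEW`, the address 192.168.4.77 and the MAC `aa:bb:cc:dd:ee:ff`) is constructed for that check and is not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the edited arp -a lines quoted in the first post.
ARP_OUTPUT = """\
? (192.168.5.206) at 76:ca:34:bb:13:52 [ether] on wlan0
? (192.168.2.122) at 22:7d:8f:26:c6:9f [ether] on wlan0
? (192.168.3.239) at <incomplete> on wlan0
? (192.168.2.242) at 00:1f:24:51:d6:c4 [ether] on wlan0
nameofcompany.com (192.168.4.1) at 00:12:11:44:13:f1 [ether] on wlan0
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
? (192.168.4.25) at 00:14:0d:22:18:01 [ether] on wlan0
? (192.168.4.39) at 00:14:0d:22:18:c7 [ether] on wlan0
"""

# Constructed sample of a *victim's* cache while its gateway entry is poisoned:
# the gateway IP and a second IP both resolve to the same (invented) MAC.
SPOOFED_VIEW = """\
nameofcompany.com (192.168.4.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.4.77) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.4.29) at 00:14:0d:22:18:ec [ether] on wlan0
"""

# One line of Linux `arp -a` output: "host (ip) at mac [hwtype] on iface".
# An unanswered request shows "<incomplete>" and no [hwtype] field.
LINE_RE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}|<incomplete>)"
    r"(?: \[(?P<hwtype>\w+)\])? on (?P<iface>\S+)"
)


def parse_arp(text):
    """Return a list of dicts; mac is None for <incomplete> entries."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an ARP entry
        e = m.groupdict()
        e["host"] = None if e["host"] == "?" else e["host"]
        e["mac"] = None if e["mac"] == "<incomplete>" else e["mac"].lower()
        entries.append(e)
    return entries


def incomplete_entries(entries):
    """IPs that were asked for but never answered (host down or still pending)."""
    return [e["ip"] for e in entries if e["mac"] is None]


def duplicate_mac_ips(entries):
    """Map MAC -> IPs for MACs that answer for more than one IP.

    On a plain LAN each host answers only for its own address, so one MAC
    holding several IPs (above all the gateway's) is the symptom a victim sees
    during ARP spoofing. Legitimate causes exist too (proxy ARP, VRRP/HSRP),
    so treat a hit as something to investigate, not proof on its own.
    """
    by_mac = defaultdict(list)
    for e in entries:
        if e["mac"]:
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def macs_near(entries, bssid, window=256):
    """MACs within `window` of the AP's BSSID, sorted numerically.

    Vendors carve BSSIDs/radio MACs out of one contiguous block, so addresses
    this close to the BSSID are most likely other radios, SSIDs or virtual APs
    of the same access point rather than independent clients. Heuristic only.
    """
    base = mac_to_int(bssid)
    near = [e["mac"] for e in entries
            if e["mac"] and abs(mac_to_int(e["mac"]) - base) <= window]
    return sorted(set(near), key=mac_to_int)


def near_mac_groups(entries, window=256):
    """Cluster all cached MACs whose neighbours are within `window` of each other."""
    macs = sorted({e["mac"] for e in entries if e["mac"]}, key=mac_to_int)
    groups, current = [], []
    for mac in macs:
        if current and mac_to_int(mac) - mac_to_int(current[-1]) > window:
            groups.append(current)
            current = []
        current.append(mac)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) > 1]


if __name__ == "__main__":
    entries = parse_arp(ARP_OUTPUT)
    print("incomplete:", incomplete_entries(entries))
    print("near AP 00:14:0d:22:18:05:", macs_near(entries, "00:14:0d:22:18:05"))
    print("clusters:", near_mac_groups(entries))
    print("one MAC, many IPs (victim view):", duplicate_mac_ips(parse_arp(SPOOFED_VIEW)))
```

On the thread's own lines the script reports `192.168.3.239` as incomplete, no duplicate MACs (which is what you expect on the attacker's own machine, since its cache is simply its view of neighbours), and the three `00:14:0d:22:18:xx` addresses as a cluster around the BSSID, consistent with the last reply's "multiple SSIDs on the same AP" reading. The 256-address window is an assumption chosen for this example; a real inventory would compare against the vendor's known BSSID allocation instead.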