Arpspoof Disconnected Host


skillview

Are you using screen to keep the sessions alive? Anyway, some switches go crazy with ARP attacks, and hose up the network if it's on a wired network. Wifi usually works much better for these attacks. Just make sure you re-watch and do all the steps Darren covered, set up IP forwarding, etc.

By the way, you use the same subnet/network as Darren does at home? 10.13.37.0/24 ??

Edited by digip

By the way, you use the same subnet/network as Darren does at home? 10.13.37.0/24 ??

Sorry, I should have been more clear about it. I just used the above commands as an example from the video. My actual IP addresses were:

arpspoof -t 192.168.1.1 192.168.1.4

arpspoof -t 192.168.1.4 192.168.1.1

The Win7 host (192.168.1.4) is connected to a NetGear router. It worked for a little while after I ran the arpspoof commands from Ubuntu 11.10 but then lost the network.

Thanks.


You are ARP attacking the router and another machine on the network though, right, and not yourself? Just want to be clear on that. As for switches, they learn the MAC address of each device and put it in their ARP table. On wireless, if all clients you are attacking are wireless, this generally works pretty well. On wired networks, this can be problematic, since the router and client can relearn each other much easier, and in the process can even see two MAC addresses with the same IP, and start to hose up the network and drop packets to both you and the client or victim. If you stop the attack, then after bringing down and up the NIC on the victim machine, and a few minutes for the router to update its ARP table (all routers have an interval they recheck for, say, DHCP leases and ARP checks; with DHCP I think it's every 15 minutes and ARP is like every 5 minutes), everything will go back to normal. Wired networks always seem to get hosed up though when using ARP attacks. Especially on newer equipment, which is much faster, and operating systems that are much smarter.

Conversely, you can actually somewhat protect against these kinds of attacks by adding static ARP entries in your OS. On Windows, for example, I add my router's MAC in a static entry, so it can't be spoofed.

Open a command prompt (right click and run as administrator on Windows 7) and enter the following to add a static ARP entry for your router or gateway:


[CODE]
netsh interface ipv4 add neighbors "Local Area Connection" a.a.a.a xx-xx-xx-xx-xx-xx
[/CODE]

where a.a.a.a is your router's IP address and xx-xx-xx-xx-xx-xx is your router's MAC address. Then do an arp -a, and you will see it's set statically now, and will still be there on reboot ;)

In XP you can set it with "arp -s a.a.a.a xx-xx-xx-xx-xx-xx" but in XP, it will be gone after a reboot. You can try the same netsh command in XP, but I forget if it works without being administrator on the system. arp -s no longer works in Vista and 7; you need to use the netsh command to make them stick.

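A defensive check that follows from the static-entry advice above, as an added example that is not part of the original thread: it parses Windows `arp -a` output and flags a gateway entry that is still dynamic, plus any unicast MAC that answers for more than one IP, which is what a poisoned cache looks like. The sample tables, the MAC addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (not from the thread): the gateway entry is
# dynamic and shares its MAC with 192.168.1.5, as in a poisoned cache.
SAMPLE_POISONED = """\
Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-05     dynamic
  192.168.1.5           02-00-00-00-00-05     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed output after pinning the gateway with a static entry.
SAMPLE_PINNED = """\
Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-01     static
  192.168.1.5           02-00-00-00-00-05     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"\s+(static|dynamic)\s*$", re.IGNORECASE)

def parse_arp_table(text):
    """Return (ip, mac, type) tuples; header and interface lines are skipped."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(m[1], m[2].lower(), m[3].lower()) for m in rows if m]

def audit(text, gateway_ip):
    """List findings that suggest the cache is poisoned or can be."""
    findings, ips_by_mac = [], defaultdict(set)
    for ip, mac, kind in parse_arp_table(text):
        if int(mac[:2], 16) & 1:      # broadcast/multicast MAC, not a host
            continue
        ips_by_mac[mac].add(ip)
        if ip == gateway_ip and kind != "static":
            findings.append(f"gateway {ip} is dynamic ({mac}), not pinned")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for name, table in (("poisoned", SAMPLE_POISONED), ("pinned", SAMPLE_PINNED)):
        print(name, audit(table, "192.168.1.1"))
```

On a live Windows host, pass it the text of `arp -a`. A shared MAC can also be legitimate (proxy ARP, for example), so treat that finding as a lead rather than proof.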

You are arp attacking the router and another machine on the network though, right, and not yourself?

I ran the arp commands from a different system, Ubuntu at 192.168.0.5.

bringing down and up the NIC on the victim machine, and a few minutes for the router to update its arp table

By the way how do you do it in Windows 7? I tried

ipconfig /release

ipconfig /renew

and it didn't help. I'm sure I had waited more than a few minutes. Only the restart helped.

Thanks for the useful info.


ipconfig /release *

ipconfig /renew *

Use the * to specify all NICs, or you need to type out something like ipconfig /release "Local area connection 1" or whatever the adapter name is set to.

But also, you can go into the network adapter itself, and disable it, and then re-enable it. How you get to it is different on Windows XP vs Vista and 7, but I keep a shortcut on my desktop to my network adapter from the control panel, so I can disable and re-enable it as needed.

You might also have to do a DNS flush with the ipconfig command, or you can open services.msc and restart both the DHCP and DNS services and that will pretty much reset your NIC. Sometimes you also need to be administrator, so right click the command prompt and click "run as administrator" and then try the " ipconfig /release * " then " ipconfig /renew * "

Edited by digip

You might also have to do a DNS flush with the ipconfig command, or you can open services.msc and restart both the DHCP and DNS services and that will pretty much reset your NIC. Sometimes you also need to be administrator, so right click the command prompt and click "run as administrator" and then try the " ipconfig /release * " then " ipconfig /renew * "

Just adding to what Digip suggested: if bringing the interfaces down and then up doesn't clear the ARP cache, run the following commands.

[CODE]
ipconfig /flushdns
[/CODE]

Then,

[CODE]
netsh interface ip delete arpcache
[/CODE]

The netsh command requires elevated privileges, so make sure you run CMD as administrator.
