Arp Attack

[Spook]

I recently watched one of the Hack5 videos which took us through using an Arp attack to fool the firewall/router into thinking my PC was another, thus capturing its network traffic

Im trying this on my ISP's network, Im trying to test this on an IP thats on the same gateway as me

Its not working, I dont appear to be recieving any packets from the remote PC

Im on XP, using Cain & Able to poisin which Ive done exactly as demonstrated, then used ethereal to sniff the packets

Im connected direct, no router using only XP's firewall

Im just wondering if this isnt working because Im trying to fool a heavy shit Cisco router used by my ISP.  Do they have extra security that defends its network from the Arp attack as apposed to your average joe netgear or belkin

Feedback would be great !

Spook.

[deleted]

It only really works on a LAN. Not an External Network (as to my undrestanding) it works on a different principle.

[Spook]

Yeh I would have thought that, so just to clarify it is because the ISP heavy shit routers arnt suceptable to these kind of attacks where as the cheapy routers are

[Sparda]

Routers aren't vulnerable to this at all. Switches are the only device that are.

[Spook]

In the hack5 video they use an example where 192.168.1.1 is the acting firewall/router and attack 192.168.1.102

Also go into an internet cafe and do the same there

Thats what I dont understand, so surely the router is vulnerable

[Sparda]

Routers are often now multiple devices. It's very common to get a box with a switch and a router together. The switch is the vulnerability.

Speaking of the wireless, a ARP attack is unnecessary to capture data. Nor is connection to the network. That is if you have access to the first layer of the net stack of wireless network adapter (i.e. the physical layer).

[Spook]

Ahh I see, so the switch is the target

So how in the hack5 example do they have it working on a router?

[Sparda]

So how in the hack5 example do they have it working on a router?

As in wireless?

[Spook]

Both, they did it on a wired and wireless LAN

[Sparda]

In the case of the wired they where attacking a box with a switch and a router combined, they where abusing the switch.

In the case of the wireless all they where doing was having the AP relabel the packets to there computer, there bypassing the need to be able to 'see' the packets physically becasue as fare as the wireless card is concerned the packets are for there computer. As for attacking a wireless network this is actually the wrong way to do it, this is a very intrusive method. The correct way is just to have the network card not drop any received packets even if they are labeled to be received by another computer. APs are, effectively, a wireless HUB.

[Spook]

I see, so basically a heavy cisco router is not going to have an exploitble switch built in?

[moonlit]

No, basically.

Oh, and it's "Hak.5", no "c".

Welcome.

[Spook]

My bad about the Hak  :-?

So just to conclude its the switch that deals with the Arp table?

[Sparda]

So just to conclude its the switch that deals with the Arp table?

Aye, only switches have ARP tables. Also, routers drop broadcast packets, which are what is used to poison arp tables. So, if you try to poison the non-existent arp table on a ISP router, the router will just (effectively) go "oh, it's a board cast packet, DELETED" (all routers have a LED on them that has the word "DELETED" next to it don't you know :P)

[Spook]

Ok I see now

But you mentioned in the example of Hak.5 the router obviously has a switch built in.. great!

However, although it has a poisonable switch the router is also designed to drop  the broadcast packets

So how are they still able to do this if the broadcast packets are being dropped before they can nest into the switches Arp table

[Sparda]

However, although it has a poisonable switch the router is also designed to drop  the broadcast packets

So how are they still able to do this if the broadcast packets are being dropped before they can nest into the switches Arp table

The router drops the packets, not the switch. When you send a packet to the 'router' (the box that is both a switch and a router) the switch 'sees' all traffic. So if the router dose drop a packet, it must have already passed though the switch.

[Spook]

Thank you!

Can you think of anyway to achieve the same sort targetting a Cisco router?

[Sparda]

Can you think of anyway to achieve the same sort targetting a Cisco router?

Physical rewire. Or figure out what the su password is and edit the routing tables.