system. On my system, it is eth1. It may be different on yours.
After you click Start, a window will appear where you can see the source IP address and the destination IP address of each packet, along with some other information.
Select any TCP or UDP packet. You will see a window like the one already shown above.
Here, I have selected a packet whose source IP is 74.125.200.189 and whose destination is my IP.
Now, click on the Ethernet II field below.
If we look carefully, source IP 74.125.200.189 is mapped to MAC address 00:1f:3a:bc:7b:58.
Now, open a terminal and type
# sudo arp-scan --interface=eth1 --localnet
It will show a list of IP addresses like the one below:
# sudo arp-scan --interface=eth1 --localnet
Interface: eth1, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.133 00:1f:3a:bc:7b:58 Pr_bc Ind.Co., Ltd.
192.168.1.138 *** (Unknown)
192.168.1.1 *** (Unknown)
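So, as you can see, the packet that I selected actually came from MAC address 00:1f:3a:bc:7b:58, which is mapped to IP 192.168.1.133 and not to IP address 74.125.200.189. The IP address 192.168.1.133 is an IP address on the local network. A packet from a remote address would normally arrive in a frame carrying the default gateway's MAC address, not the MAC address of another local host.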
This would mean that a falsified ARP message has been sent to link the IP of my device with the MAC address of another device, which is an ARP spoofing attack.
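The comparison made above, written as a script (an added example, not part of the original post): it parses arp-scan output and checks whether a frame with a remote source IP carries the MAC address of a local host other than the gateway. It assumes that 192.168.1.1 is the default gateway and that the network is 192.168.1.0/24; the two 02:00:... MAC addresses are constructed placeholders for the values the listing above hides.

```python
import ipaddress
import re

# Constructed sample: arp-scan output shaped like the listing above. The page
# hides two MAC addresses ("***"); the 02:00:... values are placeholders.
ARP_SCAN_OUTPUT = """\
Interface: eth1, datalink type: EN10MB (Ethernet)
192.168.1.133\t00:1f:3a:bc:7b:58\tPr_bc Ind.Co., Ltd.
192.168.1.138\t02:00:00:00:01:38\t(Unknown)
192.168.1.1\t02:00:00:00:00:01\t(Unknown)
"""

LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)


def parse_arp_scan(text):
    """Return {mac: [ip, ...]} for every host line in arp-scan output."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table.setdefault(m.group(2).lower(), []).append(m.group(1))
    return table


def check_frame(src_ip, src_mac, table, local_net, gateway_ip):
    """Classify one captured frame by comparing its source MAC with the scan."""
    owners = table.get(src_mac.lower(), [])
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net):
        # Local sender: its MAC should be the one arp-scan saw for that IP.
        return "ok" if src_ip in owners else "suspicious: local IP/MAC mismatch"
    if gateway_ip in owners:
        return "ok"  # remote traffic delivered by the gateway (assumed address)
    if owners:
        return f"suspicious: remote IP relayed by local host {owners[0]}"
    return "unknown: MAC not seen by arp-scan"


def duplicate_macs(table):
    """MACs that answer for more than one IP, another common spoofing sign."""
    return {mac: ips for mac, ips in table.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_scan(ARP_SCAN_OUTPUT)
    frames = [("74.125.200.189", "00:1f:3a:bc:7b:58"),  # the packet from the text
              ("74.125.200.189", "02:00:00:00:00:01")]  # constructed: via gateway
    for ip, mac in frames:
        print(ip, mac, "->", check_frame(ip, mac, table, "192.168.1.0/24", "192.168.1.1"))
```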
We can also confirm this with tcpdump.
Open a terminal and type:





