
Is This ARP Spoofing?

Florida1

Junior Member
I live alone. I own a dual modem/router, and I have four devices on my network. Laptop, Desktop, Tablet, & Smartphone. I also own a Roku and I have Google Play, but I believe those are set-up on a separate network automatically during the set-up process?

I'm confused as to why my MAC address in my ARP cache doesn't match the actual MAC address on my modem/router, and I am also curious where these static 224 and 239 subnets come from.

Is this what an ARP Poisoning / Man-In-The-Middle set-up looks like?

If it is, wouldn't this require physical access (or be within wireless range), to some degree, to make use of?

kcHomeModemRouter.jpg


kcHomeNetworkARPCache.jpg
 
The 224/4 subnet is used for multicast traffic. Nothing exciting there. Your router has several network interfaces, each has its own MAC address, and they don't bother printing all of them on the box. If you have command line access to it, it shouldn't be too hard to figure those out. These are usually in a series, as you have b3, b4, b5, b7 and b9. A router is likely to have pseudo-interfaces for internal use, which could explain why you don't see b6 and b8 on your network.

Of course, picking a MAC address very similar to your actual router would be a good idea for an attacker in order to avoid detection. And yes, that kind of attack requires physical/local access.
 
Funny you mention the physical/local access. I had a break in my first week living here. With no sign of forced entry and nothing stolen the police decided not to pursue it further.

My assumption was that it was my neighbor who was a board member. Board members have keys to every unit, and he has a unit next to mine.

Would that change things?

The first screenshot is from my ARP cache. Windows command prompt, 'arp -a'.

I ran this program I found, xARP. It's telling me it is detecting an ARP attack. I blocked my WAN IP in the screenshot below.

I'm still confused. Any help would be great. Thank you!

XArpScreenShotKCHomeNetwork.JPG
 
Never heard of Xarp, don't know what makes it decide an attack is occurring. The screenshot of it doesn't tell me anything interesting. I do know that many wireless repeater devices would likely trigger ARP spoofing alarms, because many basically do NAT with MAC addresses. One MAC address will appear to be tied to (unusually) many IP addresses. Probably other things too could cause it.

If you suspect unauthorized devices in your local network, disable Wi-Fi completely. That limits your search to devices with physical cables connected, which is a lot easier.

Assuming your router has local address 10.0.0.1, what is 10.0.0.2? It has a MAC address seemingly related to your router, but I don't see why your router would have two local addresses. Figuring that out might be a good start, unless you already know why that is.
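
Added example (not part of the thread and not any poster's code): a small Python triage of Windows `arp -a` output that applies the two checks discussed above, separating the normal 224/4 multicast and broadcast rows from unicast rows where one MAC is tied to several IPs. The sample table, its MAC addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format printed by Windows 'arp -a'; not the poster's data.
SAMPLE = """\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              aa-bb-cc-00-00-b3     dynamic
  10.0.0.2              aa-bb-cc-00-00-b3     dynamic
  10.0.0.7              aa-bb-cc-00-11-22     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def multicast_mac(ip):
    """Ethernet MAC an IPv4 multicast group maps to (RFC 1112): 01-00-5e + low 23 bits."""
    low23 = int(ip) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def analyze(text):
    """Return (expected, findings): normal multicast/broadcast rows and rows worth a look."""
    expected, findings = [], []
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = ipaddress.ip_address(m.group(1)), m.group(2).lower()
        if ip in MULTICAST:
            if mac == multicast_mac(ip):
                expected.append(str(ip))  # static 224.x / 239.x rows are normal
            else:
                findings.append(f"{ip}: multicast IP with unexpected MAC {mac}")
        elif mac == "ff-ff-ff-ff-ff-ff":
            expected.append(str(ip))  # subnet broadcast entry
        else:
            by_mac[mac].append(str(ip))
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one MAC tied to several IPs: repeater, router alias, or spoofing
            findings.append(f"{mac} answers for {', '.join(ips)}")
    return expected, findings

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A duplicate-MAC finding is only a prompt to identify the device behind it, since repeaters and routers with more than one local address produce the same pattern.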
 