Snifffer in Network
16 years 2 months ago #27564
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Snifffer in Network
Thanks for the info, but I can't get the MAC address of our gateway. Is there any way I can get this? I believe it is the Ethernet interface of the router in our network.
gagamboy, try "ping <gateway IP>" then "arp -a". Do it on a PC other than yours. You should be able to get the MAC this way as described above in step 1 (provided that the other PC is not also ARP poisoned).
I am now trying to search for Cain in the registry. Hope this will work.
Even if you don't find it in the registry, the attacker could be (and most probably is) running Cain from his own machine and sniffing the network from there. He does not need to install it on your PC to sniff you.
- gagamboy
- Topic Author
- Visitor
16 years 2 months ago #27581
by gagamboy
Replied by gagamboy on topic Re: Snifffer in Network
Thanks Solo. Yes, you are correct, the attacker may run it on his/her machine.
Bad news is I didn't find any Cain in my registry; the attacker may have used another method.
I have tried doing the arp -a and the gateway I get is OK. I think the whole network is being attacked?! I am not sure of it, but let's hope not.
Is there any method I can use to check/verify that our network is not being attacked?
Your feedback is highly appreciated. Thanks in advance.
regards,
Gagamboy
16 years 2 months ago #27583
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: Snifffer in Network
You're welcome, gagamboy.
As mentioned above, when you do "arp -a" you should get the same MAC for the gateway IP on each PC. If you get different MACs then at least one of the PCs is being ARP spoofed.
You could also use "Snort", an intrusion detection and prevention tool: www.snort.org/
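The cross-PC comparison described in this reply can be scripted; the following is an added example, not part of the original post, that parses Windows "arp -a" output collected from several PCs and reports disagreement about the gateway's MAC. It goes slightly beyond the post by also flagging a second IP that shares the gateway's MAC inside one table; the PC names, addresses and sample output are constructed.

```python
import re
from collections import defaultdict

# One row of Windows "arp -a" output: IP address, MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+\w+",
    re.I | re.M)

def parse_arp_table(text):
    """Return {ip: mac} for one PC's 'arp -a' output, MACs lower-cased with colons."""
    return {ip: mac.lower().replace("-", ":") for ip, mac in ROW.findall(text)}

def check_gateway(tables, gateway_ip):
    """tables maps PC name -> its 'arp -a' text. Returns a list of findings."""
    findings, seen = [], defaultdict(list)   # seen: gateway MAC -> PCs reporting it
    for pc, text in tables.items():
        table = parse_arp_table(text)
        gw_mac = table.get(gateway_ip)
        if gw_mac is None:
            findings.append(f"{pc}: no entry for {gateway_ip}, ping it and retry")
            continue
        seen[gw_mac].append(pc)
        # A second IP with the gateway's MAC in the same table deserves a look.
        for ip, mac in table.items():
            if ip != gateway_ip and mac == gw_mac:
                findings.append(f"{pc}: {gateway_ip} and {ip} share MAC {mac}")
    if len(seen) > 1:   # the PCs disagree about the gateway's MAC
        for mac, pcs in sorted(seen.items()):
            findings.append(f"gateway MAC {mac} reported by {', '.join(sorted(pcs))}")
    return findings

# Constructed sample output (addresses are made up for the example).
SAMPLE = {
    "PC-A": """Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-aa-bb-cc-dd-ee     dynamic
""",
    "PC-B": """Interface: 192.168.1.11 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.23          00-aa-bb-cc-dd-ee     dynamic
""",
}

if __name__ == "__main__":
    for line in check_gateway(SAMPLE, "192.168.1.1"):
        print(line)
```

A shared MAC inside one table can also have legitimate causes (for example a router holding several addresses), so treat that finding as a lead to check against the gateway's real MAC.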
- gagamboy
- Topic Author
- Visitor
16 years 2 months ago #27606
by gagamboy
Replied by gagamboy on topic Re: Snifffer in Network
Hi Solo, thanks for the info. I will research those tools and start looking/wiping for the attacker on my network.
Thanks to you guys. I appreciate your help!
16 years 2 months ago #27613
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Snifffer in Network
Hi Gents,
The info provided by S0lo is quite precise. For ARP poisoning to work, you don't need to have physical access to the machines in question. This is simply because the ARP process doesn't do any security checks and the hacker's machine can simply reply to ARP requests with bogus information in order to redirect the traffic through the hacker's computer.
It's worth noting that this type of attack would be performed internally, as they would need access to the same LAN segment that your target machines are attached to (or at least broadcast domain).
Also, even with an interface card in promiscuous mode, you are limited in what traffic you can see because of the switch. The switch is designed to only pass traffic to specific switch ports depending on the switch's CAM table, which has a switchport to MAC address mapping. This is how switches can perform better.
On a side note, the hacking courses that we have developed do look at this technique and Cain and Abel, if you are interested in this area.
Cheers
Wayne
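Since ARP itself performs no checks, as the post above explains, a defender has to watch for an IP whose claimed MAC changes. The following is an added example, not part of the original post and not the code of any tool named in this thread: it decodes Ethernet/IPv4 ARP payloads and alerts when a sender IP shows up with a different MAC than the one first seen or pinned. All addresses and the sample_arp helper are constructed for the demo, and nothing is sent on a network.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload (28 bytes); None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, ".".join(map(str, spa)), sha.hex(":")

class BindingMonitor:
    """Remembers the first MAC seen for each IP and reports later changes."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})   # ip -> mac, e.g. a known-good gateway

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        oper, ip, mac = parsed
        if ip == "0.0.0.0":                  # ARP probe: sender has no address yet
            return None
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            kind = "reply" if oper == 2 else "request"
            return f"ALERT {ip} was {known}, ARP {kind} now claims {mac}"
        return None

def sample_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload in memory for the demo below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def demo():
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:55"
    pc_ip, pc_mac = "192.168.1.10", "00:11:22:33:44:66"
    mon = BindingMonitor(pinned={gw_ip: gw_mac})
    frames = [
        sample_arp(1, pc_mac, pc_ip, "00:00:00:00:00:00", gw_ip),  # PC asks for gateway
        sample_arp(2, gw_mac, gw_ip, pc_mac, pc_ip),               # matching answer
        sample_arp(2, "00:aa:bb:cc:dd:ee", gw_ip, pc_mac, pc_ip),  # conflicting answer
    ]
    return [alert for alert in map(mon.observe, frames) if alert]
```

A MAC change is not always hostile (a replaced network card or a failover pair will trigger it too), so pin the bindings that matter, such as the gateway, and investigate alerts against those first.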
- gagamboy
- Topic Author
- Visitor
16 years 2 months ago #27787
by gagamboy
Replied by gagamboy on topic Re: Snifffer in Network
It means even if I used a switch (Cisco 3750) my network can be ARP poisoned?