
Find the true ARP response from the gateway to get its MAC address, or get its MAC address from another system or by logging on to it directly.

Catch all ARP replies that claim to be from the default gateway but come from a different MAC address. The filter for this is: arp.duplicate-address-detected. Wireshark usually shows these as "duplicate IP address detected" for the IP of the default gateway.

Find similar ARP responses from other machines that announce the IP of the gateway but with a different MAC address. With the PCAP file, find the MAC address of the default gateway.

However, the attacker will not see the actual data if it is encrypted, such as with SSL, unless they can get the encryption key in some way. The attacker then forwards requests to the default gateway as usual, but sees all communication between the client and the default gateway, which clients use to connect to everything on the internet.

Also, in the pcap examples it is said that something like this should get your IP, but it gives you your network address.

The client machine will send traffic to the gateway using the MAC address of the attacker.

Is there a way to get an IP address of an interface in Linux using libpcap? I have found this, "Get IP address of an interface on Linux", but that doesn't use pcap.


The attacker machine sends a gratuitous ARP to broadcast its own MAC address as the default gateway's MAC address.
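
The check described above (ARP traffic that claims the gateway's IP from a MAC other than the known-good one) can be scripted over raw Ethernet frames. This is an added example, not code from the original page; the function names, addresses and sample frames are constructed for illustration, and in practice the frames would come from the PCAP file.

```python
import socket
import struct

ETH_P_ARP = 0x0806

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return op, mac, socket.inet_ntoa(frame[28:32])

def gateway_impostors(frames, gateway_ip, gateway_mac):
    """List MACs, other than the known-good one, seen claiming gateway_ip."""
    # Any opcode is checked: a gratuitous ARP may be sent as a request or a reply.
    bad = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        _op, mac, ip = arp
        if ip == gateway_ip and mac != gateway_mac.lower() and mac not in bad:
            bad.append(mac)
    return bad

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build one Ethernet/ARP frame for the constructed sample below."""
    sm = bytes.fromhex(src_mac.replace(":", ""))
    dm = bytes.fromhex(dst_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sm + socket.inet_aton(src_ip) + dm + socket.inet_aton(dst_ip)
    return dm + sm + struct.pack("!H", ETH_P_ARP) + arp

# Constructed sample traffic (all addresses are made up for illustration).
GW_IP, GW_MAC = "192.168.1.1", "02:00:00:00:00:01"
CLIENT, ROGUE, BCAST = "02:00:00:00:00:10", "02:00:00:00:00:66", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build_arp(1, CLIENT, "192.168.1.10", BCAST, GW_IP),   # client asks for gateway
    build_arp(2, GW_MAC, GW_IP, CLIENT, "192.168.1.10"),  # true gateway reply
    build_arp(2, ROGUE, GW_IP, BCAST, GW_IP),             # gratuitous ARP, wrong MAC
    b"\x00" * 60,                                         # non-ARP frame, ignored
]

if __name__ == "__main__":
    for mac in gateway_impostors(SAMPLE, GW_IP, GW_MAC):
        print(f"{mac} claims to be gateway {GW_IP} (expected {GW_MAC})")
```

The known-good gateway MAC has to come from a trusted source, as the first step above says; a MAC learned from the same capture may already be the spoofed one.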
