In this attack, the attacker machine sends gratuitous ARP to broadcast its own MAC address as the default gateway's MAC address. Client machines will then send traffic for the gateway using the MAC address of the attacker. The attacker forwards the requests to the default gateway as usual, but it sees all communication between the client and the default gateway, which clients use to connect to everything on the internet. However, the attacker will not see the actual data if it is encrypted, such as with SSL, unless they can get the encryption key in some way.

To detect this with a PCAP file, first find the MAC address of the default gateway. Then find ARP responses from other machines that claim the IP of the gateway but carry a different MAC address. Wireshark usually shows these as "duplicate IP address detected" for the IP of the default gateway. The filter for this is:

`arp.duplicate-address-detected`

This catches all ARP replies that say they are from the default gateway but come from a different MAC address.
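The same check can be scripted over raw frames taken from a capture. The following is an added example, not part of the original post: the function names, IP addresses and MAC addresses are constructed, and it flags any ARP packet (gratuitous ARP may be sent as a request or a reply) whose sender IP is the gateway but whose sender MAC is not the known gateway MAC.

```python
import struct

def build_arp(oper, sha, spa, tha, tpa, dst="ff:ff:ff:ff:ff:ff"):
    """Build a constructed Ethernet/ARP frame as bytes (sample data only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return mac(dst) + mac(sha) + b"\x08\x06" + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_mac, sender_ip

def find_gateway_spoof(frames, gateway_ip, gateway_mac):
    """List MACs other than gateway_mac that claim gateway_ip as ARP sender."""
    suspects = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        oper, sender_mac, sender_ip = arp
        if sender_ip == gateway_ip and sender_mac != gateway_mac.lower():
            if sender_mac not in suspects:
                suspects.append(sender_mac)
    return suspects

# Constructed sample capture: assumed gateway 192.168.1.1 at 00:11:22:33:44:55.
GW_IP, GW_MAC, CLIENT = "192.168.1.1", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [
    build_arp(2, GW_MAC, GW_IP, CLIENT, "192.168.1.50", dst=CLIENT),          # real gateway reply
    build_arp(2, "aa:bb:cc:dd:ee:ff", GW_IP, "ff:ff:ff:ff:ff:ff", GW_IP),     # other MAC claims gateway IP
    build_arp(1, CLIENT, "192.168.1.50", "00:00:00:00:00:00", GW_IP),         # normal client request
]

if __name__ == "__main__":
    print(find_gateway_spoof(SAMPLE, GW_IP, GW_MAC))
```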