Windows method to detect ARP Poisoning in my local network (LAN)?

windows networking security arp
9,516

(This answer is an adaptation of this one to make it non-WiFi dependant, simpler, faster, and more appropriate to this other question)

Indeed, there is a simple method that is supposed to work in all cases. Under ARP Poisoning cases, there should necessarily be a duplicate MAC Address (AKA Physical Address) on your local network (AKA subnetwork or LAN), so the trick to detect it is simple: just list the ARP Table (this is: all the MACs that your computer knows) and check for duplicates.
The usual duplicate uses to be the gateway (router, that connects you to internet).
Method:

1.- Open Shell as Administrator:

cmd

2.- Clear ARP cache (for possible remaining disconnected devices on your network) and wait a few seconds (30 seconds should enough): arp -d -a 3.- List ARP Table by executing (the output is just an example case of poisoning):

c:\>arp -a
Interface: 192.168.11.108 --- 0x2
Internet Address IP Physical Address    Type
192.168.0.1         00-17-31-3f-d3-a9   dynamical
192.168.0.102       50-e5-49-c5-47-15   dynamical
192.168.0.107       00-17-31-3f-d3-a9   dynamical
192.168.0.108       00-0a-e4-a0-7f-78   dynamical

4.- Look for duplicates in the ARP table. In my example, the router 192.168.0.1 and the device at 192.168.0.107 share the same MAC, so the chances are very high that the computer 192.168.0.107 is the poisoner.

NOTE: the cmd shell as administrator is only needed for step 2 (Clear ARP cache). The rest of the process can be done from normal unprivileged shell.

  • There could be more than one device poisoning on my LAN? Well... it is not usual, and lacks some sense: the poisoning process could (not allways) slowdown (maybe not much) or even crash the entire network, and poisoning the router uses to send a lot of traffic to the poisoner (could ever hang the poisoner device). But it could happen. Anyway, you still can detect it using this method. Just search for more duplicates.
  • Could any other device but the router be the poisoned one? Yes. Sometimes the interesting part is to intercept data sent to a network printer, a NAS, files sent between computers... etc.
  • The poisoner is not a router. Why, if the data are sent to the poisoner instead of to the router, I still have internet running? Because the poisoner resends the traffic to the router, in an attempt that you won't notice anything. This is a part of what is usually called "Man in the Middle (MITM)" attack.
Share:
9,516

Related videos on Youtube

Sopalajo de Arrierez
Author by

Sopalajo de Arrierez

Updated on September 18, 2022

Comments

  • Sopalajo de Arrierez
    Sopalajo de Arrierez over 1 year

    (This question comes from this thread, and is intended to remain as a reference question/answer pair for more generic ARP network detection not limited to WiFi, or without the need of the specific explanations given to that original poster of the question)

    As long as the ARP Poisoning attack is becoming more usual (dSploit for Android, Cain&Abel for Windows, or several methods for Linux) in public places (Bar, Pubs, Restaurants, Commercial Centers, Cybers... etc), I would like to know about some fast and simple method to detect it from my Windows laptop computer, whether I am in a cable or wireless network.

    Do I need for WireShark captures and long readings of cryptic traffic data? Do I need of a FireWall (sometimes they disturb more than they help)? It is mandatory to have something like Snort and become a guru capable of understanding all that data?
    Isn't there any simple method that even works in out-of-the-stock Windows computers?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to protect from ARP spoofing
For Windows 10 update, what are the IP address for firewall?
How to quickly Enable/Disable Internet Traffic so that it ONLY goes to ONE program?
Bizarre caching of "dead" DNS entries; where is this cache stored?
How to hide or disable "allow PC to be discoverable on this network"?
What are the purposes of the addresses in this ARP table?
Different ARP results between host and virtual machine
How to block everything (all incoming and outgoing internet access) except those applications are in firewall white-list?
How to block all traffic but one IP in Windows Firewall?
How to access files over a network using local accounts?