concrete_hed Posted May 28, 2006

I recently discovered ARP.exe (Windows version). I have heard that using arp you can route all data coming in and out of your computer; this is how many hackers can learn usernames and passwords and listen in on your instant messaging conversations. When I run "arp -a" it returns:

    Interface: 192.168.0.5 ---- 0x10003
      Internet Address      Physical Address      Type
      192.168.0.1           00-0f-b5-7c-7f-20     dynamic

My computer (192.168.0.5) is on a local area network and 192.168.0.1 is my default gateway. Can someone please explain to me what the information above means? Does it mean that all information entering and leaving my computer goes through 192.168.0.1? Is the physical address shown above my physical address or 192.168.0.1's physical address? Can I change this to another address? What can I do with arp.exe?

If someone could please explain this to me without using too many technical terms, that would be great. Thanks.

bluesmudge Posted May 30, 2006

The reason no one can answer that is the info is slightly too close together, and because not everyone is familiar with ARP; even though the data shown there is everyday stuff, it looks like a foreign language. Presumably a copy and paste job?

# Interface address is basically the local address, i.e. because you're on a LAN. The 0x10003 that goes with that I'm not familiar with, but I think it's the location of the hub / router / switch / whatever. It's a long time since my networks module, but routers give a routing table to basically make it easier to pick the direction it sends data across a network; it picks a direction with the least cost in jumps etc.

# Internet address is used to uniquely address you on the Interweb.

# Physical address is otherwise known as a MAC address, represented in hexadecimal (to save all those ones and zeros). It's a 'permanent' address and is factory given to your network card (all network devices have one).

# Type Dynamic, I assume, is how your computer came upon the IP address it's using. Some networks (but I'm yet to think of any I've used) give you a static IP, which means that your machine keeps the same IP address no matter what. Dynamic (yours) basically means every time you restart the machine / network device you are given a new IP address. These addresses quite often have a limited life span, i.e. 24 hours.

Looking into ARP.exe now, but as I have it on my XP machine I'm assuming it's standard.

encipher Posted May 30, 2006

ARP (Address Resolution Protocol) is used to find out a host's MAC address when only the IP address is known. It's mainly used to identify the MAC addresses based on IP and when two computers on a LAN communicate with each other. It's basically a protocol used in routing and communication between systems on the same network.

Now 'hackers' use a technique commonly known as ARP poisoning or ARP spoofing to listen in on other computers' traffic. This type of attack sends false (spoofed) ARP packets to a LAN which has its MAC address defined for a bunch of IP addresses (to fool the switch/router). So it will receive the traffic on the network for the designated IP addresses it spoofs. This type of attack is a MITM attack (man in the middle). All the traffic that goes to a computer(s) goes through the computer you are spoofing from. Now in order to do this you must already have access to a computer inside the network.

Another common method to achieve the same goal is MAC address flooding. A computer floods a router's MAC table until it overloads its memory. At that point the fail-safe mechanism of the switch / router kicks in. It 'drops' down to a layer 1 system (i.e. hub) and broadcasts all the incoming/outgoing traffic to all hosts on the network. Newer hardware has built-in systems to prevent such attacks.

I will not go into specifics of how each one works because there are enough script kiddies as it is. Hope this helped!

concrete_hed Posted May 31, 2006

Yes, that has helped a bit. I knew basically what it does but you have given me more info. Thanks.

One more question: if I were to type "arp -s 192.168.0.7 00-aa-00-62-c6-09", what would that do?

encipher Posted May 31, 2006

That would be associating the IP address 192.168.0.7 with the MAC address 00-aa-00-62-c6-09. If that wasn't already your IP, it would be like changing it. Note that if you are on a network that uses DHCP to assign IP addresses it will not work, or if any IP has been assigned to your network card.

ARP.exe is pretty much useless except for diagnostics.

Gaz Posted June 2, 2006

> ARP.exe is pretty much useless except for diagnostics.

The arp command is very useful for making static entries when you are on an untrusted network and wish to prevent man in the middle attacks.

You can also use the local arp table to discover hosts on a network. Say if you ping sweep a subnet and some machines don't respond due to firewall, they will appear in the arp table.
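
Added example, not part of any post in this thread: a check a defender can run over saved "arp -a" output to confirm that a pinned gateway entry is still in place and to spot one MAC address answering for several IPs, which is what a poisoned cache tends to look like. The function names and the second and third table rows are constructed for the illustration; a shared MAC can also be legitimate (for example proxy ARP), so treat it as a lead to investigate.

```python
import re

# Constructed sample in the layout Windows `arp -a` prints. The first entry
# is the one quoted in the thread; the other two rows are made up.
SAMPLE = """\
Interface: 192.168.0.5 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.1           00-0f-b5-7c-7f-20     dynamic
  192.168.0.7           00-aa-00-62-c6-09     static
  192.168.0.9           00-0f-b5-7c-7f-20     dynamic
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: (mac, type)} for every entry line in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # header and "Interface:" lines do not match
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table

def audit(table, pinned):
    """Check pinned IP->MAC pairs, then report MACs claimed by several IPs."""
    findings = []
    for ip, want in pinned.items():
        got = table.get(ip)
        if got is None:
            findings.append(f"{ip}: no entry in ARP cache")
        elif got[0] != want.lower():
            findings.append(f"{ip}: expected {want.lower()}, cache has {got[0]}")
        elif got[1] != "static":
            findings.append(f"{ip}: MAC matches but entry is {got[1]}, not static")
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        # Broadcast and IPv4 multicast MACs legitimately map to many IPs.
        if len(ips) > 1 and mac != "ff-ff-ff-ff-ff-ff" and not mac.startswith("01-00-5e"):
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_arp_table(SAMPLE), {"192.168.0.1": "00-0f-b5-7c-7f-20"}):
        print(finding)
```
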

encipher Posted June 2, 2006

> The arp command is very useful for making static entries when you are on an untrusted network and wish to prevent man in the middle attacks.
>
> You can also use the local arp table to discover hosts on a network. Say if you ping sweep a subnet and some machines don't respond due to firewall, they will appear in the arp table

Yeah, I do that all the time when I'm on a new network =\

Of course ARP has its uses, so does everything else, but people don't usually go straight for ARP when looking for hosts on a network, and if someone is going to pingsweep a subnet then he/she is looking for trouble.