Is This ARP Spoofing?

Florida1
Apr 16, 2015
I live alone. I own a dual modem/router, and I have four devices on my network: laptop, desktop, tablet, and smartphone. I also own a Roku and I have Google Play, but I believe those are set up on a separate network automatically during the set-up process?

I'm confused as to why the MAC address in my ARP cache doesn't match the actual MAC address on my modem/router, and I am also curious where these static 224 and 239 subnets come from.

Is this what an ARP Poisoning / Man-In-The-Middle set-up looks like?

If it is, wouldn't this require physical access (or be within wireless range), to some degree, to make use of?

(screenshot: kcHomeModemRouter.jpg)

(screenshot: kcHomeNetworkARPCache.jpg)
 
Solution
The static ones are multicast and can be ignored; they are special.

I don't know why the MAC would not match for 10.0.0.1, but it has to be the router. You need to unplug everything and turn off the wireless radios. If it still works, it can't be going to another machine, since there is no way for another machine to connect.
Not sure where you are getting this display, but the IP in this table should match the MAC address. The ones you show are very close in range; it is not uncommon for a device to actually have more than one MAC address, especially if it has multiple physical interfaces.

It is almost easier for someone to break into your house and hook up an Ethernet cable than to break into wireless. As long as you are using WPA2 and a good key and have WPS disabled, it tends to be impossible for someone to break in. They would have to first get past that to even attempt an ARP spoof, and it is not as easy as it sounds.

All the 224 addresses mean is that you have some device that has the ability to run multicast. These are just the addresses used to set up multicast sessions. Some security cameras send the traffic out via multicast so you can watch on any PC in your network without a lot of special configuration. Many PCs have it enabled by default, and many cable boxes can also use it. It might be your Roku; some of those have the ability to stream data to another device, and it very well could use multicast to do it.
 
Funny you mention the break-in. I had a break-in my first week living here. With no sign of forced entry and nothing stolen, the police decided not to pursue it further.

My assumption was that it was my neighbor, who was a board member. Board members have keys to every unit, and that neighbor has a unit next to mine.

Would that change things?

The first screenshot is from my ARP cache: Windows command prompt, 'arp -a'.

I ran this program I found, XArp. It's telling me it is detecting an ARP attack. I blocked my WAN IP in the screenshot below.

I'm still confused. Any help would be great. Thank you!

(screenshot: XArpScreenShotKCHomeNetwork.JPG)
 
I would hope you would see an Ethernet cable running out of your house.

So go into the router, turn off the wireless, and plug only your one PC into the Ethernet; unplug everything else. Clear the ARP entries on the PC and ping the gateway IP, which should be your router. You should get a brand new ARP entry. That should be the MAC of the router. What else could it possibly be? There is no way anything else is connected.

You can always put in permanent ARP entries on your PC to prevent it.

 
I would unplug everything until you figure out where it all goes.

That XArp thing has me confused a lot. I assume you ran this on your PC. You should never see an entry in the ARP table for the WAN IP of the router. It is on a completely different network, and I assume it is on coax, not Ethernet, in the first place. You should never see entries in the ARP table for IPs outside your subnet. If the IP is outside the subnet, it should send the traffic to the gateway. Even for an ARP poison attack, the PC should never put in entries for other subnets.

I would verify you have the correct subnet mask on your PC and on your router. I would suspect it is going to be something like 10.0.0.x with a mask of 255.255.255.0.
 
I should never see my WAN IP in my ARP table?

I do see my WAN IP in my ARP table.

Below is from my desktop, 'arp -a'.

I blocked the last two numbers in my IP address.

What does that mean?

(screenshot: kcHomeDesktopARPCache.JPG)
 
The coax cable will do that: you and all your neighbors share the cable that goes to the ISP. The cable company will make sure it stays secure. Very technically, on a cable system every packet for every device sharing the connection to the ISP comes into your house. Your cable modem just ignores anything that is not for its MAC, and the traffic is encrypted, so even if you were to somehow get it you could not see what it really was.

Now, if an Ethernet cable goes outside your condo, then you need to be very worried.
 
I don't know how to put static routes into my ARP table, and we have verified that I am on the 10.0.0.* subnet.

How would a static route get onto my computer? What would be the point?
 
I have no clue. To get that ARP entry, either the PC asked for it, which it should never have, or it was sent in unsolicited by the router.

I am starting to suspect your router is sending you a bunch of crap. I again would unplug everything except for the one PC and disable the wireless. Clear the ARP entries and see how many you get. The only device that can send you stuff is the router. If you get this junk with only the router, I suspect you can ignore it as stupid stuff the router does. It's not like someone can attack you when they cannot connect to your router, so anything you see with just the router is from the router itself. You would then look at what appears as you connect stuff up one by one.
 
See arp -? ; it shows the format of the command.

You put in static ARP entries to stop an ARP spoof. If you do not have ARP spoof exposure, then you don't bother, because it is a pain.

If you say IP x.x.x.x goes to yy-yy-yy-yy-yy-yy, it will always go there; it is impossible for someone to override it. So if your PC always knows the MAC of the router, it will always send the traffic to the router and nobody can intercept it.
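Added example, not code from the thread or from either poster: a small script that takes a Windows `arp -a` dump and makes the three checks discussed above concrete. It derives the expected MAC for each 224.x/239.x row from the group address (which is why those rows are "static" and why they all start 01-00-5E), flags any unicast entry outside the local subnet (the WAN-IP puzzle from the earlier reply), compares the gateway's MAC across two snapshots (what an ARP-spoof detector alerts on), and builds the Windows commands that pin the gateway's entry as described in this post. The `arp -a` text, every MAC in it, the 10.0.0.0/24 subnet and the interface name "Ethernet" are all constructed for the example.

```python
# Added example, not part of the original thread: classify a Windows
# `arp -a` dump so that the "static" 224.x/239.x rows, an off-subnet entry
# such as the WAN IP, and a change in the gateway's MAC can each be
# recognised, and build the commands that pin the gateway's entry.
import ipaddress
import re

# Constructed sample in the format `arp -a` prints on Windows; every MAC
# and address here is made up for the example.
SAMPLE_ARP_A = """
Interface: 10.0.0.12 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.7              aa-bb-cc-dd-ee-01     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  73.10.20.30           00-11-22-33-44-57     dynamic
  224.0.0.2             01-00-5e-00-00-02     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""

ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def multicast_mac(ip):
    """RFC 1112 mapping: 01-00-5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01-00-5e-%02x-%02x-%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def parse_arp_a(text):
    """Return the data rows of an `arp -a` dump as dicts with ip, mac, type."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"ip": m.group(1), "mac": m.group(2).lower(), "type": m.group(3).lower()})
    return rows


def classify(rows, local_net):
    """Bucket each row; anything in multicast_bad or off_subnet deserves a closer look."""
    net = ipaddress.IPv4Network(local_net, strict=False)
    buckets = {"multicast_ok": [], "multicast_bad": [], "broadcast": [], "local": [], "off_subnet": []}
    for r in rows:
        addr = ipaddress.IPv4Address(r["ip"])
        if addr.is_multicast:
            # The MAC is fixed by the group address, so a mismatch is a real anomaly.
            key = "multicast_ok" if r["mac"] == multicast_mac(r["ip"]) else "multicast_bad"
        elif r["mac"] == "ff-ff-ff-ff-ff-ff":
            key = "broadcast"
        elif addr in net:
            key = "local"
        else:
            # Hosts outside the subnet are reached via the gateway and should not be cached.
            key = "off_subnet"
        buckets[key].append(r["ip"])
    return buckets


def gateway_mac_changed(before, after, gateway_ip):
    """The classic poisoning symptom: the gateway's MAC differs between two snapshots."""
    def mac_of(rows):
        return next((r["mac"] for r in rows if r["ip"] == gateway_ip), None)
    old, new = mac_of(before), mac_of(after)
    return old is not None and new is not None and old != new


def pin_gateway_commands(gateway_ip, mac, interface="Ethernet"):
    """Windows commands that make the gateway's ARP entry static (run from an
    elevated prompt). The interface name is an assumption for the example."""
    return [
        f"arp -s {gateway_ip} {mac}",
        f'netsh interface ipv4 add neighbors "{interface}" {gateway_ip} {mac}',
    ]


if __name__ == "__main__":
    rows = parse_arp_a(SAMPLE_ARP_A)
    for key, ips in classify(rows, "10.0.0.0/24").items():
        print(f"{key:14s} {ips}")
    gw = next(r for r in rows if r["ip"] == "10.0.0.1")
    print("\n".join(pin_gateway_commands(gw["ip"], gw["mac"])))
```

Two practical notes. First, the MAC to pin must be the one read from the router's own label or admin page, not whatever is currently in the cache, otherwise a poisoned entry just gets made permanent. Second, a static entry only protects this PC's side of the conversation: the router's own ARP cache can still be poisoned, so traffic coming back from the router is not covered by it.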
 
I have a strange theory. We already know from the screenshots above that the ARP entries on my network do not match the ARP entries on my cable modem EXCEPT for the WAN IP. Going off "Your cable modem just ignores anything that is not for its MAC" as far as the decryption of traffic, would it then be possible to set up a home network to reroute traffic for wiretapping after the modem has decrypted it?
 
Why would I have all of these static routes in my home network?

01-00-5E-00-00-02, 01-00-5E-00-00-16, 01-00-5E-00-00-02, 01-00-5E-00-00-FB, 01-00-5E-00-00-FC.

The 10.0.0.1 ARP entry doesn't exactly match any MAC address displayed on my modem/router.

Could I be sending unencrypted information to a different wireless receiver spoofed to be my router's MAC address, and then that traffic gets captured and rerouted back out of my actual WAN IP?

This is all very strange.
 
Solution
Update. I shut off my wireless radio. I cleared my ARP cache. I plugged the Ethernet cable from my router into my laptop. I then couldn't get connected to the internet. I had to call Comcast to have the signals reset/resent. I was then able to reconnect.