EH-Net

Ethical Hacking Discussions and Related Certifications => Incident Response => Topic started by: Determ on August 30, 2010, 09:11:52 AM



Title: My "action" today
Post by: Determ on August 30, 2010, 09:11:52 AM
Last week we had a problem with web browsing. Since I had made static ARP entries on a few machines, I knew that it was the same symptom as someone doing ARP poisoning. I started Wireshark, which showed massive activity on destination port 137 from one internal IP address (machine).

So for the weekend I made my computer vulnerable to ARP attack and set up XARP on it. Today when I was working, XARP started a continuous alarm. I opened Wireshark to locate the IP address (it was the same as last week). Then I started Nmap to identify the computer brand and OS. At first I was sure someone had started C&A. So I went to the office where this computer was in use. It wasn't C&A; the computer of a young girl obviously has a lot of malware. I ran netstat -an but didn't go checking IPs. Later I wanted to deliberately get an ARP attack with this computer, but it didn't show up. Only massive knocking on 137/138. I will make a fresh install of the OS on that computer.

So this is it. Have you been in a situation where someone used C&A and you detected it?


Title: Re: My "action" today
Post by: zeroflaw on August 30, 2010, 01:10:20 PM
I've used it on my home network. Brothers started complaining about lag and stuff, was kinda funny :P Also tried it in the Cisco labs at college once but no one noticed it.