Hello,
I posted a question in the Programming section about the awk syntax in a mitm detector. My follow-up questions about the detector itself are more appropriate here.
The first script prints a warning if a duplicate mac address appears in /proc/net/arp
Why would a mitm produce a duplicate entry in /proc/net/arp?
The second script warns if the mac address (of the router, I think) changes.
Am I right that this script is pointless unless I can be sure my initial connection is to the intended router?
Is it true that a mitm produces either a duplicate mac or a new one? It can't really be that simple, right?
Note: I have no need to use these, I would just like to understand how (or if) they work. Thanks in advance.
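The two checks the post above describes, written out as an added example in Python rather than the awk scripts the post refers to (this is not the thread's code). It parses the text format of /proc/net/arp; the two sample tables, the gateway address 192.168.1.1 and every MAC value in them are constructed for illustration. The second table shows the situation the post asks about: a second host on the LAN answering ARP for the gateway's IP, so its MAC now appears twice and the gateway's recorded MAC no longer matches the baseline.

```python
"""Added example, not the thread's awk scripts: the two checks from the post,
run over /proc/net/arp text.

  1. duplicate_macs():       one MAC listed under more than one IP address
  2. gateway_mac_changed():  the MAC recorded for the gateway IP differs from
                             a baseline captured earlier

All addresses below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: a quiet LAN. 192.168.1.77 is an incomplete entry
# (Flags 0x0); the kernel shows a zero MAC for those, which must be ignored.
BASELINE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         52:54:00:aa:bb:01     *        wlan0
192.168.1.50     0x1         0x2         52:54:00:cc:dd:50     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Constructed sample: the same LAN after the host at .50 has answered ARP
# requests for .1. The gateway entry now carries .50's MAC, so that MAC
# appears under two IPs and the gateway MAC differs from the baseline.
SPOOFED_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         52:54:00:cc:dd:50     *        wlan0
192.168.1.50     0x1         0x2         52:54:00:cc:dd:50     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x2  # "complete" bit in the Flags column of /proc/net/arp


def parse_arp(text):
    """Return {ip: (mac, device)} for complete entries only.

    The first line is the column header; each data line has six
    whitespace-separated fields.
    """
    entries = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields
        if not int(flags, 16) & ATF_COM:
            continue  # incomplete entry: the MAC column is a placeholder
        entries[ip] = (mac.lower(), dev)
    return entries


def duplicate_macs(text):
    """Check 1: return {mac: [ips]} for every MAC listed under more than one IP."""
    by_mac = defaultdict(list)
    for ip, (mac, _dev) in parse_arp(text).items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def baseline_gateway_mac(text, gateway_ip):
    """Record the gateway's MAC from a table you trust; None if absent."""
    entry = parse_arp(text).get(gateway_ip)
    return entry[0] if entry else None


def gateway_mac_changed(text, gateway_ip, baseline_mac):
    """Check 2: return (changed, current_mac) for the gateway entry.

    An absent gateway entry is reported as (False, None) rather than as a
    change, since there is nothing to compare yet.
    """
    entry = parse_arp(text).get(gateway_ip)
    if entry is None:
        return (False, None)
    return (entry[0] != baseline_mac.lower(), entry[0])


if __name__ == "__main__":
    # On a real host: text = open("/proc/net/arp").read()
    gateway = "192.168.1.1"
    known = baseline_gateway_mac(BASELINE_ARP, gateway)
    for label, table in (("baseline", BASELINE_ARP), ("later", SPOOFED_ARP)):
        dups = duplicate_macs(table)
        changed, now = gateway_mac_changed(table, gateway, known)
        print(f"{label}: duplicate MACs={dups or 'none'}, "
              f"gateway MAC changed={changed} (now {now})")
```

Two limits of these checks are visible in the code itself: the duplicate check can only fire when the other host's own IP is also present in the table, and the change check is only as good as the table the baseline was taken from, since it compares against whatever MAC was recorded first.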
Simple man-in-the-middle detectors?
I'd like to understand that too, but first: "mitm" stands for "man in the middle", and it is where an alien invasive web site inserts itself as a part of the line of communication on the internet?
So how is that done? Each site has an IP, so another hooking in must show somewhere. Mac numbers are supposed to be unique, so I would have thought a change of IP would be looked for.
My understanding of this is limited, which is why I'm asking about it. I believe the possibility addressed by the scripts is this:
I see this example a lot: the mitm, acting as my router, establishes https to my bank and to me (using its own certificate and a faked web page) and reads private information by allowing me to log in through him.
https://www.ab9il.net/wlan-projects/wifi-security2.html wrote:
In wireless networking, the MITM scheme is implemented in a number of ways. One is to operate a rogue access point resembling a legitimate wireless hotspot. Often the real access point is jammed or blocked while the rogue, with the same SSID, is in the clear with a strong signal [and a different mac address?]. Another method is to break a client's connection and lure the client's hardware into reconnecting to the middleman. In this case the middleman has faked the access point MAC address. [so, a duplicate in arp?]
read more about ARP spoofing
https://en.wikipedia.org/wiki/ARP_spoofing
quote from that URL
Doesn't seem to be possible to attack from the internet?
ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.