Cain and Abel Sniffer Difficulties – Too Many IP Addresses!


3 replies to this topic

#1 Tressel12

Posted 13 January 2011 - 06:20 PM

Admittedly, I am completely inexperienced with Cain and Abel, so please bear with me. I've been able to successfully use the sniffer and APR tools to poison my local network, which includes a secondary computer. However, I've been struggling with scanning MAC addresses for public networks.

I select Configure from the menu, select my device which has the IP address, and press OK. I subsequently press the Sniffer button and the blue plus sign. During the scan, every IP address apparently shows up on the menu. Example:

10.0.0.0.1 00180A021709 Meraki, Inc.
10.0.0.0.2 00180A021709 Meraki, Inc.
10.0.0.0.3 00180A021709 Meraki, Inc.
10.0.0.0.4 00180A021709 Meraki, Inc.
10.0.0.0.5 00180A021709 Meraki, Inc. etc…

Any ideas?

#2 tekio

Posted 13 January 2011 - 10:51 PM

Try checking "Don't use promiscuous mode" option in the settings.

It looks like a certain host is answering all the ARP requests Cain sends to enumerate hosts on the subnet. Try taking the machine with that MAC address off the network. Other than those suggestions, just look at the network traffic in Wireshark to see what's going on.

#3 Tressel12

Posted 14 January 2011 - 03:04 PM

Try checking "Don't use promiscuous mode" option in the settings.

It looks like a certain host is answering all the ARP requests Cain sends to enumerate hosts on the subnet. Try taking the machine with that MAC address off the network. Other than those suggestions, just look at the network traffic in Wireshark to see what's going on.


Thanks Tekio. Unfortunately checking the don't use promiscuous mode option failed to change anything. Given that it's a public network with multiple machines, I'm not sure how I would go about taking it off the network. I've just installed Wireshark, but am entirely lost. I watched over the first tutorial and plan on looking more into it, but was hoping someone could look over my recent capture and shine some light onto this problem. I've attached the file. (Note: Had to change the file extension in order to allow the upload, switch back to .pcap)

Thanks.

#4 tekio

Posted 14 January 2011 - 04:30 PM

Looking at the capture, 00180A021709, the MAC address that keeps responding to every IP address, is you. But it is not actually responding to the ARP requests on the LAN.

I can see there is one host responding on the LAN: 10.114.41.16 is replying to your ARP requests.

Do you have a host-based firewall running? If not, idk, maybe try reinstalling WinPcap.
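
The check described in the replies above (which MACs actually answer ARP, as opposed to only sending requests) can be scripted for a defender reviewing a capture. This is an added example, not code from the thread: the frames are constructed inline, and the scanner IP 10.114.41.200, the MAC 02AABBCCDDEE and the threshold are assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_ETHERTYPE, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame (sample input only)."""
    mac, ip = bytes.fromhex, lambda a: IPv4Address(a).packed
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return op, sha.hex().upper(), str(IPv4Address(spa)), str(IPv4Address(tpa))

def summarize(frames, threshold=3):
    """Map MACs to IPs they claimed in replies; flag MACs claiming >= threshold IPs."""
    claimed, requesters = defaultdict(set), set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, sender_ip, _ = parsed
        if op == ARP_REPLY:
            claimed[mac].add(sender_ip)   # only replies assert an IP-to-MAC binding
        elif op == ARP_REQUEST:
            requesters.add(mac)           # the scanner shows up here, not in replies
    suspects = sorted(m for m, ips in claimed.items() if len(ips) >= threshold)
    return dict(claimed), requesters, suspects

# Constructed capture: the scanner (MAC from the thread) sweeps five addresses,
# and a single host, 10.114.41.16, answers.
SCANNER = "00180A021709"
SAMPLE_FRAMES = [build_arp(ARP_REQUEST, SCANNER, "10.114.41.200", "000000000000",
                           f"10.114.41.{i}") for i in (1, 2, 3, 16, 17)]
SAMPLE_FRAMES.append(build_arp(ARP_REPLY, "02AABBCCDDEE", "10.114.41.16",
                               SCANNER, "10.114.41.200"))

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

A MAC that appears only in `requesters` is the machine doing the sweep; a MAC in `suspects` is one host answering for many addresses, which is worth investigating as proxy ARP or ARP spoofing.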