Tressel12

Cain and Abel Sniffer Difficulties – Too Many IP Addresses!

8 posts in this topic

Admittedly, I am completely inexperienced with Cain and Abel so please bear with me. I’ve been able to successfully use the sniffer and APR tools to poison my local network which includes a secondary computer. However, I’ve been struggling with scanning MAC addresses for public networks.

I select configure from the menu and select my device which has the IP address and press OK. I subsequently press the Sniffer button and Blue Plus Sign. During the scan, every IP address apparently shows up on the menu. Example:

10.0.0.0.1 00180A021709 Meraki, Inc.

10.0.0.0.2 00180A021709 Meraki, Inc.

10.0.0.0.3 00180A021709 Meraki, Inc.

10.0.0.0.4 00180A021709 Meraki, Inc.

10.0.0.0.5 00180A021709 Meraki, Inc. etc…

Any ideas?

Try checking "Don't use promiscuous mode" option in the settings.

It looks like a certain host is answering all the ARP requests Cain sends to enumerate hosts on the subnet. Try taking the machine with that MAC address off the network. Other than those suggestions, just look at the network traffic in Wireshark to see what's going on.

Try checking "Don't use promiscuous mode" option in the settings.

It looks like a certain host is answering all the ARP requests Cain sends to enumerate hosts on the subnet. Try taking the machine with that MAC address off the network. Other than those suggestions, just look at the network traffic in Wireshark to see what's going on.

Thanks Tekio. Unfortunately checking the don't use promiscuous mode option failed to change anything. Given that it's a public network with multiple machines, I'm not sure how I would go about taking it off the network. I've just installed Wireshark, but am entirely lost. I watched over the first tutorial and plan on looking more into it, but was hoping someone could look over my recent capture and shine some light onto this problem. I've attached the file. (Note: Had to change the file extension in order to allow the upload, switch back to .pcap)

Thanks.

Test 1-14-11.txt

Looking at the capture, 00180A021709, the MAC address that keeps responding to every IP address, is you. But it is not actually responding to the ARP requests on the LAN.

I can see there is one host responding on the LAN, 10.114.41.16 is replying to your ARP requests.

Do you have a host-based firewall running? If not, idk, maybe try reinstalling WinPcap.

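The triage described in the reply above (one MAC listed against every IP, and whether that MAC is the local adapter or another host), as an added example that is not part of the original thread. The sample rows, the second MAC and the function names are constructed for illustration; only the MAC 00180A021709 and the 10.114.41.x range come from the posts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the scan list quoted in the thread:
# "<IP> <MAC> <vendor>". Rows are illustrative, not taken from the capture.
SAMPLE_SCAN = """\
10.114.41.1 00180A021709 Meraki, Inc.
10.114.41.2 00180A021709 Meraki, Inc.
10.114.41.3 00180A021709 Meraki, Inc.
10.114.41.4 00180A021709 Meraki, Inc.
10.114.41.16 001122AABBCC Constructed Vendor
"""

# A well-formed dotted quad, whitespace, then a MAC in any common notation.
ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f:.-]{12,17})\b")

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 upper-case hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def claims_by_mac(text):
    """Map each MAC to the set of IPs it was listed against."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and len(normalize_mac(m.group(2))) == 12:
            claims[normalize_mac(m.group(2))].add(m.group(1))
    return dict(claims)

def triage(text, local_mac, threshold=3):
    """Flag MACs listed for >= threshold IPs and classify the likely cause."""
    local = normalize_mac(local_mac)
    findings = {}
    for mac, ips in claims_by_mac(text).items():
        if len(ips) < threshold:
            continue  # a host answering for one or two IPs is normal
        if mac == local:
            findings[mac] = "local adapter: scan artifact, check capture driver/firewall"
        else:
            findings[mac] = "remote host: proxy ARP or ARP spoofing, inspect in Wireshark"
    return findings

if __name__ == "__main__":
    for mac, verdict in triage(SAMPLE_SCAN, "00:18:0A:02:17:09").items():
        print(mac, "->", verdict)
```

Rows whose address is not a well-formed dotted quad are skipped rather than guessed at, so malformed list entries never count toward a MAC's total.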

I have a question. So when I use Cain and Abel it works but along with getting IPs from a lobby or something that I'm in I get tons of other IPs that say half-routing. Does anyone know how to fix this?

"Half Routing" means you are probably DoSing hosts on the LAN. If you are in a "lobby" there will probably be a Sys Admin walking around with a shotgun looking for you (really, probably only a few security guards).

Well, what I'm saying is that like when I join a lobby I get all the lobby members' IPs and those are full routing, but I also have a ton of other IPs that are half routing, and the lobby IPs are scattered throughout this list.

Once they come up, try re-scanning, then re-adding into your ARP Poisoning list. Perhaps they were not responding to MAC address probes. Are they on the same broadcast domain as APR? Could the switch these hosts are on be preventing ARP Poison Routing?

If I remember, a host may not be found for some reason when ARP scanning (like it just came up or didn't respond to MAC scans). Then when ARP Poisoning it can be detected. However, it may not have been assigned in the ARP Poisoning dialog where hosts are assigned to be "spoofies" of the "spoofed". They may be receiving poisoned ARP requests/replies but not be in Cain's table to route.

Test this in a lab. It has been a while since I've played with C&A.

Also, there are lots of other networking scenarios. What operating system are they? Windows sometimes would still allow ARP poisoning with static ARP entries, but Linux and BSD would not. Unsure if Windows has changed. It could be the TCP/IP stack getting confused and then sending traffic to the real gateway based on a host IPS. So many possibilities.

But make sure these are being assigned after your MAC address scan. Then look for a host-based contingency, and finally check network traffic in Wireshark to see what is happening on the LAN.
