Cain Beats ARP Binding

Discussion in 'Tomato Firmware' started by spykeyz, Apr 16, 2011.

  1. spykeyz

    spykeyz Networkin' Nut Member


    i wanted to stop ARP Poisoning so i switched to tomato-ND-1.28.7617-Toastman-K24-Std with the following basic setup:

    Client 1:
    Client 2:

    DHCP Range (only 1 IP)

    Added all IPs/MACs to Static DHCP & ARP Binding

    Both "Enable ARP Binding" & "Limit unlisted machines" are checked

    now when i start Cain (from Client 1) & set a new ARP Poison Routing between Router( & Client 2( i can hijack the traffic.

    what am i doing wrong ?
  2. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I don't know CAIN but if your client is listed in the acceptable, or unlimited, table why would you not be able to hijack traffic? Wouldn't you need to try it with a machine that matches the limit criteria? Your client matches the unlimited criteria. Yes?
  3. spykeyz

    spykeyz Networkin' Nut Member

    yes both clients are in the unlimited table .. i just assumed ARP binding will be applied to all.

    so i tried another test, i removed Client1 from both static DHCP & ARP binding then gave it static IP (

    now Client1 ( can not ping or access the router ( .. so far so good. then i tried Cain to hijack traffic between the router ( & Client2 (, unfortunately i was able to hijack the traffic.
  4. mstombs

    mstombs Network Guru Member

    Arp protocol is ancient, all based on honesty and trust, only way to avoid MIM attacks is physical security on LAN. Tomato router doesn't know it isn't talking to the client, client doesn't know it isn't talking to Tomato router.
  5. TexasFlood

    TexasFlood Network Guru Member

    I would say what you're doing wrong is letting a malicious program run on a trusted client on your network. All static ARP does is define which client ARP/IP combinations are valid, making it harder to add an undefined PC to your network. If you're on a defined trusted client then it's not going to prevent you from doing anything you want.
  6. jsmiddleton4

    jsmiddleton4 Network Guru Member

While all that may be true, still, isn't the issue that by restricting access to unlisted clients, he is NOT restricting access to listed clients? His test clients are all listed as unrestricted, yes? Why would ARP do anything about what is happening with those safe or authorized clients? ARP only cares about "on the list" or "not on list".
  7. Toastman

    Toastman Super Moderator Staff Member Member

    Are these clients communicating on the LAN - i.e. using the switch ports? Can you get access to the internet?

    ARP binding on the router prevents unauthorized clients gaining access to the router or the internet using ARP spoofing. That is what it is supposed to do, no more, no less.
  8. TexasFlood

    TexasFlood Network Guru Member

    You got to the heart of the issue a lot more succinctly than I did, :wink:.
  9. TT76

    TT76 Networkin' Nut Member

    You have to make an ARP binding (bind the gateway's MAC and IP) on your client machine as well.
  10. jsmiddleton4

    jsmiddleton4 Network Guru Member

    I guess I still don't get it. All ARP does is act like a stop/go light. It doesn't care what a client is doing. It only cares IF a client is restricted or unrestricted. It is a very basic and gross form of security. So if you have a client that is on the unrestricted table/list, whether that table is in the router or in a client, how will that stop any unrestricted or unlimited client from acting rudely?
  11. spykeyz

    spykeyz Networkin' Nut Member

    i don't have control over what users install/run on their machines.

    no they are all wireless. both clients can access the internet, but once i remove a client from ARP binding table then that client can not ping/access the router.

    router's IP/MAC already in the table .. do you mean i have to copy that table to all clients machines ?
  12. TexasFlood

    TexasFlood Network Guru Member

    jsmiddleton4, I think you get it. Either you get it or we both don't as I completely agree with your posts.
  13. TT76

    TT76 Networkin' Nut Member

    ARP cheat is to send a fake ARP response to the gateway and a client, so all packets between them will be sent to that malicious client. ARP binding is to create a correct ARP table, so the gateway and the clients will communicate according to the correct ARP entries in the table so as to avoid an ARP cheat.
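    As an added illustration of the check TT76 is describing (this is not code from the thread or from Tomato), the snippet below models a static ARP binding table and classifies each ARP reply seen on the LAN against it; a reply whose sender IP is bound to a different MAC is the "fake ARP response" of an ARP cheat. All IP and MAC addresses are constructed sample values.

```python
"""Classify ARP replies against a static binding table (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed binding table, modelled on the router's Static DHCP / ARP Binding list.
BINDINGS: Dict[str, str] = {
    "192.168.1.1":  "00:11:22:33:44:01",   # router (gateway)
    "192.168.1.10": "00:11:22:33:44:10",   # Client 1
    "192.168.1.11": "00:11:22:33:44:11",   # Client 2
}


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for the check."""
    sender_ip: str
    sender_mac: str
    target_ip: str


def check_reply(reply: ArpReply, bindings: Dict[str, str]) -> str:
    """Return 'ok', 'spoofed' or 'unlisted' for one ARP reply."""
    bound_mac = bindings.get(reply.sender_ip)
    if bound_mac is None:
        # No binding for this IP: the "Limit unlisted machines" case.
        return "unlisted"
    if bound_mac.lower() != reply.sender_mac.lower():
        # A bound IP is being claimed by a different MAC: the ARP cheat.
        return "spoofed"
    return "ok"


def find_spoofs(replies: List[ArpReply], bindings: Dict[str, str]) -> List[ArpReply]:
    """Collect every reply that contradicts the binding table."""
    return [r for r in replies if check_reply(r, bindings) == "spoofed"]


# Constructed sample capture: one genuine reply, two poisoning replies from
# Client 1 (claiming the gateway's IP and Client 2's IP), and one unlisted host.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1",  "00:11:22:33:44:01", "192.168.1.11"),
    ArpReply("192.168.1.1",  "00:11:22:33:44:10", "192.168.1.11"),
    ArpReply("192.168.1.11", "00:11:22:33:44:10", "192.168.1.1"),
    ArpReply("192.168.1.50", "00:11:22:33:44:50", "192.168.1.1"),
]

if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(check_reply(r, BINDINGS), r)
```

    Note that the check only protects the host that runs it against its own table, which is why a binding table on the router alone does nothing for replies that Client 2 receives.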
  14. jsmiddleton4

    jsmiddleton4 Network Guru Member

    Again all fine and true. But the testing being done in this original post is between clients IN the ARP table. He needs to get a client outside who he is telling is approved/unlimited/unrestricted. Yes?
  15. Toastman

    Toastman Super Moderator Staff Member Member

    TT76 - can you test this way. Put your machines in the static list as normal, enable ARP binding and also "restrict unlisted machines". Then change the IP of one of your machines, so it's now unlisted - it should then be excluded from internet access.

    Working or not?

    Probably not possible to prevent that fake response being sent to another machine on the LAN.
  16. TT76

    TT76 Networkin' Nut Member

    you have to use the command "arp -s <ip address> <mac address>" on windows to append a static arp entry, and you can create a batch file including these entries and set it up to run on windows startup automatically.
  17. Toastman

    Toastman Super Moderator Staff Member Member

    What has that got to do with the router?
  18. TexasFlood

    TexasFlood Network Guru Member


    In my home I do have the luxury of for the most part preventing anyone from running anything harmful and cutting them off if they do.

    If you don't, then If you have critical devices of your own on your core LAN and your clients are all wireless, you might want to take a look at this recent thread for ideas on segregating them off to a different VLAN to protect yourself. Allowing uncontrolled users access to your LAN is a risk I wouldn't want to take myself. If you want to provide wireless access either out of the goodness of your heart or for profit then fine, but I'd advise isolating them from your core network.

    Static ARP really only makes it more difficult for unknown clients to access your wireless network. If you've already given them access then not sure there is a point to enabling it and maybe just more work for you.
  19. spykeyz

    spykeyz Networkin' Nut Member


    thank you for the tip, looks interesting i will give it a try
  20. jsmiddleton4

    jsmiddleton4 Network Guru Member

    "If you've already given them access then not sure there is a point to enabling it and maybe just more work for you."

    That's the point Texas and I have been making. Once a client has access you aren't really testing anything other than the fact that ARP says they can have access. ARP is very rudimentary. Not useless. Just not all that fancy.

    So if you are trying to test if your ARP settings are keeping unwanted traffic/clients off your network, you have to use a client IP/MAC that ARP says is restricted. Any clients allowed through ARP must be trusted because the router says they ARE trusted.
  21. spykeyz

    spykeyz Networkin' Nut Member

    i did that test .. it's on the first page of this thread. a client that is not listed under ARP table will not have access to the router.

    i guess VLAN is the way to go.

    thank you all for your valuable input.
  22. Toastman

    Toastman Super Moderator Staff Member Member

    Then it's doing what it is supposed to do. It prevents access to the router and the internet when you change a client's IP address to one that is not bound to the MAC address in the table. It doesn't stop clients communicating with each other on the LAN.

    How could it ?
  23. spykeyz

    spykeyz Networkin' Nut Member

    isn't this related to "Limit unlisted machines" option ?

    my problem is with ARP Poisoning/Spoofing, i thought by selecting "Enable ARP Binding" it will solve this

  24. Toastman

    Toastman Super Moderator Staff Member Member

    You see the words "the router" in there? Isn't that clear? Seems very clear to me. Why keep insisting on how you think it should work instead of how it is?
  25. TexasFlood

    TexasFlood Network Guru Member

    That only means that the router will ignore ARP spoofing attempts and rely on its tables. Again, the router static ARP helps to some extent as mentioned earlier in that a "rogue" computer can't just plug into your network and start talking immediately assuming its MAC won't be in the router ARP table. But it does nothing to stop clients you have added to the table so are trusted.

    But IIRC all you need for ARP poisoning to work is for the other clients to respond. With clients on the same LAN, the router is just doing layer 2 forwarding based on MAC address. One client is free to query another for its MAC and IP address and then assume that identity.

    You could also set up static MAC tables on your clients to extend that control to that level. But you'll need access and privileges to do so and also must assure that the clients don't have privileges to override that. As I understand it, you don't have this level of control on the client computers. So again, I think you're expecting more security from this approach than is achievable in your situation.

    There are higher end, much more expensive, routers that add various features designed to combat ARP spoofing such as DHCP snooping and dynamic ARP inspection but to my knowledge you will not find these features on consumer grade home routers today, even those with nice 3rd party firmware like Tomato.
  26. spykeyz

    spykeyz Networkin' Nut Member

    great so we have a featureless feature.

    by the way thank you very much for the virtual network tip .. very convenient.
  27. TexasFlood

    TexasFlood Network Guru Member

    Although router static ARP won't do what you assumed or hoped it would, it does have benefits as has been described in this thread. With a bit of googling & reading about ARP poisoning, as I did to reply to your posts, you will find how ARP poisoning works as well as the benefits and limitations of router static ARP in this regard - on any router including high end Cisco data center gear, not just a Tomato home router. I understand it's been a frustrating exercise for you, but seems like a somewhat negative (and inaccurate IMHO) thing to say in a free forum in which developers participate, for freely available firmware that provides considerable enhanced functionality. I'm just saying, :smile:. Just my two cents, I'll get off my soapbox...

    As I said, I had to do a bit of reading to understand this well enough to answer, so as a result I understand it better than I did when this thread started, so I got some benefit out of it, so thanks! :biggrin:

    YW :wink:.
  28. Toastman

    Toastman Super Moderator Staff Member Member

    Yes, it's a featureless feature. It has absolutely no function, other than to restrict access to both the internet and the router to people ("trusted" or otherwise) trying to evade controls by changing their IP address and MAC.

    No function at all, really. We just like to add pages that don't do anything for the fun of it :biggrin:

    Now can we lay this to rest?