In this post, I will be discussing how to detect hackers on your network and keep yourself safe in the malicious internet world.

Nowadays it is very easy to to get malicious softwares and viruses on our computer as whenever we download something from internet it always possesses a risk of having malicious programme.

Also many people nowadays install pirated software and pirated movies which are the most potent source of malicious software nowadays in internet.

DETECTING THE ARP SPOOFING ATTACK

How to detect Hackers on your network?

First of all you should know that detecting a hacker on your network is not a easy task as the hacker on the other end is trying its best to not get caught. Also the hacker is trained to hide in a system but in general we are not trained to find such hacker on our system so this becomes a bit of a challenging task.

What is ARP spoofing?

ARP Spoofing is a type of attack in which the hacker fools the router into believing that it is the client and fools the client into believing that is the router.

Thus hacker becomes the Man In the Middle and is able to intercept the data and analyse it.

Why does ARP spoofing work?

ARP Spoofing attack works due to the following reasons :

1. Clients accept the responses even if they have not sent any request
2. Clients also trust the responses without any kind of verification

In this tutorial, the windows machine is the machine of the victim and the kali Linux machine is the hacker’s  machine

Now every computer has an ARP table which can be seen by the command “arp -a”

What is an ARP table?

So ARP table is just a table which contains the IP and MAC addresses of different computers.

It associates the IP addresses of the computers with the MAC address of the computers.

What happens during an ARP Poisoning Attack?

During an ARP poisoning attack, the ARP table of the victim is updated and its router MAC changes and becomes the MAC address of the hacker machine.

Now I will perform a ARP Spoof attack from the hacker machine and then we will see how the MAC gets changed in the victim’s machine

Running the ARP Spoof attack 

The updated arp table in victims computer

This is the easiest way to check the ARP poisoning attack but it is not at all practical as we have to constantly run the arp -a command and monitor it 

So for this there is a very good tool called XArp which is available for both linux and windows 

We can download it from the link below  

https://xarp.en.softonic.com/

Now for the time being I have stopped the ARP Spoofing / Poisoning attack and we will run the tool 

Now I will again start the ARP attack and we can see that XArp as detected the attack 

If you are interested on how you can also perform this ARP spoofing attack you can check my post below

=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0=0

USING WIRESHARK TO DETECT SUSPICIOUS ACTIVITIES

 First, we will open Wireshark in our victim machine which can be easily downloaded from Google or you can use the link below to directly go to the Wireshark download page

https://www.wireshark.org/download.html

Now we will go to Edit -> Preferences -> protocols -> ARP 

We will check on the Detect ARP request storms

And now we will start the capture

Now I will go to my hacker machine and start discovering client attack using netdiscover

>> netdiscover -i eth0 -r IP range/24

Now we will go to our victim windows machine and see the generated packets

We can see under the info column the last column that it is asking who has this IP and tell to this IP 

Now we will click on Analyse -> Expert information

We will be able to see that it has detected a ARP storm. This means that there was a single device that have sent many packets. This gives us the signal that someone is trying to detect all the devices in its range and probably trying to perform a attack.

Now I will perform a ARP spoofing attack from my hacker machine 

We will now check in Wireshark that what it has detected 

We will again go on Analyse -> Expert Information

We will see a warning that a duplicate IP address configured. This means that someone is trying to perform a ARP Poisoning attack and trying to place them in middle of the connection 

PREVENTING ARP ATTACK 

First we will go to the victim machine and keep in mind that the victim machine is we the normal user who are surfing the internet on a day-to-day basis

We will do the command “arp -a”

In the table we can see on the first internet address that under the type column it is written as dynamic which means the values can be changed

There we can also see are some static values which the system will never allow to change

We can use static ARP table in which we have to manually map  the IP address to the MAC address and after that even if the Hacker uses the best tools it will not be able to perform the ARP spoofing attack 

But this has a downside which is whenever you will connect to a new network or a device wants to join to your computer each time you have to manually configure the table

It is not practical to use if you are in a big company or a large network. But form small organisations and home network this can be useful.

Other useful ways to prevent these attacks it to always :

1. Use HTTPS over HTTP
2. Use a VPN if possible

I will be covering the above two ways also soon.

Do not forget to comment with your doubts related to the topic and we will reply to you as soon as possible. Also, comment with your feedback related to the content.

Also, do not let your curiosity fade away and increase your knowledge on ethical hacking and networking only on Hackers Paradise. Click below to learn more :