petphi
Jun 17, 2021, Aspirant
GS110EMX ARP poison problem
Hi,
I couldn't believe my eyes when I saw an ARP request from the management port (port 1) on vlan4 of my router when tracing another device. Port 1 and vlan 4 are not bonded on my switch but I see the ARP request. So then I turned up my evil ARP spoof program to this and sent on vlan4 a gratuitous ARP to the management IP with a fake MAC address of the gateway address that it was trying to reach.
What happens then is the managed switch becomes unmanaged; you can't reach it unless you send it another gratuitous ARP request with the right MAC address of the gateway. I would assume it works on any vlan port too, but that's just an assumption; right now it's just vlan4 and port 1 for some reason. Here is my command history:
154 cb -lvlan4 -ais-at -saa:aa:aa:aa:aa:aa,192.168.1.254 -d sw:it:ch:ce:ns:or,192.168.1.1
This sends ARP 192.168.1.254 is at AA:AA:AA:AA:AA:AA to 192.168.1.1
155 cb -lvlan4 -ais-at -sro:ut:er:ce:ns:or,192.168.1.254 -d sw:it:ch:ce:ns:or,192.168.1.1
This sends ARP 192.168.1.254 is at router MAC to 192.168.1.1 to unpoison the ARP cache of netgear switch.
I also tested these commands while browsing the switch and it is interrupted.
It would really be nice to have been able to contact netgear privately but I ran out of support. I deserve lifetime support.
Regards,
12 Replies
- petphi, Aspirant
OK, I have confirmed that I see these ARPs on other vlans too. I'm wondering if I've done something wrong in the config. To show the community what I have in terms of VLANs I made screenshots:
So on VLAN 4 and 5 (confirmed) I see traffic from VLAN 24, I assume that on vlan5 I can also poison vlan 24 from vlan 5 although I haven't tried that (only on vlan 4).
I run the latest firmware. Either my config is messed up or this is indeed a problem with the switch(es). I realise that port 1 is the only member of vlan 24 and thus the switch may broadcast all ports with this, how would I stop that though?
The router has 3 interfaces, one dedicated to port 1, one uplink and one that has vlan 5 untagged and a bunch of tagged ones. There should be no leakage of ARP.
Any suggestions welcome.
- petphi, Aspirant
I get it, and I'm scared of this switch now. One can give it ARP answers that an IP is at FF:FF:FF:FF:FF:FF (broadcast) and it will reply through the switch fabric, as I have seen with a packet dumper. This function is dangerous; if my router didn't have anti-spoof filters I think it could be used to do covert messaging between vlans, although I haven't thought this out fully. My router played weird too after the switch started writing to broadcast for an IP. For a while it was DUP'ing after I had restored it.
I don't expect Netgear to fix this, but I'm poor as hell and don't have too many switches around here, I'm stuck.
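Added example (not from this thread, and not NETGEAR's or the poster's code): a small ARP watcher that would catch the two symptoms described above, a reply moving a trusted IP to a different MAC, and a reply advertising a broadcast/multicast MAC, plus the first one the poster noticed: ARP for the management subnet showing up on a VLAN where that subnet does not belong. It parses raw Ethernet/802.1Q/ARP frames, so it can be fed from a pcap on a mirror port. All MACs, IPs, VLAN ids and subnets below are constructed sample values (the thread's "sw:it:ch:ce:ns:or" style MACs are not valid hex), and the trusted table and VLAN-to-subnet map are assumptions the operator would fill in from their own config.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    vlan: Optional[int]       # 802.1Q VLAN id, or None if the frame is untagged
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def build_arp(vlan: Optional[int], opcode: int, sha: str, spa: str,
              tha: str, tpa: str) -> bytes:
    """Build an Ethernet(+802.1Q)/ARP frame; used here only to construct sample input."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else tha
    eth = _mac_bytes(dst) + _mac_bytes(sha)
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    eth += struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, opcode
    arp += _mac_bytes(sha) + ipaddress.ip_address(spa).packed
    arp += _mac_bytes(tha) + ipaddress.ip_address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Return the ARP payload of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_ARP or len(frame) < offset + 28:
        return None
    arp = frame[offset:offset + 28]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(vlan, opcode,
                    _mac_str(arp[8:14]), str(ipaddress.ip_address(arp[14:18])),
                    _mac_str(arp[18:24]), str(ipaddress.ip_address(arp[24:28])))


class ArpWatch:
    """Flags ARP replies that contradict a trusted IP->MAC table or advertise a
    group (broadcast/multicast) MAC, and any ARP whose sender IP is outside the
    subnet expected on that VLAN (the cross-VLAN leak the poster saw)."""

    def __init__(self, trusted: dict, vlan_subnets: dict):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.vlan_subnets = {v: ipaddress.ip_network(n) for v, n in vlan_subnets.items()}

    def check(self, frame: bytes) -> list:
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp.opcode == ARP_REPLY:
            if int(arp.sender_mac[:2], 16) & 1:   # I/G bit set: broadcast or multicast MAC
                alerts.append(f"{arp.sender_ip} advertised at group MAC {arp.sender_mac}")
            known = self.trusted.get(arp.sender_ip)
            if known is not None and known != arp.sender_mac:
                alerts.append(f"{arp.sender_ip} claimed at {arp.sender_mac}, trusted {known}")
        if arp.vlan in self.vlan_subnets:
            net = self.vlan_subnets[arp.vlan]
            if ipaddress.ip_address(arp.sender_ip) not in net:
                alerts.append(f"VLAN {arp.vlan}: sender {arp.sender_ip} outside {net}")
        return alerts


# Constructed sample values; nothing here comes from a real network.
ROUTER_MAC, SWITCH_MAC, OTHER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "aa:aa:aa:aa:aa:aa"
SAMPLE_FRAMES = [
    # legitimate reply on the management VLAN: gateway answering the switch
    build_arp(24, ARP_REPLY, ROUTER_MAC, "192.168.1.254", SWITCH_MAC, "192.168.1.1"),
    # reply on VLAN 4 moving the gateway IP to another MAC
    build_arp(4, ARP_REPLY, OTHER_MAC, "192.168.1.254", SWITCH_MAC, "192.168.1.1"),
    # reply on VLAN 4 advertising the broadcast MAC for the gateway IP
    build_arp(4, ARP_REPLY, BROADCAST_MAC, "192.168.1.254", SWITCH_MAC, "192.168.1.1"),
    # management-subnet request from the switch leaking onto VLAN 4
    build_arp(4, ARP_REQUEST, SWITCH_MAC, "192.168.1.1", "00:00:00:00:00:00", "192.168.1.254"),
]


def run_sample() -> list:
    """Run the watcher over the sample frames; returns one alert list per frame."""
    watch = ArpWatch(trusted={"192.168.1.254": ROUTER_MAC},
                     vlan_subnets={24: "192.168.1.0/24", 4: "10.4.0.0/24"})   # assumed layout
    return [watch.check(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The trusted table is static on purpose: on a small network the gateway and switch management MACs are known, and a reply that moves one of them is the signal, whatever the source. The VLAN/subnet check is what would have raised the poster's first observation (management-subnet ARP on vlan4) before anyone poisoned anything, which is the point at which the config or the switch should be questioned.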
- DamianM, NETGEAR Moderator
Dear Customer,
You have contacted the German-speaking NETGEAR Community.
We are able to support you only in this particular language. If you decide to contact us in German, please rewrite your question and/or describe your issue/problem so everybody can understand and participate if they want.
Kind Regards,
DamianM
NETGEAR Community