Exam 312-50v11 topic 1 question 316 discussion

Be careful of how option A is phrased. Chatgpt will tell you the answer is A. But if you ask it again whether it is possible for an ARP table to have ONE IP address with TWO different MAC addresses, it will clarify that it is not possible. You can detect ARP spoofing using ARP table if there are TWO IP addresses sharing ONE MAC address (i.e. the attacker's original IP address and it's spoofed IP address). So B is the correct answer. Simply do a ping sweep with nmap [nmap -sn 192.168.1.0/24 (replace with the network address)] and it will show you the IP / MAC addresses.

A - ARP spoofing check.

If EC-Council has an incorrect answer, which one are we supposed to pick in the exam?

The correct option is B. In the arp table, it is not possible to have two identical ip's, because it is overwritten. In the case of mac addresses, however, it is possible to get two entries with equal macs.

The correct option is A The option B only search duplicated MAC's.

The question is "how would you identify whether someone is performing an ARP spoofing attack on YOUR laptop". With B you don't know if they are doing something in your laptop. I go with A.

ARP Spoofing Attack ARP packets can be forged to send data to the attacker’s machine.Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. (P.1143/1127)

arp -a "ARP poisoning can be detected in several different ways. You can use Windows’ Command Prompt, an open-source packet analyzer such as Wireshark, or proprietary options such as XArp. You can check the ARP attack in Command Prompt. First, open Command Prompt as an administrator. In the command line, enter: arp -a If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack."

The answer is A. ARP spoofing works by an attacker adding their MAC address to a valid IP address on the arp table so they can get the information meant for that IP address. Checking the arp table for an IP address having two MAC addresses will be the solution.

look arp table or scan to find duplicate MAC with 2x different IP.

https://www.comparitech.com/blog/information-security/arp-poisoning-spoofing-detect-prevent/ The table shows the IP addresses in the left column, and MAC addresses in the middle. If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack.

No, ARP spoofing will have two *IP addresses* with the same MAC, the attack machine will send a gratuitous ARP updating the MAC address of the router to ITS MAC address. The correct answer is B

A. You should check your ARP table and see if there is one IP address with two different MAC addresses.