Question
If you watch traffic in real time, you can see that an attacker doing a MiTM attack does ARP spoofing because MAC addresses will be duplicated, etc. And, well, you can see all MAC addresses and see who is a router and check if MAC addresses of the router match.
But what if we know that an attack was done yesterday, for example? How can we find out which MAC address was ARP spoofing and sending fake certificates (let's assume user accepted that)? Let's say an attacker stole some bank account credentials on a site that uses HTTPS. Is it even possible?
Explanation / Answer
Checking logs. The great secret of dissecting what happened after an attack. Poring over logs to find the malicious activity and see what it is. If there are no logs, you can't tell.
Where to look for the logs is also half the battle because depending on the exact nature of the attack, you could need logs from the client, a server or a router or some combination of the 3. It really depends on how the attack was performed.
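The answer's point that everything hinges on what was logged can be made concrete. The following is an added example, not code from the original question or answer: it assumes a defender kept periodic ARP-cache snapshots (for instance from a scheduled `arp -a` poll) in a hypothetical line format `<ISO timestamp> <ip> <mac>`, and it looks for the two indicators the question mentions, an IP (the gateway in particular) answering with more than one MAC over time, and a single MAC claiming several IPs. The sample log is constructed for the example; the gateway IP, the MAC values and the log format are assumptions.

```python
"""
Post-hoc ARP-spoofing indicator search over historical ARP-cache snapshots.

Added example; assumes a hypothetical log format: "<ISO timestamp> <ip> <mac>",
one line per ARP-cache entry per poll. Nothing here is a real tool's output.
"""
from collections import defaultdict
from datetime import datetime

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for this example

# Constructed sample log: at 14:02 the gateway's MAC changes, and the same new
# MAC also claims the host 192.168.1.20; by 14:10 both revert.
SAMPLE_ARP_LOG = """\
2024-05-01T14:00:00 192.168.1.1 aa:bb:cc:00:00:01
2024-05-01T14:00:00 192.168.1.20 aa:bb:cc:00:00:20
2024-05-01T14:00:00 192.168.1.30 aa:bb:cc:00:00:30
2024-05-01T14:02:00 192.168.1.1 de:ad:be:ef:00:99
2024-05-01T14:02:00 192.168.1.20 de:ad:be:ef:00:99
2024-05-01T14:02:00 192.168.1.30 aa:bb:cc:00:00:30
2024-05-01T14:10:00 192.168.1.1 aa:bb:cc:00:00:01
2024-05-01T14:10:00 192.168.1.20 aa:bb:cc:00:00:20
"""


def parse_arp_log(text):
    """Parse log lines into (timestamp, ip, mac) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        entries.append((datetime.fromisoformat(ts), ip, mac.lower()))
    return entries


def find_arp_anomalies(entries, gateway_ip):
    """
    Summarise indicators over the whole log:
      ip_to_macs      - IPs seen with more than one MAC (a MAC "flip flop")
      mac_to_ips      - MACs that claimed more than one IP (one NIC posing as several hosts)
      gateway_changes - ordered (timestamp, old_mac, new_mac) transitions for the gateway
    """
    ip_macs = defaultdict(set)
    mac_ips = defaultdict(set)
    gateway_changes = []
    last_gw_mac = None
    for ts, ip, mac in sorted(entries):
        ip_macs[ip].add(mac)
        mac_ips[mac].add(ip)
        if ip == gateway_ip:
            if last_gw_mac is not None and mac != last_gw_mac:
                gateway_changes.append((ts, last_gw_mac, mac))
            last_gw_mac = mac
    return {
        "ip_to_macs": {ip: sorted(m) for ip, m in ip_macs.items() if len(m) > 1},
        "mac_to_ips": {mac: sorted(i) for mac, i in mac_ips.items() if len(i) > 1},
        "gateway_changes": gateway_changes,
    }


def suspect_macs(report, entries, gateway_ip):
    """
    Candidate spoofing MACs: any MAC that answered for the gateway other than the
    MAC the gateway was first seen with, plus any MAC that claimed the gateway's IP
    alongside other IPs. Caveat: taking the first-seen MAC as the baseline assumes
    logging started before the incident; if not, confirm the baseline from the
    router's own configuration or inventory.
    """
    baseline = next((mac for _, ip, mac in sorted(entries) if ip == gateway_ip), None)
    suspects = set()
    for _, old_mac, new_mac in report["gateway_changes"]:
        for mac in (old_mac, new_mac):
            if mac != baseline:
                suspects.add(mac)
    for mac, ips in report["mac_to_ips"].items():
        if gateway_ip in ips:
            suspects.add(mac)
    return sorted(suspects)


if __name__ == "__main__":
    parsed = parse_arp_log(SAMPLE_ARP_LOG)
    summary = find_arp_anomalies(parsed, GATEWAY_IP)
    for ts, old_mac, new_mac in summary["gateway_changes"]:
        print(f"{ts.isoformat()} gateway {GATEWAY_IP}: {old_mac} -> {new_mac}")
    print("MACs claiming several IPs:", summary["mac_to_ips"])
    print("candidate spoofing MACs:", suspect_macs(summary, parsed, GATEWAY_IP))
```

The output is only as good as the logging interval: a poll every few minutes catches an attack that lasted an hour but can miss one that lasted thirty seconds, which is the answer's "if there are no logs, you can't tell" in a different guise. Correlating the flagged time window with the client's browser or OS logs of the rejected-then-accepted certificate, and with the server's connection logs, is what ties the MAC to the credential theft the question describes.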