Windows method to detect ARP Poisoning in my local network (LAN)?

(This question comes from this thread, and is intended to remain as a reference question/answer pair for more generic ARP poisoning detection on any network, not limited to WiFi, and without the specific explanations given to the original poster of that question)

As ARP Poisoning attacks are becoming more common (dSploit for Android, Cain&Abel for Windows, or several methods for Linux) in public places (bars, pubs, restaurants, shopping centres, cybercafés... etc.), I would like to know about some fast and simple method to detect it from my Windows laptop, whether I am on a wired or wireless network.

Do I need Wireshark captures and long readings of cryptic traffic data? Do I need a firewall (sometimes they disturb more than they help)? Is it mandatory to have something like Snort and become a guru capable of understanding all that data?
Isn't there any simple method that works even on stock Windows computers?


Solution 1:

(This answer is an adaptation of this one to make it non-WiFi-dependent, simpler, faster, and more appropriate to this other question)

Indeed, there is a simple method that is supposed to work in all cases. In ARP Poisoning cases there should necessarily be a duplicate MAC Address (AKA Physical Address) on your local network (AKA subnetwork or LAN), so the trick to detect it is simple: just list the ARP table (that is: all the MACs that your computer knows) and check for duplicates.
The usual duplicate tends to be the gateway (the router that connects you to the internet).
Method:

1.- Open a shell as Administrator:

cmd

2.- Clear the ARP cache (to drop possibly remaining entries for disconnected devices on your network) and wait a few seconds (30 seconds should be enough):

arp -d -a

3.- List the ARP table by executing (the output is just an example case of poisoning):

c:\>arp -a

Interface: 192.168.11.108 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-31-3f-d3-a9     dynamic
  192.168.0.102         50-e5-49-c5-47-15     dynamic
  192.168.0.107         00-17-31-3f-d3-a9     dynamic
  192.168.0.108         00-0a-e4-a0-7f-78     dynamic

4.- Look for duplicates in the ARP table. In my example, the router 192.168.0.1 and the device at 192.168.0.107 share the same MAC, so the chances are very high that the computer at 192.168.0.107 is the poisoner.

NOTE: the cmd shell as Administrator is only needed for step 2 (clearing the ARP cache). The rest of the process can be done from a normal unprivileged shell.

  • Could there be more than one device poisoning my LAN? Well... it is not usual, and makes little sense: the poisoning process could (not always) slow down (maybe not much) or even crash the entire network, and poisoning the router tends to send a lot of traffic to the poisoner (it could even hang the poisoner's device). But it could happen. Anyway, you can still detect it using this method. Just search for more duplicates.
  • Could any device other than the router be the poisoned one? Yes. Sometimes the interesting part is to intercept data sent to a network printer, a NAS, files sent between computers... etc.
  • The poisoner is not a router. Why, if the data is sent to the poisoner instead of to the router, do I still have internet access? Because the poisoner forwards the traffic to the router, in an attempt to make sure you won't notice anything. This is part of what is usually called a "Man in the Middle (MITM)" attack.
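The duplicate-MAC check in steps 3 and 4 above can be scripted so it does not depend on eyeballing the table. The following is an added example, not code from the answer above or from any tool it names: it parses the text layout that Windows `arp -a` prints, groups entries per interface, and reports any MAC claimed by more than one IP, plus the IPs that share the gateway's MAC. The embedded `arp -a` output is constructed (modelled on the answer's example, with a second interface and the static broadcast/multicast rows that a real table contains); the interface addresses and MACs are made up, and `--live` is an assumed flag of this script, not of `arp`.

```python
import re
import subprocess
import sys
from collections import defaultdict

# Constructed sample in the layout Windows `arp -a` prints. IPs and MACs are
# made up (modelled on the answer's example); this is not a real capture.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.0.108 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-31-3f-d3-a9     dynamic
  192.168.0.102         50-e5-49-c5-47-15     dynamic
  192.168.0.107         00-17-31-3f-d3-a9     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 10.0.0.5 --- 0x14
  Internet Address      Physical Address      Type
  10.0.0.1              00-17-31-3f-d3-a9     dynamic
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
# IPv4 address, Windows-style dashed MAC, entry type (dynamic/static).
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def _ip_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_table(text):
    """Return {interface_ip: {ip: (mac, type)}} from `arp -a` output."""
    tables = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ip, mac, kind = m.groups()
            tables[current][ip] = (mac.lower(), kind.lower())
    return tables


def find_duplicate_macs(tables, include_static=False):
    """Per interface, map each MAC claimed by more than one IP to those IPs.

    Grouping is per interface on purpose: the same MAC appearing on two
    different interfaces (e.g. one router reachable over Wi-Fi and cable)
    is normal, while two IPs on the same LAN sharing a MAC is the symptom
    the answer describes. Static entries (broadcast, multicast, manually
    pinned) are skipped unless include_static is set.
    """
    result = {}
    for iface, entries in tables.items():
        by_mac = defaultdict(list)
        for ip, (mac, kind) in entries.items():
            if kind != "dynamic" and not include_static:
                continue
            by_mac[mac].append(ip)
        dups = {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items() if len(ips) > 1}
        if dups:
            result[iface] = dups
    return result


def suspect_poisoners(tables, gateway_ip):
    """(interface, ip) pairs where ip != gateway but shares the gateway's MAC."""
    suspects = []
    for iface, dups in find_duplicate_macs(tables).items():
        gw = tables[iface].get(gateway_ip)
        if gw is None:
            continue
        for ip in dups.get(gw[0], []):
            if ip != gateway_ip:
                suspects.append((iface, ip))
    return suspects


if __name__ == "__main__":
    # `--live` is this script's own (assumed) switch: run the real `arp -a`.
    if "--live" in sys.argv:
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_ARP_OUTPUT
    tables = parse_arp_table(text)
    for iface, dups in find_duplicate_macs(tables).items():
        for mac, ips in dups.items():
            print(f"[{iface}] MAC {mac} claimed by {', '.join(ips)}")
    gateway = sys.argv[sys.argv.index("--gateway") + 1] if "--gateway" in sys.argv else "192.168.0.1"
    for iface, ip in suspect_poisoners(tables, gateway):
        print(f"[{iface}] {ip} answers for the gateway's MAC: likely poisoner")
```

Run it with no arguments to see the constructed sample flagged (`192.168.0.1` and `192.168.0.107` share a MAC on interface `192.168.0.108`), or with `--live --gateway <router-ip>` after the `arp -d` step to check the real table. Note what it does not catch: if the attacker's own IP was never resolved by your machine, the table shows only the gateway IP with the attacker's MAC and there is no duplicate to find, so a second useful check is to compare the gateway's MAC against one recorded on a known-clean day.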