Simple arp spoofing detector
After reading up on ARP poisoning (ARP spoofing) and trying it out, I am very impressed by how easy and dangerous sniffing/man-in-the-middle (MITM) attacks are.
So how can we protect ourselves and our data from being seen by other "hackers"?
Well first of all, we have to understand how ARP spoofing based sniffing/MITM attacks work:
Basically it's something like this:
For example, say we want to attack the data stream from host A to host B and the other way round (usually, it's a host and its gateway).
For normal communication, host A knows that host B (IP 192.168.0.1) can be physically found under the MAC address 12:34:56:78:90:AA, and host B knows that host A (IP 192.168.0.2) has MAC address 00:11:22:33:44:55.
If we want to intercept the communication, we tell host A "Hello, host B moved to 33:33:33:33:33:33 (the attacker's MAC)", and to host B we send "Hello, host A moved to 33:33:33:33:33:33".
Now both computers send their packets to the attacker's computer, which forwards them, so the attack doesn't get detected.
With this connection setup, the attacker can sniff and/or modify the data.
To protect against ARP spoofing attacks we actually only have to check whether our gateway's MAC address changes (the script below notices the change only after the cache entry has already been altered, so it detects an attack in progress rather than preventing it).
This can be implemented with `arp -a`. I did this in a very simple shell script:

```bash
#!/bin/bash
#
# arpprotector: warn when the MAC address of a watched host (usually the
# gateway) changes in the local ARP cache.

sleeptime="5"
watchip="192.168.0.1"
command=""

while [ $# -gt 0 ]; do
    case "$1" in
        -t) watchip=$2 ; shift 2 ;;
        -e) command=$2 ; shift 2 ;;
        -s) sleeptime=$2 ; shift 2 ;;
        -h|--help)
            echo "Usage: $0 [-t host] [-e command] [-s sleep-time (secs)]"
            exit 1 ;;
        *) shift 1 ;;
    esac
done

# Extract the MAC address from the `arp -a` line for the watched host.
# grep -w matches the whole token, so 192.168.0.1 does not also match 192.168.0.10.
lookup_hwaddr() {
    arp -a | grep -w "$watchip" | sed -r "s/.*(..:..:..:..:..:..).*/\1/"
}

hwaddr=$(lookup_hwaddr)
if [ "$hwaddr" == "" ]; then
    echo "There is no such ip/host \"$watchip\""
    exit 1
fi

echo "Correctly initialized on IP/Host $watchip, currently running at mac address $hwaddr..."

while true; do
    tmphwaddr=$(lookup_hwaddr)
    if [ "$tmphwaddr" != "$hwaddr" ]; then
        echo ""
        echo "$(date)"
        echo "***************************"
        echo "***     ARP ALERT!      ***"
        echo "*** The target is now   ***"
        echo "*** under mac address   ***"
        echo "*** $tmphwaddr       ***"
        echo "***************************"
        # Run the user-supplied alert command (e.g. "beep -r 3"), if one was given.
        [ -n "$command" ] && eval "$command"
    fi
    sleep "$sleeptime"
done
```
To execute the script, make it executable (`chmod +x scriptname`) and run it like:

```bash
./arpprotector -t 192.168.0.1 -s 10 -e "beep -r 3"
```

This would check host 192.168.0.1 for ARP spoofing every 10 seconds and execute `beep -r 3` in case of an attack.
There are also other approaches that work with static MAC tables, such as the open source project ArpON.
Basically, to add a static entry yourself, you can use:

```bash
arp -s 192.168.0.1 11:22:33:44:55:66
```

This permanently binds 192.168.0.1 to the MAC address 11:22:33:44:55:66, which seems to be spoof-resistant: a static entry is not overwritten by incoming ARP replies, but it also has to be updated by hand if the gateway's hardware ever changes.