Message-ID: <200409152001.29558@M3T4>
From: fdlist at digitaloffense.net (H D Moore)
Subject: Re: The ArpSucker is b0rn! Be yourself, be the net.
There are actually some legitimate uses for this kind of stuff. The
attached Perl script will enforce IP/MAC combinations on the local
subnet. It was designed to catch ARP spoofing attacks and discourage[1]
unauthorized systems from connecting to the segment that it monitors. If
you run this script on an external segment, it will convince your router
that each non-used address exists and that it should forward the
IP packet on. This can be useful when you want to monitor ALL traffic
destined for your external network and don't have an upstream tap.
This script requires the Net::Pcap module and uses the Linux-specific
SOCK_PACKET interface, YMMV. The configuration file looks suspiciously
like the output of arp -n. To use it, send an IP packet to each host on
your local subnet, dump your ARP cache, and manually add your own IP
address:
# nmap -sP 192.168.0.0/24
# arp -n | grep -v Address > arpguard.conf
# ifconfig
< read IP + MAC >
# echo -e "192.168.0.XXX ether 00:11:22:33:44:55 C eth0" >> arpguard.conf
# perl arpguard.pl -i eth0 -f arpguard.conf -t
[.. test it out ..]
# nohup perl arpguard.pl -i eth0 -f arpguard.conf &
Then watch syslog for messages like:
arpguard.pl: ethernet address mismatch for XXX: real=XXX fake=XXX
If you change the DEFACEDFEEDD MAC address to your own, it will provide
the exact same functionality as ArpSucker (just in a cleaner package). To
use it in this fashion, the configuration file should only contain your
IP and that of the default gateway. If you would like to exclude any
other address from the attack, just add the corresponding entries to the
configuration file.
-HD
1. Any Windows/MacOS system trying to connect to the network segment will
receive "Address already in use" error messages, regardless of what
range they try to use on the monitored segment. If you don't see the
alert generated by arpguard and they keep fighting for the address at the
ARP level, there is a decent chance they can get away with using the
segment anyways. It should also be obvious that anyone spoofing their
MAC address would be able to defeat this system. Then again, anyone who
first connects to the system may not notice arpguard until it has already
thrown an alert...
On Monday 13 September 2004 15:05, Alpt wrote:
> Freaknet Death C is pride to present ya:
> }----------------- (The ArpSucker) ----------------{
>
> Hi folks,
> Did you ever dream to become the net, to be a big, bad, black, black,
> black hole?
> Yep! I did.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arpguard.pl
Type: application/x-perl
Size: 3901 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040915/1439f2aa/arpguard.bin
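The detection half of what the post describes (a table of expected IP/MAC pairs in `arp -n` layout, checked against every ARP frame seen on the segment, with a syslog line on mismatch) is shown below as an added Python example. It is not HD Moore's arpguard.pl and does not reproduce the script's ARP-reply behaviour; it only parses frames and reports. The config text, the MAC and IP addresses, the `build_arp` helper used to construct test frames, and the "unlisted address" alert wording are all assumptions made for this example; the mismatch message format is the one quoted in the post.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample config in the `arp -n` layout the post describes
# (header line included to show it is skipped). Addresses are invented.
ARPGUARD_CONF = """\
Address HWtype HWaddress Flags Mask Iface
192.168.0.1 ether 00:11:22:33:44:01 C eth0
192.168.0.10 ether 00:11:22:33:44:0a C eth0
192.168.0.20 ether 00:11:22:33:44:14 C eth0
"""


def mac_to_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_conf(text):
    """Return {ip: mac} from lines like 'IP ether MAC C iface'; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "ether":
            continue
        table[parts[0]] = parts[2].lower()
    return table


def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is anything else."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "oper": oper,
        "eth_src": mac_to_str(src),      # MAC in the Ethernet header
        "sha": mac_to_str(sha),          # MAC claimed inside the ARP payload
        "spa": socket.inet_ntoa(spa),
        "tha": mac_to_str(tha),
        "tpa": socket.inet_ntoa(tpa),
    }


def check_frame(table, frame):
    """Return an alert line for a frame that contradicts the table, else None."""
    arp = parse_arp_frame(frame)
    if arp is None or arp["oper"] not in (ARP_REQUEST, ARP_REPLY):
        return None
    expected = table.get(arp["spa"])
    if expected is None:
        # Wording of this alert is this example's own, not arpguard.pl's.
        return "arpguard: unlisted address %s claimed by %s" % (arp["spa"], arp["sha"])
    # Both the ARP sender MAC and the frame source MAC must agree with the table;
    # a mismatch in either is reported in the format quoted in the post.
    for seen in (arp["sha"], arp["eth_src"]):
        if seen != expected:
            return "arpguard.pl: ethernet address mismatch for %s: real=%s fake=%s" % (
                arp["spa"], expected, seen)
    return None


def audit(conf_text, frames):
    """Run check_frame over a capture and return the list of alerts in order."""
    table = parse_conf(conf_text)
    return [a for a in (check_frame(table, f) for f in frames) if a is not None]


def build_arp(oper, sha, spa, tha, tpa, eth_src=None):
    """Construct a raw ARP frame for testing (assumed helper, not part of arpguard)."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_to_bytes(eth_src or sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_to_bytes(sha), socket.inet_aton(spa),
                      mac_to_bytes(tha), socket.inet_aton(tpa))
    return eth + arp


if __name__ == "__main__":
    capture = [
        build_arp(ARP_REPLY, "00:11:22:33:44:01", "192.168.0.1",
                  "00:11:22:33:44:0a", "192.168.0.10"),           # legitimate gateway reply
        build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.0.1",
                  "00:11:22:33:44:0a", "192.168.0.10"),           # gateway IP with wrong MAC
        build_arp(ARP_REQUEST, "de:ad:be:ef:00:02", "192.168.0.77",
                  "00:00:00:00:00:00", "192.168.0.77"),           # gratuitous ARP for unlisted IP
    ]
    for alert in audit(ARPGUARD_CONF, capture):
        print(alert)
```

Feeding this real traffic means reading frames from a raw socket (`AF_PACKET`, or the SOCK_PACKET interface the post mentions on older Linux) and handing each one to `check_frame`; the 42-byte minimum and the hardware/protocol type checks mean VLAN-tagged or non-IPv4 ARP frames are silently skipped rather than misparsed. Checking the Ethernet source as well as the ARP sender field catches frames whose payload matches the table but whose header does not, which the table alone would miss.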