Full Disclosure mailing list archives
Re: The ArpSucker is b0rn! Be yourself, be the net.
From: H D Moore <fdlist () digitaloffense net>
Date: Wed, 15 Sep 2004 20:01:28 -0500
There are actually some legitimate uses for this kind of stuff. The attached Perl script will enforce IP/MAC combinations on the local subnet. It was designed to catch ARP spoofing attacks and discourage[1] unauthorized systems from connecting to the segment that it monitors. If you run this script on an external segment, it will convince your router that each non-used address exists and that it should forward the IP packet on. This can be useful when you want to monitor ALL traffic destined for your external network and don't have an upstream tap.

This script requires the Net::Pcap module and uses the Linux-specific SOCK_PACKET interface, YMMV. The configuration file looks suspiciously like the output of arp -n. To use it, send an IP packet to each host on your local subnet, dump your ARP cache, and manually add your own IP address:

# nmap -sP 192.168.0.0/24
# arp -n | grep -v Address > arpguard.conf
# ifconfig < read IP + MAC >
# echo -e "192.168.0.XXX ether 00:11:22:33:44:55 C eth0" >> arpguard.conf
# perl arpguard.pl -i eth0 -f arpguard.conf -t
[.. test it out ..]
# nohup perl arpguard.pl -i eth0 -f arpguard.conf &

Then watch syslog for messages like:

arpguard.pl: ethernet address mismatch for XXX: real=XXX fake=XXX

If you change the DEFACEDFEEDD MAC address to your own, it will provide the exact same functionality as ArpSucker (just in a cleaner package). To use it in this fashion, the configuration file should only contain your IP and that of the default gateway. If you would like to exclude any other address from the attack, just add the corresponding entries to the configuration file.

-HD

1. Any Windows/MacOS system trying to connect to the network segment will receive "Address already in use" error messages, regardless of what range they try to use on the monitored segment.

If you don't see the alert generated by arpguard and they keep fighting for the address at the ARP level, there is a decent chance they can get away with using the segment anyways. It should also be obvious that anyone spoofing their MAC address would be able to defeat this system. Then again, anyone who first connects to the system may not notice arpguard until it has already thrown an alert...

On Monday 13 September 2004 15:05, Alpt wrote:
Freaknet Death C is proud to present ya:
}----------------- (The ArpSucker) ----------------{
Hi folks,
Did you ever dream to become the net, to be a big, bad, black, black, black hole? Yep! I did.
Attachment:
arpguard.pl
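
The IP/MAC check described in the message above, as an added example that is not arpguard.pl and not part of the original post: it parses a table in `arp -n` format and compares observed ARP sender pairs against it, using the alert wording quoted in the message. The function names, the "unlisted address" alert, and all sample addresses are assumptions constructed for illustration; packet capture is left out, so observations are passed in as (ip, mac) pairs.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def load_table(text):
    """Parse `arp -n`-style lines into {ip: mac}; skip header and incomplete rows."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # A usable row is: <ip> ether <mac> ...; "(incomplete)" rows have no HWtype.
        if len(fields) < 3 or fields[1] != "ether":
            continue
        mac = fields[2].lower()
        if MAC_RE.match(mac):
            table[fields[0]] = mac
    return table

def check(table, observations):
    """Compare observed (ip, mac) ARP sender pairs against the table; return alerts."""
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()  # MAC comparison must be case-insensitive
        real = table.get(ip)
        if real is None:
            # Assumption: an address absent from the table is reported, not ignored.
            alerts.append(f"unlisted address {ip} claimed by {mac}")
        elif real != mac:
            alerts.append(f"ethernet address mismatch for {ip}: real={real} fake={mac}")
    return alerts

# Constructed sample table (header and incomplete row included on purpose).
SAMPLE_CONF = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:11:22:33:44:55   C                     eth0
192.168.0.7                      (incomplete)                              eth0
192.168.0.10             ether   00:AA:BB:CC:DD:EE   C                     eth0
"""
# Constructed observations: two legitimate, one mismatch, one unlisted address.
SAMPLE_OBS = [
    ("192.168.0.1", "00:11:22:33:44:55"),
    ("192.168.0.10", "00:aa:bb:cc:dd:ee"),
    ("192.168.0.1", "02:00:00:00:00:99"),
    ("192.168.0.7", "02:00:00:00:00:07"),
]

if __name__ == "__main__":
    for alert in check(load_table(SAMPLE_CONF), SAMPLE_OBS):
        print("arpguard-example:", alert)
```

As the message notes, a check of this kind cannot detect a host that clones a listed MAC address, since the observed pair then matches the table.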