My dear Linux lovers, how are you all? Do you remember us? You were reading
about cache poisoning; if you don't remember, it doesn't matter. Don't take
tension: after this blog you will not forget it. Still, bookmark our website,
it is for your benefit. So now let's come back to our topic.
So, first of all let's learn about ARP cache poisoning. The functionality of
the ARP (Address Resolution Protocol) was described in another of our posts
(https://www.kumaratuljaiswal.in/2021/09/master-local-area-network-lan.html).
A computer that wants to send an IP packet to another host must first request
the MAC address of the destination using the ARP protocol. This request is
broadcast to all members of the network. In a perfect world the only computer
that answers is the intended destination. In a not so perfect world an attacker
may send its victim such an ARP reply packet every few seconds, but with its
own MAC address as the answer, and thus redirect the connection to itself.
For more info about the ARP cache poisoning attack, with a practical
demonstration, see our post linked here:
CLICK HERE
Brought to you by
Hacking Truth
To defend against ARP poisoning attacks one can, on one side, use static ARP
entries, but those may get overwritten by received ARP responses depending on
the ARP handling code of the operating system; on the other side, one can use
a tool such as an ARP watcher.
An ARP watcher keeps an eye on the ARP traffic and reports suspicious behavior
but will not prevent it. Nowadays most modern Intrusion Detection Systems can
detect ARP cache poisoning attacks. You should check the functionality of your
IDS by running the scripts from the post linked above and seeing how it behaves.
So, there are two methods when we talk about ARP watching: the first is to code
your own ARP watcher, and the second is to use a ready-made tool. The choice is
yours; both have the same functionality and purpose.
First we use the ready-made tool, then we work on coding our own ARP watcher.
Arpwatch
Arpwatch is an open source program that helps you monitor Ethernet traffic
activity (such as changing IP and MAC addresses) on your network and maintains
a database of Ethernet/IP address pairings. It produces a log of the observed
IP/MAC address pairings along with timestamps. This tool is especially useful
for network administrators who want to keep a watch on ARP activity to detect
ARP spoofing or unexpected IP/MAC address modifications.
Let's Install
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
└─$ sudo apt-get install arpwatch
[sudo] password for hackerboy:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
arpwatch
0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
Need to get 49.0 kB of archives.
After this operation, 161 kB of additional disk space will be used.
Get:1 http://ftp.harukasan.org/kali kali-rolling/main amd64 arpwatch amd64 2.1a15-8 [49.0 kB]
Fetched 49.0 kB in 16s (3,125 B/s)
Selecting previously unselected package arpwatch.
(Reading database ... 407952 files and directories currently installed.)
Preparing to unpack .../arpwatch_2.1a15-8_amd64.deb ...
Unpacking arpwatch (2.1a15-8) ...
Setting up arpwatch (2.1a15-8) ...
update-rc.d: We have no instructions for the arpwatch init script.
update-rc.d: It looks like a network service, we disable it.
arpwatch.service is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for kali-menu (2021.4.2) ...
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/Penetration-tester-jr/arpcache]
└─$
Arpwatch configuration description
Arpwatch on systemd based Linux systems does not support a configuration file,
but the systemd unit files shipped with Debian allow launching arpwatch with a
different configuration on each interface.
In order to do that, create a file called IFNAME.iface which contains variable
assignments in sh syntax (comments are allowed). You can use the following
variables to influence the invocation for that specific interface only:
# ARGS: overwrite the ARGS from /etc/default/arpwatch
# PCAP_FILTER: overwrite (or set) the pcap filter
# IFACE_ARGS: additional options to be passed to arpwatch
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ cat /etc/default/arpwatch
# Global options for arpwatch(8).
# do not use the -i, -f or -u options here, they are added automatically
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# if you want to add a pcap filter, uncomment and adjust the option below (you
# will need spaces so adding -F to the ARGS above will cause problems). See -F
# option in man 8 arpwatch for more information
#PCAP_FILTER="not ether host (00:11:22:33:44:55 or 66:77:88:99:aa:bb)"
# Debian: run as `arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"
# when using systemd you have to enable arpwatch explicitly for each interface
# you want to run it on by running:
# systemctl enable arpwatch@IFACE
# systemctl start arpwatch@IFACE
# For the LSB init script, enter a list of interfaces into the list below;
# arpwatch will be started to listen on these interfaces.
# Note: This is ignored when using systemd!
# INTERFACES="eth0 eth1"
INTERFACES=""
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
I have multiple network interfaces on my Debian server and I need to run
arpwatch on the wlan0 interface:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b4:b6:86:47:55:83 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 688 bytes 61882 (60.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 688 bytes 61882 (60.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.249.25 netmask 255.255.255.0 broadcast 192.168.249.255
inet6 fe80::aa80:f129:e78d:aa96 prefixlen 64 scopeid 0x20<link>
inet6 2409:4064:200b:220c:7ad5:600b:2ea3:7963 prefixlen 64 scopeid 0x0<global>
ether fc:01:7c:29:00:77 txqueuelen 1000 (Ethernet)
RX packets 53817 bytes 30589399 (29.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 62412 bytes 47543548 (45.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
In addition, on the enp5s0 interface I need to monitor changes in MAC
addresses not only for the 192.168.12.0/24 local network, but also for the
networks 192.168.122.0/24, 192.168.80/24 and 192.168.125.0/24. Changes in MAC
addresses must be logged to a file and also mailed to
arpwatch@mydomain.com.
Arpwatch configuration
Go to /etc/arpwatch directory and create file wlan0.iface
(IFNAME.iface) with this content:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo nano wlan0.iface
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ cat wlan0.iface
INTERFACES="wlan0"
ARGS="-N -p"
IFACE_ARGS="-m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24"
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
Here is the man page for arpwatch:
https://manpages.debian.org/unstable/arpwatch/arpwatch.8.en.html
# The -m option is used to specify the e-mail address to which reports will be sent. By default, reports are sent to root on the local machine.
# The -n flag specifies additional local networks. This can be useful to avoid bogon warnings when there is more than one network running on the same wire. If the optional width/mask is not specified, the default netmask for the network's class is used.
# The -N flag disables reporting any bogons.
# The -p flag disables promiscuous operation. ARP broadcasts get through hubs without having the interface in promiscuous mode, while saving considerable resources that would be wasted on processing gigabytes of non-broadcast traffic. Setting promiscuous mode does not mean getting 100% of the traffic that would concern arpwatch.
Arpwatch and systemd
Now you can start your arpwatch on
wlan0 interface with systemctl start command:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl daemon-reload
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl start arpwatch@wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
You can check the status of the arpwatch daemon:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ sudo systemctl status arpwatch@wlan0
● arpwatch@wlan0.service - arpwatch service on interface wlan0
Loaded: loaded (/lib/systemd/system/arpwatch@.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2022-01-25 18:10:08 IST; 28min ago
Docs: man:arpwatch(8)
Main PID: 26295 (arpwatch)
Tasks: 1 (limit: 4366)
Memory: 3.1M
CPU: 745ms
CGroup: /system.slice/system-arpwatch.slice/arpwatch@wlan0.service
└─26295 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 212.158.133.0/24 -F ""
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Stopped arpwatch service on interface wlan0.
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: arpwatch@wlan0.service: Consumed 2.360s CPU time.
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Starting arpwatch service on interface wlan0...
Jan 25 18:10:08 KumarAtulJaiswal systemd[1]: Started arpwatch service on interface wlan0.
Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: Running as uid=140 gid=149
Jan 25 18:10:08 KumarAtulJaiswal arpwatch[26295]: listening on wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch[26295]: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$
The report types that arpwatch logs are:
new activity – This ethernet/ip address pair has been used for the first time in six months or more.
new station – The ethernet address has not been seen before.
flip flop – The ethernet address has changed from the most recently seen address to the second most recently seen address. If either the old or new ethernet address is a DECnet address and it is less than 24 hours, the email version of the report is suppressed.
changed ethernet address – The host switched to a new ethernet address.
Check that arpwatch is running:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ ps aux|grep arp
hackerb+ 4312 0.1 0.4 545140 18244 ? Sl 08:38 0:03 leafpad /home/hackerboy/Desktop/Penetration-tester-jr/arpcache/arpwatch/arpwatch-content.txt
root 6365 0.0 0.0 11140 3212 pts/1 S+ 08:46 0:00 sudo python3 arpcache.py 192.168.122.45 192.168.122.30
root 6376 0.1 2.0 129852 76892 pts/1 S+ 08:46 0:03 python3 arpcache.py 192.168.122.45 192.168.122.30
arpwatch 14690 0.0 0.1 13680 6700 ? S 09:15 0:00 /usr/sbin/arpwatch -u arpwatch -i wlan0 -f wlan0.dat -N -p -m arpwatch@mydomain.com -n 192.168.122.0/24 -n 192.168.80/24 -n 192.168.125.0/24 -F
hackerb+ 19812 0.0 0.0 6316 2260 pts/3 S+ 09:35 0:00 grep --color=auto arp
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
arpwatch after reboot
You have to enable the arpwatch@wlan0 service unit so that it starts after a
system reboot:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl daemon-reload
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl enable arpwatch@wlan0
Created symlink /etc/systemd/system/multi-user.target.wants/arpwatch@wlan0.service → /lib/systemd/system/arpwatch@.service.
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
Create /var/log/arpwatch directory and file arpwatch.log in this
directory:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo mkdir /var/log/arpwatch
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo touch /var/log/arpwatch/arpwatch.log
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo chmod 666 /var/log/arpwatch/arpwatch.log
And restart rsyslog daemon:
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$ sudo systemctl restart rsyslog
┌──(hackerboy㉿KumarAtulJaiswal)-[/etc/arpwatch]
└─$
┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
└─$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-01-24 09:51:27 IST; 4min 30s ago
TriggeredBy: ● syslog.socket
Docs: man:rsyslogd(8)
man:rsyslog.conf(5)
https://www.rsyslog.com/doc/
Main PID: 23919 (rsyslogd)
Tasks: 4 (limit: 4366)
Memory: 1.6M
CPU: 173ms
CGroup: /system.slice/rsyslog.service
└─23919 /usr/sbin/rsyslogd -n -iNONE
Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Starting System Logging Service...
Jan 24 09:51:27 KumarAtulJaiswal systemd[1]: Started System Logging Service.
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2110.0 try https://www.rsyslog.com/e/2307 ]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.2110.0]
Jan 24 09:51:27 KumarAtulJaiswal rsyslogd[23919]: [origin software="rsyslogd" swVersion="8.2110.0" x-pid="23919" x-info="https://www.rsyslog.com"] start
┌──(hackerboy㉿KumarAtulJaiswal)-[/var/log/arpwatch]
└─$
And now you can see messages from the working arpwatch daemon:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ cat /var/log/arpwatch/arpwatch.log
Jan 25 18:10:07 KumarAtulJaiswal arpwatch: exiting
Jan 25 18:10:08 KumarAtulJaiswal arpwatch: Running as uid=140 gid=149
Jan 25 18:10:08 KumarAtulJaiswal arpwatch: listening on wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 KumarAtulJaiswal arpwatch: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 KumarAtulJaiswal arpwatch: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
arpwatch mac addresses files
The default directory for the arpwatch MAC address database is /var/lib/arpwatch.
The file is named in IFNAME.dat format. You can print the database content:
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$ cat /var/lib/arpwatch/wlan0.dat
fc:01:7c:29:00:77 192.168.122.30 1643114422 wlan0
fc:01:7c:29:00:77 192.168.122.25 1643045197 wlan0
e6:e4:e4:95:1e:27 192.168.122.158 1643045197 wlan0
e6:e4:e4:95:1e:27 192.168.249.79 1643119787 wlan0
fc:01:7c:29:00:77 192.168.249.25 1643119770 wlan0
fc:01:7c:29:00:77 192.168.249.45 1643119787 wlan0
08:00:27:67:67:30 192.168.249.45 1643119391 wlan0
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/python/mymodule]
└─$
NOTE: When you run the arpwatch daemon for the first time, the database file is
empty. You have to restart the arpwatch daemon first to see any content.
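As an added example (not code from the original post or from the arpwatch project), here is a small Python checker that parses arpwatch syslog reports in the format shown above together with an IFNAME.dat database and flags the pattern visible in the log above: an IP's MAC changes to a MAC that already answers for another IP in the same subnet. The hostname, the sample lines and the /24 heuristic are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed sample syslog lines in the arpwatch report format shown above (not real captures).
SAMPLE_LOG = """\
Jan 25 18:10:26 host arpwatch: new station 192.168.249.79 e6:e4:e4:95:1e:27 wlan0
Jan 25 18:10:26 host arpwatch: new station 192.168.249.25 fc:01:7c:29:00:77 wlan0
Jan 25 18:34:18 host arpwatch: new station 192.168.249.45 08:00:27:67:67:30 wlan0
Jan 25 18:34:18 host arpwatch: changed ethernet address 192.168.249.45 fc:01:7c:29:00:77 (08:00:27:67:67:30) wlan0
Jan 25 18:40:02 host arpwatch: flip flop 192.168.249.45 08:00:27:67:67:30 (fc:01:7c:29:00:77) wlan0
"""

# Constructed sample IFNAME.dat content: "mac ip last-seen-epoch iface" per line.
SAMPLE_DAT = """\
e6:e4:e4:95:1e:27 192.168.249.79 1643119787 wlan0
fc:01:7c:29:00:77 192.168.249.25 1643119770 wlan0
fc:01:7c:29:00:77 192.168.249.45 1643119787 wlan0
08:00:27:67:67:30 192.168.249.45 1643119391 wlan0
"""

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"  # arpwatch does not zero-pad octets
LOG_RE = re.compile(
    r"arpwatch(?:\[\d+\])?: (new station|new activity|changed ethernet address|flip flop) "
    rf"(\S+) ({MAC})(?: \(({MAC})\))? (\S+)$")

def parse_log(text):
    """Return one dict per arpwatch report line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            kind, ip, mac, old_mac, iface = m.groups()
            events.append({"kind": kind, "ip": ip, "mac": mac,
                           "old_mac": old_mac, "iface": iface})
    return events

def parse_dat(text):
    """Map each MAC in an IFNAME.dat file to the set of IPs it has been seen with."""
    owned = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            owned[fields[0]].add(fields[1])
    return owned

def suspicious_changes(events, owned, prefix=24):
    """Flag address changes where the new MAC already answers for another IP in the
    same /prefix: a NIC swap does not normally do that, a poisoning host does."""
    findings = []
    for ev in events:
        if ev["kind"] not in ("changed ethernet address", "flip flop"):
            continue
        net = ip_network(f"{ev['ip']}/{prefix}", strict=False)
        others = sorted(ip for ip in owned.get(ev["mac"], ())
                        if ip != ev["ip"] and ip_address(ip) in net)
        if others:
            findings.append((ev["ip"], ev["mac"], ev["old_mac"], others))
    return findings

if __name__ == "__main__":
    for ip, new_mac, old_mac, others in suspicious_changes(parse_log(SAMPLE_LOG), parse_dat(SAMPLE_DAT)):
        print(f"{ip}: now {new_mac} (was {old_mac}); {new_mac} also claims {', '.join(others)}")
```

Hosts that legitimately hold several addresses on one interface (routers, VRRP, secondary IPs) will also trigger this, so treat a hit as a triage signal to confirm against the switch's port/MAC table rather than as proof of poisoning.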
Arp-watcher
Now it is time to code our own ARP watcher.
#!/usr/bin/env python3
from scapy.all import sniff, ARP
from signal import signal, SIGINT
import sys

arp_watcher_db_file = "/var/cache/arp-watcher.db"
ip_mac = {}   # known IP -> MAC resolutions

# Save the ARP table on shutdown (Ctrl-C)
def sig_int_handler(signum, frame):
    print("Got SIGINT. Saving ARP database...")
    try:
        with open(arp_watcher_db_file, "w") as f:
            for (ip, mac) in ip_mac.items():
                f.write(ip + " " + mac + "\n")
        print("Done.")
    except IOError:
        print("Cannot write file " + arp_watcher_db_file)
    sys.exit(1)

def watch_arp(pkt):
    # only look at is-at packets (ARP responses, opcode 2)
    if ARP in pkt and pkt[ARP].op == 2:
        print(pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
        # IP not seen before: remember the device
        if ip_mac.get(pkt[ARP].psrc) is None:
            print("Found new device " + pkt[ARP].hwsrc + " " + pkt[ARP].psrc)
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc
        # IP is known but now answers from a different MAC: possibly forged
        elif ip_mac[pkt[ARP].psrc] != pkt[ARP].hwsrc:
            print(pkt[ARP].psrc + " has got new mac " + pkt[ARP].hwsrc
                  + " (old " + ip_mac[pkt[ARP].psrc] + ")")
            ip_mac[pkt[ARP].psrc] = pkt[ARP].hwsrc

signal(SIGINT, sig_int_handler)

if len(sys.argv) < 2:
    print(sys.argv[0] + " <iface>")
    sys.exit(0)

# Load the previously saved resolutions, or exit if the database cannot be read
try:
    fh = open(arp_watcher_db_file, "r")
except IOError:
    print("Cannot read file " + arp_watcher_db_file)
    sys.exit(1)

for line in fh:
    line = line.strip()        # drop the trailing newline
    if not line:
        continue
    (ip, mac) = line.split(" ")
    ip_mac[ip] = mac
fh.close()

# Sniff only ARP traffic on the given interface and hand every packet to watch_arp
sniff(prn=watch_arp,
      filter="arp",
      iface=sys.argv[1],
      store=0)
Usage (sniffing needs root): sudo python3 arpwatch.py <iface>
For example: sudo python3 arpwatch.py wlan0
At the start we define a signal handler, sig_int_handler(), that gets called
if the user interrupts the program. This function saves all known IP-to-MAC
resolutions from the ip_mac dictionary to a file. Afterwards we read the ARP
db file to initialize the program with all currently known resolutions, or
exit if the file cannot be read. Then we loop line by line through the file's
content and split each line into IP and MAC to store them in the ip_mac
dictionary. Finally we call the already known function sniff(), which invokes
the callback function watch_arp for every received ARP packet.
The function watch_arp implements the real logic of the program. When the
sniffed packet is an is-at packet, and therefore an ARP response, we first
check whether the IP exists in the ip_mac dictionary. If there is no entry, the
device is new and we print a message to the screen; otherwise we compare the
MAC address with the MAC in our dictionary. If it differs, the response is
probably forged and we print a message to the screen. In both cases the
dictionary gets updated with the new information.
Disclaimer
All tutorials are for informational and educational purposes only and have been
made using our own routers, servers, websites and other vulnerable free
resources. They do not contain any illegal activity. We believe that ethical
hacking, information security and cyber security should be familiar subjects to
anyone using digital information and computers.
Hacking Truth is against misuse of the information and we strongly advise
against it. Please regard the word hacking as ethical hacking or penetration
testing every time this word is used. We do not promote, encourage, support or
incite any illegal activity or hacking.