ARPSPOOF_DETECTOR
Watch value for gateway mac in the arp table
Nice and simple, but will not detect an attack if the tool is executed after the attack.
Analyze "is-at" ARP responses:
Check if IP is gateway IP.
Check if source mac is actually the gateway's mac.
This method will detect attacks even if the attack was launched before the execution of the tool.
#!/usr/bin/env python
import scapy
from scapy.layers.l2 import ARP
from scapy.sendrecv import sniff
def sniff(interface):
scapy.sendrecv.sniff(iface=interface, store=False, prn=process_sniffed_packet)
def process_sniffed_packet(packet):
if packet.haslayer(ARP) and packet[ARP].op == 2:
print(packet.show())
sniff("eth0")Update the Python code to detect the real attack!
#!/usr/bin/env python
import scapy
from scapy.layers.l2 import ARP, Ether
from scapy.sendrecv import sniff, srp
def get_mac(ip):
arp_request = ARP(pdst=ip)
broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast / arp_request
answered_list = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
return answered_list[0][1].hwsrc
def sniff(interface):
scapy.sendrecv.sniff(iface=interface, store=False, prn=process_sniffed_packet)
def process_sniffed_packet(packet):
try:
real_mac = get_mac(packet[ARP].psrc)
response_mac = packet[ARP].hwsrc
if real_mac != response_mac:
print("[+] You are under attack!!")
except IndexError:
pass
sniff("eth0")