Write your own ARP spoof detector in Python : Coding For Cyber Security ( Program №4)

Anandita
3 min readNov 6, 2020

--

Now that I have explained how to develop our own tools for performing MITM attacks such as ARPSPOOF and DNSPOOF, We will explore how to build a program to detect the ARP Spoof attacks being performed on our machine. This is a basic beginner friendly program.

HOW DOES AN ARP SPOOF DETECTOR WORK?

If we look at how our ARP spoofer program works, we will be able to notice that we created a function to send ARP responses that used to poison the ARP table of the victim machine. We will be making some changes in that function and edit it so that if the packets have a layer of spoofed ARP, the program could detect it. We will use the following code in order to do so :

import scapy.all as scapy

def sniff(interface):
scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet)

def process_sniffed_packet(packet):
if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
print(packet.show())


sniff("eth0")

Function for getting the MAC address :

def mac(ipadd):
arp_request = scapy.ARP(pdst=ipadd)
br = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
arp_req_br = br / arp_request
list_1 = scapy.srp(arp_req_br, timeout=5, verbose=False)[0]
return list_1[0][1].hwsrc

Function to process the sniffed packet and get the values of old MAC in “originalmac” variable and the value of MAC in the response as “responsemac” variable.

def process_sniffed_packet(packet):
if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
originalmac = mac(packet[scapy.ARP].psrc)
responsemac = packet[scapy.ARP].hwsrc

Now we will compare both the values to check whether they are similar or not, if not then it is obvious that the values have been spoofed.

if originalmac != responsemac:
print("[*] ALERT!! You are under attack, the ARP table is being poisoned.!")

After performing the above steps, our code will look like this :

DEMONSTRATION OF THE TOOL

I have used two kali machines to perform this practical.

  1. 10.0.2.8 — — — — — — Attacker machine
  2. 10.0.2.15 — — — — — — Victim Machine

Step 1 : Run the following commands on the attacker machine :

# git clone https://github.com/An4ndita/ARP-Spoofer.git
# cd ARP-Spoofer
# python3 arp.py
Enter the target IP >
Enter the gateway IP >

Meanwhile, open another terminal on the attacker machine and run the following command :

# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2 : I have run “arp -a” before performing the attack as well as after performing the attack on the victim machine (10.0.2.15) and the results clearly show that spoofing is being performed.

Step 3 : Next, you can download my github tool on your victim machine or use your own tool for this purpose, following are the commands to use my tool :

# git clone https://github.com/An4ndita/arpspoof-detector.git
# cd arp-detector
# python3 arpdetector.py
Enter the Interface >

Above are the results for successful detection of an ARP poisoning attack on the victim machine.

Happy Hacking. 😀

Remember that this content is made available for educational & informational purposes only!🌼

--

--