Write your own ARP spoof detector in Python: Coding For Cyber Security (Program №4)

Now that I have explained how to develop our own tools for performing MITM attacks such as ARPSPOOF and DNSPOOF, we will explore how to build a program that detects ARP spoofing attacks being performed against our own machine. This is a basic, beginner-friendly program.

HOW DOES AN ARP SPOOF DETECTOR WORK?

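import scapy.all as scapy

def sniff(interface):
    # Capture on the interface without storing packets; pass each one to the callback.
    scapy.sniff(iface=interface, store=False, prn=process_sniffed_packet)

def process_sniffed_packet(packet):
    # op == 2 is an ARP reply ("is-at"), the packet type used to poison ARP tables.
    if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
        # show() prints the packet itself and returns None, so it is not wrapped in print().
        packet.show()


sniff("eth0")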

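Function for getting the MAC address:

def mac(ipadd):
    # Broadcast an ARP request for ipadd and return the MAC address from the first reply.
    arp_request = scapy.ARP(pdst=ipadd)
    br = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_req_br = br / arp_request
    list_1 = scapy.srp(arp_req_br, timeout=5, verbose=False)[0]
    # list_1[0] is the first (sent, received) pair; IndexError is raised if no host answered.
    return list_1[0][1].hwsrc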

Function to process the sniffed packet: it stores the MAC address obtained by querying the sender's IP in the “originalmac” variable and the MAC address carried in the ARP response in the “responsemac” variable.

def process_sniffed_packet(packet):
    if packet.haslayer(scapy.ARP) and packet[scapy.ARP].op == 2:
        originalmac = mac(packet[scapy.ARP].psrc)
        responsemac = packet[scapy.ARP].hwsrc

Now we compare the two values. If they differ, the MAC address in the reply is not the one that host itself answers with, so the reply has been spoofed.

        if originalmac != responsemac:
            print("[*] ALERT!! You are under attack, the ARP table is being poisoned.!")
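The comparison described above, as an added example that is not the author's code: it parses raw ARP reply frames with the standard library, applies the originalmac/responsemac check, and reports "unverified" instead of alerting when the independent lookup gets no answer. The `resolve` callback, the gateway address 10.0.2.1 and all MAC addresses are assumptions constructed for the sample.

```python
import struct

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op != 2:   # op 2 = reply
        return None
    return ".".join(str(b) for b in frame[28:32]), mac_str(frame[22:28])

def check_reply(frame, resolve):
    """Classify one frame. resolve(ip) returns the MAC found by an independent
    lookup, or None if nobody answered (assumed interface, not from the article)."""
    parsed = parse_arp_reply(frame)
    if parsed is None:
        return "ignored"
    sender_ip, responsemac = parsed
    originalmac = resolve(sender_ip)
    if originalmac is None:
        return "unverified"   # cannot confirm either way, so no false alert
    return "ok" if originalmac.lower() == responsemac else "spoofed"

def build_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct a raw 42-byte ARP reply frame for the sample data below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    to_ip = lambda i: bytes(int(p) for p in i.split("."))
    eth = to_mac(target_mac) + to_mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return (eth + arp + to_mac(sender_mac) + to_ip(sender_ip)
            + to_mac(target_mac) + to_ip(target_ip))

# Constructed sample data: the gateway IP and every MAC address are made up.
KNOWN = {"10.0.2.1": "52:54:00:12:35:00"}
VICTIM_MAC, ATTACKER_MAC = "08:00:27:aa:bb:15", "08:00:27:aa:bb:08"
GENUINE = build_reply(KNOWN["10.0.2.1"], "10.0.2.1", VICTIM_MAC, "10.0.2.15")
FORGED = build_reply(ATTACKER_MAC, "10.0.2.1", VICTIM_MAC, "10.0.2.15")
UNKNOWN = build_reply(ATTACKER_MAC, "10.0.2.99", VICTIM_MAC, "10.0.2.15")

if __name__ == "__main__":
    for name, frame in [("genuine", GENUINE), ("forged", FORGED), ("unknown", UNKNOWN)]:
        print(name, check_reply(frame, KNOWN.get))
```

In a live detector, `resolve` would wrap an active lookup such as the mac() function above, returning None when the request times out.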

After performing the above steps, our code will look like this :

DEMONSTRATION OF THE TOOL

  1. 10.0.2.8: Attacker machine
  2. 10.0.2.15: Victim machine

Step 1: Run the following commands on the attacker machine:

# git clone https://github.com/An4ndita/ARP-Spoofer.git
# cd ARP-Spoofer
# python3 arp.py
Enter the target IP >
Enter the gateway IP >

Meanwhile, open another terminal on the attacker machine and run the following command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2 : I have run “arp -a” before performing the attack as well as after performing the attack on the victim machine (10.0.2.15) and the results clearly show that spoofing is being performed.

Step 3: Next, you can download my GitHub tool on your victim machine or use your own tool for this purpose. The following commands run my tool:

# git clone https://github.com/An4ndita/arpspoof-detector.git
# cd arpspoof-detector
# python3 arpdetector.py
Enter the Interface >

Above are the results for successful detection of an ARP poisoning attack on the victim machine.

Happy Hacking. 😀

Remember that this content is made available for educational & informational purposes only!🌼

Cyber Security Enthusiast
