DIY DNS/ARP Spoofing Detection

Draft, on-going: the current approach produces too many files (one snapshot per run). We need a more elegant way to track and handle the ARP snapshots.

Warning

Instead of actively scanning for peers with nmap as the script below does, you may prefer to run this on a gateway. In any case you only cover one defined subnet; we are not monitoring the whole LAN.

Also, this is not live monitoring. The cron job may be set up at a five minute interval or so (the scan itself only takes a few seconds, depending on the scan method chosen in the script), so a poisoned entry that appears and disappears between two runs goes unnoticed.

The arp -a command also does name resolution (static /etc/hosts entries and dynamic reverse DNS lookups of each IP), so a diff of its output catches both a changed IP-to-MAC mapping (ARP cache poisoning) and a changed IP-to-name mapping (DNS cache poisoning) at once. Note that this only exercises reverse (PTR) lookups; a poisoned forward record for a name you never resolve in reverse will not show up here.

Requirement

First, make sure you receive the output of cron jobs by email: the check reports by printing to standard output, and cron mails whatever a job prints. Watch the mail log and send yourself a test message:

tail -F /var/log/mail.log
tail -F /var/log/maillog
date | mail -s `hostname` root

Install

Take a first snapshot of the ARP cache, named after the current Unix timestamp

mkdir -p $HOME/arp/
cd $HOME/arp/
arp -a | sort > `date +%s`

Fetch the script and set the subnet it should scan

cd ~/bin/
wget http://pub.nethence.com/bin/backup/arpcheck.ksh.txt
mv -i arpcheck.ksh.txt arpcheck.ksh
chmod +x arpcheck.ksh
vi arpcheck.ksh

subnet=x.x.x.x/xx

and run it once by hand to check that it works against the first snapshot

$HOME/bin/arpcheck.ksh

Automate

crontab -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin
*/5     *       *       *       *       /root/bin/arpcheck.ksh
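As an added example of the whole procedure above (this is not the arpcheck.ksh script from nethence.com, and it makes its own choices), here is a small POSIX sh script that normalizes "arp -a" output to "ip mac name" triples, diffs the new snapshot against the previous one, and reports NEW, GONE, MAC-CHANGED and NAME-CHANGED entries. It keeps a single last.txt plus an append-only changes.log instead of one file per run. The file names, the ARPCHECK_RUN environment variable guard, and the sample snapshots in arp_demo are assumptions constructed for the example; the parser assumes the usual Linux/BSD "name (ip) at mac ..." line format.

```sh
#!/bin/sh
# arpdiff.sh: added example, not the page's arpcheck.ksh.
# Compares two "arp -a" snapshots and reports changed mappings.

# Normalize "arp -a" lines such as
#   gw.lan (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
#   ? (192.168.1.5) at <incomplete> on eth0
# to sorted "ip mac name" triples; MACs are lower-cased, an
# unresolved entry gets the literal mac "incomplete".
arp_normalize() {
    awk '
    match($0, /\([0-9.]+\)/) {
        ip = substr($0, RSTART + 1, RLENGTH - 2)
        name = $1
        mac = "incomplete"
        if (match($0, / at [0-9a-fA-F:]+/))
            mac = tolower(substr($0, RSTART + 4, RLENGTH - 4))
        print ip, mac, name
    }' | sort
}

# arp_diff OLD NEW: both files normalized; prints one line per change.
arp_diff() {
    # First run (no previous snapshot): everything is new.
    [ -s "$1" ] || { sed 's/^/NEW /' "$2"; return 0; }
    awk '
    NR == FNR { old_mac[$1] = $2; old_name[$1] = $3; next }
    {
        seen[$1] = 1
        if (!($1 in old_mac)) { print "NEW", $1, $2, $3; next }
        if ($2 != old_mac[$1])
            print "MAC-CHANGED", $1, old_mac[$1] " -> " $2, $3
        if ($3 != old_name[$1])
            print "NAME-CHANGED", $1, $2, old_name[$1] " -> " $3
    }
    END {
        for (ip in old_mac)
            if (!(ip in seen)) print "GONE", ip, old_mac[ip], old_name[ip]
    }' "$1" "$2" | sort
}

# arp_check DIR: take a fresh snapshot, report changes against DIR/last.txt
# (printed for cron to mail, and appended with a timestamp to changes.log),
# then rotate. File names are this example's own convention.
arp_check() {
    dir=$1
    mkdir -p "$dir"
    arp -a | arp_normalize > "$dir/current.txt"
    [ -f "$dir/last.txt" ] || : > "$dir/last.txt"
    arp_diff "$dir/last.txt" "$dir/current.txt" \
        | tee /dev/stderr | sed "s/^/$(date +%s) /" >> "$dir/changes.log"
    mv "$dir/current.txt" "$dir/last.txt"
}

# Constructed sample snapshots (not real captures) to exercise the diff
# offline: the gateway's MAC changes, .2 resolves to a new name,
# .5 appears without a MAC and .9 is gone.
arp_demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/old.raw" <<'EOF'
gw.lan (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
nas.lan (192.168.1.2) at aa:bb:cc:00:00:02 [ether] on eth0
? (192.168.1.9) at aa:bb:cc:00:00:09 [ether] on eth0
EOF
    cat > "$tmp/new.raw" <<'EOF'
gw.lan (192.168.1.1) at DE:AD:BE:EF:00:01 [ether] on eth0
files.lan (192.168.1.2) at aa:bb:cc:00:00:02 [ether] on eth0
printer.lan (192.168.1.5) at <incomplete> on eth0
EOF
    arp_normalize < "$tmp/old.raw" > "$tmp/old.txt"
    arp_normalize < "$tmp/new.raw" > "$tmp/new.txt"
    arp_diff "$tmp/old.txt" "$tmp/new.txt"
    rm -rf "$tmp"
}

# Real run only when explicitly requested, e.g. from cron:
#   ARPCHECK_RUN=1 /root/bin/arpdiff.sh
[ "${ARPCHECK_RUN:-}" = 1 ] && arp_check "${HOME:-/root}/arp"
```

Run arp_demo to see the four report lines; in the cron job, set ARPCHECK_RUN=1 so arp_check runs and its report is mailed. A host that simply aged out of the ARP cache is reported as GONE, and one that drops to <incomplete> as MAC-CHANGED, which is exactly why the page's script first refreshes the cache with an nmap sweep of the subnet (for example nmap -sn on the configured subnet) before reading it; without that, an idle but healthy host is indistinguishable from a vanished one.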

Resources

What are the reasons for seeing an incomplete ARP? https://networkengineering.stackexchange.com/questions/50843/what-are-the-reasons-for-seeing-an-incomplete-arp

Command-line tool to obtain OUI vendor info from MAC address? https://unix.stackexchange.com/questions/248769/command-line-tool-to-obtain-oui-vendor-info-from-mac-address


Copyright © 2024 Pierre-Philipp Braun