Sunday, March 22, 2009

ARP sniffer in perl, killing wireless intruders...literaly

caveat: This was written on OS X but I believe it will work just fine if you put your MAC addresses and replace the name of my interface with your interface. Make sure you have root/administrator privelages when you launch the program, IE sudo/no uac.

THANK YOU PAUL MILLER. For making the perl module Net::Pcap::Easy. I made this arp sniffer, which really is to say I just pasted some of the Net::Pcap::Easy documentation down. But anyway I am going put this code in my robot's code, so that, in the event of a wireless intruder, he will find them...and kill them.


The Technical stuff...

So why arp, why not just do a ping sweep or query a udp port or something? Well port's can be blocked, and ping(ICMP) can also be blocked. ARP is required for communication and is broadcast. I could have used dhcp but an intruder could statically set an ip address.


use Net::Pcap::Easy;
my @internalMac = qw( 0023329dcdf5 0023120914f9 );
# all arguments to new are optoinal
my $npe = Net::Pcap::Easy->new(
dev => "en0",
packets_per_loop => 10,
bytes_to_capture => 1024,
timeout_in_ms => 0, # 0ms means forever
promiscuous => 0, # true or false

default_callback => sub {
my ($npe, $ether, $po, $spo) = @_;

if( $po ) {
if( $po->isa("NetPacket::ARP") ) {
print "ARP packet: $po->{sha} -> $po->{tha}\n";
my $element = $po->{sha};
print $element;
if (grep {$_ eq $element} @internalMac) {
print " ARP address is yours"."\n" ;
}else{
print " intruder!\n";
}
}


}
}
);
1 while $npe->loop;



Oh and if your curious the output kind of looks like this:




ARP packet: 0023329dcdf5 -> 000000000000
0023329dcdf5 ARP address is yours
ARP packet: 001c10f48be6 -> 0023329dcdf5
001c10f48be6 intruder!
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023329dcdf5 -> 000000000000
0023329dcdf5 ARP address is yours
ARP packet: 001c10f48be6 -> 0023329dcdf5
001c10f48be6 intruder!
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0015af772a39 -> 000000000000
0015af772a39 intruder!
ARP packet: 001c10f48be6 -> 000000000000
001c10f48be6 intruder!
ARP packet: 0023329dcdf5 -> 001c10f48be6
0023329dcdf5 ARP address is yours

2 comments:

Mary said...

You did this just to kill me. No one else uses your wireless network within stabbing range. Jerk.

jettero said...

You realize, of course, that the intruder could watch your traffic for a while, get an idea of your seqnos, spoof your MAC and wander your network with impunity?

There really isn't a way to tie a PC, NIC, or person to a single identy-number. It's an unsolved problem in information security, imo.