Saturday, April 11, 2009

Updated ARP sniffer to also get dhcp packets....Slowly becoming a passive IDS

I am slowly making a very passive intrusion detection system...I guess. I added the ability to sense DHCP requests on a LAN, as well as the original arp requests. The updated script is below. I am probably going to expand this to have a gui and while it will run on linux and windows, you still need to manually change the ethernet device, or dev => "en0";...probably to eth0 on linux and Local Area Connection on windows. Well I guess I am going to listen to some rilo kiley and cry now....or something. Happy Easter if I don't catch you tomorrow.
So the pre tagging made some of my code get cut off it still works if you select and copy right but I am just going to paste the code sloppy style then the pre will be under that:


use Net::Pcap::Easy;
my @internalMac = qw( 0023329dcdf5 0023120914f9 );
my $dhcpr = '0.0.0.0';
# all arguments to new are optoinal
my $npe = Net::Pcap::Easy->new(
dev => "en0",
packets_per_loop => 10,
bytes_to_capture => 1024,
timeout_in_ms => 0, # 0ms means forever
promiscuous => 0, # true or false

default_callback => sub {
my ($npe, $ether, $po, $spo) = @_;
if( $po ) {
if( $po->isa("NetPacket::IP") ) {
if( $spo ) {
if( $spo->isa("NetPacket::UDP") && $po->{src_ip} eq $dhcpr ) {
print "DHCP packet requested: $po->{src_ip}:$spo->{src_port} -> ",
"$po->{dest_ip}:$spo->{dest_port}\n";
}
}
}elsif( $po ) {
if( $po->isa("NetPacket::ARP") ) {
print "ARP packet: $po->{sha} -> $po->{tha}\n";
my $element = $po->{sha};
print $element;
if (grep {$_ eq $element} @internalMac) {
print " ARP address is yours"."\n" ;
}else{
print " intruder!\n";
}
}


}
}
}
);
1 while $npe->loop;





use Net::Pcap::Easy;
my @internalMac = qw( 0023329dcdf5 0023120914f9 );
my $dhcpr = '0.0.0.0';
# all arguments to new are optoinal
my $npe = Net::Pcap::Easy->new(
dev => "en0",
packets_per_loop => 10,
bytes_to_capture => 1024,
timeout_in_ms => 0, # 0ms means forever
promiscuous => 0, # true or false

default_callback => sub {
my ($npe, $ether, $po, $spo) = @_;
if( $po ) {
if( $po->isa("NetPacket::IP") ) {
if( $spo ) {
if( $spo->isa("NetPacket::UDP") && $po->{src_ip} eq $dhcpr ) {
print "DHCP packet requested: $po->{src_ip}:$spo->{src_port} -> ",
"$po->{dest_ip}:$spo->{dest_port}\n";
}
}
}elsif( $po ) {
if( $po->isa("NetPacket::ARP") ) {
print "ARP packet: $po->{sha} -> $po->{tha}\n";
my $element = $po->{sha};
print $element;
if (grep {$_ eq $element} @internalMac) {
print " ARP address is yours"."\n" ;
}else{
print " intruder!\n";
}
}


}
}
}
);
1 while $npe->loop;

1 comment:

samuraitux said...

Hey Dusty, I posted a link back to here on linuxquestions which is where I usally hang out. Hope you don't care.