Saturday, April 11, 2009

Updated ARP sniffer to also catch DHCP packets... slowly becoming a passive IDS

I am slowly building a very passive intrusion detection system, I suppose. I added the ability to detect DHCP requests on the LAN alongside the original ARP requests; the updated script is below. I will probably give it a GUI at some point, and while it runs on both Linux and Windows, you still have to change the capture device by hand: dev => "en0" becomes eth0 on Linux, and on Windows it is the pcap device name rather than the friendly "Local Area Connection" label. Well, I guess I am going to listen to some Rilo Kiley and cry now, or something. Happy Easter if I don't catch you tomorrow.
The pre tag cut off some of my code (it still works if you select and copy carefully), so here it is pasted plainly:


#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap::Easy;

# MAC addresses of your own hosts, in the 12-hex-digit form NetPacket::ARP uses for sha/tha.
my @internalMac = qw( 0023329dcdf5 0023120914f9 );
my $dhcpr = '0.0.0.0';          # source address a client uses before it has a lease
my $dhcp_server_port = 67;      # client -> server DHCP traffic (renewals come from a real IP)

# all arguments to new are optional
my $npe = Net::Pcap::Easy->new(
    dev              => "en0",  # eth0 on Linux; the pcap device name on Windows
    packets_per_loop => 10,
    bytes_to_capture => 1024,
    timeout_in_ms    => 0,      # 0ms means forever
    promiscuous      => 0,      # true or false; 0 still sees broadcasts such as ARP and DHCP discovers

    default_callback => sub {
        my ($npe, $ether, $po, $spo) = @_;
        return unless $po;      # $po is the NetPacket::IP or NetPacket::ARP object

        if ( $po->isa("NetPacket::IP") ) {
            # $spo is the transport-layer object (UDP/TCP/ICMP) when there is one
            if ( $spo && $spo->isa("NetPacket::UDP") && $spo->{dest_port} == $dhcp_server_port ) {
                my $state = $po->{src_ip} eq $dhcpr ? "no lease yet" : "renewing";
                print "DHCP packet requested ($state): $po->{src_ip}:$spo->{src_port} -> ",
                      "$po->{dest_ip}:$spo->{dest_port}\n";
            }
        }
        elsif ( $po->isa("NetPacket::ARP") ) {
            print "ARP packet: $po->{sha} -> $po->{tha}\n";
            my $element = $po->{sha};   # sender hardware address
            print $element;
            if ( grep { $_ eq $element } @internalMac ) {
                print " ARP address is yours\n";
            }
            else {
                print " intruder!\n";
            }
        }
    },
);

1 while $npe->loop;
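The Perl script above is tied to a live capture device, so its checks are hard to exercise without a LAN in front of you. What follows is an added example, not code from the post, that does the same two checks in Python on raw Ethernet frames, parsing the ARP and BOOTP/DHCP headers directly instead of through NetPacket. It goes one step further than the post by also remembering which MAC first claimed each sender IP, so a second MAC answering for the same IP is flagged as well. The allowlist values are the post's; the frames, the Monitor class and the build_* helpers are constructed for the demo.

```python
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4, IPPROTO_UDP, DHCP_SERVER_PORT = 0x0806, 0x0800, 17, 67
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}
# Allowlist in the 12-hex-digit form NetPacket::ARP reports (the post's values).
INTERNAL_MACS = {"0023329dcdf5", "0023120914f9"}


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(payload):
    """(opcode, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    return (opcode, payload[8:14].hex(), ip_str(payload[14:18]),
            payload[18:24].hex(), ip_str(payload[24:28]))


def parse_dhcp(payload):
    """(src_ip, dst_ip, chaddr, msg_type) for an IPv4/UDP client->server DHCP message."""
    if len(payload) < 20 or payload[0] >> 4 != 4 or payload[9] != IPPROTO_UDP:
        return None
    udp = payload[(payload[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != DHCP_SERVER_PORT:
        return None
    bootp = udp[8:]  # fixed 236-byte BOOTP header, then the magic cookie, then options
    if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
        return None
    chaddr = bootp[28:34].hex()  # client hardware address (first 6 of 16 bytes)
    msg_type, opts, i = None, bootp[240:], 0
    while i + 1 < len(opts) and opts[i] != 255:  # TLV options: 0 = pad, 255 = end
        if opts[i] == 0:
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53 and length == 1 and i + 2 < len(opts):
            msg_type = opts[i + 2]  # option 53: DHCP message type
        i += 2 + length
    return ip_str(payload[12:16]), ip_str(payload[16:20]), chaddr, msg_type


class Monitor:
    """Passive ARP/DHCP monitor: flags unknown MACs and IP->MAC binding changes."""

    def __init__(self, internal_macs):
        self.internal = set(internal_macs)
        self.bindings = {}  # sender IP -> MAC first seen claiming it

    def inspect(self, frame):
        if len(frame) < 14:
            return None
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_ARP and (arp := parse_arp(frame[14:])):
            opcode, sha, spa, tha, tpa = arp
            alerts = [] if sha in self.internal else ["unknown-mac"]
            if self.bindings.setdefault(spa, sha) != sha:
                alerts.append("ip-mac-changed")  # another MAC now claims this IP
            return {"kind": "arp", "mac": sha, "src_ip": spa, "dst_ip": tpa,
                    "op": "request" if opcode == 1 else "reply", "alerts": alerts}
        if ethertype == ETHERTYPE_IPV4 and (dhcp := parse_dhcp(frame[14:])):
            src_ip, dst_ip, chaddr, msg_type = dhcp
            return {"kind": "dhcp", "mac": chaddr, "src_ip": src_ip, "dst_ip": dst_ip,
                    "op": DHCP_TYPES.get(msg_type, str(msg_type)),
                    "alerts": [] if chaddr in self.internal else ["unknown-mac"]}
        return None


# Constructed frames for the demo (not captured traffic).
def build_arp(sha, spa, tha, tpa, opcode=1):
    eth = bytes.fromhex("ffffffffffff" + sha) + struct.pack("!H", ETHERTYPE_ARP)
    return (eth + struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
            + bytes.fromhex(sha) + bytes(map(int, spa.split(".")))
            + bytes.fromhex(tha) + bytes(map(int, tpa.split("."))))


def build_dhcp(chaddr, msg_type=1, src_ip="0.0.0.0"):
    bootp = (bytes([1, 1, 6, 0]) + bytes(24) + bytes.fromhex(chaddr) + bytes(202)
             + DHCP_MAGIC + bytes([53, 1, msg_type, 255]))
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), b"\xff" * 4) + udp
    return bytes.fromhex("ffffffffffff" + chaddr) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def run_demo():
    mon = Monitor(INTERNAL_MACS)
    frames = [
        build_arp("0023329dcdf5", "192.168.1.10", "000000000000", "192.168.1.1"),  # own host
        build_dhcp("0023120914f9"),  # own host, DISCOVER from 0.0.0.0
        build_dhcp("00deadbeef01", 3, "192.168.1.77"),  # unknown host renewing a lease
        build_arp("00deadbeef01", "192.168.1.10", "0023329dcdf5", "192.168.1.10", 2),  # takes over .10
    ]
    return [mon.inspect(f) for f in frames]


if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Matching DHCP on destination port 67 instead of a 0.0.0.0 source catches the third frame, a renewal sent from an address the host already holds, which a source-address check alone would miss. The last frame shows why the binding table is worth keeping: the unknown MAC is flagged on its own, but the "ip-mac-changed" alert is what tells you it is answering for an address one of your own hosts already uses. To run this on real traffic, feed inspect() the raw frames from a pcap reader.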


1 comment:

Unknown said...

Hey Dusty, I posted a link back to here on linuxquestions, which is where I usually hang out. Hope you don't care.