caveat: This was written on OS X but I believe it will work just fine if you put your MAC addresses and replace the name of my interface with your interface. Make sure you have root/administrator privelages when you launch the program, IE sudo/no uac.
THANK YOU PAUL MILLER. For making the perl module Net::Pcap::Easy. I made this arp sniffer, which really is to say I just pasted some of the Net::Pcap::Easy documentation down. But anyway I am going put this code in my robot's code, so that, in the event of a wireless intruder, he will find them...and kill them.
The Technical stuff...
So why arp, why not just do a ping sweep or query a udp port or something? Well port's can be blocked, and ping(ICMP) can also be blocked. ARP is required for communication and is broadcast. I could have used dhcp but an intruder could statically set an ip address.
use Net::Pcap::Easy;
my @internalMac = qw( 0023329dcdf5 0023120914f9 );
# all arguments to new are optoinal
my $npe = Net::Pcap::Easy->new(
dev => "en0",
packets_per_loop => 10,
bytes_to_capture => 1024,
timeout_in_ms => 0, # 0ms means forever
promiscuous => 0, # true or false
default_callback => sub {
my ($npe, $ether, $po, $spo) = @_;
if( $po ) {
if( $po->isa("NetPacket::ARP") ) {
print "ARP packet: $po->{sha} -> $po->{tha}\n";
my $element = $po->{sha};
print $element;
if (grep {$_ eq $element} @internalMac) {
print " ARP address is yours"."\n" ;
}else{
print " intruder!\n";
}
}
}
}
);
1 while $npe->loop;
Oh and if your curious the output kind of looks like this:
ARP packet: 0023329dcdf5 -> 000000000000
0023329dcdf5 ARP address is yours
ARP packet: 001c10f48be6 -> 0023329dcdf5
001c10f48be6 intruder!
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023329dcdf5 -> 000000000000
0023329dcdf5 ARP address is yours
ARP packet: 001c10f48be6 -> 0023329dcdf5
001c10f48be6 intruder!
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0023120914f9 -> 000000000000
0023120914f9 ARP address is yours
ARP packet: 0015af772a39 -> 000000000000
0015af772a39 intruder!
ARP packet: 001c10f48be6 -> 000000000000
001c10f48be6 intruder!
ARP packet: 0023329dcdf5 -> 001c10f48be6
0023329dcdf5 ARP address is yours
2 comments:
You did this just to kill me. No one else uses your wireless network within stabbing range. Jerk.
You realize, of course, that the intruder could watch your traffic for a while, get an idea of your seqnos, spoof your MAC and wander your network with impunity?
There really isn't a way to tie a PC, NIC, or person to a single identy-number. It's an unsolved problem in information security, imo.
Post a Comment