Disclaimer: These scripts only work if the network is MITMed after you join it; they do not protect you if it was compromised before you joined.
Most often you find yourself in a coffee shop surfing the internet, uploading files to your FTP server or updating your blog.
If you are familiar with man-in-the-middle attacks, I don't expect you to do any of those things on an untrusted WiFi (or wired) network; otherwise, you should think twice before doing anything through a public access point.
Scared? You should be!
Usually coffee shops (places you go to buy/drink coffee) cannot afford expensive APs that prevent such attacks, bearing in mind that script kiddies can easily execute them with a few clicks using off-the-shelf hacking tools.
To avoid being prey to such attacks you can use the script below, which I developed and use on public networks.
About the script
The most special part about this script is that it uses native commands and tools only, so you don't need to install any 3rd-party software. The script monitors your local ARP table looking for MAC address changes and immediately disconnects your network interface whenever a spoof is detected. This prevents your machine from sending confidential information (such as passwords) over an unsecured, monitored channel.
NOTE: Only attackers inside your network can execute ARP poisoning attacks; this script only detects such attacks and drops your connection when your workstation notices an explicit ARP modification.
This does not protect you from :
- Eavesdropping that does not touch the ARP table, such as switch port mirroring
- ISP/Government spy operations.
As a recommendation: never use plain HTTP/FTP/POP/IMAP, even from home, since those protocols are easily monitored by ISPs, governments and hackers.
Usage
Launch it before connecting to the new WiFi; it needs admin/root rights so that the script can disable your network interface in case of emergency.
Feel free to submit/share bugs/updates/suggestions w heik.
Code
Linux standalone Bash file (MAC version will be released soon):
#!/bin/bash
# Accumulates the ARP table over time and alerts when one IP address has been seen with more than one MAC address.
tmpFile=/tmp/arpcheck
tmptmpFile=/tmp/arpcheckt
: > "$tmpFile"
: > "$tmptmpFile"
while :
do
    # Append the current ARP table (no name resolution) to the history file
    arp -n >> "$tmpFile"
    # Keep one copy of each distinct line, dropping the header and incomplete entries
    sort "$tmpFile" | uniq | sed '/Address/d' | sed '/incomplete/d' > "$tmptmpFile"
    mv "$tmptmpFile" "$tmpFile"
    # An IP address that now appears on more than one (sorted, adjacent) line has been seen with more than one MAC
    awk '{ print $1 }' "$tmpFile" | uniq -d > "$tmptmpFile"
    dup=$(head -1 "$tmptmpFile")
    if [ "$dup" == "" ]; then
        echo "No MAC Spoofing detected till now"
    else
        # Column 5 of arp -n is the interface the entry was learned on; take it down
        awk -v P="$dup" '$1==P {system("ifconfig " $5 " down && echo A possible Man in the Middle attack was detected, Shutting down your internet interface "$5"!")}' "$tmpFile" | head -1
        break
    fi
    sleep 1
done
Windows standalone Batch file:
@Echo off
Rem Accumulates the dynamic ARP entries over time and alerts when one IP address has been seen with more than one MAC address
SET FileName=arp
SET OutFileAlt=%tmp%\arpAlt
SET FileExt=.txt
SET Infile=%tmp%\%FileName%%FileExt%
SET OutFile=%tmp%\%FileName%_NODUPL%FileExt%
echo. 2>%Infile%
echo. 2>%OutFile%
:Loop
:: Append the current dynamic ARP entries to the history file
arp -a -v | findstr dynamic >> %Infile%
SET OldLine=initial_value_to_be_neglected
If Exist %OutFile% DEL %OutFile%
If Exist %OutFileAlt%%FileExt% DEL %OutFileAlt%%FileExt%
Rem Sort the history so identical lines become adjacent, then keep one copy of each
sort %Infile% /O %Infile%
For /F "tokens=*" %%L In (%Infile%) Do SET Line=%%L&Call :NoDupL
GoTo flush
:NoDupL
If "%Line%" == "%OldLine%" GoTo EOF
Echo %Line%>>%OutFile%
SET OldLine=%Line%
GoTo EOF
:flush
del %Infile% /Q
rename %OutFile% %FileName%%FileExt%
GoTo CheckForDup
:: An IP address (first token) that appears on two adjacent lines has been seen with two different MAC addresses
:CheckForDup
SET OldLine=initial_value_to_be_neglected
For /F "tokens=1 delims= " %%L In (%Infile%) Do SET Line=%%L&Call :DupL
GoTo flush2
:DupL
If "%Line%" == "%OldLine%" Echo %Line%>>%OutFileAlt%%FileExt%
SET OldLine=%Line%
GoTo EOF
:: Report the result
:flush2
If NOT Exist %OutFileAlt%%FileExt% Echo No MAC Spoofing detected till now&GoTo TakeYourTime
For /F "tokens=1 delims= " %%L In (%OutFileAlt%%FileExt%) Do Echo %%L was found with a duplicate MAC Address
GoTo Trigger
:: Wait about one second before the next check
:TakeYourTime
ping localhost -n 2 -w 1000 >nul
GoTo Loop
:: Trigger a system command whenever a MAC spoof has been detected
:Trigger
Echo Disabling your WiFi interface NOW !
wmic path win32_networkadapter where NetConnectionID="Wireless Network Connection" call disable>nul
Pause
:EOF