Add ARP spoofing support

Issue #24 new
repo owner created an issue

So previously my view on this was `just use arpspoof from the command line' but another mac sniffer is doing this and it is actually pretty neat.

Comments (9)

  1. choll reporter

    Rough notes:

    • libnet would be useful for this but would mean the helper program can't drop root privileges
    • Can enable packet forwarding via sysctl: sysctl -w net.inet.ip.forwarding=1 (needs root)
      • Will need to be managed at app level not document level (as it is a global option)
    • Will need to either launch a separate helper program or the current helper won't be able to drop privileges (due to the forwarding sysctl, for writing packet data the bpf file descriptor can just be opened rw)
      • Separate helper means the user gets asked for a password again
      • Not dropping privileges is less secure
    • Code that turns on IP forwarding can't drop privileges because it will need to turn it off again when exiting
  2. choll reporter

    So given the above it might be best to have the helper tool fork another process which handles injecting ARP packets and turning IP forwarding on and off. Then the main helper can still drop privileges. i.e. follow the basic principle of minimising the amount of code that runs with elevated privileges.

    The main helper can then receive commands from the GUI which it passes on to the arp-helper.

    There will need to be commands like:

    • Turn IP forwarding on/off
      • AppController will need to decide this, by maintaining a list or count of which interfaces are spoofing. This is because if you have two captures on the same interface you don't want one of them to turn off forwarding when it quits if the other is still running.
    • Set the list of addresses to spoof (so an empty list means stop spoofing)
  3. choll reporter

    When documenting this, probably want to describe:

    • Static IP/MAC mappings in router
    • Cisco port security

    Both from the POV of "if this concerns you, here are the countermeasures" and "why doesn't this work for me?"

  4. Log in to comment