choll / packetpeeper / issues / #24 - Add ARP spoofing support — Bitbucket

Issue #24 new

choll repo owner created an issue 2014-04-23

So previously my view on this was `just use arpspoof from the command line' but another mac sniffer is doing this and it is actually pretty neat.

Comments (9)

choll reporter
Ping broadcast address then do arp -a to list devices

How to handle ping being ignored tho?
- 2014-05-01T09:26:29+00:00
choll reporter
- changed milestone to Post-Revival Release 4
- 2014-05-12T20:00:33+00:00
choll reporter
- changed milestone to PRR 4
- 2014-05-12T20:05:15+00:00
choll reporter
Rough notes:
- libnet would be useful for this but would mean the helper program can't drop root privileges
- Can enable packet forwarding via sysctl: sysctl -w net.inet.ip.forwarding=1 (needs root)
  - Will need to be managed at app level not document level (as it is a global option)
- Will need to either launch a separate helper program or the current helper won't be able to drop privileges (due to the forwarding sysctl, for writing packet data the bpf file descriptor can just be opened rw)
  - Separate helper means the user gets asked for a password again
  - Not dropping privileges is less secure
- Code that turns on IP forwarding can't drop privileges because it will need to turn it off again when exiting
- 2014-05-13T11:41:45+00:00
choll reporter
So given the above it might be best to have the helper tool fork another process which handles injecting ARP packets and turning IP forwarding on and off. Then the main helper can still drop privileges. i.e. follow the basic principle of minimising the amount of code that runs with elevated privileges.

The main helper can then receive commands from the GUI which it passes on to the arp-helper.

There will need to be commands like:
- Turn IP forwarding on/off
  - AppController will need to decide this, by maintaining a list or count of which interfaces are spoofing. This is because if you have two captures on the same interface you don't want one of them to turn off forwarding when it quits if the other is still running.
- Set the list of addresses to spoof (so an empty list means stop spoofing)
- 2014-05-13T11:44:40+00:00
choll reporter
When documenting this, probably want to describe:
- Static IP/MAC mappings in router
- Cisco port security
Both from the POV of "if this concerns you, here are the countermeasures" and "why doesn't this work for me?"
- 2014-05-13T18:46:57+00:00
choll reporter
also Arpwatch
- 2014-05-13T19:52:22+00:00
choll reporter
libnet is actively maintainted here: https://github.com/sam-github/libnet/tree/master/libnet
- 2014-05-13T20:34:09+00:00
choll reporter
- changed milestone to PRR 5
- 2014-06-15T20:43:48+00:00
Log in to comment

Assignee: choll

Type: proposal

Priority: major

Status: new

Milestone: PRR 5

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!