Add ARP spoofing support
So previously my view on this was "just use arpspoof from the command line", but another Mac sniffer is doing this and it is actually pretty neat.
Comments (9)
-
reporter - changed milestone to Post-Revival Release 4
-
reporter - changed milestone to PRR 4
-
reporter Rough notes:
- libnet would be useful for this but would mean the helper program can't drop root privileges
- Can enable packet forwarding via sysctl (needs root):
sysctl -w net.inet.ip.forwarding=1
- Will need to be managed at app level, not document level (as it is a global option)
- Will need to either launch a separate helper program or the current helper won't be able to drop privileges (due to the forwarding sysctl; for writing packet data the bpf file descriptor can just be opened rw)
- Separate helper means the user gets asked for a password again
- Not dropping privileges is less secure
- Code that turns on IP forwarding can't drop privileges because it will need to turn it off again when exiting
-
reporter So given the above it might be best to have the helper tool fork another process which handles injecting ARP packets and turning IP forwarding on and off. Then the main helper can still drop privileges. i.e. follow the basic principle of minimising the amount of code that runs with elevated privileges.
The main helper can then receive commands from the GUI which it passes on to the arp-helper.
There will need to be commands like:
- Turn IP forwarding on/off
  - AppController will need to decide this, by maintaining a list or count of which interfaces are spoofing. This is because if you have two captures on the same interface you don't want one of them to turn off forwarding when it quits if the other is still running.
- Set the list of addresses to spoof (so an empty list means stop spoofing)
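The refcounting the comment above asks AppController to do, as an added illustration (not code from this issue or the project): the forwarding toggle is global, so it is enabled on the first capture that needs it and disabled only when the last capture on any interface stops. The toggler is injected as a callback; the real privileged sub-process would run the `sysctl -w net.inet.ip.forwarding=1`/`=0` mentioned earlier, and the class, method and capture names here are assumptions for the example.

```python
"""Per-interface refcount for a global kernel setting (IP forwarding).

Added example: the forwarding sysctl is system-wide, so the GUI side must
track every capture that relies on it and only switch it off when the last
one stops. Nothing here touches the system; the toggler is a callback.
"""
from collections import Counter
from typing import Callable, Dict, List


class ForwardingController:
    """Tracks which captures need forwarding and toggles it exactly once each way."""

    def __init__(self, set_forwarding: Callable[[bool], None]):
        # in the real helper this callback would run the privileged sysctl (assumption)
        self._set_forwarding = set_forwarding
        self._capture_iface: Dict[str, str] = {}   # capture id -> interface
        self._per_iface: Counter = Counter()        # interface -> active captures
        self.forwarding_enabled = False

    def start(self, capture_id: str, interface: str) -> None:
        if capture_id in self._capture_iface:
            raise ValueError(f"capture {capture_id!r} is already registered")
        self._capture_iface[capture_id] = interface
        self._per_iface[interface] += 1
        if not self.forwarding_enabled:
            self._set_forwarding(True)
            self.forwarding_enabled = True

    def stop(self, capture_id: str) -> None:
        interface = self._capture_iface.pop(capture_id, None)
        if interface is None:
            return  # stopping a capture that never registered is a no-op
        self._per_iface[interface] -= 1
        if self._per_iface[interface] == 0:
            del self._per_iface[interface]
        # forwarding is global: disable only when no interface has a capture left
        if not self._per_iface and self.forwarding_enabled:
            self._set_forwarding(False)
            self.forwarding_enabled = False

    def active_interfaces(self) -> List[str]:
        return sorted(self._per_iface)


def demo() -> List[bool]:
    """Two captures on en0 and one on en1; returns the sequence of toggles issued."""
    toggles: List[bool] = []
    ctl = ForwardingController(toggles.append)   # record instead of running sysctl
    ctl.start("doc-1", "en0")
    ctl.start("doc-2", "en0")
    ctl.start("doc-3", "en1")
    ctl.stop("doc-1")      # en0 still has doc-2: forwarding stays on
    ctl.stop("doc-3")      # en1 is done but en0 is still active: stays on
    ctl.stop("doc-2")      # last capture gone: forwarding off
    return toggles        # [True, False]


if __name__ == "__main__":
    print(demo())
```

The point of the trace in `demo()` is the case the comment worries about: closing `doc-1` while `doc-2` is still open on the same interface must not turn forwarding off, and the controller only issues two toggles in total.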
-
reporter When documenting this, probably want to describe:
- Static IP/MAC mappings in router
- Cisco port security
Both from the POV of "if this concerns you, here are the countermeasures" and "why doesn't this work for me?"
-
reporter Also Arpwatch.
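The Arpwatch-style check the two comments above want documented, as an added example that is not part of this issue or the project: keep an IP-to-MAC table, report a "changed ethernet address" when a pairing changes, a "flip flop" when it bounces back to a recently seen MAC within a short window, and list any MAC that ends up claiming several IPs. Packet capture is out of scope; the input is a constructed list of (timestamp, sender IP, sender MAC) tuples standing in for ARP replies, and the class and field names are assumptions for the example.

```python
"""Minimal arpwatch-style ARP monitor over constructed sample records.

Added example: the detection side of the thread. A spoofer's replies rebind
an IP (typically the gateway) to a different MAC, and the real host keeps
answering too, so the binding flips back and forth. Arpwatch's own reports
for these are "changed ethernet address" and "flip flop".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[float, str, str]   # (epoch seconds, sender IP, sender MAC)


@dataclass
class ArpMonitor:
    flip_flop_window: float = 60.0                             # seconds (assumption)
    table: Dict[str, str] = field(default_factory=dict)        # ip -> current mac
    previous: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # ip -> (old mac, when)
    alerts: List[str] = field(default_factory=list)

    def observe(self, ts: float, ip: str, mac: str) -> None:
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.alerts.append(f"new station {ip} {mac}")
            self.table[ip] = mac
            return
        if known == mac:
            return
        old_mac, when = self.previous.get(ip, (None, 0.0))
        if old_mac == mac and ts - when < self.flip_flop_window:
            # bounced back to a MAC seen moments ago: two stations answering for one IP
            self.alerts.append(f"flip flop {ip} {known} -> {mac}")
        else:
            self.alerts.append(f"changed ethernet address {ip} {known} -> {mac}")
        self.previous[ip] = (known, ts)
        self.table[ip] = mac

    def macs_with_multiple_ips(self) -> Dict[str, List[str]]:
        """One MAC currently bound to several IPs is another sign worth reporting."""
        by_mac: Dict[str, List[str]] = {}
        for ip, mac in self.table.items():
            by_mac.setdefault(mac, []).append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


SAMPLE: List[Record] = [   # constructed; not real captured traffic
    (1000.0, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    (1001.0, "192.168.1.10", "00:11:22:33:44:0a"),
    (1002.0, "192.168.1.20", "00:11:22:33:44:14"),
    (1030.0, "192.168.1.1",  "00:11:22:33:44:14"),   # gateway IP now carries host .20's MAC
    (1035.0, "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway answers again
    (1040.0, "192.168.1.1",  "00:11:22:33:44:14"),   # and back: flip flop
]


def run(records: List[Record]) -> ArpMonitor:
    mon = ArpMonitor()
    for ts, ip, mac in records:
        mon.observe(ts, ip, mac)
    return mon


if __name__ == "__main__":
    m = run(SAMPLE)
    print("\n".join(m.alerts))
    print(m.macs_with_multiple_ips())
```

On the sample this yields three "new station" lines, one "changed ethernet address" for the gateway, two "flip flop" lines, and reports that `00:11:22:33:44:14` is bound to both `192.168.1.1` and `192.168.1.20`. Static IP/MAC mappings in the router and switch port security, the other two countermeasures named above, are prevention rather than detection and are not modelled here.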
-
reporter libnet is actively maintained here: https://github.com/sam-github/libnet/tree/master/libnet
-
reporter - changed milestone to PRR 5
Ping broadcast address then do arp -a to list devices
How to handle ping being ignored though?