So – as a small project I decided to write a bash script that detects an ARP-poisoning Man-in-the-Middle attack by watching the gateway's MAC address. The notifier I've used is for KDE – feel free to replace it with something else for X11 or Gnome. (I might make a Gnome / X11 version.) The code:
#!/bin/bash
# Resolve the default gateway and record its MAC address as the baseline.
gateway=$(ip route show | awk '(NR == 1) { print $3 }')
startmac=$(arp "$gateway" | awk '(NR == 2) { print $3 }')

while true; do
    # Re-read the gateway and its current MAC address on every pass.
    gateway=$(ip route show | awk '(NR == 1) { print $3 }')
    macaddr=$(arp "$gateway" | awk '(NR == 2) { print $3 }')
    sleep 3
    # Quoting keeps the test valid even when arp returns no entry.
    if [ "$startmac" != "$macaddr" ]; then
        kdialog --title "Gateway has changed!" --passivepopup "Gateway Mac address has changed! Possible MitM Attack!" 60 &
    fi
done
The nice thing about Bash is that it's so easy to read and it just calls standard Linux tools.
A quick explanation:
The variable $gateway uses the command ip route show to list the routes, and then we pick out the gateway address with awk.
The variable $startmac is the result of an ARP lookup of the gateway, and then we use awk to pick out the MAC address.
A while loop then runs and checks whether the gateway's MAC address has changed. After each pass it sleeps for 3 seconds and then starts again.
If a change is detected, a popup notification appears in KDE saying "Gateway Mac address has changed! Possible MitM Attack!"
That’s everything to it..
The code might not be beautiful, but it works :>
//M00kaw
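As an added example (not M00kaw's script), the same check split into functions that parse command output from stdin, so the parsing and the compare logic can be exercised on constructed text without touching the network. It assumes iproute2's ip neigh in place of net-tools arp, and notify-send as the notifier; the sample output below is constructed, not captured from a real host.

```bash
#!/bin/bash
# Added example, not the original post's script. Parsing is separated from the
# live loop so it can be tested offline. Assumes `ip route`/`ip neigh` (iproute2)
# output formats and notify-send as the notifier.

# Default gateway address from `ip route show` output on stdin.
default_gateway() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Link-layer address recorded for host $1 in `ip neigh show` output on stdin, lowercased.
neigh_mac() {
    awk -v gw="$1" '$1 == gw { for (i = 1; i <= NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit } }'
}

# Classify the current MAC ($2) against the baseline ($1).
# "missing" means the neighbour entry expired from the cache; that is not
# evidence of spoofing, so it should not raise the alert.
gateway_status() {
    if [ -z "$2" ]; then echo missing
    elif [ "$1" = "$2" ]; then echo unchanged
    else echo changed
    fi
}

# Constructed sample output for offline testing (not captured from a real host).
ROUTE_SAMPLE='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
NEIGH_BEFORE='192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'
NEIGH_AFTER='192.168.1.1 dev eth0 lladdr DE:AD:BE:EF:00:01 REACHABLE'

# Live monitor: record the gateway MAC once, then re-read it every $1 seconds.
monitor() {
    local interval="${1:-3}" gw baseline current
    gw=$(ip route show | default_gateway)
    baseline=$(ip neigh show | neigh_mac "$gw")
    while true; do
        sleep "$interval"
        current=$(ip neigh show | neigh_mac "$gw")
        if [ "$(gateway_status "$baseline" "$current")" = changed ]; then
            # Swap in kdialog --passivepopup for KDE, as in the original post.
            notify-send "Gateway has changed!" "Gateway $gw MAC $baseline -> $current; possible MitM attack!"
        fi
    done
}
```

Call monitor 3 to start the live loop; the functions above it can be run by hand on saved command output to verify the parsing.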
Much appreciated for the information and share!