Detect Man in the Middle with ARP on Linux

So – as a small project I decided to write a Bash script that detects an ARP-poisoning Man-in-the-Middle attack. The notifier I’ve used is for KDE – feel free to replace it with something else for X11 or GNOME. (I might make a GNOME / X11 version.) The code:

#!/bin/bash
# Default gateway: third field of the "default via <ip> ..." route.
gateway=$(ip route show default | awk 'NR == 1 { print $3 }')

# Baseline: the gateway's MAC as it sits in the ARP cache at startup
# (arp prints a header line, so the entry is on line 2; -n skips DNS).
startmac=$(arp -n "$gateway" | awk 'NR == 2 { print $3 }')

while true; do

  gateway=$(ip route show default | awk 'NR == 1 { print $3 }')
  macaddr=$(arp -n "$gateway" | awk 'NR == 2 { print $3 }')

  sleep 3
  # Both sides quoted, so an empty lookup cannot break the test.
  if [ "$startmac" != "$macaddr" ]; then
    kdialog --title "Gateway has changed!" --passivepopup "Gateway Mac address has changed! Possible MitM Attack!" 60 &
  fi
done

The nice thing about Bash is that it’s so easy to read, and it just calls standard Linux tools.
A quick explanation:
The variable $gateway uses the command ip route show to list the routes, and awk then picks out the gateway address.
The variable $startmac is the result of an ARP lookup of the gateway, and again awk picks out the MAC address.
A while loop then runs and checks whether the gateway and its MAC address are changing. After each iteration it sleeps and then starts again.
If a change is detected, a popup notification appears in KDE saying “Gateway Mac address has changed! Possible MitM Attack!”
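A reworked version of the same check, added here as an example and not the post’s own code: it reads the neighbour table with `ip neigh` instead of the deprecated `arp`, treats an INCOMPLETE or missing entry as “unknown” rather than as a change, and keeps the parsing in functions that take command output as an argument, so the sample lines at the end are constructed and the logic can be checked without touching the network.

```bash
#!/bin/bash
# Added example, not the original post's script: the same gateway-MAC check,
# read from `ip neigh` (successor of the deprecated `arp`) and hardened for a
# missing/INCOMPLETE neighbour entry and unquoted variables in the comparison.

# Print the lower-cased MAC from `ip neigh show <gateway>` output, or
# nothing when there is no lladdr field (entry missing, INCOMPLETE, FAILED).
gateway_mac_from_neigh() {
    printf '%s\n' "$1" | awk '
        /lladdr/ {
            for (i = 1; i <= NF; i++)
                if ($i == "lladdr") { print tolower($(i + 1)); exit }
        }'
}

# Verdict: "unchanged", "changed", or "unknown" (no usable entry; not an alert).
check_gateway_mac() {
    baseline="$1"; current="$2"
    if [ -z "$current" ]; then
        echo unknown
    elif [ "$baseline" = "$current" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# Poll every 3 seconds; log to syslog and notify when the MAC changes.
monitor_gateway() {
    gw=$(ip -4 route show default | awk 'NR == 1 { print $3 }')
    baseline=$(gateway_mac_from_neigh "$(ip neigh show "$gw")")
    [ -n "$baseline" ] || { echo "no neighbour entry for $gw yet" >&2; return 1; }
    while :; do
        sleep 3
        current=$(gateway_mac_from_neigh "$(ip neigh show "$gw")")
        if [ "$(check_gateway_mac "$baseline" "$current")" = changed ]; then
            logger -t arp-mitm-check "gateway $gw MAC changed: $baseline -> $current"
            # On KDE, swap notify-send for kdialog --passivepopup as in the original.
            notify-send -u critical "Gateway MAC has changed!" \
                "$gw was $baseline, now $current. Possible ARP spoofing."
        fi
    done
}

# Constructed sample lines in the format `ip neigh show <ip>` prints.
SAMPLE_OK='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE'
SAMPLE_INCOMPLETE='192.168.1.1 dev eth0 INCOMPLETE'
# Start the live monitor only when run as `./script monitor`.
if [ "${1:-}" = monitor ]; then monitor_gateway; fi
```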

That’s everything to it..
The code might not be beautiful, but it works :>

//M00kaw
