Features
- Uses a faster approach to detecting ARP poisoning attacks than passive approaches
- Detects not only the presence of ARP poisoning but also the valid IP-MAC mapping (when LAN hosts use a non-customized network stack)
- Stores validated hosts for speed improvements
- Works as a daemon process without interfering with normal traffic
- Logs to any external file
Architecture
```
+-------------+                +---------------+                 +------------+
| ARP packet  |   ARP Reply    | Mac-ARP Header|   Consistent    |   Spoof    |
| Sniffer     | -------------> | consistency   | --------------> |  Detector  |
|             |   Packets      | Checker       |   ARP Packets   |            |
+-------------+                +---------------+                 +------------+
                                       |                              /
                                  Inconsistent                       /
                                  ARP Packets                 Spoofed
                                       |                      ARP Packets
                                       V                         /
                               +--------------+                 /
                               |              |                /
                               |   Notifier   | <--------------
                               |              |
                               +--------------+
```
- ARP Packet Sniffer
It sniffs all ARP packets and discards
- ARP Request packets
- ARP Reply packets sent by the machine running the tool itself (assuming the host running the tool isn't ARP poisoning)
- Mac-ARP Header Consistency Checker
It checks that
- the source MAC address in the MAC header matches the sender MAC address in the ARP header
- the destination MAC address in the MAC header matches the target MAC address in the ARP header
- Spoof Detector
It relies on a basic property of the TCP/IP stack. The network interface card of a host will accept packets sent to its MAC address, the broadcast address and subscribed multicast addresses, and pass them on to the IP layer. The IP layer will only accept IP packets addressed to its own IP address(es) and will silently discard the rest.
If the accepted packet is a TCP packet it is passed on to the TCP layer. If a TCP SYN packet is received, the host will respond either with a TCP SYN/ACK packet if the destination port is open or with a TCP RST packet if the port is closed.
So a TCP SYN probe sent to the MAC-IP pair claimed in an ARP reply can be one of two types of packet:
- RIGHT MAC - RIGHT IP
- RIGHT MAC - WRONG IP (spoofed packet)
If a RST (port is closed) or SYN/ACK (port is listening) is received in response to the SYN within the TIME LIMIT, the host that sent the ARP packet is legitimate.
Otherwise no response is received within the TIME LIMIT, so the host is not legitimate and a notification is raised.
- Notifier
It provides desktop notifications in case of ARP spoofing detection.
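The pipeline above (Sniffer filter, Mac-ARP Header Consistency Checker and Spoof Detector decision, plus the validated-host cache) as an added JavaScript example; this is not arp-validator's own code. The `probe` callback stands in for the TCP SYN sent over the raw socket and simply reports what came back, and the sample frames are constructed inline.

```javascript
// Added example (not arp-validator's own code): one frame through the
// Sniffer -> Mac-ARP Header Consistency Checker -> Spoof Detector pipeline.
const ETH_ARP = 0x0806, ARP_REPLY = 2;

// Byte <-> string helpers for MAC and IPv4 fields.
const macToStr = (b, o) => [...b.subarray(o, o + 6)].map(x => x.toString(16).padStart(2, '0')).join(':');
const ipToStr = (b, o) => [...b.subarray(o, o + 4)].join('.');
const macBytes = s => Buffer.from(s.split(':').map(h => parseInt(h, 16)));
const ipBytes = s => Buffer.from(s.split('.').map(Number));

// Build a 42-byte Ethernet II + ARP frame; used only to construct sample packets here.
function buildArpFrame({ ethDst, ethSrc, op, senderMac, senderIp, targetMac, targetIp }) {
  const fixed = Buffer.from([0x00, 0x01, 0x08, 0x00, 6, 4, 0, op]); // htype, ptype, hlen, plen, oper
  return Buffer.concat([macBytes(ethDst), macBytes(ethSrc), Buffer.from([0x08, 0x06]), fixed,
    macBytes(senderMac), ipBytes(senderIp), macBytes(targetMac), ipBytes(targetIp)]);
}

// Parse the Ethernet and ARP headers; returns null for non-ARP or truncated frames.
function parseArpFrame(buf) {
  if (buf.length < 42 || buf.readUInt16BE(12) !== ETH_ARP) return null;
  return { ethDst: macToStr(buf, 0), ethSrc: macToStr(buf, 6), op: buf.readUInt16BE(20),
    senderMac: macToStr(buf, 22), senderIp: ipToStr(buf, 28),
    targetMac: macToStr(buf, 32), targetIp: ipToStr(buf, 38) };
}

// Sniffer filter: only ARP replies not sent by the host running the tool go on.
function isCandidateReply(p, ownMac) {
  return p !== null && p.op === ARP_REPLY && p.ethSrc !== ownMac;
}

// Consistency Checker: MACs in the Ethernet header must match those in the ARP header.
function headersConsistent(p) {
  return p.ethSrc === p.senderMac && p.ethDst === p.targetMac;
}

// Spoof Detector. `probe(mac, ip)` stands in for the TCP SYN sent to the claimed
// MAC-IP pair and returns 'SYN/ACK', 'RST' or null (nothing within the TIME LIMIT).
// `validHosts` caches pairs already verified, as the hostdb option does.
function processFrame(buf, ownMac, probe, validHosts = new Set()) {
  const p = parseArpFrame(buf);
  if (!isCandidateReply(p, ownMac)) return 'ignored';
  if (!headersConsistent(p)) return 'inconsistent';            // Notifier fires
  const key = `${p.senderMac}|${p.senderIp}`;
  if (validHosts.has(key)) return 'valid';                      // cached, no probe needed
  const reply = probe(p.senderMac, p.senderIp);
  if (reply !== 'SYN/ACK' && reply !== 'RST') return 'spoofed'; // Notifier fires
  validHosts.add(key);
  return 'valid';
}
```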
Installation
npm
```
[sudo] npm install arp-validator -g
```
source
```
git clone https://github.com/rnehra01/arp-validator.git
cd arp-validator
npm install
```
Use the binary in bin/ to run
Usage
```
[sudo] arp-validator [action] [options]

actions:
  start      start arp-validator as a daemon

    options:
      --interface, -i
          Network interface on which the tool works
          arp-validator start -i eth0 or --interface=eth0
      --hostdb, -d
          stores valid hosts in an external file (absolute path)
          arp-validator start -d host_file or --hostdb=host_file
      --log, -l
          generate logs in an external file (absolute path)
          arp-validator start -l log_file or --log=log_file

  stop       stop the arp-validator daemon
  status     get status of the arp-validator daemon

global options:
  --help, -h
      Displays help information about this script
      'arp-validator -h' or 'arp-validator --help'
  --version
      Displays version info
      arp-validator --version
```
Dependencies
- libpcap-dev: library for network traffic capture
- node-pcap/node_pcap
- stephenwvickers/node-raw-socket
- indutny/node-ip
- scravy/node-macaddress
- codenothing/argv
- niegowski/node-daemonize2
- mikaelbr/node-notifier
References
Vivek Ramachandran and Sukumar Nandi, “Detecting ARP Spoofing: An Active Technique”