mmh152/Arp_Spoofing_Detection

ARP Spoofing Project - MITM Attack and Detection

Project Overview

This project demonstrates an ARP spoofing-based Man-in-the-Middle (MITM) attack and the corresponding detection mechanism. The attacker tool uses ARP spoofing to position itself between a router and a victim. The defender tool, running on the victim's machine, detects any ARP spoofing attempts and alerts the user.

The project has two main components:

  • Attacker Tool: Performs the ARP spoofing attack to simulate a MITM scenario.
  • Defender Tool: Detects ARP spoofing attempts and alerts the user.

Requirements:

Both the attacker and defender tools use Python and the scapy library. To install the necessary dependencies, use:

pip install scapy netifaces

Tools Used:

  • Python 3
  • Scapy: For packet manipulation and network scanning.
  • netifaces: For retrieving network interface information.
  • Alfa Atheros AR9271, model AWUS036NHA (long-range USB adapter for the defender's Kali machine).
  • Ralink 802.11n WLAN adapter (for the attacker's Kali machine).

Attacker Tool

The attacker tool performs ARP spoofing to impersonate the router and intercept traffic from the victim.

Usage:

  1. Run the Attacker Tool:

    sudo python3 Attacker_Code.py

  2. Steps:

    • The attacker tool will scan the network to find connected devices.
    • Select the victim's device (IP and MAC) from the list.
    • The tool will continuously send spoofed ARP replies to the victim and the router to maintain the MITM state.
  3. Stop the Attack:

    • Use CTRL + C to stop the attack. The tool will automatically restore the ARP tables to their correct state, ending the MITM.

Defender Tool

The defender tool runs on the victim's machine and listens for ARP packets. If it detects that the ARP table has been tampered with (i.e., ARP spoofing), it will raise an alert.

  1. Usage:

    • Make sure to put the Alfa adapter in promiscuous mode: sudo ifconfig wlan0 promisc

    • Run the Defender Tool:
      sudo python3 Defender_Code.py

  2. Steps:

    • The tool will dynamically retrieve the IP and MAC addresses of the machine it's running on.
    • It will sniff ARP packets and monitor any suspicious changes.
    • If spoofing is detected, the tool will notify the user with details of the attack.

How ARP Spoofing Works

ARP (Address Resolution Protocol) is responsible for translating IP addresses to MAC addresses on a local network. ARP spoofing exploits this by sending forged ARP replies, tricking devices into updating their ARP tables with false information. This allows the attacker to intercept traffic between the victim and the router.

In this project, the attacker tricks the victim into associating the attacker's MAC address with the router's IP address. As a result, the victim sends traffic meant for the router to the attacker instead.

Real Life Example:

  1. Network Setup:

    • Attacker's machine IP: 192.168.1.22 and MAC: AA:BB:CC:DD:EE:FF
    • Victim's machine IP: 192.168.1.24 and MAC: 11:22:33:44:55:66
    • Router's IP: 192.168.1.1 and MAC: 00:11:22:33:44:55
  2. Attacker's Tool (Spoofing): The attacker runs the spoofing tool to make the victim believe that the attacker’s machine is the router. The attacker sends a fake ARP reply to the victim’s machine (192.168.1.24), claiming that the attacker’s MAC address (AA:BB:CC:DD:EE:FF) is associated with the router’s IP (192.168.1.1).

    • The ARP packet sent to the victim says: "The IP 192.168.1.1 (the router) is now at MAC AA:BB:CC:DD:EE:FF (attacker’s MAC)."
  3. Victim’s ARP Table: The victim updates its ARP table based on this forged packet. Now, when the victim wants to communicate with the router (192.168.1.1), it sends the traffic to the attacker's MAC (AA:BB:CC:DD:EE:FF), thinking it’s the router.

    • Victim's ARP table after the spoof:

      192.168.1.1 -> AA:BB:CC:DD:EE:FF (attacker’s MAC)

  4. Interception: Now, all traffic from the victim to the router is sent to the attacker first.

  5. Defender’s Tool: Meanwhile, the defender tool, running on the victim’s machine, monitors ARP traffic. It detects the attack because the actual MAC address of the router (00:11:22:33:44:55) doesn’t match the spoofed MAC address (AA:BB:CC:DD:EE:FF) provided in the forged ARP reply.

    When the tool notices this discrepancy, it alerts the user with a warning message:

    [!] ARP Spoofing detected! Real MAC: 00:11:22:33:44:55, Fake MAC: AA:BB:CC:DD:EE:FF
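
The comparison the defender performs can be sketched with the standard library alone. This is an added example, not the repository's Defender_Code.py: the function names and the trusted table are assumptions, and the two packets are constructed from the addresses in the example above.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Construct a 28-byte Ethernet/IPv4 ARP payload (sample input only)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(sha), socket.inet_ntoa(spa)

def check_arp(payload, trusted):
    """Compare the sender binding an ARP packet claims with the trusted table.
    Requests are checked as well as replies, because hosts also refresh
    existing cache entries from the sender fields of requests.
    Returns an alert string, or None when the packet is consistent."""
    parsed = parse_arp(payload)
    if parsed is None:
        return None
    claimed_mac, ip = parsed
    real_mac = trusted.get(ip)
    if real_mac is None or claimed_mac == real_mac.upper():
        return None
    return (f"[!] ARP Spoofing detected! Real MAC: {real_mac}, "
            f"Fake MAC: {claimed_mac}")

# Assumption: the router's real binding was recorded before any attack.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}
# Constructed sample packets: a genuine router reply and a forged one.
GENUINE = build_arp(2, "00:11:22:33:44:55", "192.168.1.1",
                    "11:22:33:44:55:66", "192.168.1.24")
FORGED = build_arp(2, "AA:BB:CC:DD:EE:FF", "192.168.1.1",
                   "11:22:33:44:55:66", "192.168.1.24")

if __name__ == "__main__":
    for pkt in (GENUINE, FORGED):
        print(check_arp(pkt, TRUSTED) or "binding consistent")
```

The check is only as reliable as the trusted table: a binding learned while an attack is already in progress would record the attacker's MAC as the real one.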


Example Scenario

  1. Running the Attacker Tool:

    • Start the attacker tool on a machine in the same network as the victim.
  2. Running the Defender Tool:

    • Run the defender tool on the victim’s machine.
    • It will automatically detect any ARP spoofing attempts and raise an alert if an attack is underway.
  3. On the Attacker's machine:

    • Select the victim’s device when prompted and execute the ARP spoofing attack.
    • Monitor the number of ARP packets sent and observe network changes.

Disclaimer

This project is for educational and testing purposes only. Unauthorized ARP spoofing or any form of network attack is illegal and unethical. Always ensure you have permission before running these tools on any network or device.
