
#1 no2pencil


Check for arp cache poisoning

Posted 05 March 2009 - 02:23 PM

Description: Must be run as root, or with root privileges. Check the MAC address of the router in your ARP tables, to check for ARP cache poisoning (aka MiTM).
#!/bin/sh
# Assumes the Linux net-tools commands (arp, route). Must be run as root so
# that "arp -d" is allowed to delete the cache entry.

# Print the MAC address the arp cache currently holds for the ip given in $1.
# Matching on the ip keeps other hosts in the arp table out of the result.
get_mac() {
  arp -an | awk -v ip="($1)" '$2 == ip { print $4; exit }'
}

# Get the ip address of the default router
ip1=`route -n | awk '$1 == "0.0.0.0" { print $2; exit }'`
if [ -z "${ip1}" ]; then
  echo "Something went wrong..."
  exit 1
fi

# Get the current mac address of the default router (the value to compare against)
mac1=`get_mac "${ip1}"`
if [ -z "${mac1}" ] || [ "${mac1}" = "<incomplete>" ]; then
  echo "Something went wrong..."
  exit 1
fi

# Clear the arp cache from the ip address
arp -d "${ip1}"
if [ $? -ne 0 ]; then
  echo "Something went wrong..."
  exit 1
fi

# Fill the arp cache w/ some nonsense traffic
nslookup ebay.com 1>/dev/null

# Get the mac address of the default router again, after the fresh lookup
mac2=`get_mac "${ip1}"`
if [ -z "${mac2}" ] || [ "${mac2}" = "<incomplete>" ]; then
  echo "Something went wrong..."
  exit 1
fi

# Compare the two values directly instead of writing them to files in the
# current directory, which is unsafe to do as root
if [ "${mac1}" != "${mac2}" ]; then
  echo "MAC addresses do not match, possible ARP Cache Poisoning attack!"
else
  # any feel good message here...
  echo "MAC addresses match."
fi





