A tool/theory to prevent all MiTM attacks for any computer

[ShadowMaster]

Hey guys, this is a very interesting topic/tool. First off, I'd recommend python for this project. It's capable of running on almost any system, it's network friendly, it's easy to code, and it's pretty damn powerful! Perl would be an option but I bet you'd find a stronger developer base in the python world. Thats just my opinion though... On to the meat and potatoes...

Thanks for the interest. The reason I want perl, while python might be easier, I don't want the end user to have to install anything on his system. In windows, perl has a perl2exe stuff, while I dunno about python... If you are willing to help code modules or even dlls that we could use in a windows setting, then by all means, use python. A tool that works is the end goal, I don't care if it's written in multiple languages.

One of the obvious ways to detect arp spoofing is by detecting a large amount of arp traffic from a single node (or multiple nodes). The way tools like arpspoof work is by trying to flood the network with a packet every second or so that states the attacker's desired false arp info. Other devices on the network get this arp update every second and use that info for routing packets. When the real gateway broadcasts its arp info it's drowned out by the noise from the attacker. So, logically if we can identify the source of the noise on the network and block it via packet counting rules, IP/Mac tables, or whatever else and alert the user to the anomaly then we have accomplished a part of the goal.

True. I believe that this is in the specs already.

Using a database of some sorts to keep track of "clean" IP/MAC combos for machines on the network is a great way to start when it comes to prevention. Also, implementing a static routing setup could work but may be over complicated (especially cross platform I have a feeling). But, finding a balance of approaches and attacking the problem from every possible exploitable path would be the key to a robust tool. There may be some limitations here though due to the nature of the arp protocol itself...

What I'm proposing is a database of sorts to store profiles of clean ip:arps for multiple networks. Since all we'd be doing is checking the current arp cache against a known clean list, there shouldn't be any limitations of arp protocol... I specifically did not want a static table, as I wanted this to be cross platform, and cross network.

One of the things I keep thinking about when looking over the requirements is that they seem to assume that the gateway MAC will change or be a different MAC when an attack is occurring AND the client will see this. Correct me if I'm wrong, but during mitm/proxy attacks can't you modify the packets going back to the client? If you could do this then the destination and src fields could be edited and the client would never know that the packets WEREN'T coming from the gateway (on the way back to the victims machine the src mac is changed to the real gateways mac instead of the attackers, therefore it is not being used for routing and does not cause a DOS). How can we catch this and ensure we are really effectively understanding the topography of the LAN and where the packets are coming from and going too?

Yes, you can modify the packets on the fly, but to get the packets to modify, assuming the average switched router, you need to poison at least one source. I believe. I've never had a MiTM attack work w/o one end being successfully poisoned... This tool is here to prevent any poisoning at all. If you are assuming that the attacker has poisoned the router, then I'm not as worried, because the main reason one spies on a network is to steal passwords and info etc.. If the host sends directly to the router, then that's not a real issue. As for the info going back, if not SSL encrypted, then it'll only be one end of the conversation. Of course, if you have an idea to stop poisoning on the router's end, please share.

Anyway, I'm definitely interested and would consider working on this project as long as it's not reinventing the wheel. (As seen in the post above and based on a google search there are LOTS of IDS's, IPS's, and standard tools already that do something very similar with arp for various platforms) So what can we bring to the table thats new and fresh when it comes to fighting arp attacks? ie What would make this tool stand out and be worth the many hours of coding?Thanks!

As I said in previous posts, the main goal here is to provide cross platform/cross network ARP-spoof protection to the point where I can share my linux profile of this network with my friends windows version of this program, who then gives it to his friend's macbook. Even if they have never seen this network before and never connected to it, they can still use my clean profile and be protected. As far as I researched, no tool has that capability.

Please let me know if you can help code, design, or contribute in any way. As I said previously as well, I'm smack in the middle of a PWB course which is way more intense than I originally assumed, and my time to work on this is limited.

Thank you for your interest.