sites

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs

commit 84af1a22c8cc0fc5ca0084ab869b17e053f94746
parent 556dccc94b2db3939f3953ca2cf2fc4fd3e36954
Author: vladz <vladz@devzero.fr>
Date:   Fri,  8 Mar 2013 09:05:41 +0100

Add mitm detection helper function for dwmstatus.

Diffstat:
Adwm.suckless.org/dwmstatus/dwmstatus-mitm.c | 72++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mdwm.suckless.org/dwmstatus/index.md | 1+
2 files changed, 73 insertions(+), 0 deletions(-)

diff --git a/dwm.suckless.org/dwmstatus/dwmstatus-mitm.c b/dwm.suckless.org/dwmstatus/dwmstatus-mitm.c @@ -0,0 +1,72 @@ +/* Here is a helper function that warns you if someone tries to sniff your + * network traffic (i.e. a Man-In-The-Middle attack ran against you thanks + * to ARP cache poisoning). + * + * It checks the dump file of the kernel ARP table (/proc/net/arp) to see + * if there is more than one IP address associated with the same MAC + * address. If so, it shows an alert. If an error occurs during the + * check, it returns NULL. + * + * Written by vladz (vladz AT devzero.fr). + */ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + + +/* The hard maximum number of entries kept in the ARP cache is obtained via + * "sysctl net.ipv4.neigh.default.gc_thresh3" (see arp(7)). Default value + * for Linux is 1024. + */ +#define MAX_ARP_CACHE_ENTRIES 1024 + + +char *detect_arp_spoofing(void) { + + FILE *fp; + int i = 1, j; + char **ptr = NULL; + char buf[100], *mac[MAX_ARP_CACHE_ENTRIES]; + + if (!(fp = fopen("/proc/net/arp", "r"))) { + return NULL; + } + + ptr = mac; + + while (fgets(buf, sizeof(buf) - 1, fp)) { + + /* ignore the first line. */ + if (i == 1) { i = 0; continue; } + + if ((*ptr = malloc(18)) == NULL) { + return NULL; + } + + sscanf(buf, "%*s %*s %*s %s", *ptr); + ptr++; + } + + /* end table with a 0. */ + *ptr = 0; + + fclose(fp); + + for (i = 0; mac[i] != 0; i++) + for (j = i + 1; mac[j] != 0; j++) + if ((strcmp("00:00:00:00:00:00", mac[i]) != 0) && + (strcmp(mac[i], mac[j]) == 0)) { + + return "** MITM attack detected! Type \"arp -a\". **"; + } + + return "MITM detection: on"; +} + +int main() { + + printf("%s\n", detect_arp_spoofing()); + + return 0; +} diff --git a/dwm.suckless.org/dwmstatus/index.md b/dwm.suckless.org/dwmstatus/index.md @@ -34,6 +34,7 @@ add them here as file or as code example. * [Reading eth0 up-, and downspeed from /proc/net](dwmstatus-netusage.c) * [Counting number of mails in a Maildir/new](mail_counter.c) * [Get disk usage and execute some check at different moments](diskspace_timechk.c) : Because you don't want to check new mails every second +* [Detecting Man-In-The-Middle](dwmstatus-mitm.c) Questions ---------