DIY DNS/ARP Spoofing Detection

First, make sure that the output of cron jobs reaches you as mail. The check below reports through cron's mail, so send a test message to root and confirm that it arrives (or that root's mail is forwarded to you):

date | mail -s `hostname` root

The arp -a command also does a reverse DNS lookup on every address it lists, so a single diff of its output catches both a changed IP-to-MAC mapping (ARP cache poisoning) and a changed name for a known address (a poisoned or hijacked reverse DNS answer). The catch is that the first snapshot becomes the baseline: take it while the network is known to be clean, because the check only reports changes from one run to the next.

prepare a first snapshot, which becomes the trusted baseline

mkdir -p $HOME/arp/
cd $HOME/arp/
arp -a | sort > `date +%s`

and get the script up and running in a cron job

vi ~/arpcheck

#!/bin/ksh
# subnet to sweep, e.g. 192.168.1.0/24
subnet=x.x.x.x/xx
mkdir -p $HOME/arp/
cd $HOME/arp/ || exit 1
# ping sweep: populates the ARP cache with every host that answers
nmap -sn $subnet >/dev/null
# hosts that ignore ping still have to answer ARP for a direct UDP probe
nmap -Pn -T4 -sU -p66 $subnet >/dev/null
# snapshot named after the epoch time, so plain ls order is chronological
arp -a | sort > `date +%s`
# diff the two newest snapshots; whatever diff prints gets mailed by cron
diff -bu `ls -1 | tail -2 | head -1` `ls -1 | tail -1`

chmod +x ~/arpcheck
~/arpcheck

crontab -e

PATH=/usr/local/sbin:/usr/local/bin:/usr/pkg/sbin:/usr/pkg/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin
*/5     *       *       *       *       /root/arpcheck
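The raw diff above reports every change in the cache, including hosts that merely came and went. As an added example, not the arpcheck script from this page, the following script compares two arp -a snapshots and reduces them to the changes that matter for spoofing detection: an IP whose MAC changed (ARP poisoning), an IP whose reverse name changed (the DNS side), hosts that appeared or vanished, and one MAC answering for several IPs. It assumes the "name (ip) at mac ... on iface" line shape that Linux and the BSDs print, standard awk, sort, join and mktemp, and the two sample snapshots embedded in it are constructed, not real captures.

```bash
#!/bin/bash
# Added example, not the page's arpcheck: turn two "arp -a" snapshots into a
# short list of security-relevant changes instead of a raw diff.
# Assumes "name (ip) at mac ... on iface" lines (Linux and the BSDs) and only
# standard tools: awk, sort, join, mktemp.
export LC_ALL=C   # byte-order sorting so that sort and join agree on key order

# normalize FILE: emit sorted "ip mac name" lines. Entries with no hardware
# address ("incomplete") are dropped: they appear and vanish between runs and
# would otherwise fill every cron mail with noise.
normalize() {
    awk '
        /incomplete/ { next }
        {
            ip = ""; mac = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\([0-9.]+\)$/)
                    ip = substr($i, 2, length($i) - 2)
                if ($i ~ /^[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+$/)
                    mac = tolower($i)
            }
            if (ip != "" && mac != "") print ip, mac, $1
        }' "$1" | sort -k1,1
}

# arp_changes OLD NEW: one line per change, keyed by IP.
#   MAC-CHANGED ip old new    an IP now maps to another MAC: the ARP poisoning indicator
#   NAME-CHANGED ip old new   the reverse DNS answer for ip changed: the DNS side
#   NEW-HOST / GONE-HOST ip mac name
#   DUPLICATE-MAC mac ip,ip   one MAC answering for several IPs (e.g. an attacker
#                             claiming the gateway); routers with VIPs do this
#                             legitimately, so treat it as a hint, not proof
arp_changes() {
    local old new
    old=$(mktemp) && new=$(mktemp) || return 1
    normalize "$1" > "$old"
    normalize "$2" > "$new"
    # full outer join on the IP; "-" marks a side where the IP is absent
    join -a1 -a2 -e - -o 0,1.2,1.3,2.2,2.3 "$old" "$new" | awk '
        $2 == "-" { print "NEW-HOST", $1, $4, $5; next }
        $4 == "-" { print "GONE-HOST", $1, $2, $3; next }
        $2 != $4  { print "MAC-CHANGED", $1, $2, $4 }
        $3 != $5  { print "NAME-CHANGED", $1, $3, $5 }'
    awk '{ ips[$2] = (ips[$2] == "" ? $1 : ips[$2] "," $1); n[$2]++ }
         END { for (m in n) if (n[m] > 1) print "DUPLICATE-MAC", m, ips[m] }' "$new" | sort
    rm -f "$old" "$new"
}

# Constructed sample snapshots (not real captures). Between the two runs a host
# at .50 appears and claims the gateway's IP, .10 goes away, and the reverse
# name of .20 changes; .99 stays incomplete in both and is ignored.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_OLD=$SAMPLE_DIR/1700000000
SAMPLE_NEW=$SAMPLE_DIR/1700000300
cat > "$SAMPLE_OLD" <<'EOF'
gw (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
fileserver (192.168.1.10) at 00:11:22:33:44:10 [ether] on eth0
printer (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
EOF
cat > "$SAMPLE_NEW" <<'EOF'
gw (192.168.1.1) at 00:11:22:33:44:50 [ether] on eth0
hp-printer (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
laptop (192.168.1.50) at 00:11:22:33:44:50 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
EOF

# Usage on the real snapshot directory would be:
#   arp_changes "$(ls -1 | tail -2 | head -1)" "$(ls -1 | tail -1)"
arp_changes "$SAMPLE_OLD" "$SAMPLE_NEW"
```

Run from cron in place of the diff line, this stays silent while nothing moves and mails a handful of labelled lines when something does; the MAC-CHANGED line for the gateway address is the one worth paging on. The whole scheme still depends on the baseline being taken on a clean network.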

Resources

What are the reasons for seeing an incomplete ARP? https://networkengineering.stackexchange.com/questions/50843/what-are-the-reasons-for-seeing-an-incomplete-arp (incomplete entries are addresses that were probed but never answered; they come and go between runs and are the usual source of noise in the diff)

