Detecting DNS and ARP spoofing / cache poisoning

First, make sure you receive the output of your crontab jobs as messages.

The arp -a command also does DNS resolution, so we can check for both DNS and ARP cache poisoning at once.

You are now ready to set up this ultra-simple script:

mkdir -p ~/bin
vi ~/bin/arpcheck


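#!/bin/sh
# Snapshot the ARP cache, refresh it with two scans, snapshot again,
# then print the differences (cron delivers any output to you).
mkdir -p ~/arp
cd ~/arp || exit 1
arp -a | sort > "$(date +%s)"
# Replace SUBNET with your network address
nmap -sn SUBNET/24 >/dev/null
nmap -Pn -sU -p66 SUBNET/24 >/dev/null
arp -a | sort > "$(date +%s)"
# Compare the two most recent snapshots
diff -bu "$(ls -1 | tail -2 | head -1)" "$(ls -1 | tail -1)"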

chmod +x ~/bin/arpcheck
crontab -e

*/5 * * * * /root/bin/arpcheck
