Blog | G5 Cyber Security

Detect Arp Spoofing with Ruby

TL;DR

This guide shows you how to detect ARP spoofing attacks on your network using a simple Ruby script. We’ll monitor the MAC address table and alert you if any changes occur, which could indicate someone is trying to intercept network traffic.

What You’ll Need

Step-by-Step Guide

  1. Install the necessary Ruby gem: We’ll use the ‘packet_fu’ gem to easily parse ARP packets.
    gem install packet_fu
  2. Create the Ruby script (arp_monitor.rb): Open a text editor and paste in the following code:
    #!/usr/bin/env ruby
    require 'packet_fu'
    
    # Interface to monitor (e.g., eth0, wlan0)
    INTERFACE = 'eth0' # Change this if needed!
    
    # Let a failure inside the sniffer thread stop the script instead of dying silently
    Thread.abort_on_exception = true
    
    # Function to get the current ARP table from the OS cache as { ip => mac }.
    # `arp -an` prints lines like "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0",
    # so the IP is taken from the parenthesised field (the first field is only the hostname).
    # Incomplete entries ("<incomplete>") are skipped.
    def get_arp_table
      arp_table = {}
      `arp -an`.each_line do |line|
        next unless line =~ /\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})/i
        arp_table[$1] = $2.downcase
      end
      arp_table
    end
    
    # Compare one IP/MAC pair with the table we currently trust and report anomalies
    def check_pair(known, ip, mac, source)
      if !known[ip]
        puts "New entry detected (#{source}): #{ip}: #{mac}"
      elsif known[ip] != mac
        puts "ARP spoofing detected for #{ip} (#{source})! MAC address changed from #{known[ip]} to #{mac}"
      end
    end
    
    # Get the initial ARP table
    known_macs = get_arp_table
    
    puts "Monitoring interface: #{INTERFACE}"
    puts "Initial MAC address table:"
    known_macs.each { |ip, mac| puts "  #{ip}: #{mac}" }
    
    # Sniff ARP replies on the interface with packet_fu and check each sender as it arrives,
    # so a spoofed reply is reported even before the OS updates its cache
    Thread.new do
      cap = PacketFu::Capture.new(iface: INTERFACE, start: true, promisc: true, filter: 'arp')
      cap.stream.each do |raw|
        pkt = PacketFu::Packet.parse(raw)
        next unless pkt.is_arp? && pkt.arp_opcode == 2 # opcode 2 = ARP reply
        check_pair(known_macs, pkt.arp_saddr_ip, pkt.arp_saddr_mac.downcase, 'packet')
      end
    end
    
    # Main loop to monitor the OS ARP cache for changes
    loop do
      current_macs = get_arp_table
    
      # Check for new entries or changed MAC addresses
      current_macs.each { |ip, mac| check_pair(known_macs, ip, mac, 'arp cache') }
    
      # Check for removed entries
      known_macs.each do |ip, mac|
        puts "Entry removed: #{ip}: #{mac}" unless current_macs[ip]
      end
    
      known_macs = current_macs # Update the table for the next iteration
      sleep 5 # Check every 5 seconds
    end
  3. Make the script executable: This allows you to run it directly.
    chmod +x arp_monitor.rb
  4. Run the script as root (or with sudo): You need elevated privileges to access network information.
    sudo ./arp_monitor.rb
  5. Interpret the output: The script will print messages if it detects:
    • New entry detected: A new IP address and MAC address pair has appeared on your network. This isn’t necessarily malicious, but worth investigating.
    • ARP spoofing detected for [IP]! MAC address changed from [old MAC] to [new MAC]: This is a strong indicator of ARP spoofing. Someone is likely trying to intercept traffic destined for that IP address.
    • Entry removed: An IP/MAC pair has disappeared.
  6. Important Considerations:
    • Interface Name: Make sure the INTERFACE variable in the script is set to the correct network interface on your machine (e.g., eth0, wlan0). Use ifconfig or ip addr show to find it.
    • False Positives: Dynamic IP addresses and legitimate network changes can cause false positives. Consider the context of your network when interpreting the output.
    • Security Best Practice: This script is a basic detection tool. For robust cyber security, use it in conjunction with other security measures like static ARP entries, port security on switches, and intrusion detection systems.
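The considerations above (false positives from dynamic IP addresses, and static ARP entries as a complement) can be turned into classification logic. The following is an added example, not part of the original post: it parses two constructed `arp -an` snapshots (sample data made up for this example), compares them against a hypothetical table of hosts with known-fixed MACs such as the gateway, and grades each change. A MAC that reappears under a different IP is reported as a move (the usual DHCP renumbering false positive) rather than as spoofing, while a changed MAC for a trusted host is graded high. The function names `parse_arp_dump` and `classify_changes` are this example's own.

```ruby
# Parse one `arp -an` dump (Linux format) into { ip => mac }, skipping incomplete entries
def parse_arp_dump(text)
  text.each_line.with_object({}) do |line, table|
    next unless line =~ /\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})/i
    table[$1] = $2.downcase
  end
end

# Compare two snapshots. trusted = { ip => mac } for hosts whose MAC must never change
# (e.g. the gateway; the equivalent of a static ARP entry). Returns [[severity, message], ...].
def classify_changes(previous, current, trusted = {})
  events = []
  current.each do |ip, mac|
    if trusted[ip] && trusted[ip] != mac
      events << [:high, "ARP spoofing: trusted host #{ip} now resolves to #{mac} (expected #{trusted[ip]})"]
    elsif previous[ip].nil?
      # A MAC we already knew showing up under a new IP is usually a DHCP lease change
      old_ip = previous.key(mac)
      if old_ip && current[old_ip].nil?
        events << [:info, "Host #{mac} moved from #{old_ip} to #{ip} (likely DHCP renumbering)"]
      else
        events << [:low, "New entry: #{ip} -> #{mac}"]
      end
    elsif previous[ip] != mac
      events << [:high, "MAC changed for #{ip}: #{previous[ip]} -> #{mac}"]
    end
  end
  previous.each do |ip, mac|
    next if current[ip]
    next if current.key(mac) # already reported above as a move
    events << [:info, "Entry removed: #{ip} -> #{mac}"]
  end
  events
end

# Constructed sample snapshots: the gateway's MAC changes, .20 is renumbered to .21,
# .40 is genuinely new, and .99 is an incomplete entry that must be ignored
SNAPSHOT_BEFORE = <<~ARP
  ? (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
  ? (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
  ? (192.168.1.30) at aa:bb:cc:00:00:30 [ether] on eth0
  ? (192.168.1.99) at <incomplete> on eth0
ARP

SNAPSHOT_AFTER = <<~ARP
  ? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
  ? (192.168.1.21) at aa:bb:cc:00:00:20 [ether] on eth0
  ? (192.168.1.30) at aa:bb:cc:00:00:30 [ether] on eth0
  ? (192.168.1.40) at aa:bb:cc:00:00:40 [ether] on eth0
ARP

# Hypothetical trusted table: only the gateway's MAC is pinned
TRUSTED = { '192.168.1.1' => 'aa:bb:cc:00:00:01' }

def demo
  classify_changes(parse_arp_dump(SNAPSHOT_BEFORE), parse_arp_dump(SNAPSHOT_AFTER), TRUSTED)
end

if __FILE__ == $0
  demo.each { |severity, message| puts "[#{severity.to_s.upcase}] #{message}" }
end
```

Running the file prints one HIGH line for the gateway, one INFO line for the .20 to .21 move, and one LOW line for the new .40 host; the incomplete .99 entry produces nothing. In the monitoring script this grading would replace the flat puts calls so that a gateway MAC change stands out from routine lease churn.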