Kevin-Robertson / Inveigh

.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
BSD 3-Clause "New" or "Revised" License
2.44k stars 433 forks

ARP poisoning #4

Closed topazbor closed 8 years ago

topazbor commented 8 years ago

Is there a way to use this module for ARP poisoning? I was looking for this method working with PowerShell.

Kevin-Robertson commented 8 years ago

It doesn't have anything ARP related at the moment. I haven't looked into adding ARP at all yet. Microsoft has some .NET restrictions on what you can do with raw sockets. I'm not sure if another method would be needed. ARP poisoning would definitely be useful.

topazbor commented 8 years ago

Can you give me a lead on where to start for building such a module? Which APIs do I need to use? Which packet do I need to send over? How do I send them over PowerShell? Thanks.

Kevin-Robertson commented 8 years ago

I'd probably check out what can be done with .NET's raw socket and protocol type:

https://msdn.microsoft.com/en-us/library/system.net.sockets.sockettype%28v=vs.110%29.aspx

https://msdn.microsoft.com/en-us/library/system.net.sockets.protocoltype%28v=vs.110%29.aspx

If you grab some packet captures from another ARP spoofing tool, it will give you a good idea of what you need to have your module send out.

There are some built-in anti-malware restrictions though with .NET's raw sockets. For example, you can't spoof an IP address on any of the workstation OSs. I'm not sure if they have anything that would impact ARP.

iphlpapi.dll has some ARP functions. I'm not sure if it's suitable for spoofing.

Outside of those, check to see what's been done on the C# side. There is this one:

http://www.codeproject.com/Articles/6579/Spoofing-the-ARP-Table-of-Remote-Computers-on-a-LA

It uses WinPCAP though.

topazbor commented 8 years ago

I tried to do that but no luck. Maybe you have something in mind?

Kevin-Robertson commented 8 years ago

I'd have to go through and try a few things. It's a great idea. If I come up with anything I'll update here.

topazbor commented 8 years ago

Thanks for the help, man!

topazbor commented 8 years ago

Any update on this issue?