23 March 2006 | 9,026 views

kArp – Linux Kernel Level ARP Hijacking/Spoofing Utility

Prevent Network Security Leaks with Acunetix

Introduction

kArp is a linux patch that allows one to implement ARP hijacking in the kernel, but control it easily via userland. You may configure, enable and disable kArp via ProcFS or the sysctl mechanism.

kArp is implemented almost on the device driver level. Any ethernet driver (including 802.11 drivers) is supported. The kArp code is lower than the actual ARP code in the network stack, and thus will respond to ARP requests faster than a normal machine running a normal network stack, even if the machine we’re spoofing has a CPU twice as fast as ours!

Functionality

  • ARP Hijacking – Enabling ARP spoofing allows a user to spoof an ARP response to a specific victim host. Due to the low level at which the code exists, our spoofed packet is guaranteed to arrive at the victim’s network stack prior to the response of the machine we’ve impersonated.
  • ARP Hijacking the Impersonated – Enabling this function via arp_send_to_spoofed allows us to spoof the victim’s information to the impersonated machine as well, helping to solidify the MiM attack. However, this functionality may kill the speed of our spoofed frame to the victim, so it isn’t enabled by default.
  • ARP Flooding – Enabling this function via arp_flood causes the kernel to send a flood of random source and destination MAC addresses via a broken ARP frame. On some switches this will fill its internal MAC table, or overflow it. Often, the result of this attack is forcing the switch to fall back to dumb hub mode, allowing us to sniff the wire without a MiM attack.

Warning

kArp was written to beat the race in responding to an ARP Request from a target (victim) machine. It is *not* meant as an tool to flood a victim with ARP information. This means that some operating systems (MacOSX) that ingest unsolicited ARP responses may still obtain the actual MAC address of the machine we’re impersonating. Linux, however, only accepts the fastest response. If you want to flood a machine with fake ARP responses, use a userland tool.

For now, the URL is:

http://aversion.net/~north/karp/



Recent in Hacking Tools:
- Arachni v1.0 Released – Web Application Security Scanner Framework
- iSniff-GPS – Passive Wifi Sniffing Tool With Location Data
- masscan – The Fastest TCP Port Scanner

Related Posts:
- Linux Kernel 2.6.x PRCTL Core Dump Handling – Local r00t Exploit ( BID 18874 / CVE-2006-2451 )
- Serious Linux Kernel Vulnerability For ALL 2.4 & 2.6 Kernels
- Sysdig – Linux System Troubleshooting Tool

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,870,697 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,061,706 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 625,352 views

Advertise on Darknet

Comments are closed.