kArp – Linux Kernel Level ARP Hijacking/Spoofing Utility


Introduction

kArp is a linux patch that allows one to implement ARP hijacking in the kernel, but control it easily via userland. You may configure, enable and disable kArp via ProcFS or the sysctl mechanism.

kArp is implemented almost on the device driver level. Any ethernet driver (including 802.11 drivers) is supported. The kArp code is lower than the actual ARP code in the network stack, and thus will respond to ARP requests faster than a normal machine running a normal network stack, even if the machine we’re spoofing has a CPU twice as fast as ours!

Functionality

  • ARP Hijacking – Enabling ARP spoofing allows a user to spoof an ARP response to a specific victim host. Due to the low level at which the code exists, our spoofed packet is guaranteed to arrive at the victim’s network stack prior to the response of the machine we’ve impersonated.
  • ARP Hijacking the Impersonated – Enabling this function via arp_send_to_spoofed allows us to spoof the victim’s information to the impersonated machine as well, helping to solidify the MiM attack. However, this functionality may kill the speed of our spoofed frame to the victim, so it isn’t enabled by default.
  • ARP Flooding – Enabling this function via arp_flood causes the kernel to send a flood of random source and destination MAC addresses via a broken ARP frame. On some switches this will fill its internal MAC table, or overflow it. Often, the result of this attack is forcing the switch to fall back to dumb hub mode, allowing us to sniff the wire without a MiM attack.

Warning

kArp was written to beat the race in responding to an ARP Request from a target (victim) machine. It is *not* meant as an tool to flood a victim with ARP information. This means that some operating systems (MacOSX) that ingest unsolicited ARP responses may still obtain the actual MAC address of the machine we’re impersonating. Linux, however, only accepts the fastest response. If you want to flood a machine with fake ARP responses, use a userland tool.

For now, the URL is:

http://aversion.net/~north/karp/

Posted in: Hacking Tools, Linux Hacking

,


Latest Posts:


APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.


Comments are closed.