ARP Spoofing Detector: Real-time Network Security Monitoring

ARP Spoofing Detector: Real-time Network Security Monitoring

This Python script implements a simple ARP spoofing detector, utilizing Scapy for packet manipulation and Tkinter for a basic graphical user interface. It scans the network for potential ARP spoofing attempts and alerts the user in real-time.

Key Features:

• Network Scanning: The script scans the local network to identify connected devices and their corresponding MAC addresses.
• ARP Spoofing Detection: It continuously monitors for ARP replies that do not match the expected source MAC address, indicating a potential spoofing attack.
• Graphical Interface: A Tkinter-based GUI provides basic controls for starting and stopping the detection process, and displays the detection status.

Code:

import threading
import time
import tkinter as tk
import netifaces
from scapy.all import ARP, sr1, Ether
from getmac import getmacbyip

class ArpDetectorPage:
    def __init__(self, master, timeout):
        self.master = master
        self.timeout = timeout
        self.interface = 'ens33'
        self.ip_mac_map = {}
        self.attacker_ip = None
        self.attacker_mac = None
        self.thread = None
        self.stop_event = threading.Event()
        self.timer = 0

        self.frame = tk.Frame(self.master)
        self.frame.pack()

        self.status_label = tk.Label(self.frame, text='Idle')
        self.status_label.pack()

        self.start_button = tk.Button(self.frame, text='Start', command=self.start_detection)
        self.start_button.pack()

        self.stop_button = tk.Button(self.frame, text='Stop', command=self.stop_detection, state=tk.DISABLED)
        self.stop_button.pack()

    def start_detection(self):
        self.status_label.config(text='Running')
        self.start_button.config(state=tk.DISABLED)
        self.stop_button.config(state=tk.NORMAL)

        self.thread = threading.Thread(target=self.run)
        self.thread.start()

    def stop_detection(self):
        self.status_label.config(text='Idle')
        self.start_button.config(state=tk.NORMAL)
        self.stop_button.config(state=tk.DISABLED)

        self.stop_event.set()
        self.thread.join()

    def run(self):
        self.attacker_ip = netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr']
        self.attacker_mac = getmacbyip(self.attacker_ip)
        print(f'Attacker IP: {self.attacker_ip}, MAC: {self.attacker_mac}')

        while not self.stop_event.is_set():
            self.scan_network()
            self.detect_arp_spoofing()
            time.sleep(5)
            self.timer += 5
            if self.timer >= self.timeout:
                print('No ARP spoofing detected')
                self.stop_event.set()

    def scan_network(self):
        for ip in netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr'].split('.')[:-1]:
            for i in range(1, 255):
                target_ip = f'{ip}.{i}'
                if target_ip != self.attacker_ip:
                    arp_request = ARP(pdst=target_ip)
                    arp_reply = sr1(arp_request, timeout=1, verbose=0)
                    if arp_reply and arp_reply.hwsrc not in ('00:00:00:00:00:00', self.attacker_mac):
                        self.ip_mac_map[target_ip] = arp_reply.hwsrc

    def detect_arp_spoofing(self):
        for target_ip, target_mac in self.ip_mac_map.items():
            arp_request = ARP(op=1, pdst=target_ip, hwdst=target_mac, psrc=self.attacker_ip, hwsrc=self.attacker_mac)
            arp_reply = sr1(arp_request, timeout=1, verbose=0)
            if arp_reply and arp_reply.hwsrc != target_mac:
                print(f'ARP spoofing detected: {target_ip} ({target_mac}) -> {arp_reply.hwsrc}')

class ArpDetectorPageUI:
    def __init__(self, master):
        self.master = master
        self.master.title('ARP Detector')
        self.master.geometry('400x150')

        self.timeout_label = tk.Label(self.master, text='Detection Time (s)')
        self.timeout_label.pack()
        self.timeout_entry = tk.Entry(self.master)
        self.timeout_entry.pack()

        self.start_button = tk.Button(self.master, text='Start', command=self.start_detection)
        self.start_button.pack()

    def start_detection(self):
        timeout = int(self.timeout_entry.get())
        self.master.withdraw()
        ArpDetectorPage(self.master, timeout)

root = tk.Tk()
arp_button = tk.Button(root, text='ARP Detection', command=lambda: ArpDetectorPageUI(root))
arp_button.pack()
root.mainloop()

Usage:

1. Ensure you have Scapy and getmac installed (pip install scapy getmac).
2. Run the script. The GUI will appear with a field to enter the detection time (in seconds).
3. Enter the desired detection time and click 'Start'.
4. The script will continuously monitor the network for ARP spoofing attempts.
5. If spoofing is detected, it will print the details to the console.
6. To stop the detection, click the 'Stop' button.

Note:

• This script requires administrator privileges to perform network operations.
• The interface variable (set to 'ens33' by default) should be modified to match your network interface.
• The script utilizes sr1 from Scapy, which performs single-packet sending and reception. Consider using srp1 for more robust packet analysis and filtering.

Further Development:

• Add a more informative GUI, including a list of detected devices and spoofing attempts.
• Implement logging of spoofing events for post-analysis.
• Integrate with a network monitoring system for centralized alerts.
• Explore using other libraries for network sniffing and analysis.

This script provides a basic framework for detecting ARP spoofing attacks. By understanding its functionality and potential improvements, you can enhance your network security practices and identify potential threats.