seringe v0.2 : arp injector and redirector
by michael@scanit.be
------------------------------------------

"We can't build our dreams on suspicious minds" e.presley

[foreword]

Seringe is a tool that intercepts ARP requests and answers them with its own
hardware address. This is done to "sniff" traffic on a switched network, where
traditional "sniffers" fail because the switch only delivers a frame to the port
behind the destination MAC address.

Note : this tool was written during a security audit and should only be used
responsibly and with authorization. It can disrupt network services (every host
it answers starts sending its traffic for the target through the attacking
machine), therefore it must only be used with caution and under supervision of
authorized personnel.

[arp poisoning]

ARP poisoning is nothing new; it has been around for a long time and has been
implemented in several tools, for example ettercap [1] and dsniff [2]. Those
tools "flood" the network with ARP traffic (sweeps of requests to every address,
or unsolicited replies sent to every host) in order to update the ARP caches of
all machines. Seringe is more stealthy: it only updates the ARP cache of a
machine that is actually asking for an address, and only at the moment it asks.
The "flooding" tools are easily detected by a NIDS, or simply by looking at
tcpdump output, as in the following excerpt of a sweep (IP addresses are
modified for privacy reasons):

10:23:04.052275 arp who-has 10.1.4.101 tell 10.1.4.106
10:23:04.052279 arp who-has 10.1.4.102 tell 10.1.4.106
10:23:04.052312 arp who-has 10.1.4.103 tell 10.1.4.106
10:23:04.058605 arp who-has 10.1.4.105 tell 10.1.4.106
10:23:04.073481 arp who-has 10.1.4.107 tell 10.1.4.106
10:23:04.088467 arp who-has 10.1.4.109 tell 10.1.4.106

In order to communicate over Ethernet, a network card needs to know the
hardware (MAC) address of the target interface. To resolve an IP address into a
MAC address, ARP (Address Resolution Protocol) is used. ARP [3] is a simple,
lightweight protocol, and it has no authentication at all: a host believes
whatever reply it receives. To get the MAC address of the target, the following
sequence happens. Assume host A needs the MAC address of host B, A's IP address
is 10.0.0.1 and B's IP address is 10.0.0.2:

1. Host A sends a broadcast packet (an ARP request) asking for the MAC address
   of 10.0.0.2.
2. B responds with an ARP reply containing its IP address and its MAC address.
3. A stores that mapping in its ARP cache and now knows where to send Ethernet
   frames to reach B.

What seringe does is take over step 2: it answers A's request with a fake
hardware address for host B, namely the attacker's own MAC address. A will
think that B is at this "fake" MAC address and send its packets there, believing
they go to B. The attacker can then capture and record the packets and forward
them to the real host B, so the connection keeps working and nobody notices.

Two things to keep in mind: the real B also answers the request, so the spoofed
reply races the genuine one and A keeps whichever mapping it processed last;
and if the redirected packets are not forwarded to B, the victim's connections
simply hang, which is the disruption mentioned in the foreword.

[compiling]

To compile seringe, you need a Linux machine. Seringe has been tested
successfully on Linux running kernel 2.4.20. To compile seringe, do a:

$ gcc seringe.c -o seringe

You can play with gcc options, but beware that the -Wall option gives some
warnings. The program should still run correctly.

[running]

To run seringe and redirect all traffic to your machine, simply do a (as root,
since injecting raw frames requires it):

# ./seringe

To take a look at more options, use the -h argument ("./seringe -h").

[contact]

For any questions or comments, please contact me at
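The three-step exchange from the [arp poisoning] section with step 2 taken over, as an added C example. This is not seringe's code: it builds the request and the spoofed reply as byte frames in memory, so it can be read and run without root and without a network. The MAC and IP addresses are constructed sample values and the function names are my own. Actually putting the reply on the wire needs a raw AF_PACKET socket or libpcap and root privileges, which is why the README runs the tool from a # prompt; that part is not shown here.

```c
/*
 * Added example, not seringe's own code: the ARP exchange with step 2 taken
 * over.  A captured ARP request is checked and, if it asks for the victim's
 * address, answered with a reply that claims the victim lives at the
 * attacker's MAC.  All addresses below are constructed sample values.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 6
#define IP4_LEN 4
#define ARP_FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP body */

/* Wire layout; every member is a byte array, so the struct has no padding. */
struct arp_frame {
    uint8_t dst[MAC_LEN], src[MAC_LEN], ethertype[2];   /* 0x0806 = ARP */
    uint8_t htype[2], ptype[2], hlen, plen;             /* 1, 0x0800, 6, 4 */
    uint8_t oper[2];                                    /* 1 = request, 2 = reply */
    uint8_t sha[MAC_LEN], spa[IP4_LEN];                 /* sender MAC / IP */
    uint8_t tha[MAC_LEN], tpa[IP4_LEN];                 /* target MAC / IP */
};

/* Constructed sample addresses (assumptions for this example). */
const uint8_t HOST_A_MAC[MAC_LEN]   = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
const uint8_t HOST_A_IP[IP4_LEN]    = {10, 0, 0, 1};
const uint8_t HOST_B_IP[IP4_LEN]    = {10, 0, 0, 2};   /* host whose traffic we want */
const uint8_t ATTACKER_MAC[MAC_LEN] = {0xde, 0xad, 0xbe, 0xef, 0x00, 0x01};
static const uint8_t BROADCAST[MAC_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

/* Step 1: host A broadcasts "who-has b_ip tell a_ip".  Returns the frame length. */
size_t build_request(uint8_t out[ARP_FRAME_LEN], const uint8_t a_mac[MAC_LEN],
                     const uint8_t a_ip[IP4_LEN], const uint8_t b_ip[IP4_LEN])
{
    struct arp_frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.dst, BROADCAST, MAC_LEN);
    memcpy(f.src, a_mac, MAC_LEN);
    f.ethertype[0] = 0x08; f.ethertype[1] = 0x06;
    f.htype[1] = 1;  f.ptype[0] = 0x08;  f.hlen = MAC_LEN;  f.plen = IP4_LEN;
    f.oper[1] = 1;
    memcpy(f.sha, a_mac, MAC_LEN);
    memcpy(f.spa, a_ip, IP4_LEN);
    memcpy(f.tpa, b_ip, IP4_LEN);        /* tha is left zero in a request */
    memcpy(out, &f, ARP_FRAME_LEN);
    return ARP_FRAME_LEN;
}

/* 1 if frame is a well-formed Ethernet/IPv4 ARP request for victim_ip, else 0. */
int is_request_for(const uint8_t *frame, size_t len, const uint8_t victim_ip[IP4_LEN])
{
    struct arp_frame f;
    if (len < ARP_FRAME_LEN) return 0;
    memcpy(&f, frame, ARP_FRAME_LEN);
    if (f.ethertype[0] != 0x08 || f.ethertype[1] != 0x06) return 0;
    if (f.htype[0] != 0 || f.htype[1] != 1 || f.ptype[0] != 0x08 || f.ptype[1] != 0) return 0;
    if (f.hlen != MAC_LEN || f.plen != IP4_LEN || f.oper[0] != 0 || f.oper[1] != 1) return 0;
    return memcmp(f.tpa, victim_ip, IP4_LEN) == 0;
}

/* Step 2, taken over: unicast a reply to the requester saying victim_ip is at
 * attacker_mac.  Returns the frame length, or -1 if req is not such a request. */
int build_spoofed_reply(const uint8_t *req, size_t len, const uint8_t attacker_mac[MAC_LEN],
                        const uint8_t victim_ip[IP4_LEN], uint8_t out[ARP_FRAME_LEN])
{
    struct arp_frame r, f;
    if (!is_request_for(req, len, victim_ip)) return -1;
    memcpy(&r, req, ARP_FRAME_LEN);
    f = r;                                /* keeps ethertype/htype/ptype/hlen/plen */
    memcpy(f.dst, r.src, MAC_LEN);        /* straight back to whoever asked */
    memcpy(f.src, attacker_mac, MAC_LEN);
    f.oper[1] = 2;
    memcpy(f.sha, attacker_mac, MAC_LEN); /* the lie: "B is at the attacker's MAC" */
    memcpy(f.spa, victim_ip, IP4_LEN);
    memcpy(f.tha, r.sha, MAC_LEN);
    memcpy(f.tpa, r.spa, IP4_LEN);
    memcpy(out, &f, ARP_FRAME_LEN);
    return ARP_FRAME_LEN;
}

uint8_t g_req[ARP_FRAME_LEN], g_rep[ARP_FRAME_LEN];   /* frames built by main */

int main(void)
{
    size_t i;
    build_request(g_req, HOST_A_MAC, HOST_A_IP, HOST_B_IP);
    if (build_spoofed_reply(g_req, sizeof g_req, ATTACKER_MAC, HOST_B_IP, g_rep) < 0) return 1;
    printf("spoofed reply:");
    for (i = 0; i < sizeof g_rep; i++) printf(" %02x", g_rep[i]);
    printf("\n");
    return 0;
}
```

Note that the reply is sent unicast to the requester's MAC rather than broadcast; that is the stealth property the README describes, since nobody but A sees the answer.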
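The detection side mentioned in the [arp poisoning] section, as an added C example that is not part of seringe: a sweep by a "flooding" tool is easy to spot in tcpdump output, so this parses "arp who-has X tell Y" lines and flags any source that asks for several distinct addresses within one second. The log is constructed around the excerpt above with a few ordinary lookups added; the one-second window and the threshold of five targets are assumptions, as are the function names.

```c
/*
 * Added example, not part of seringe: flag ARP request sweeps in
 * tcpdump-style output.  A source that asks for SWEEP_THRESHOLD or more
 * distinct targets within WINDOW_SECONDS is reported.  The sample log is
 * constructed, modelled on the excerpt in the README.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LINES 64
#define WINDOW_SECONDS 1.0     /* assumption: length of the sliding window */
#define SWEEP_THRESHOLD 5      /* assumption: distinct targets that count as a sweep */

struct arp_req { double t; char src[16]; char target[16]; };

/* Constructed sample log: the sweep from the excerpt plus ordinary traffic. */
const char *SAMPLE_LOG[] = {
    "10:23:03.900120 arp who-has 10.1.4.1 tell 10.1.4.50",
    "10:23:04.052275 arp who-has 10.1.4.101 tell 10.1.4.106",
    "10:23:04.052279 arp who-has 10.1.4.102 tell 10.1.4.106",
    "10:23:04.052312 arp who-has 10.1.4.103 tell 10.1.4.106",
    "10:23:04.058605 arp who-has 10.1.4.105 tell 10.1.4.106",
    "10:23:04.073481 arp who-has 10.1.4.107 tell 10.1.4.106",
    "10:23:04.088467 arp who-has 10.1.4.109 tell 10.1.4.106",
    "10:23:04.100000 arp reply 10.1.4.101 is-at 00:11:22:33:44:55",
    "10:23:09.400000 arp who-has 10.1.4.1 tell 10.1.4.50",
};
const int SAMPLE_LOG_LEN = 9;

/* Parse one tcpdump line into r; returns 1 for an ARP request line, 0 otherwise. */
int parse_who_has(const char *line, struct arp_req *r)
{
    int h, m;
    double s;
    if (sscanf(line, "%d:%d:%lf arp who-has %15s tell %15s", &h, &m, &s, r->target, r->src) != 5)
        return 0;
    r->t = h * 3600.0 + m * 60.0 + s;   /* seconds since midnight */
    return 1;
}

/* Distinct targets requested by reqs[i].src within WINDOW_SECONDS of reqs[i].t.
 * Assumes reqs is in time order, as tcpdump output is. */
static int distinct_targets_in_window(const struct arp_req *reqs, int n, int i)
{
    const char *seen[MAX_LINES];
    int count = 0, j, k;
    for (j = i; j < n; j++) {
        if (reqs[j].t - reqs[i].t > WINDOW_SECONDS) break;
        if (strcmp(reqs[j].src, reqs[i].src) != 0) continue;
        for (k = 0; k < count; k++)
            if (strcmp(seen[k], reqs[j].target) == 0) break;
        if (k == count) seen[count++] = reqs[j].target;
    }
    return count;
}

/* Scan the log; returns the number of sweeping sources and copies the first
 * one into out (if out is non-NULL). */
int find_sweepers(const char *lines[], int nlines, char *out, size_t outlen)
{
    struct arp_req reqs[MAX_LINES];
    char flagged_src[MAX_LINES][16];
    int n = 0, i, j, flagged = 0;
    for (i = 0; i < nlines && n < MAX_LINES; i++)
        if (parse_who_has(lines[i], &reqs[n])) n++;
    for (i = 0; i < n; i++) {
        if (distinct_targets_in_window(reqs, n, i) < SWEEP_THRESHOLD) continue;
        for (j = 0; j < flagged; j++)
            if (strcmp(flagged_src[j], reqs[i].src) == 0) break;
        if (j < flagged) continue;                  /* already reported */
        strcpy(flagged_src[flagged++], reqs[i].src);
        if (flagged == 1 && out) snprintf(out, outlen, "%s", reqs[i].src);
    }
    return flagged;
}

char g_first[16];            /* first flagged source, filled by find_sweepers */
struct arp_req g_parsed;     /* scratch record for parse tests */

int main(void)
{
    int n = find_sweepers(SAMPLE_LOG, SAMPLE_LOG_LEN, g_first, sizeof g_first);
    if (n > 0) printf("%d sweeping source(s); first: %s\n", n, g_first);
    else printf("no sweep detected\n");
    return 0;
}
```

This check would not catch seringe itself, which never sends requests and only replies when asked. Spotting that kind of poisoning means watching replies instead: a MAC address that claims two different IP addresses, or an IP address whose MAC changes, which is what arpwatch reports.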