[wiki] [sites] Add mitm detection helper function for dwmstatus. || vladz

From: <git_AT_suckless.org>
Date: Fri, 08 Mar 2013 09:07:46 +0100

commit 84af1a22c8cc0fc5ca0084ab869b17e053f94746
Author: vladz <vladz_AT_devzero.fr>
Date: Fri Mar 8 09:05:41 2013 +0100

    Add mitm detection helper function for dwmstatus.

diff --git a/dwm.suckless.org/dwmstatus/dwmstatus-mitm.c b/dwm.suckless.org/dwmstatus/dwmstatus-mitm.c
new file mode 100644
index 0000000..ebb2157
--- /dev/null
+++ b/dwm.suckless.org/dwmstatus/dwmstatus-mitm.c
_AT_@ -0,0 +1,72 @@
+/* Here is a helper function that warns you if someone tries to sniff your
+ * network traffic (i.e. a Man-In-The-Middle attack ran against you thanks
+ * to ARP cache poisoning).
+ *
+ * It checks the dump file of the kernel ARP table (/proc/net/arp) to see
+ * if there is more than one IP address associated with the same MAC
+ * address. If so, it shows an alert. If an error occurs during the
+ * check, it returns NULL.
+ *
+ * Written by vladz (vladz AT devzero.fr).
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+/* The hard maximum number of entries kept in the ARP cache is obtained via
+ * "sysctl net.ipv4.neigh.default.gc_thresh3" (see arp(7)). Default value
+ * for Linux is 1024.
+ */
+#define MAX_ARP_CACHE_ENTRIES 1024
+
+
+char *detect_arp_spoofing(void) {
+
+ FILE *fp;
+ int i = 1, j;
+ char **ptr = NULL;
+ char buf[100], *mac[MAX_ARP_CACHE_ENTRIES];
+
+ if (!(fp = fopen("/proc/net/arp", "r"))) {
+ return NULL;
+ }
+
+ ptr = mac;
+
+ while (fgets(buf, sizeof(buf) - 1, fp)) {
+
+ /* ignore the first line. */
+ if (i == 1) { i = 0; continue; }
+
+ if ((*ptr = malloc(18)) == NULL) {
+ return NULL;
+ }
+
+ sscanf(buf, "%*s %*s %*s %s", *ptr);
+ ptr++;
+ }
+
+ /* end table with a 0. */
+ *ptr = 0;
+
+ fclose(fp);
+
+ for (i = 0; mac[i] != 0; i++)
+ for (j = i + 1; mac[j] != 0; j++)
+ if ((strcmp("00:00:00:00:00:00", mac[i]) != 0) &&
+ (strcmp(mac[i], mac[j]) == 0)) {
+
+ return "** MITM attack detected! Type \"arp -a\". **";
+ }
+
+ return "MITM detection: on";
+}
+
+int main() {
+
+ printf("%s
", detect_arp_spoofing());
+
+ return 0;
+}
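Review bot: The `sscanf(buf, "%*s %*s %*s %s", *ptr)` in the read loop has no field width, so a hardware address longer than 17 characters (Linux prints non-Ethernet link types with longer HW addresses in /proc/net/arp) overruns the 18-byte allocation, and when the table holds exactly MAX_ARP_CACHE_ENTRIES rows the terminator store `*ptr = 0` writes one past `mac[]`. Every call also leaks all the malloc'd strings (and `fp` on the malloc-failure path), which matters because dwmstatus polls this helper repeatedly. The rewrite below bounds the conversion with `%17s`, caps the row count, and frees the entries before returning; `main` should additionally guard the NULL return, since `printf("%s", NULL)` is undefined behaviour. Note too that one MAC answering for several IPs is normal for a router with multiple addresses or proxy ARP, so the alert is a prompt to inspect the table rather than proof of poisoning.
```c
char *detect_arp_spoofing(void) {
    FILE *fp;
    int i = 1;
    size_t n = 0, a, b;
    char *result = NULL;
    char buf[100], *mac[MAX_ARP_CACHE_ENTRIES];

    /* … unchanged: fopen("/proc/net/arp") with NULL return on failure … */

    while (fgets(buf, sizeof buf, fp)) {
        if (i == 1) { i = 0; continue; }        /* skip the header line */
        if (n == MAX_ARP_CACHE_ENTRIES) break;   /* never write past mac[] */
        if ((mac[n] = malloc(18)) == NULL) {
            fclose(fp);
            goto out;                            /* result stays NULL */
        }
        /* %17s bounds the copy to the 18-byte allocation */
        if (sscanf(buf, "%*s %*s %*s %17s", mac[n]) != 1) {
            free(mac[n]);
            continue;
        }
        n++;
    }
    fclose(fp);

    result = "MITM detection: on";
    for (a = 0; a < n; a++)
        for (b = a + 1; b < n; b++)
            if (strcmp("00:00:00:00:00:00", mac[a]) != 0 &&
                strcmp(mac[a], mac[b]) == 0) {
                result = "** MITM attack detected! Type \"arp -a\". **";
                goto out;
            }

out:
    for (a = 0; a < n; a++)
        free(mac[a]);
    return result;
}
```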
diff --git a/dwm.suckless.org/dwmstatus/index.md b/dwm.suckless.org/dwmstatus/index.md
index e9cad61..38ce77d 100644
--- a/dwm.suckless.org/dwmstatus/index.md
+++ b/dwm.suckless.org/dwmstatus/index.md
_AT_@ -34,6 +34,7 @@ add them here as file or as code example.
 * [Reading eth0 up-, and downspeed from /proc/net](dwmstatus-netusage.c)
 * [Counting number of mails in a Maildir/new](mail_counter.c)
 * [Get disk usage and execute some check at different moments](diskspace_timechk.c) : Because you don't want to check new mails every second
+* [Detecting Man-In-The-Middle](dwmstatus-mitm.c)
 
 Questions
 ---------