ARP Spoofing is an old yet efficient way to carry out MITM attacks on a local network. Although we may have mitigation mechanisms, like DHCP Snooping and Dynamic ARP Inspection (DAI), set on the corporate network, when we are connected to a less secure environment, we may be at risk.
In a MITM ARP Spoofing scenario, the attacker sends spoofed ARP messages to victims in order to associate the attacker's own MAC address with the network gateway IP address, which allows the attacker to intercept and manipulate all traffic.
This project provides a set of simple scripts for Mac OS that automatically set the gateway MAC address in the ARP table in a way that it cannot be overridden by the gratuitous ARP messages usually sent in attack scenarios.
- High Sierra
- Fedora 27
Copy setgatewaymac.plist to /Library/LaunchDaemons
sudo cp macos/setgatewaymac.plist /Library/LaunchDaemons
Install the setgatewaymac service on Mac OS
sudo launchctl load /Library/LaunchDaemons/setgatewaymac.plist
Copy setgatewaymac.sh to /usr/local/bin
sudo cp macos/setgatewaymac.sh /usr/local/bin
sudo chmod +x /usr/local/bin/setgatewaymac.sh
Done
Open the system Console logs (Applications -> Utilities -> Console) and filter for "setgatewaymac" while you connect to a different network (e.g., WiFi). If everything is set properly, you should see the log entries from the scripts permanently setting the gateway MAC in your system ARP table, as in the figure below.
Figure: Setting up gateway MAC.
Finally, you may check your system's ARP table:
Figure: ARP table with permanent gateway MAC Address
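The check described above can also be scripted. The following is an added example, not part of this project's scripts: it reads `arp -an` (macOS) or `ip neigh` (Linux) output on stdin, reports whether the gateway entry is permanent, and lists any other IP address that shares the gateway's MAC. The helper names, addresses and sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (helper names are hypothetical). Reads `arp -an` (macOS) or
# `ip neigh` (Linux) output on stdin and inspects the gateway entry.

# Constructed sample tables (not captured from a real host).
MACOS_TABLE='? (192.168.1.1) at 0:11:22:33:44:55 on en0 permanent [ethernet]
? (192.168.1.23) at a4:5e:60:0:0:1 on en0 ifscope [ethernet]'
LINUX_TABLE='192.168.1.1 dev wlp2s0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.1.77 dev wlp2s0 lladdr de:ad:be:ef:00:99 STALE'

# awk fragment shared by both helpers: sets ip and mac for the current line.
# macOS lines look like "? (a.b.c.d) at <mac> ..."; Linux lines start with the IP.
PARSE='{ ip = $1; mac = ""
  if ($1 == "?") { ip = $2; gsub(/[()]/, "", ip) }
  for (i = 1; i < NF; i++)
    if ($i == "at" || $i == "lladdr") mac = tolower($(i + 1))
  if (mac == "(incomplete)") mac = "" }'

# gateway_arp_state GW_IP -> "permanent <mac>", "dynamic <mac>" or "missing"
gateway_arp_state() {
  awk -v gw="$1" "$PARSE"'
    ip == gw && mac != "" {
      state = "dynamic"
      for (i = 1; i <= NF; i++) if (tolower($i) == "permanent") state = "permanent"
      print state, mac; found = 1; exit
    }
    END { if (!found) print "missing" }'
}

# shared_gateway_mac GW_IP -> every other IP that resolves to the gateway's MAC.
# Output here means two addresses claim one hardware address, the pattern a
# spoofed gateway entry leaves in the table.
shared_gateway_mac() {
  awk -v gw="$1" "$PARSE"'
    mac != "" { macof[ip] = mac; if (ip == gw) gwmac = mac }
    END {
      if (gwmac != "")
        for (ip in macof) if (ip != gw && macof[ip] == gwmac) print ip
    }'
}

# Run the helpers over the constructed tables.
printf '%s\n' "$MACOS_TABLE" | gateway_arp_state 192.168.1.1
printf '%s\n' "$LINUX_TABLE" | gateway_arp_state 192.168.1.1
printf '%s\n' "$LINUX_TABLE" | shared_gateway_mac 192.168.1.1
```

On a live system, pipe `arp -an` or `ip neigh` into the helpers with your own gateway address in place of the sample one.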
sudo launchctl unload /Library/LaunchDaemons/setgatewaymac.plist
sudo rm /Library/LaunchDaemons/setgatewaymac.plist
sudo rm /usr/local/bin/setgatewaymac.sh
Copy setgatewaymac.sh to /etc/NetworkManager/dispatcher.d/25-setgatewaymac
sudo cp linux/setgatewaymac.sh /etc/NetworkManager/dispatcher.d/25-setgatewaymac
Set the correct permissions
sudo chown root:root /etc/NetworkManager/dispatcher.d/25-setgatewaymac
sudo chmod +x /etc/NetworkManager/dispatcher.d/25-setgatewaymac
Done
Morphus Labs Team (morphuslabs.com)