Eavesarp - Analyze ARP Requests To Identify Intercommunicating Hosts And Stale Network Address Configurations (SNACs)

A reconnaissance tool that analyzes ARP requests to identify hosts that are likely communicating with one another, which is useful in those dreaded situations where LLMNR/NBNS aren't in use for name resolution.

Requirements/Installation
This is only gon' work on Kali or other Debian-based Linux distributions
eavesarp requires Python3.7 and Scapy. After installing Python, run the following to install Scapy: python3.7 -m pip install -r requirements.txt

General Usage

Capturing ARP Requests
Notes:

eavesarp requires root privileges to sniff from the interface and craft ARP packets.
Captured output is automatically written to disk under the name eavesarp.db to prevent having to recapture ARP requests.

Passive Execution
The most basic form of execution is:

sudo ./eavesarp.py capture -i eth1

This will initialize eavesarp such that ARP requests will be captured, analyzed, and relevant output will be presented to the user in a table. Use --help for additional information on non-standard arguments. Note that the stale column indicates [UNCONFIRMED] when an ARP request originating from a target (as a sender) has not yet been observed when running in this mode. Enable ARP resolution via the -ar flag to determine if a given target address has gone stale.

 ___ ___ __  _____ ___ ___ ________
/ -_) _ `/ |/ / -_|_-</ _ `/ __/ _ \
\__/\_,_/|___/\__/___/\_,_/_/ / .__/
-----------------------------/ /---
[LISTEN CAREFULLY]          /_/

Capture interface: eth1
ARP resolution:    disabled
DNS resolution:    disabled
Requests analyzed: 65

SNAC    Sender         Target            ARP#  Stale
------  -------------  --------------  ------  -------------
        192.168.86.5   192.168.86.101      29  [UNCONFIRMED]
                       192.168.86.3         1
        192.168.86.3   192.168.86.37       25  [UNCONFIRMED]
                       192.168.86.38        7  [UNCONFIRMED]
                       192.168.86.5         1
                       192.168.86.99        1
        192.168.86.99  192.168.86.3         1

Active Execution (ARP Resolution, DNS Resolution)
Enable ARP and DNS resolution by including the -ar and -dr flags. Keep in mind that this makes the tool non-passive, but the advantage is that DNS records, MAC addresses, and a confirmation of SNACs status is returned.

sudo ./eavesarp.py capture -i eth1 -ar -dr --blacklist 192.168.86.5

We can clearly see from the output below which senders are affected by one or more SNACs and the affected addresses. The final column indicates if a potential MITM opportunity is present. eavesarp checks to see if the FWD address of the PTR resolved for a given sender is different. If so, it may be an indicator that the intended target has moved to the new FWD address. Applying an alias to the interface of our attacking host may allow us to forward the traffic to the intended target and capture information in transit.

 ___ ___ __  _____ ___ ___ ________
/ -_) _ `/ |/ / -_|_-</ _ `/ __/ _ \
\__/\_,_/|___/\__/___/\_,_/_/ / .__/
-----------------------------/ /---
[LISTEN CAREFULLY]          /_/

Capture interface: eth1
ARP resolution:    enabled
DNS resolution:    enabled
Requests analyzed: 55

SNAC    Sender         Target            ARP#  Stale    Sender PTR      Target PTR        MITM
------  -------------  --------------  ------  -------  --------------  ----------------  ---------------------------------------------
True    192.168.86.2   192.168.86.101      21  True     iron.aa.local.  syslog.aa.local.  T-IP:192.168.86.101 != PTR-FWD:192.168.86.102
True    192.168.86.3   192.168.86.38       17  True     crux.aa.local.
                       192.168.86.37       15  True
                       192.168.86.99        1                           w10.aa.local.
        192.168.86.99  192.168.86.3         1           w10.   aa.local.   crux.aa.local.

Analyzing PCAP Files and SQLite Databases (generated by eavesarp)
eavesarp can accept SQLite databases and PCAP files for analysis. It will output the extracted values to a new database file for further analysis. See the --help flag for more information on this process, however basic execution is demonstrated below.

sudo ./eavesarp.py analyze -sfs eavesarp.db  -cp disable --blacklist 192.168.86.5 --csv-output-file eavesarp_analysis.db

SNAC    Sender         Target            ARP#  Stale    Sender PTR      Target PTR        MITM
------  -------------  --------------  ------  -------  --------------  ----------------  ---------------------------------------------
True    192.168.86.2   192.168.86.101      21  True     iron.aa.local.  syslog.aa.local.  T-IP:192.168.86.101 != PTR-FWD:192.168.86.102
True    192.168.86.3   192.168.86.38       17  True     crux.aa.local.
                       192.168.86.37       15  True
                       192.168.86.99        1                           w10.aa.local.
        192.168.86.99  192.168.86.3         1           w10.aa.local.   crux.aa.local.
- Writing csv output to eavesarp_analysis.db

...and the CSV output looks like...

arp_count,sender,sender_mac,target,target_mac,stale,sender_ptr,target_ptr,target_forward,mitm_op,snac
21,192.168.86.2,74:d4:35:1a:b5:fb,192.168.86.101,[STALE TARGET],True,iron.aa.local.,syslog.aa.local.,192.168.86.102,T-IP:192.168.86.101 != PTR-FWD:192.168.86.102,True
17,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.38,[STALE TARGET],True,crux.aa.local.,,,False,True
15,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.37,[STALE TARGET],True,crux.aa.local.,,,False,True
1,192.168.86.99,08:00:27:22:49:c5,192.168.86.3,b8:27:eb:a9:5c:8f,False,w10.aa.local.,crux.aa.local.,192.168.86.3,False,False
1,192.168.86.3,b8:27:eb:a9:5c:8f,192.168.86.99,08:00:27:22:49:c5,False,crux.aa.local.,w10.aa.local.,192.168.86.99,False,True

Download Eavesarp