Showing posts with label SniffingTools. Show all posts

shARP: An Anti-ARP-Spoofing Application Software

Anti ARP Spoofing Tool




shARP is an anti-ARP-spoofing application that uses an active scanning method to detect ARP-spoofing incidents.


ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. The attack is often used as an opening for other attacks, such as denial of service, man-in-the-middle, or session hijacking. Our anti-ARP-spoofing program, shARP, actively detects the presence of a third party in a private network. It has two modes: defensive and offensive. Defensive mode protects the end user from the spoofer by disconnecting the user's system from the network and alerting the user with an audio message.

Offensive mode also disconnects the user's system from the network, and further kicks the attacker out by sending de-authentication packets to his system, preventing him from reconnecting to the network until the program is manually reset. Since de-authentication is an 802.11 management frame, this reaction only applies on Wi-Fi networks; on a wired LAN only the detection and the disconnection apply. The program creates a log file (under /usr/shARP/) containing the details of the attack: the attacker's MAC address, the MAC vendor, and the time and date of the attack. The MAC address identifies the NIC of the attacker's system, and if required the attacker can be banned from the network by adding that MAC address to the router's block list. Bear in mind that a MAC address can be changed in software, so such a ban only stops an attacker who keeps using the same address.

The whole program is designed specifically for Linux and is written as a Linux shell script (bash). In offensive mode the program downloads an open-source application from the internet, with the user's permission, namely aircrack-ng (if it is not already present on the user's system). Visit https://www.aircrack-ng.org for more info.

If the user wants to secure his network by scanning for an attacker, he can run the program. The program offers a simple command line interface which makes it easy for new users: the user can directly select the defensive or offensive mode by passing the respective command line argument along with the script name, just as with any other Linux command operated through the CLI. If the user passes a wrong command line argument, the program prompts the user to use the help option; the help option describes the two modes. When the user runs the program in defensive mode, he is shown the original MAC address of the gateway.

If there is no man-in-the-middle attack, the screen stays idle. As soon as the program detects a spoofer on the network, it outputs the MAC address of the spoofer and the time of the attack. It then disconnects the user's system from the network so as to protect the private data being transferred between the system and the server, and saves a log file about the attacker for further use. When the user runs the program in offensive mode, he is likewise shown the original MAC address of the gateway, and if there is no man-in-the-middle attack the screen stays idle.

As soon as the program detects a spoofer on the network, it outputs the MAC address of the spoofer and the time of the attack, as in defensive mode. But it then goes further: the program puts the user's network interface card into monitor mode with the help of airmon-ng, and the aircrack-ng suite is used to send de-authentication frames to the attacker's system (within that suite, the tool that injects de-authentication frames is aireplay-ng). This kicks the attacker off the wireless network. The program also creates a log file about the attack.
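As an added illustration of the detection described above (an example written for this page, not shARP's own code), the following bash script records the gateway's MAC address from the Linux ARP table in /proc/net/arp format and raises an alert when a later snapshot shows the gateway IP answering from a different MAC, or when one MAC claims several IP addresses (the usual signature of a poisoning attacker answering for the gateway as well as for itself). The two ARP tables, the gateway address 192.168.1.1 and the MAC addresses are constructed samples; on a live host you would read /proc/net/arp in a sleep loop and, on alert, take the interface down (shARP's defensive reaction) rather than only logging.

```shell
#!/usr/bin/env bash
# Added example: gateway-MAC change detection over /proc/net/arp-style text.
# Not shARP's code; the tables below are constructed, not captured.

# Print the MAC recorded for IP $1; the table is read from stdin.
gateway_mac() {
  awk -v ip="$1" '$1 == ip { print tolower($4); exit }'
}

# Print every MAC that claims more than one IP address (skipping the header
# and incomplete entries). One MAC for both the gateway and another host is
# the classic sign of ARP cache poisoning.
duplicate_macs() {
  awk 'NR > 1 && $4 != "00:00:00:00:00:00" { n[tolower($4)]++ }
       END { for (m in n) if (n[m] > 1) print m }'
}

# Compare the gateway entry of a fresh table (stdin) with the baseline MAC.
# Returns 0 if unchanged (or not yet cached), 1 if the gateway MAC moved.
check_gateway() {  # args: gateway_ip baseline_mac
  local now
  now=$(gateway_mac "$1")
  if [ -n "$now" ] && [ "$now" != "$2" ]; then
    printf 'ALERT %s: gateway %s now resolves to %s (expected %s)\n' \
      "$(date -u +%FT%TZ)" "$1" "$now" "$2" >&2
    return 1
  fi
  return 0
}

# Constructed sample tables in /proc/net/arp layout (not from a real network).
BASELINE_TABLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0'

# After poisoning: the gateway IP maps to the attacker NIC, which also
# appears at the attacker's own address 192.168.1.66.
POISONED_TABLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:99     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:20     *        wlan0
192.168.1.66     0x1         0x2         de:ad:be:ef:00:99     *        wlan0'

# Demo: learn the baseline from the first snapshot, then check the second.
GW=192.168.1.1
BASE_MAC=$(printf '%s\n' "$BASELINE_TABLE" | gateway_mac "$GW")
echo "baseline gateway MAC: $BASE_MAC"
if ! printf '%s\n' "$POISONED_TABLE" | check_gateway "$GW" "$BASE_MAC"; then
  printf 'MAC(s) claiming multiple IPs: %s\n' \
    "$(printf '%s\n' "$POISONED_TABLE" | duplicate_macs | tr '\n' ' ')"
fi
```

The alert line is written to stderr so it can be appended to a log file the way shARP records attacks; the baseline should be learned while the network is known to be clean, since a baseline taken during an attack would simply enshrine the attacker's MAC.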

How to use?

bash ./shARP.sh -r [interface] to reset the network card and driver.

bash ./shARP.sh -d [interface] to activate the program in defense mode.

bash ./shARP.sh -o [interface] to activate the program in offense mode.

bash ./shARP.sh -h for help.

Download shARP


How To Perform A Cyber Forensic Investigation In 3 Easy Steps

A forensic investigation helps an organisation collect and analyse data as evidence. Data collected during a forensic investigation can be used as proof in a court, so it must be protected and preserved against modification.


What do you mean by forensic investigation?

Forensic investigation means analysing the data on a computer and collecting it as proof when an incident happens. This is an ever-growing domain and many institutes offer a specialised degree in this area.

There are mainly three steps in a forensic investigation:

1. Collecting the data
2. Analysing the data
3. Preventing modification

Forensic investigators follow a defined forensic procedure to collect the data, and their primary task is to protect that data from modification so that it can be presented as evidence in a court.

Now I will explain how to perform a forensic investigation:

Step 1: Collect the data

Forensic investigators use special tools to collect the data, for example, you can use …. The data include disk images, email, messages, etc. They collect it in a specified format, following the order-of-volatility concept: collect data from the most volatile to the least volatile, because the most volatile data is lost first (a reboot wipes RAM, but the disk survives). Generally the sequence is CPU cache and registers, RAM, the swap or paging file, hard-drive data, and finally logs stored on archived media.

Step 2: Capture the image

Capturing the image means copying the exact data without any modification. A forensic imaging tool copies the source bit by bit, so that nothing is altered and unallocated and slack space are copied along with the files, and the source drive is connected through a hardware write blocker so that it is write-protected during the copy. EnCase and FTK (Forensic Toolkit) are the most popular forensic tools used by forensic experts.

Step 3: Prevent modification

Hashing is the standard way to demonstrate that data has not been modified. Strictly speaking a hash does not prevent modification (that is what the write blocker and write-protection are for); it lets you prove, later, that the evidence is bit-for-bit identical to what was collected. So, to maintain integrity, take a hash of the evidence at collection time. You can recompute the hash as many times as you need and it will remain the same as long as the data is the same; any change, even a single byte, produces a different hash. Use a modern algorithm such as SHA-256: MD5 and SHA-1 are no longer considered collision-resistant, although many workflows still record them alongside SHA-256 for compatibility with older tools.

For example: after capturing an image of the disk, the expert computes a hash of the image, stores the hash value safely (in the case notes and the chain-of-custody record) and enables a write-protection mechanism so the image cannot be modified. Later, when the evidence is required, the hash is recomputed and compared with the recorded value; if the two match, the data has not been modified and the image is fit to be used as evidence in court.
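The following bash script is an added example of Step 2 and Step 3 together, not code from the original post: it acquires a bit-for-bit image with dd, records the image's SHA-256 at acquisition time, write-protects the image and the record, and then shows the verification succeeding on the untouched image and failing after a single byte is changed. The "evidence device" is a constructed 8 KiB file standing in for a real drive (e.g. /dev/sdb), and there is no hardware write blocker here, so chmod is the only write-protection; on real media you would read through a write blocker and also hash the source device itself.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): dd acquisition, SHA-256 record,
# write-protection and later verification. Files live in a temp directory.
set -u
WORK=$(mktemp -d)
trap 'cd / && rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Constructed "device": 8 KiB of filler, an exact multiple of the block size,
# so the padded image hashes identically to the source.
yes 'constructed evidence block' | head -c 8192 > device.bin

sha_of() { sha256sum "$1" | cut -d' ' -f1; }

# Copy $1 to $2 block by block. conv=noerror keeps going past read errors and
# conv=sync zero-pads a short block so the image stays aligned with the source.
acquire_image() {
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# Record the image hash (the value that goes into the chain-of-custody notes)
# and make both the image and the record read-only.
seal_image() {  # args: image record_file
  sha256sum "$1" > "$2" && chmod a-w "$1" "$2"
}

# Recompute and compare against the record: 0 if unchanged, non-zero otherwise.
verify_image() {  # arg: record_file
  sha256sum -c --status "$1"
}

# Simulate an evidence-handling mistake: one byte of the image is overwritten.
tamper_image() {  # arg: image
  chmod u+w "$1"
  printf 'X' | dd of="$1" bs=1 seek=0 count=1 conv=notrunc 2>/dev/null
  chmod a-w "$1"
}

# Demo run.
acquire_image device.bin evidence.dd
seal_image evidence.dd evidence.dd.sha256
[ "$(sha_of device.bin)" = "$(sha_of evidence.dd)" ] && echo "image matches source"
verify_image evidence.dd.sha256 && echo "evidence.dd: integrity OK"
tamper_image evidence.dd
verify_image evidence.dd.sha256 || echo "evidence.dd: HASH MISMATCH, image modified"
```

The hash record is written in the `sha256sum` format (hash, two spaces, file name) so the same file can be checked years later with `sha256sum -c`, and the check is run with the image still read-only: verification never needs write access, so there is no reason to ever remove the protection.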

These were the basic three steps which sum up the whole forensic investigation process.

Apart from that, a forensic investigation often includes analysis of network traffic and of the logs from the incident, and must maintain a chain of custody. The chain of custody is the record that gives assurance that the evidence was collected properly and handled properly at every step: who had it, when, and what was done to it.
