How to Detect Sniffer in Your Network using shARP

This article is written to introduce a new tool called shARP. It is an anti-ARP-spoofing program and uses an active scanning process to identify any ARP-spoofing event.

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, a man in the middle, or session hijacking attacks. Our anti- ARP spoofing program, (shARP) detects the presence of a third-party in a private network actively. It has 2 modes: defensive and offensive.

  • Defensive mode protects the end-user from the spoofer by disconnecting the user’s system from the network and alerts the user by an audio message.
  • Offensive mode disconnects the user’s system from the network and further kicks out the attacker by sending de-authentication packets to his system, unable him to reconnect to the network until the program is manually reset.

The program creates a log file (/usr/shARP/) containing the details of the attack such as the attackers Mac address, Mac vendor time and date of the attack. We can identify the NIC of the attacker’s system with the help of the obtained Mac address. If required the attacker can be permanently banned from the network by feeding his Mac address to the block list of the router.

Let’s start!

Open the terminal in Kali Linux and type following command to download it

If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for the new users. Now type the following command to run this program:

Then we had used zanti for sniffing in the network and start MIMT attack on selected target IP: so that we can view its network traffic.

When the user runs the program in defensive mode, As soon as the program detects a spoofer in the network, and it disconnects the user’s system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

From the screenshot you can the highlighted text is showing the Mac address of android phone trying to perform spoofing.

So when it finds spoofing in the network, it disconnects the user from the network. From the screenshot, you can see now the user is assigned with its localhost IP.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *