Sending arp via shell - bash

Is there a way to send custom (and even undemanded) ARP responses via shell (e.g. by hand or by a shell script) on Mac OS X or any other UNIX?
In addition, is there a way of making the software ask for the MAC representation for all IPs in the current subnet without sending pings to anyone?

Yes, there is. This kind of activity is used in ARP spoofing and ARP poisoning attacks and is performed, for example, by arpspoof. If you want to discover a host's MAC when you know its IP and it is located in your broadcast domain (LAN), use arping. ARP is a layer 2 protocol, so its packets are not forwarded by routers, but it's much more reliable than ICMP echo (ping).
Some tools:
arp - standard program (win/unix) used to list host's IP-MAC address association cache, which contains already learnt IPs
arping - unix program which sends ARP Request for a given IP and displays MAC contained in received ARP Response
arpspoof - a program from dsniff package generating bogus ARP Responses

A packet generator might do the trick. The Wikipedia page links to some implementations, but I don't know if they work on OSX.

There are also arp-scan using libpcap; and arpdropper using libnet.
To passively (or actively) sniff your network for ARP packets and display the IP and MAC address of the machine that generated the packet you may use a Mac OS X application called ArpSpyX.
# arpdropper requires http://sourceforge.net/projects/libnet-dev/ to compile
# (libnet & arpdropper successfully compiled on Mac OS X 10.6.8)
curl -LO http://thebends.googlecode.com/svn/trunk/misc/arpdropper.c
gcc -Wall -Wextra -o arpdropper arpdropper.c -lnet
./arpdropper
# Usage: ./arpdropper -i <device> -s <source ip> -d <dest ip>
# For arp replies:
# ./arpdropper -r -i <device> -s <source ip> -m <source mac> -d <dest ip>
# using nmap
# get a pre-compiled Mac OS X version of nmap at:
# http://nmap.org/download.html#macosx or
# http://www.berndsworld.com/downloads/
nmap -PR -oN nmap-arpscan.txt 192.168.0.0/16

Related

Automated retrieval of the external ip address of all of my current connections

I am trying to make a program that automatically lists all of the connections to my computer from outside of the router. The end goal of this script is that I would like to be able to have a clean list of the external IP addresses of every server/website I am connecting to. I am also trying to use this as a way to learn more about how networks, websites, and servers work so I am sorry for any mistakes I make with terminology and general knowledge!
My tcpdump bash script:
while :
do
# get myip and assign it to a variable
myip="$(ifconfig wlp2s0 | grep -E -o -m 1 "inet................" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")"
# tcpdump on my ip for all packets going to or from my ip address. the ipaddress of the packets is placed in IP Address.txt
sudo tcpdump -c 1 -nn host "$myip" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" >> IPaddress.txt
done
I thought that tcpdump would be the tool for this; however, I confess that I do not know how tcpdump works. This script is a bash file that I am running through Ubuntu. How would I use tcpdump to collect the IP address of every website that I am connecting to? I read the tcpdump documentation and believe it can help me achieve my goal; however, if there are better tools out there I would love to hear it! Currently, this code only displays internal IP addresses. ;(
I'd lean more towards using ss or netstat.
ss --all --ipv4
Would show all IPv4 connections.
The same works for IPv6 of course; and you could add one of many arguments to get more detailed information if you want, such as --processes, --extended, or --info.
There are also a few more arguments to control the output format, making it more suitable for parsing:
ss --all --ipv4 --processes --no-header --oneline
I suggest following the ss command.
Learn about the ss command here.
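
One way to turn the ss output above into the list the question asks for, added here as an example and not part of the original answers: the function keeps only unique peer addresses outside the private, loopback, link-local and multicast ranges. It assumes the column layout of `ss --all --ipv4 --numeric --no-header` (peer address in the sixth field); the sample lines are constructed.

```sh
#!/bin/sh
# Constructed `ss --all --ipv4 --numeric --no-header` output. The public
# peers use documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_SS='tcp   LISTEN    0  128  0.0.0.0:22          0.0.0.0:*
tcp   ESTAB     0  0    192.168.1.23:51234  203.0.113.10:443
tcp   ESTAB     0  0    192.168.1.23:51240  203.0.113.10:443
tcp   ESTAB     0  0    192.168.1.23:40022  192.168.1.1:53
tcp   ESTAB     0  0    127.0.0.1:5432      127.0.0.1:41000
tcp   TIME-WAIT 0  0    192.168.1.23:51300  198.51.100.7:80
udp   ESTAB     0  0    192.168.1.23:68     192.168.1.1:67'

# external_peers: read ss output on stdin and print each peer IPv4 address
# once, skipping addresses that never leave the local network.
external_peers() {
    awk '
    {
        peer = $6                          # "address:port"
        sub(/:[^:]*$/, "", peer)           # drop the port
        if (peer !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
        split(peer, o, ".")
        a = o[1] + 0; b = o[2] + 0
        if (a == 0 || a == 10 || a == 127) next       # wildcard, 10/8, loopback
        if (a == 172 && b >= 16 && b <= 31) next      # 172.16.0.0/12
        if (a == 192 && b == 168) next                # 192.168.0.0/16
        if (a == 169 && b == 254) next                # link-local
        if (a == 100 && b >= 64 && b <= 127) next     # carrier-grade NAT
        if (a >= 224) next                            # multicast and reserved
        if (!seen[peer]++) print peer
    }'
}

# Live use: ss --all --ipv4 --numeric --no-header | external_peers
printf '%s\n' "$SAMPLE_SS" | external_peers
```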

Analogue of "any" pseudo-device in macos

Is there any possibility to capture packets by tcpdump from all devices in MacOS?
In Linux I would use 'sudo tcpdump -i any'. In my MacOS when I execute 'sudo tcpdump -D', I don't see "any" pseudo-device.
Per #ChristopherMaynard:
tcpdump docs specify any as working on linux: On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to capture packets from all interfaces. However, it is not actually OS-specific.
tcpdump accepts the any interface on macos in my testing, so in answer to your question, the analog of any on linux is any on macos:
bash-5.0 $ sudo tcpdump -i any
tcpdump: data link type PKTAP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
09:43:57.789302 IP6 dsldevice7.attlocal.net.domain > 2600:1700:a700:7340:6dad:2758:c536:f29f.56483: 4283 1/0/0 SOA (85)
09:43:57.789324 IP6 2600:1700:a700:7341:6dad:2759:c536:f29f > dsldevice7.attlocal.net: ICMP6, destination unreachable, unreachable port, 2600:1700:a700:7340:6ded:2759:c536:f29f udp port 56423, length 141
...
tcpdump should have the same options (manpage) on both macOS and Linux, apart from those detailed below. If you have an older version of tcpdump (my version is 4.9.3/Apple version 83.200.3), you can update it with brew install tcpdump.
Macos/Linux Tcpdump Differences
You should still look at the manpages when in doubt, but this is a summary of differences:
Linux
-Q direction : Choose send/receive direction (in/out/inout)
Macos
-k : Control display of packet metadata
-Q : Specify a filter expression based on packet metadata
-P : Save to pcapng
Note: Unlike Linux or *BSD, Macos does not support -Q direction.

MAC Address Blocking/Filtering on Wifi Access Point using command line terminal

I am able to get a Wi-Fi connection on the Raspberry Pi from a Wi-Fi card acting as an access point in a Jetson Nano.
But now I want to continuously look at the devices that are getting connected to the Jetson Nano AP and kick off any device other than the Raspberry Pi. Assuming I know the MAC address of the Pi, is it possible to kick off any device that does not match that MAC address?
Note: This AP is a Wi-Fi card and not a router, so it does not have a settings panel to filter MAC addresses; this can only be done using terminal commands, either over ssh or with some bash/Python script.
Is it possible to block/filter a specific MAC address using the terminal?
You can try using iptables to filter by MAC address. Check out this answer.
# Create the DHCP_clients chain in the 'raw' table
iptables -t raw -N DHCP_clients
# Incoming DHCP, pass to chain processing DHCP
iptables -t raw -A PREROUTING -p udp --dport 67 -j DHCP_clients
# Allowed DHCP clients
iptables -t raw -A DHCP_clients -m mac --mac-source <ALLOWED MAC> -j ACCEPT
# Deny other clients not listed above
iptables -t raw -A DHCP_clients -j DROP
Specify the raw table with -t.
raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) OUTPUT (for packets generated by local processes)
-t, --table table
This option specifies the packet matching table which the command should operate on.
Then create a new chain name to reference.
-N, --new-chain chain
Create a new user-defined chain by the given name. There must be no target of that name already.
The raw table provides PREROUTING (for packets arriving via any network interface); -A appends the rule to your chain.
DHCP uses ports 67 and 68 and the UDP protocol. You can prevent DHCP requests by blocking communication on these ports.
-A, --append chain rule-specification
Append one or more rules to the end of the selected chain.
Then you have rules to ACCEPT only the MAC addresses you want and DROP all others.
iptables manual

Check if arp table contains certain MAC address

I want to build a .sh script for a tomatousb router that would be launched once a minute and send requests to the Telegram bot API once a certain MAC address is added to or removed from the router's ARP table.
I want to store the last state (if the mac address was found) in the env variable, but I have no clue how to check for the address.
I would normally do
if [(arp -a | grep aabbccdd)!=null] then
/usr/bin/wget https://api.telegram.org/... --no-check-certificate
but that doesn't seem to work..
arp -a | egrep -o '(\w{1,2}:){5}\w{1,2}' will return all the available MAC addresses.
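
An added example (not from the original posts) that builds on the egrep answer: it normalizes MAC addresses, checks for one of them, and reports `added` or `removed` by comparing with a state file, since each scheduled run starts as a new process. The function names, the state-file path and the sample table are assumptions made up for the example.

```sh
#!/bin/sh
# Constructed `arp -a` output; every address here is made up.
SAMPLE_ARP='? (192.168.1.10) at AA:BB:CC:DD:EE:FF [ether] on br0
? (192.168.1.11) at 0:1c:b3:a:b:c [ether] on br0
? (192.168.1.12) at <incomplete> on br0'

# norm_macs: print each MAC found on stdin, lower-cased and zero-padded, so
# "0:1C:B3:A:B:C" and "00:1c:b3:0a:0b:0c" compare equal.
norm_macs() {
    tr 'A-F' 'a-f' | grep -Eo '([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}' |
    awk -F: '{
        out = ""
        for (i = 1; i <= 6; i++) {
            sep = (i > 1) ? ":" : ""
            pad = (length($i) == 1) ? "0" : ""
            out = out sep pad $i
        }
        print out
    }'
}

# mac_transition MAC STATEFILE: read arp text on stdin, compare with the state
# saved by the previous run, and print "added" or "removed" on a change.
mac_transition() {
    want=$(printf '%s\n' "$1" | norm_macs)
    [ -n "$want" ] || { echo "invalid MAC: $1" >&2; return 2; }
    if norm_macs | grep -qxF "$want"; then now=present; else now=absent; fi
    prev=$(cat "$2" 2>/dev/null || echo absent)
    printf '%s\n' "$now" > "$2"
    if [ "$now" = "$prev" ]; then return 0; fi
    if [ "$now" = present ]; then echo added; else echo removed; fi
}

# Router use, once a minute (hypothetical state-file path):
#   case "$(arp -a | mac_transition aa:bb:cc:dd:ee:ff /tmp/mac.state)" in
#       added|removed) : send the notification here ;;
#   esac
STATE="${TMPDIR:-/tmp}/mac-demo.$$"
printf '%s\n' "$SAMPLE_ARP" | mac_transition aa:bb:cc:dd:ee:ff "$STATE"  # added
printf '%s\n' "$SAMPLE_ARP" | mac_transition aa:bb:cc:dd:ee:ff "$STATE"  # no output
rm -f "$STATE"
```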

How to map ip:port to a new ip or a domain in mac

I am using macOS 10.12 and I want to do ip:port mapping,
e.g. 127.0.0.1:32769 to 10.0.0.1.
Then I can add 10.0.0.1 somedomain.com to my /etc/hosts.
I did some searching and found solutions to this question in this post:
https://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x/673551#673551
But the command in this post works only for the newest one.
Every time I use this command, the system replies:
$ sudo ifconfig lo0 10.0.0.2 alias
$ echo "rdr pass on lo0 inet proto tcp from any to 10.0.0.2 port 80 -> 127.0.0.1 port 32771" | sudo pfctl -ef -
pfctl: Use of -f option, could result in flushing of rules
present in the main ruleset added by the system at startup.
See /etc/pf.conf for further details.
No ALTQ support in kernel
ALTQ related functions disabled
pfctl: pf already enabled
How can I prevent flushing the rules?
Or is there an easier way to get this to work?
Thanks a lot
