ARP0c connection interceptor

[Download Linux source (ARP0c2.c) |Download Windows source (wci.c) |Download Windows binary ]

Introduction

ARP0c is a connection interceptor (using ARP spoofing and a bridging engine).
ARP requests from various sources in a switched environment get false ARP response packets which point to the host running ARP0c. Packets from these hosts are bridged with an internal engine to the real destination address to allow normal network operation and keep TCP connections alive. Packets to hosts in remote (read: reachable using a router) subnets are forwarded to a gateway using an internal routing table - independant from the hosts routing table.

Normal operation without interception may look like this:

+--------+         +--------+         +-------+
| HOST1  |- - - - -+ SWITCH +- - - - -| HOST2 |
+--------+         +--------+         +-------+
                        |
			|
                   *********
		   * YOU   *   <-- this host gets no packets
		   *********

Here you sit on a switched network, just getting ARP requests and other kinds of broadcasts without seeing any interesting packet. This is what a switch is supposed to do.

When using ARP0c, ARP requests (which are normally send to all hosts) are responded by the real host and your ARP0c server. After the initial response, ARP0c continues to send out ARP response packets to keep the target host 'informed'. This causes most systems to discard the right answer and belive ARP0c.
Now, packets to HOST1 are send to the Ethernet address of ARP0c. It takes care of the layer 2 forwarding (bridging) to finally deliver the packets the the right recipient, because we don't want the connection to break.

+--------+         +--------+         +-------+
| HOST1  |- - - - .+ SWITCH +. - - - -| HOST2 |
+--------+         \--------/         +-------+
                    \   |  /   
	             \  | /
                   *********
		   * ARP0c *   <-- this host gets all packets
		   *********

The fact that most systems use an initially received Ethernet frame as source for the ARP cache entry leads to one-way interceptions, where one of the communication partners sends the frames already to ARP0c and the other still uses the real ethernet address. This is not a problem because by the time the cache expires the other direction is intercepted too. In the UN*X version, you may just create a seperate file to intercept the connection anyway.

ARP0c takes care to keep the network functional. ARP based IP availability tests (primary used by Windoze boxes) are ignored. When you stop the ARP0c server, it sends out ARP responses to all hosts, so that the network communication returns to normal behavior.

UN*X usage

You need a libpcap installed.
Then create a file for your local routing table. Separate network, netmask and gatway by tab. You don't have to add the local subnet to this file - it is filled in automatical.

network	netmask	gateway

Example:
192.168.3.0	255.255.255.0	192.168.1.1
0.0.0.0	0.0.0.0	192.168.1.1

To intercept existing connections (from server to router or something like this) supply the IP addresses in a separate file:

host1	host2

Finally, call the program:

./ARP0c -i < interface > -r < routingtable.file > -a < agressive_intercept.file >

Example:
./ARP0c -i eth0 -r routes.txt -a server.txt -v

Windows usage

The windows version requires the WinPcap driver installed. It is tested with version 2.02.
You have to have a file called "routes.txt" containing your local routing table including your local subnet. This file is space separated:

192.168.1.0 255.255.255.0 0.0.0.0
0.0.0.0 0.0.0.0 192.168.1.1

Make sure you don't have spaces before the first or after the last entry and you should prevent empty lines.
The local subnet is defined as first entry in this file and has the gateway 0.0.0.0 - which means local.

Then, just start the program (wci.exe). We recommend the use of -v for verbosity, so you see what's happending.
You may use the command line switch -T on the first run. This will make WCI to enumerate all Windows resources on the network and show you, how many connections you may intercept at startup. If you think this is to much or you just don't want this enumeration, user -n to prevent it.
BTW: the windows version does not care if you use -T /T \T or whatever. The second character counts.