MITM detection script - Post Exploitation Hacking Course


This topic contains 2 replies, has 3 voices, and was last updated by  cain00 3 years ago.

    #36861

    Steven
    Participant

    Hi everybody,

    It’s been a while since I had time to script something and to visit this site. A while ago I was following a class and somebody was doing a MITM attack on the whole class. I started getting warnings from my firewall. I had a hunch who it was but couldn’t find anything that showed 100% that it was him, so I started thinking about how I could detect an MITM attack and started scripting, and I came up with this script:

    Dim strOutput, strOutputFinal
    bRunOnce = True
    
    ' Check the MAC address of the default gateway every 10 seconds
    Do While 1 = 1
    	Set WMI=GetObject("winmgmts:\\.\root\cimv2")
    	Set WshShell= WScript.CreateObject("WScript.Shell")
    	
    	Set objNetworkAdapters = WMI.ExecQuery ("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE")
    	For Each objAdapter in objNetworkAdapters
    	  If not IsNull(objAdapter.DefaultIPGateway ) Then
    	    ' Use the first gateway only: joining several (e.g. IPv4 and IPv6) with "," gives arp an invalid argument
    	    strGateway = objAdapter.DefaultIPGateway(0)
    	  End If
    	Next
    	
    	Set WshArp = WshShell.Exec("arp -a " & strGateway)
    	strArpResult = WshArp.StdOut.ReadAll
    	
    	Set RegEx = New RegExp
    	RegEx.IgnoreCase = True
    	RegEx.Global = True
    	RegEx.Pattern = "[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2}"
    	
    	If Regex.Test(strArpResult) = True Then
    	  'i = 0
    	  Set Matches = RegEx.Execute(strArpResult)
    	  For each Match in Matches
    	    if not Match = "00-00-00-00-00-00" Then
    	      'Wscript.StdOut.Write Match
    	      strOutput = Match
    	      'WScript.Echo strOutput
    	      'i = i + 1
    	    End If
    	  Next
    	End If
    	
    	' On the first pass, store the gateway MAC as the baseline
    	If (bRunOnce = True) Then
    ' 		Set fileSys = CreateObject("Scripting.FileSystemObject")
    ' 			If fileSys.FileExists(".\Main.txt") Then
    ' 				fileSys.DeleteFile ".\Main.txt"
    ' 				'WScript.Echo "File deleted"
    ' 		End If
    ' 		
    ' 		' Write the MAC address to a text file
    ' 		Set objFileToWrite = CreateObject("Scripting.FileSystemObject").OpenTextFile(".\Main.txt",2,true)
    ' 		objFileToWrite.WriteLine(strOutput)
    ' 		objFileToWrite.Close
    ' 		Set objFileToWrite = Nothing
    		strOutputFinal = strOutput
    		
    		'WScript.Echo "Finale output: " & strOutputFinal
    		bRunOnce = False
    	Else
    		'WScript.Echo "Intermediate output: " & strOutput
    		If (strOutput = strOutputFinal) Then
    			' If they match there's no problem
    			'WScript.Echo "No problems detected." & VbCrLf
    		Else
    			' If they don't match there is an MITM attack going on
    			WScript.Echo "Possible MITM attack!!" & VbCrLf & "Default gateway MAC: " & strOutputFinal & VbCrLf & "Attacker MAC: " & strOutput
    		End If
    	
    	End If
    	
    	WScript.Sleep 10000
    	
    Loop

    It’s a VBS script. Just copy and paste it into Notepad and give it the .vbs extension, then open a terminal, go to the .vbs file location and run the following:
    cscript <filename>.vbs

    If something is wrong then you will get a warning: you will get the MAC address of your gateway, and if someone is doing an MITM attack you will get the MAC address of their device.
    I’m planning on doing some extras if I get a little more time, but for now I thought that it would be interesting to share :).

    I tested it with my PCs and it worked. My native language is Dutch so you will find some weird spelling in the comments :).

    Kind regards.
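
The same baseline comparison applied to captured Windows `arp -a` text, as an added example that is not part of the original post. It goes slightly beyond the script by also flagging when the gateway's MAC is shared with another IP in the table, a common sign of ARP spoofing; the function names, sample tables and addresses are constructed for illustration.

```python
import re

# Windows `arp -a` row: "  192.168.1.1    00-11-22-33-44-55    dynamic"
ARP_ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)
IGNORED_MACS = {"00-00-00-00-00-00", "ff-ff-ff-ff-ff-ff"}

# Constructed sample output (placeholder addresses, not taken from the post).
CLEAN = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.42          66-77-88-99-aa-bb     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Same table after the host at .42 starts answering for the gateway.
SPOOFED = CLEAN.replace("00-11-22-33-44-55", "66-77-88-99-aa-bb")


def parse_arp_table(text):
    """Return {ip: mac} for unicast entries in Windows `arp -a` output."""
    table = {}
    for ip, mac, _entry_type in ARP_ROW.findall(text):
        mac = mac.lower()
        # Skip incomplete, broadcast and IPv4 multicast (01-00-5e-...) entries.
        if mac in IGNORED_MACS or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table


def check_gateway(arp_text, gateway_ip, baseline_mac):
    """Compare one ARP snapshot against the stored gateway MAC."""
    table = parse_arp_table(arp_text)
    current = table.get(gateway_ip)
    if current is None:
        return ["gateway has no ARP entry"]
    findings = []
    if current != baseline_mac.lower():
        findings.append(f"gateway MAC changed: {baseline_mac.lower()} -> {current}")
    # A host answering for the gateway usually also appears under its own IP.
    sharing = sorted(ip for ip, mac in table.items() if mac == current and ip != gateway_ip)
    if sharing:
        findings.append(f"gateway MAC {current} also claimed by {', '.join(sharing)}")
    return findings
```

A MAC change on its own can also mean the router was replaced or failed over, so the shared-MAC finding is the stronger signal of the two.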

    #45396

    coldking
    Participant

    Not a bad little script. I myself am trying to make an AV (one of my life goals). I’m glad to see someone else working on the security side 🙂 .

    #53967

    cain00
    Participant

    wow thanks =D
