diff --git a/x0-automation-script/scanning-tools/SpoofShield/LICENSE b/x0-automation-script/scanning-tools/SpoofShield/LICENSE new file mode 100644 index 0000000..65a1517 --- /dev/null +++ b/x0-automation-script/scanning-tools/SpoofShield/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2025 c!ph3r 1337 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/x0-automation-script/scanning-tools/SpoofShield/README.md b/x0-automation-script/scanning-tools/SpoofShield/README.md new file mode 100644 index 0000000..8af08ee --- /dev/null +++ b/x0-automation-script/scanning-tools/SpoofShield/README.md @@ -0,0 +1,86 @@ +# 🚨 SpoofShield - ARP Spoofing Detection Tool 🔥 + +``` + ___| _| ___| | _) | | +\___ \ __ \ _ \ _ \ | \___ \ __ \ | _ \ | _` | + | | | ( | ( | __| | | | | | __/ | ( | +_____/ .__/ \___/ \___/ _| _____/ _| |_|_|\___|_|\__,_| + _| +``` + +## 🛡️ Overview +**SpoofShield** is a powerful ARP spoofing detection tool that keeps your network safe from MITM (Man-in-the-Middle) attacks. It scans your network, detects ARP anomalies, and alerts you on **Discord** when it finds something shady! 🕵️‍♂️ + + +## ⚡ Features +✅ Real-time ARP table scanning 🔄 +✅ Detects ARP spoofing attacks 🕶️ +✅ Sends instant alerts to **Discord** 🚀 +✅ Works on **Windows** 🖥️ +✅ Customizable scan intervals ⏳ + +## 🔧 Requirements +- **Python 3.x** 🐍 +- `requests` module (for Discord alerts) 🌐 + +## 📥 Installation +1️⃣ Clone the repo: + ```bash + git clone git clone https://github.com/c1ph3r-1337/spoofshield.git + cd spoofshield + ``` +2️⃣ Install dependencies: + ```bash + pip install requests + ``` + +## ⚙️ Configuration +Edit the script to set up your **Discord webhook & network settings**: + +🔹 **WEBHOOK_URL** → Replace with your **Discord Webhook URL** 🎯 +🔹 **SUBNET_PREFIX** → Set the subnet to **monitor** (default: `192.168.130.`) 🌍 +🔹 **SCAN_INTERVAL** → Adjust scanning frequency (default: `60` seconds) ⏰ + +Example config inside `main.py`: +```python +WEBHOOK_URL = "your_discord_webhook_url" +SUBNET_PREFIX = "192.168.130." +SCAN_INTERVAL = 60 # Seconds between scans +``` + +## 🚀 Usage +Run **SpoofShield** like a pro: +```bash +python main.py +``` +It will **continuously monitor** your ARP table and send 🔔 **alerts** if it detects spoofing! 👀 + +## 🕵️‍♂️ How It Works +1️⃣ Fetches the **ARP table** using `arp -a` 🗂️ +2️⃣ Parses the ARP table for **IP-MAC** pairs 📊 +3️⃣ Filters results for your **subnet** 🌍 +4️⃣ Detects if multiple **IP addresses** share the same MAC 🚨 +5️⃣ Sends an **alert to Discord** if spoofing is detected! ⚠️ + +## 📢 Example Discord Alert +``` +📋 **ARP Table (192.168.130.0/24):** +``` +```plaintext +192.168.130.1 58:11:22:e0:67:4f dynamic +192.168.130.5 58:11:22:e0:67:4f dynamic +``` + +🔔 **ALERT: Possible ARP spoofing detected!** 🚨 +**Multiple IPs share the same MAC!** +``` + +## 📜 License +🚀 **SpoofShield** is open-source and available under the **MIT License**. + +## 💻 Contribution +Pull requests are **welcome**! Feel free to submit **issues & PRs** to improve **SpoofShield**! 🔥 + +## ⚠️ Disclaimer +🛑 **For educational & security purposes only!** Ensure you have **permission** to scan the network you're monitoring! 🚫 + diff --git a/x0-automation-script/scanning-tools/SpoofShield/main.py b/x0-automation-script/scanning-tools/SpoofShield/main.py new file mode 100644 index 0000000..a286c36 --- /dev/null +++ b/x0-automation-script/scanning-tools/SpoofShield/main.py @@ -0,0 +1,167 @@ +import subprocess +import time +import re +import requests +from datetime import datetime + +def print_banner(): + banner = r""" + ___| _| ___| | _) | | +\___ \ __ \ _ \ _ \ | \___ \ __ \ | _ \ | _` | + | | | ( | ( | __| | | | | | __/ | ( | +_____/ .__/ \___/ \___/ _| _____/ _| |_|_|\___|_|\__,_| + _| + """ + print(banner) + print("🚨 SpoofShield - ARP Spoofing Detection Tool 🔥") + print("Made by c1ph3r1337 😎🔥\n") + +# Configuration +WEBHOOK_URL = "your_webhook_url" # Replace with actual webhook URL +SUBNET_PREFIX = "192.168.130." # This filters for 192.168.130.0/24 +SCAN_INTERVAL = 60 # Scan interval in seconds + +def get_arp_table(): + """ + Run the 'arp -a' command and return its output as a string. + """ + try: + result = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True) + return result.stdout + except subprocess.CalledProcessError as e: + print("Error executing 'arp -a':", e.stderr) + return "" + +def parse_arp_table(output, subnet_prefix=SUBNET_PREFIX): + """ + Parse the ARP table output and extract IP and MAC addresses. + Returns a list of dictionaries containing the IP, MAC, and Type. + """ + lines = output.splitlines() + arp_entries = [] + + for line in lines: + line = line.strip() + + # Skip headers and empty lines + if line.startswith("Interface:") or line.startswith("Internet Address") or not line: + continue + + # Extract IP, MAC, and Type + ip_match = re.search(r"(\d+\.\d+\.\d+\.\d+)", line) + mac_match = re.search(r"([0-9a-fA-F]{2}[-:][0-9a-fA-F]{2}[-:][0-9a-fA-F]{2}[-:][0-9a-fA-F]{2}[-:][0-9a-fA-F]{2}[-:][0-9a-fA-F]{2})", line) + type_match = re.search(r"(static|dynamic)", line, re.IGNORECASE) + + if ip_match and mac_match: + ip_addr = ip_match.group(1) + if ip_addr.startswith(subnet_prefix): + arp_entries.append({ + "ip": ip_addr, + "mac": mac_match.group(1).replace(":", "-").lower(), # Normalize MAC format + "type": type_match.group(1) if type_match else "unknown" + }) + + return arp_entries + +def detect_arp_spoofing(arp_entries): + """ + Detect potential ARP spoofing by finding duplicate MAC addresses. + Returns a dictionary of MAC addresses with their associated IPs. + """ + mac_to_ips = {} + for entry in arp_entries: + mac = entry["mac"] + ip = entry["ip"] + + if mac in mac_to_ips: + mac_to_ips[mac].append(ip) + else: + mac_to_ips[mac] = [ip] + + # Filter for MAC addresses that are associated with more than one IP + suspicious_macs = {mac: ips for mac, ips in mac_to_ips.items() if len(ips) > 1 and "255" not in ips[0]} + + return suspicious_macs + +def format_arp_table(arp_entries): + """ + Format the ARP table entries into a readable string table. + """ + if not arp_entries: + return "No ARP entries found for subnet 192.168.130.0/24." + + table = "IP Address MAC Address Type\n" + table += "--------------------------------------------------\n" + + for entry in arp_entries: + table += f"{entry['ip']:<15} {entry['mac']:<20} {entry['type']}\n" + + return table + +def send_discord_notification(message): + """ + Send the message to Discord using the webhook. + """ + payload = {'content': message} + try: + response = requests.post(WEBHOOK_URL, json=payload) + if response.status_code not in [200, 204]: + print(f"Failed to send notification: {response.status_code} - {response.text}") + else: + print("Successfully sent notification to Discord.") + except Exception as e: + print(f"Error sending Discord notification: {e}") + +def main(): + while True: + timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S") + arp_output = get_arp_table() + + if arp_output: + arp_entries = parse_arp_table(arp_output) + formatted_table = format_arp_table(arp_entries) + suspicious_macs = detect_arp_spoofing(arp_entries) + + if suspicious_macs: + # Format the alert for potential ARP spoofing + for mac, ips in suspicious_macs.items(): + # Find the gateway IP (assuming it's x.x.x.1) + gateway_ip = next((ip for ip in ips if ip.endswith(".1")), None) + if gateway_ip: + other_ips = [ip for ip in ips if ip != gateway_ip] + alert_message = ( + f"**🚨 ALERT: ARP SPOOFING DETECTED!**\n" + f"Suspicious IPs sharing gateway MAC: {', '.join(other_ips)}\n" + f"Gateway IP: {gateway_ip}\n" + f"Timestamp: {timestamp}\n" + f"**ARP Table:**\n\n```\n{formatted_table}```" + ) + send_discord_notification(alert_message) + else: + alert_message = ( + f"**🚨 ALERT: Potential ARP SPOOFING DETECTED!**\n" + f"Multiple IPs sharing MAC address {mac}: {', '.join(ips)}\n" + f"Timestamp: {timestamp}\n" + f"**ARP Table:**\n\n```\n{formatted_table}```" + ) + send_discord_notification(alert_message) + else: + # Normal update + update_message = ( + f"**🔍 Network Monitor Update**\n" + f"Scan completed at: {timestamp}\n" + f"Devices detected: {len(arp_entries)}\n" + f"Status: Normal - No spoofing detected\n" + f"**ARP Table:**\n\n```\n{formatted_table}```" + ) + send_discord_notification(update_message) + else: + print("Failed to retrieve ARP table.") + + print(f"Scan completed at {timestamp}. Waiting {SCAN_INTERVAL} seconds before next scan...\n") + time.sleep(SCAN_INTERVAL) + +if __name__ == "__main__": + print_banner() # Show banner on startup + print("ARP Spoofing Detector started. Monitoring network...\n") + main()