ARP spoofing works by forging IP addresses and MAC addresses. It can generate enough ARP traffic to congest the network, and an attacker who keeps sending forged ARP reply packets can change the IP-MAC entries in the target host's ARP cache, causing network interruptions or man-in-the-middle attacks. This article introduces four ways to defend against ARP attacks with self-made batch files.
1. Save the following statements as a BAT file.
@echo off
:: Read the MAC address of the local machine
if exist ipconfig.txt del ipconfig.txt
ipconfig /all > ipconfig.txt
if exist phyaddr.txt del phyaddr.txt
find "Physical Address" ipconfig.txt > phyaddr.txt
for /f "skip=2 tokens=12" %%M in (phyaddr.txt) do set Mac=%%M
:: Read the local IP address
if exist IPAddr.txt del IPAddr.txt
find "IP Address" ipconfig.txt > IPAddr.txt
for /f "skip=2 tokens=15" %%I in (IPAddr.txt) do set IP=%%I
:: Bind the local IP address and MAC address
arp -s %IP% %Mac%
:: Read the gateway address
if exist GateIP.txt del GateIP.txt
find "Default Gateway" ipconfig.txt > GateIP.txt
for /f "skip=2 tokens=13" %%G in (GateIP.txt) do set GateIP=%%G
:: Read the MAC address of the gateway from the local ARP cache
if exist GateMac.txt del GateMac.txt
arp -a %GateIP% > GateMac.txt
for /f "skip=3 tokens=2" %%H in (GateMac.txt) do set GateMac=%%H
:: Bind the MAC and IP addresses of the gateway
arp -s %GateIP% %GateMac%
:: Manual fallback: substitute the gateway's real IP and MAC on the next line
arp -s gateway_IP gateway_MAC
exit
This batch file has to look in the local ARP cache table for the gateway's IP address and MAC address. If the entry is there, the binding succeeds; if it is not, nothing gets bound! However, it can be improved to achieve double binding, for example by adding a line of the form arp -s gateway_IP gateway_MAC.
2. This one cannot achieve true double binding. It can only bind the local IP address and MAC address.
@echo off
for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "Physical Address"') do set local_mac=%%a
for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "IP Address"') do set local_ip=%%a
for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "Default Gateway"') do set gate_ip=%%a
:: getmac is run against the local IP, so this returns the local machine's MAC, not the gateway's
for /f %%a in ('getmac /nh /s %local_ip%') do set gate_mac=%%a
arp -s %local_ip% %local_mac%
arp -s %gate_ip% %gate_mac%
After testing, this batch file cannot bind the gateway IP address and MAC address; it can only bind the local IP address and MAC address.
3. I am not yet clear about this one and still need to test it. As far as I currently know, it can also bind the local IP address and MAC address.
@echo off
setlocal enabledelayedexpansion
:: Collect the local IP and MAC from the nbtstat output into one variable
for /f "tokens=2 delims=[]=" %%i in ('nbtstat -a %COMPUTERNAME%') do call set local=!local!%%i
:: Take the default gateway from the routing table
for /f "tokens=3" %%i in ('netstat -r ^| find "0.0.0.0"') do set gm=%%i
:: Read the gateway's IP and MAC from the local ARP cache
for /f "tokens=1,2" %%i in ('arp -a %gm% ^| find /i /v "inter"') do set gate=%%i %%j
arp -s %gate%
arp -s %local%
:: Manual fallback: substitute the gateway's real IP and MAC on the next line
arp -s gateway_IP gateway_MAC
This batch file can bind the gateway IP address and MAC address, but it still has a defect: it depends on the ARP cache of the local machine!
The improvement is to add a line of the form arp -s gateway_IP gateway_MAC at the end!
4. The principle is the same as the first one, but slightly improved!
This batch file pings the gateway three times to obtain the gateway's MAC. In fact, the batch files above can also use this approach to obtain the gateway's IP address and MAC address.
However, if ARP spoofing is under way at startup, the IP address and MAC address you bind will be wrong and you will not be able to access the Internet.
@echo off
:: Clear all ARP cache entries
arp -d
:: Read the local connection configuration
ipconfig /all > ipconfig.txt
:: Read the IP address of the intranet gateway
for /f "tokens=13" %%I in ('find "Default Gateway" ipconfig.txt') do set GatewayIP=%%I
:: Ping the intranet gateway three times
ping %GatewayIP% -n 3
:: Read the gateway's entry from the ARP cache
arp -a | find "%GatewayIP%" > arp.txt
:: Read and bind the gateway MAC
for /f "tokens=1,2" %%I in ('find "%GatewayIP%" arp.txt') do if %%I==%GatewayIP% arp -s %%I %%J
:: Read the IP address and MAC address of the local machine
for /f "tokens=15" %%I in ('find "IP Address" ipconfig.txt') do set ip=%%I
for /f "tokens=12" %%I in ('find "Physical Address" ipconfig.txt') do set mac=%%I
:: Bind the IP address and MAC address of the local machine
arp -s %ip% %mac%
:: Delete all temporary files
del ipconfig.txt
del arp.txt
exit
But that situation is rare. Please try it out first!
The batch files above can be combined with binding the clients' IP addresses and MAC addresses on the router to achieve complete ARP protection. Binding only the IP and MAC addresses of the machine and the gateway on the client side is not very useful. As for the router side, because everyone uses a different router, it is not covered here.
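Method 4 binds whatever MAC the gateway appears to have after the ping, so a spoofed reply at startup gets pinned. The following variant is an added example, not part of the original article: it binds only when the learned MAC matches one recorded beforehand. `KNOWN_MAC` is a placeholder value, and the variable names are assumptions.

```batch
@echo off
setlocal
:: Added example, not from the original article.
:: ASSUMPTION: KNOWN_MAC is a placeholder. Replace it with the gateway MAC
:: recorded out-of-band, for example from the router's label or admin page.
set "KNOWN_MAC=00-00-00-00-00-00"

:: Find the default gateway in the routing table (same idea as method 3).
set "GW="
for /f "tokens=3" %%i in ('netstat -rn ^| find " 0.0.0.0"') do if not defined GW set "GW=%%i"
if not defined GW (
    echo No default gateway found.
    exit /b 2
)

:: Drop the cached entry and ping the gateway to relearn it, as method 4 does.
arp -d %GW% >nul 2>&1
ping %GW% -n 3 >nul

:: Read the MAC the cache now holds for the gateway.
:: The exact-match test skips the "Interface:" header line.
set "SEEN_MAC="
for /f "tokens=1,2" %%i in ('arp -a %GW% ^| find "%GW%"') do if "%%i"=="%GW%" set "SEEN_MAC=%%j"
if not defined SEEN_MAC (
    echo Gateway %GW% did not answer ARP.
    exit /b 2
)

:: Bind only when the observed MAC matches the recorded one.
if /i "%SEEN_MAC%"=="%KNOWN_MAC%" (
    arp -s %GW% %KNOWN_MAC%
    echo Bound %GW% to %KNOWN_MAC%.
    exit /b 0
)
echo WARNING: gateway %GW% answers as %SEEN_MAC%, expected %KNOWN_MAC%. Not binding.
exit /b 1
```

Exit code 1 means the cache held a different MAC than the recorded one, which is the startup-spoofing case described under method 4.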