Defending against ARP attacks with four self-made batch files

Source: Internet
Author: User

ARP spoofing works by forging IP addresses and MAC addresses. It can generate a large amount of ARP traffic that congests the network, and an attacker who keeps sending forged ARP response packets can change the IP-MAC entries in the target host's ARP cache, resulting in network interruptions or man-in-the-middle attacks. This article introduces four ways to defend against ARP attacks using self-made batch files.

1. Save the following statements as a BAT batch file.

    @echo off
    :: Read the MAC address of the local machine
    if exist ipconfig.txt del ipconfig.txt
    ipconfig /all > ipconfig.txt
    if exist phyaddr.txt del phyaddr.txt
    find "Physical Address" ipconfig.txt > phyaddr.txt
    for /f "skip=2 tokens=12" %%M in (phyaddr.txt) do set Mac=%%M
    :: Read the local IP address
    if exist IPAddr.txt del IPAddr.txt
    find "IP Address" ipconfig.txt > IPAddr.txt
    for /f "skip=2 tokens=15" %%I in (IPAddr.txt) do set IP=%%I
    :: Bind the local IP address and MAC address
    arp -s %IP% %Mac%
    :: Read the gateway address
    if exist GateIP.txt del GateIP.txt
    find "Default Gateway" ipconfig.txt > GateIP.txt
    for /f "skip=2 tokens=13" %%G in (GateIP.txt) do set GateIP=%%G
    :: Read the MAC address of the gateway from the local ARP cache
    if exist GateMac.txt del GateMac.txt
    arp -a %GateIP% > GateMac.txt
    for /f "skip=3 tokens=2" %%H in (GateMac.txt) do set GateMac=%%H
    :: Bind the MAC and IP addresses of the gateway
    arp -s %GateIP% %GateMac%
    :: Explicit gateway binding: replace GATEWAY_IP and GATEWAY_MAC with the real values
    arp -s GATEWAY_IP GATEWAY_MAC
    exit

 

This batch file has to query the local ARP cache table to see whether it contains the gateway's IP address and MAC address. If the entry is there, the gateway can be bound; if it is not, it cannot be bound! However, the script can be improved to achieve double binding, for example by adding a line of the form arp -s <gateway IP> <gateway MAC>.

2. This one cannot achieve true double binding. It can only bind the local IP address and MAC address.

    @echo off
    for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "Physical Address"') do set local_mac=%%a
    for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "IP Address"') do set local_ip=%%a
    for /f "delims=: tokens=2" %%a in ('ipconfig /all ^| find "Default Gateway"') do set gate_ip=%%a
    :: getmac /s with the local IP queries this machine, so gate_mac is not the gateway's MAC
    for /f %%a in ('getmac /nh /s %local_ip%') do set gate_mac=%%a
    arp -s %local_ip% %local_mac%
    arp -s %gate_ip% %gate_mac%

 

Testing shows that this batch file cannot bind the gateway IP address and MAC address; it can only bind the local IP address and MAC address.

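3. I am not very clear on this one yet and want to test it. As far as I know so far, it can also bind the local IP address and MAC address.

    @echo off
    setlocal enabledelayedexpansion
    :: Collect the local IP and MAC from nbtstat into one variable
    for /f "tokens=2 delims=[]=" %%i in ('nbtstat -a %COMPUTERNAME%') do call set local=!local!%%i
    :: Take the default gateway from the routing table
    for /f "tokens=3" %%i in ('netstat -r ^| find "0.0.0.0"') do set gm=%%i
    :: Take the gateway's IP and MAC from the local ARP cache
    for /f "tokens=1,2" %%i in ('arp -a %gm% ^| find /i /v "inter"') do set gate=%%i %%j
    arp -s %gate%
    arp -s %local%
    :: Explicit gateway binding: replace GATEWAY_IP and GATEWAY_MAC with the real values
    arp -s GATEWAY_IP GATEWAY_MAC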

 


This batch file can bind the gateway IP address and MAC address, but it still has a defect: it depends on the ARP cache of the local machine!

The improvement is to add a line of the form arp -s <gateway IP> <gateway MAC> at the end!

4. The principle is the same as the first one, with a small improvement!

This batch file pings the gateway three times to obtain the gateway's MAC address. In fact, all of the batch files above could use this approach to obtain the gateway's IP address and MAC address. However, if ARP spoofing is under way during startup, the IP address and MAC address you bind will be wrong and you will not be able to access the Internet.

    @echo off
    :::::::::::::::::: Clear all ARP cache entries
    arp -d *
    :::::::::::::::::: Read the local connection configuration
    ipconfig /all > ipconfig.txt
    :::::::::::::::::: Read the IP address of the intranet gateway
    for /f "tokens=13" %%I in ('find "Default Gateway" ipconfig.txt') do set GatewayIP=%%I
    :::::::::::::::::: Ping the intranet gateway three times
    ping %GatewayIP% -n 3
    :::::::::::::::::: Read the gateway's entry from the ARP cache
    arp -a | find "%GatewayIP%" > arp.txt
    :::::::::::::::::: Read and bind the gateway MAC
    for /f "tokens=1,2" %%I in ('find "%GatewayIP%" arp.txt') do if %%I==%GatewayIP% arp -s %%I %%J
    :::::::::::::::::: Read the IP address + MAC of the local machine
    for /f "tokens=15" %%I in ('find "IP Address" ipconfig.txt') do set ip=%%I
    for /f "tokens=12" %%I in ('find "Physical Address" ipconfig.txt') do set mac=%%I
    :::::::::::::::::: Bind the IP address + MAC of the local machine
    arp -s %ip% %mac%
    :::::::::::::::::: Delete all temporary files
    del ipconfig.txt
    del arp.txt
    exit

 

But this situation is rare. Please try it out first!

The batch files above can be combined with binding each client's IP address and MAC address on the router to achieve complete protection against ARP attacks; binding only the IP and MAC addresses of the local machine and the gateway on the client side is not very useful. The router side is not covered here, because everyone uses a different router.
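
All four scripts learn the gateway MAC from the ARP cache at run time, which is why a spoof in progress at startup gets bound. The following batch file is an added example, not part of the original article: it binds a gateway MAC recorded out of band and reports when the network answers with a different one. GW_IP and GW_MAC are constructed sample values, and the "static" match assumes English arp output.

```batch
@echo off
setlocal
:: Added example, not from the original article.
:: GW_IP and GW_MAC are constructed sample values. Replace them with the
:: gateway address and the MAC recorded from the router itself.
set "GW_IP=192.168.1.1"
set "GW_MAC=00-11-22-33-44-55"

:: Drop the cached entry and ping so the cache holds a fresh ARP answer.
arp -d %GW_IP% >nul 2>&1
ping -n 3 %GW_IP% >nul

:: Read the MAC the network currently claims for the gateway.
:: The trailing space in the find string keeps 192.168.1.1 from matching 192.168.1.10.
set "SEEN_MAC="
for /f "tokens=1,2" %%I in ('arp -a ^| find "%GW_IP% "') do (
    if "%%I"=="%GW_IP%" set "SEEN_MAC=%%J"
)

:: Bind the pinned value, never the observed one.
arp -s %GW_IP% %GW_MAC%

:: Confirm the static entry exists (assumes English arp output).
arp -a | find "%GW_IP% " | find /i "static" >nul
if errorlevel 1 (
    echo Static entry for %GW_IP% was not added.
    exit /b 2
)

if not defined SEEN_MAC (
    echo No ARP reply from %GW_IP%. Pinned entry installed.
    exit /b 0
)
if /i "%SEEN_MAC%"=="%GW_MAC%" (
    echo Gateway %GW_IP% answered with the pinned MAC %GW_MAC%.
    exit /b 0
)
echo WARNING: %GW_IP% answered as %SEEN_MAC%, expected %GW_MAC%.
echo Possible ARP spoofing. Pinned entry installed instead.
exit /b 1
```

Exit code 1 means the observed and pinned MACs differ, which a startup script or scheduled task can use to raise an alert.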

 
