Malcolm

Perform a man in the middle attack in C without the help of any network library.

Summary

• Introduction
• Features
• Options
• Installation
• Usage
• Examples
• Compatibility
• Authors
• Disclaimer

Introduction

ARP Poisoning is a type of Man-in-the-Middle (MitM) attack, that allows hackers to spy on communications between two parties over a Local Area Network (LAN).
ft_malcolm is a low-level networking project from 42 (https://42.fr), we went far beyond the subject and implemented a lot of extra features.

Features

• Multiple modes:
  • Default: Specified hosts will be spoofed persistently and redirect their packets to us.
    • ft_malcolm [Source IP] [Target IP] [Interface] [Options]
  • Broadcast: Spoof all the machines within the LAN.
    • ft_malcolm --broadcast [Source IP] [Interface] [Options]
  • Manual: You have control over MAC addresses by specifying them
    • ft_malcolm --manual [Source IP] [Source MAC] [Target IP] [Target MAC] [Options]
• Denial of Service (DoS) Attack:
  • Paralyse the targets by specifying the --deny option.
  • Can be used within the broadcast mode to paralyse the whole network.
• Sniffer (still work in progress):
  • Create a sniffer thread that displays your target's activities on the network.
• Cache restoration:
  • Once done, malcolm will restore ARP cache of the targets so the network will work normally again.

Options

• -d --duration [time (in seconds)]: Duration of the spoofing process
• -f --frequency [Time]: Select (in seconds) the rate for ARP replies
• -v --verbose: Displays informations about what ft_malcolm is doing
• -h --help: Display the help menu
• -V --version: Output the current version of this software

Installation

Run make to compile the project, make will compile the binary ft_malcolm.

Usage

Since malcolm has a lot of options, run ./ft_malcolm -h to display the help menu.
Be sure to run ft_malcolm under root's privileges.

• Default mode
  ft_malcolm [Source IP] [Target IP] [Interface] [Options]
• Broadcast mode
  ft_malcolm --broadcast [Source IP] [Interface] [Options]
• Manual mode
  ft_malcolm --manual [Source IP] [Source MAC] [Target IP] [Target MAC] [Options]

Formatting:

• IPv4 addresses must be valid IPs under this format: 172.17.0.1
• Hardware addresses must be valid MACs under this format: 12:34:56:78:9a:bc

Examples

Here are some usage examples for malcolm

• sudo ./ft_malcolm --manual 172.17.0.1 66:66:66:66:66:66 172.17.0.2 02:42:ac:11:00:02 --no-persistency
• sudo ./ft_malcolm 172.17.0.2 172.17.0.3 docker0
• sudo ./ft_malcolm 172.17.0.1 eth0 -b --deny -d 20 --frequency 1 -v
• sudo ./ft_malcolm --manual 172.17.0.1 66:66:66:66:66:66 172.17.0.2 02:42:ac:11:00:02 --duration 5 --verbose
• sudo ./ft_malcolm 172.17.0.1 eth0 -b -s

Compatibility

This project is only compatible with Linux.

Authors

• Ludovic Menthiller (https://github.com/lumenthi)
• Lucas Nicosia (https://github.com/lnicosia)

Disclaimer

This tool is meant for educational only.
It is your responsibility to make sure you have permission from the network owner before running this tool against it.
The authors of this tool are not responsible for your personal actions or choices.