wiki:KrakenArpWatch

Kraken ArpWatch

Note

  • There is no GA (Generally Available) version yet, but you can test the beta release.
  • Win32 x86/x86_64 and Linux x86/x86_64 architectures are supported.

Quick Start

  • Install the latest WinPcap first.
  • Download the latest Kraken Core 1.6.0 snapshot from the maven repository.
  • Run Kraken Core.
    • java -jar kraken-core-VERSION-package.jar
  • Connect to Kraken Shell using telnet or ssh.
    • If you use SecureCRT, don't forget to set XTERM mode.
    • telnet on port 7004 (no auth) or ssh on port 7022 (default account: root, password: kraken)
    • Kraken shell supports tab auto-completion. Try it.
    • If you do not supply proper command parameters, usage will be printed out. Don't worry.
  • Type pkg.install kraken-arpwatch
    • Expected output:
      kraken> pkg.install kraken-arpwatch
      Resolving {groupId: org.apache.felix, artifactId: org.apache.felix.ipojo, version: 1.4.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> resolved
        -> installing: org.apache.felix.ipojo 1.4.0
      
      Resolving {groupId: org.krakenapps, artifactId: kraken-ipojo, version: 1.0.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> trying to download from http://krakenapps.org/mvn/
        -> resolved
        -> installing: org.krakenapps.ipojo 1.0.0
      
      Resolving {groupId: org.krakenapps, artifactId: kraken-syslog, version: 1.1.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> trying to download from http://krakenapps.org/mvn/
        -> resolved
        -> installing: org.krakenapps.syslog 1.1.0
      
      Resolving {groupId: org.krakenapps, artifactId: kraken-filter, version: 1.2.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> trying to download from http://krakenapps.org/mvn/
        -> resolved
        -> installing: org.krakenapps.filter 1.2.0
      
      Resolving {groupId: org.krakenapps, artifactId: kraken-arpwatch, version: 1.0.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> trying to download from http://krakenapps.org/mvn/
        -> resolved
        -> installing: org.krakenapps.arpwatch 1.0.0
      
      Resolving {groupId: org.krakenapps, artifactId: kraken-pcap, version: 1.1.0}
        -> trying to download from http://repo1.maven.org/maven2/
        -> trying to download from http://krakenapps.org/mvn/
        -> resolved
        -> installing: org.krakenapps.pcap 1.1.0
      
      Starting Bundles
        -> [OK] org.apache.felix.ipojo 1.4.0
        -> [OK] org.krakenapps.ipojo 1.0.0
        -> [OK] org.krakenapps.syslog 1.1.0
        -> [OK] org.krakenapps.filter 1.2.0
        -> [OK] org.krakenapps.pcap 1.1.0
        -> [OK] org.krakenapps.arpwatch 1.0.0
      
      Complete!
      
    • Use pkg.list command to see installed kraken packages.
  • Open pcap device
    • List all devices: pcap.devices
      • You will see all pcap devices like this:
        kraken> pcap.devices
        Available Devices
        -----------------------
        [ 1] \Device\NPF_{AFF4C6CC-2C74-485A-8A7F-807712D18A24} TAP-Win32 Adapter V8
        [ 2] \Device\NPF_{5E955A8C-E8A8-4A02-8EDB-161136A6886A} Microsoft
        [ 3] \Device\NPF_{FE8D1EF3-3E0B-46ED-B776-217C4F180D15} Marvell Yukon Ethernet Controller.
        [ 4] \Device\NPF_{A569FFF6-617E-4B48-92D3-D086C63857AD} Microsoft
        [ 5] \Device\NPF_{BB599EE1-3DA5-4D2F-86FB-BB139CAF09F0} MS Tunnel Interface Driver
        
        
    • Open device: pcap.open [ALIAS] [DEVICE INDEX] [TIMEOUT (milliseconds)] [promisc or nonpromisc]
      • For example, pcap.open test 4 1000 promisc
    • List all open streams: pcap.streams
    • You will see stream stats like the following:
        kraken> pcap.streams
        Live Streams
        -----------------------
        test: Microsoft [recv=5375, drop=0, ifdrop=0]
        
  • Connect arpwatcher to live packet stream.
    • arpwatch.connect [ALIAS] or arpwatch.connect test
    • You can list connected streams using arpwatch.streams command.
  • See arp cache entries
    • arpwatch.entries
    • Type arp -d in the command prompt if you do not want to wait for ARP packets to arrive.
  • Add static bindings
    • You should add static bindings to detect ARP poisoning attacks.
    • Use arpwatch.addBinding [IP] [MAC] command.
    • You can list all current bindings using arpwatch.bindings command.
    • Removal command is arpwatch.removeBinding [IP]
  • Check filter list
    • Type filter.list
    • You will see org.krakenapps.arpwatch.impl.ArpEventSource; it is arpwatch's event source.
    • Expected output:
      kraken> filter.list
      Kraken Filter List
      ==================
      [  1] org.krakenapps.syslog.SyslogReceiver
      [  2] org.krakenapps.syslog.SyslogSender
      [  3] org.krakenapps.syslog.SyslogTracer
      [  4] org.krakenapps.arpwatch.impl.ArpEventSource
      
  • Load event source
    • Type filter.load 4 arpevent
    • You can see the arpevent filter using filter.status if the filter is loaded successfully.
  • Load syslog sender
    • syslog.loadSender [ALIAS] [ADDRESS] [PORT] [FACILITY (optional, default is LOCAL0)] [ENCODING (optional, default is utf-8)]
    • For example, syslog.loadSender navi 110.45.142.130 514
    • The syslog sender is also a filter. Check it using filter.status
  • Bind filter
    • filter.bind [FROM] [TO]
    • For example, filter.bind arpevent navi
    • Try also filter.status arpevent or filter.status navi after binding.
  • Completed!
    • Yes, it's a bit complicated, but the kraken filter system gives you a lot of flexibility.
    • You can add another syslogger or inject your own filter.

All Commands

  • will be documented.

Service Interface

  • will be documented.
  • You can replace or extend arpwatch easily.

Syslog Format

  • Date format: always yyyy-MM-dd HH:mm:ssZ
  • The log format may change slightly in the stable version.
  • Log Type
    • ARP spoof alert
      • <129>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=arp_spoof, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3
      • mac is the attacker's MAC address.
      • ip is the attacker's IP address.
    • New ARP entry
      • <134>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=new_entry, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3
    • Extend timeout of ARP entry
      • <134>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=extend_entry, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3, first_seen=2010-07-06 00:21:00+0900
    • Mac address changed
      • <133>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=change_entry, old_mac=00:16:EA:AA:BB:CC, old_ip=192.168.0.3, new_mac=00:16:EA:CC:BB:AA, new_ip=192.168.0.3
    • ARP cache timeout
      • <134>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=remove_entry, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3
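As an added example (not code from the Kraken project), here is a small Python consumer for this syslog format: it decodes the PRI into facility and severity, parses the key=value fields and the documented date format, and checks new, extended and changed entries against a static binding table of the kind entered with arpwatch.addBinding. The sample messages and the binding table are constructed from the formats above.

```python
import re
from datetime import datetime

# Constructed sample messages following the documented format (not from a real capture).
SAMPLE_LOGS = [
    "<129>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=arp_spoof, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3",
    "<134>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=new_entry, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3",
    "<134>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=extend_entry, mac=00:16:EA:AA:BB:CC, ip=192.168.0.3, first_seen=2010-07-06 00:21:00+0900",
    "<133>kraken-arpwatch: date=2010-07-06 00:42:00+0900, type=change_entry, old_mac=00:16:EA:AA:BB:CC, old_ip=192.168.0.3, new_mac=00:16:EA:CC:BB:AA, new_ip=192.168.0.3",
]

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>kraken-arpwatch: (?P<body>.+)$")
DATE_FMT = "%Y-%m-%d %H:%M:%S%z"  # strptime form of the documented yyyy-MM-dd HH:mm:ssZ


def parse_line(line):
    """Split one kraken-arpwatch syslog message into PRI parts and its key=value fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a kraken-arpwatch message: %r" % line)
    pri = int(m.group("pri"))
    fields = {}
    for item in m.group("body").split(", "):  # the date holds a space but never a comma
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed field %r" % item)
        fields[key] = value
    for key in ("date", "first_seen"):
        if key in fields:
            fields[key] = datetime.strptime(fields[key], DATE_FMT)
    fields["facility"] = pri >> 3  # 16 is local0, the documented default facility
    fields["severity"] = SEVERITY[pri & 7]
    return fields


def check_bindings(lines, bindings):
    """Return (ip, mac, reason) for explicit spoof alerts and for entries whose MAC
    contradicts a static binding. bindings maps IP -> MAC (constructed, as entered
    with arpwatch.addBinding); IPs without a binding are not checked."""
    expected = {ip: mac.upper() for ip, mac in bindings.items()}
    findings = []
    for ev in map(parse_line, lines):
        if ev["type"] == "arp_spoof":
            findings.append((ev["ip"], ev["mac"], "alert"))
        elif ev["type"] in ("new_entry", "extend_entry"):
            if expected.get(ev["ip"], ev["mac"].upper()) != ev["mac"].upper():
                findings.append((ev["ip"], ev["mac"], "binding mismatch"))
        elif ev["type"] == "change_entry":
            if expected.get(ev["new_ip"], ev["new_mac"].upper()) != ev["new_mac"].upper():
                findings.append((ev["new_ip"], ev["new_mac"], "binding mismatch"))
    return findings
```

The severity decode doubles as a sanity check on the collector side: a spoof alert should always arrive as local0/alert (PRI 129), so anything tagged arp_spoof at a lower severity points at a misconfigured sender.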