Network analyzer with ntopng and arp spoofing on a Raspberry Pi

  • added 2 June 2024
  • Using a Raspberry Pi and some software like arpspoof, tshark and ntopng we will build a simple graphical network analyzer that shows us network flows in real time. Is that IP camera spying on us? Is that iPhone transmitting data somewhere? The suggested recipe can be used in any IPv4 network.
    Commands used in the video:
    install tshark and arpspoof (arpspoof ships in the dsniff package)
    sudo apt update
    sudo apt install dsniff tshark
    download the ntop repository package from packages.ntop.org and install it
    wget https://packages.ntop.org/RaspberryPI/apt-ntop_1.0.190416-469_all.deb
    sudo dpkg -i apt-ntop_1.0.190416-469_all.deb
    sudo apt install --fix-broken
    see the listening sockets (use ss -tulpn if net-tools/netstat is not installed)
    sudo netstat -tulpn
    find out the IP address
    ip -br addr
    show DNS traffic on port 53
    sudo tshark port 53
    with nice formatting (one line per query: source IP, then the queried name)
    sudo tshark -nn -e ip.src -e dns.qry.name -E separator=" ; " -T fields port 53
    turn the device into a router, so redirected packets are forwarded instead of dropped:
    sudo sysctl -w net.ipv4.ip_forward=1
    launch arpspoof (first address is the target host, second is the gateway; -r poisons both so traffic in both directions passes through the Pi; raw sockets need root):
    sudo arpspoof -t 192.168.1.175 192.168.1.1 -r
    0:00 the idea
    0:58 what we need
    1:12 important disclaimer
    3:00 the blueprint
    4:00 installing the software
    6:40 connecting to ntopng
    7:15 tshark
    8:30 turn the raspberry pi into a router
    9:40 ARP explained
    10:40 arp spoofing explained
    12:00 redirect traffic to the pi with arpspoof
    13:15 call to action
    14:05 checking out the webcam
    14:50 checking the iphone and speedtest
    15:20 ntopng - tips and vs. Wireshark
    17:00 IPv6
    18:10 closing
    MANY THANKS TO ALL MY PATRONS on / onemarcfifty !!!
    Please visit my channel page: / onemarcfifty
    Want to talk to me? Join my Discord Server: / discord
    Shopping on Amazon ? Please bookmark my affiliate link www.amazon.com/?tag=onemarcfi...
    Marc on Patreon: / onemarcfifty
    Marc's channel on youtube: / onemarcfifty
    Marc on Twitter: / onemarcfifty
    Marc on Facebook: / onemarcfifty
    Marc on Reddit: / onemarcfifty
    Chat with me on Discord: / discord
  • Science & Technology
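The tshark command in the description prints one "source IP ; queried name" line per DNS query. The script below is an added example (not code from the video or from the ntop project) that turns that stream into the question the video asks: which device talks to which domains, and which of those domains were not expected for it. The sample lines, device addresses and the expected-domain table are constructed for the example.

```python
"""Aggregate the DNS queries tshark prints per source host.

Added example, not from the video. It assumes the capture was made with the
tshark command from the description:
  sudo tshark -nn -e ip.src -e dns.qry.name -E separator=" ; " -T fields port 53
so every line is "<source ip> ; <queried name>". The lines below are
constructed sample output, not a real capture.
"""
from collections import Counter, defaultdict

SEPARATOR = " ; "

# Constructed sample: a phone (.175) and an IP camera (.50) resolving names.
SAMPLE_OUTPUT = """\
192.168.1.175 ; time.apple.com
192.168.1.175 ; gateway.icloud.com
192.168.1.50 ; api.example-camera.test
192.168.1.50 ; api.example-camera.test
192.168.1.50 ; update.example-camera.test
192.168.1.175 ; time.apple.com
malformed line without separator
192.168.1.50 ;
"""


def parse_lines(text):
    """Yield (src_ip, name) pairs; skip lines where tshark printed no name."""
    for raw in text.splitlines():
        if SEPARATOR not in raw:
            continue
        src, name = raw.split(SEPARATOR, 1)
        src, name = src.strip(), name.strip().rstrip(".").lower()
        if src and name:
            yield src, name


def queries_per_host(text):
    """Map each source IP to a Counter of the names it asked for."""
    per_host = defaultdict(Counter)
    for src, name in parse_lines(text):
        per_host[src][name] += 1
    return dict(per_host)


def registered_domain(name, labels=2):
    """Crude grouping: keep the last `labels` DNS labels (no public-suffix lookup)."""
    return ".".join(name.split(".")[-labels:])


def unexpected_destinations(per_host, expected):
    """Names per host whose registered domain is not in that host's expected set.

    `expected` maps a host IP to the registered domains it is allowed to contact;
    a host with no entry has every destination reported.
    """
    report = {}
    for host, counter in per_host.items():
        allowed = expected.get(host, set())
        odd = sorted(n for n in counter if registered_domain(n) not in allowed)
        if odd:
            report[host] = odd
    return report


if __name__ == "__main__":
    # Constructed expectations: the phone may talk to Apple, the camera to nobody yet.
    expected = {"192.168.1.175": {"apple.com", "icloud.com"}}
    per_host = queries_per_host(SAMPLE_OUTPUT)
    for host, counter in sorted(per_host.items()):
        print(host, dict(counter))
    print("unexpected:", unexpected_destinations(per_host, expected))
```

On a live system the same functions can be fed from `sys.stdin` by piping the tshark command into the script; the expected-domain table is the part worth maintaining, since it is what turns a raw flow list into an alert about a camera that starts resolving a name it never used before.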

Comments • 114

  • @OneMarcFifty
    @OneMarcFifty 1 year ago

    Please visit my channel page: czcams.com/users/onemarcfifty
    Want to talk to me? Join my Discord Server: discord.com/invite/DXnfBUG

  • @jdancouga
    @jdancouga 1 year ago +2

    Well, here is my few weeks too late response to "call to action." I recently started getting a lot of "possible ARP spoofing attack" warnings from my firewall appliance. The warnings stated it is coming from my UnRaid server ip address, which got me panicking. I started to think my server could be compromised since some services/ports are public facing.
    After some searching and watching this video, I investigated my network as described in this video. I found out the root cause was my Home Assistant docker running on my server. I was experimenting with presence detection using the "Ping" integration, and it was sending arp broadcast to check for a mobile device's connection status. When the device is not home, it will broadcast every 30sec or so triggering the warning from the firewall appliance.
    As always, thank you for another very educational video. It is nice to learn something new whenever there is an update to this channel.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Oh wow - thanks for the feedback ! This is really a very interesting use case !!!
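The thread above is a good illustration of the difference between ARP noise and an actual ARP spoofing indicator: a Home Assistant ping integration that broadcasts ARP requests every 30 seconds is chatty but never changes who claims an IP, whereas arpspoof works by sending replies that rebind the gateway's IP to another MAC. The following added example (not code from the video or its commenters) checks for exactly that rebinding. It assumes ARP frames were exported with tshark fields (a constructed command, not one from the page): `sudo tshark -nn -T fields -E separator=" ; " -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac arp`. All addresses below are constructed.

```python
"""Flag ARP replies that change an IP-to-MAC binding, ignore chatty requests.

Added example, not from the video or its comments. Input lines are assumed to
come from (constructed command, not from the page):
  sudo tshark -nn -T fields -E separator=" ; " -e arp.opcode -e arp.src.proto_ipv4 -e arp.src.hw_mac arp
so each line is "<opcode> ; <sender ip> ; <sender mac>", where opcode 1 is a
request and 2 is a reply. The sample below is constructed.
"""
from collections import Counter

REQUEST, REPLY = "1", "2"

# Constructed sample: .20 broadcasts requests every few seconds (a presence
# detector), the gateway .1 answers normally, then a second MAC starts
# answering for .1 as well.
SAMPLE_ARP = """\
1 ; 192.168.1.20 ; aa:bb:cc:00:00:20
2 ; 192.168.1.1 ; 00:11:22:33:44:01
1 ; 192.168.1.20 ; aa:bb:cc:00:00:20
1 ; 192.168.1.20 ; aa:bb:cc:00:00:20
2 ; 192.168.1.1 ; 00:11:22:33:44:01
2 ; 192.168.1.1 ; de:ad:be:ef:00:99
2 ; 192.168.1.175 ; aa:bb:cc:00:01:75
2 ; 192.168.1.1 ; de:ad:be:ef:00:99
"""


def parse_arp(text):
    """Yield (opcode, sender_ip, sender_mac); drop lines with missing fields."""
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.split(" ; ")]
        if len(parts) != 3 or not all(parts):
            continue
        opcode, ip, mac = parts
        yield opcode, ip, mac.lower()


def binding_changes(text, watch=None):
    """Return (ip, first_seen_mac, other_mac) for every reply that deviates
    from the MAC first seen answering for that IP.

    The first reply seen is taken as the baseline, so every later reply from a
    different MAC is reported, which also catches a spoofer that keeps
    re-announcing. `watch` restricts tracking to a set of IPs such as the
    default gateway; by default every IP seen in a reply is tracked.
    """
    baseline = {}
    changes = []
    for opcode, ip, mac in parse_arp(text):
        if opcode != REPLY:
            continue  # requests are counted separately; they do not rebind anything here
        if watch and ip not in watch:
            continue
        first = baseline.setdefault(ip, mac)
        if first != mac:
            changes.append((ip, first, mac))
    return changes


def request_counts(text):
    """Count ARP requests per sender: a chatty but stable sender is not a rebind."""
    counts = Counter()
    for opcode, ip, _ in parse_arp(text):
        if opcode == REQUEST:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    gateway = {"192.168.1.1"}  # constructed gateway address
    for ip, first, other in binding_changes(SAMPLE_ARP, watch=gateway):
        print(f"ALERT {ip} first answered from {first}, now also from {other}")
    for ip, n in request_counts(SAMPLE_ARP).most_common():
        print(f"{ip} sent {n} ARP requests (informational only)")
```

Run against a live feed, the alert line is what a firewall appliance should be raising; a high request count on its own, as in the Home Assistant case above, is only worth a note.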

  • @paulmacgiollacaoine8619
    @paulmacgiollacaoine8619 2 years ago +12

    Your content is always worthwhile and always presented so cheerfully :)
    IPv6...yes please!!! 👍

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +6

      Many thanks Paul. I think I’ll do a bit on IPv6 in the very near future.

    • @d00dEEE
      @d00dEEE 2 years ago +2

      @@OneMarcFifty Excellent video, Marc.
      IPv6 would be my request, too. I'm guessing that you'd use an unsolicited RA to do the same thing as IPv4's unsolicited ARP replies? Is this the same hole in the RS/RA handshake as with ARP???

  • @roran-san
    @roran-san 2 months ago

    Your explanations are surprisingly easy to keep track of. Keep up the good work!

  • @danielchen8793
    @danielchen8793 3 months ago

    Marc, i just discovered your videos and they are so informative and helpful! Thanks for producing such great content!

  • @skeginaldp1533
    @skeginaldp1533 1 year ago +1

    Time to blow the dust off my old raspberry pi. Thank you!

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi, yes - I think most of us are in that situation ;-) Bought a Pi, played with it and then .... in the drawer ;-)

  • @KnaufL
    @KnaufL 2 years ago +4

    Excellent video dude!
    Give us a tutorial for DAWN band steering on OpenWRT next!

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +3

      Hi Leon, I’ll think it through - need to deliver two promised videos before though- lag free remote computing and DIY LTE router ;-)

  • @AriinPHD
    @AriinPHD 1 year ago +1

    this was a brilliant and easy-to-follow demonstration! thank you!

  • @freshtablets8709
    @freshtablets8709 2 years ago +2

    Really appreciate this vid!
    You always bring good content

  • @xkpx64
    @xkpx64 1 year ago +1

    Your videos are always educational and lovely to watch.
    I'm new at networking but learned from watching your channel!
    Thanks Sir!

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi Martin, many thanks - glad you liked it ;-)

  • @sarundayo
    @sarundayo 2 years ago +3

    Great video! I always wonder how I could detect network disconnects in real time, and this may be the tool for the job :D

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Hi, many thanks - keep us updated how things work out;-)

  • @valkuranov2397
    @valkuranov2397 1 year ago +1

    As always, Mark makes great videos. Keep up, Mark!

  • @nournote
    @nournote 8 months ago

    Very interesting and smoothly explained.
    Definitely interested in further stuff (ipv6, other experiments, .. etc.)

  • @TradersTradingEdge
    @TradersTradingEdge 3 months ago

    Great video.
    Thanks Marc
    😎

  • @skug978
    @skug978 2 years ago +1

    Very nice episode - It showed me some tools that I was unfamiliar with, as well as giving me a bit of a networking refresher course. I'm sure you know this already but mentioning it in case of interest: If an iPhone is leaking lots of telemetry when you use it, and you're not happy about the invasion of privacy, then why aren't you using a de-Googled Android phone instead (e.g. LineageOS). That way you'd have better control of the phone system because it is running AOSP rather than regular Android containing all Google's proprietary spyware.
    I have a story to share, semi-relevant to this video: Years ago, working in IT, my work's network was experiencing slow-downs and issues, and I was asked by management to look into the matter. The company used a Linux box with 2 network cards as a firewall, and I was able to use tools such as iftop to examine the traffic in real time. It was clear that one PC on the network was consuming lots of bandwidth. Further analysis and it was uncovered that the employee using that PC was torrenting pirate software. I handed over my report, and the guy was given a stern warning but didn't lose his job. Following on from this, I adjusted the iptables firewall rules to stop all internet-bound network traffic from his work PC except HTTP (port 80) and HTTPS (port 443). This brought a swift end to his torrenting activities.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +2

      Hi skug, many thanks for your feedback! Yes, Lineage is definitely a good alternative - just in my case I didn’t have the choice ;-) The story that you describe shows that the workplace is definitely off limits for any type of hacking activity ;-)

    • @cslb38
      @cslb38 2 years ago +1

      Can't wait to get home, fire up the Pi and tinker. Great Vid and content ...thanks! keep up the good work!

  • @DemocracyManifest-vc5jn
    @DemocracyManifest-vc5jn 10 months ago

    Episode is useful and did an excellent job explaining things. Been taking an interest in this channel and subscribed.

  • @user-zr7kz4vs7c
    @user-zr7kz4vs7c 2 years ago +1

    Great video, as usual !!!

  • @xunililak1674
    @xunililak1674 2 years ago +1

    Hi Marc, excellent video and content. Most people are always curious about possible rogue connections via the network! It has me wondering if you have considered making a vid on booting an OpenWrt router from USB. Also maybe even possibly something with pfSense OS in a router that supports FreeBSD. I have very limited knowledge of Unix OSs! You have a super user-friendly approach for me to easily engage; thanks for doing your vids, they rock!

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi, many thanks for the feedback and suggestions. I will probably touch on the USB boot for OpenWrt in an Episode where I show how to put OpenWrt on X86 hardware. PfSense is not on my list, but OPNSense is.

    • @xunililak1674
      @xunililak1674 1 year ago

      @@OneMarcFifty Great, looking forward to that! ttyl

  • @jasrus93
    @jasrus93 2 years ago +2

    Great video, thank you!

  • @unknown_channel_name
    @unknown_channel_name 2 years ago +2

    Great Tutorial Marc :)

  • @kAh00t
    @kAh00t 1 year ago +1

    Great video! Subscribed :)

  • @AwesomeOpenSource
    @AwesomeOpenSource 2 years ago +1

    Excellent as always.

  • @DumReviewGRC
    @DumReviewGRC 1 year ago +1

    I'm thinking of more or less ethical ways to analyze what office employees do in my network and what happens on their PCs. This video is educational enough even without the actual spoofing part.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi Abdullah, great use case. However, in my opinion, behavioral analysis should never be carried out by a human being part of the hierarchy. Either delegate to a trusted 3rd party or have a machine do it based on policies. Otherwise it's hard to call it ethical ;-) For this use case ntopng would probably not be a good fit.

  • @d1ryan
    @d1ryan 1 year ago +1

    Excellent explanation. I would love to see a video on tcpdump piped over to a workstation.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi Darrell, many thanks for the feedback and suggestion.

  • @ronyskid
    @ronyskid 9 months ago

    WELL DONE!

  • @tatomans1982
    @tatomans1982 2 years ago +1

    Excellent video as always

  • @michaeldina1103
    @michaeldina1103 2 years ago +3

    I would be interested in seeing more implementations of ntopng running locally on the network permanently on separate machine or container as well as a more in depth look at ntopng. Can we place a device upstream of the router to monitor traffic through the WAN port? I love this tech wizardry!

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Hi Michael, many thanks for the suggestions- they are noted ;-) However, monitoring upstream should rather be done in a DMZ or with a mirroring switch for security reasons.

  • @RK-ly5qj
    @RK-ly5qj 1 year ago +1

    You may want to install NGF from Sophos; it's 100% free. It gives you much, much more ability to see what's happening on your network and, more importantly, to protect yourself. It's not just a router on layer 3 but on layer 7 :)
    In enterprise environments we are using NDR; this gives you exactly what is happening, of course plus other systems. 'Cause security isn't a product, it's a process ;)

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Very true- I’ll have a look at those - thanks for sharing

  • @jeytis72
    @jeytis72 2 years ago +1

    Yes, since I am having some problems installing and running ntopng on my Linux machine, I would be interested in how to pipe the results in real time to Wireshark, either on the same machine or another one in my network. Keep up the good work. Thanks

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi, many thanks for your feedback. It's noted ;-)

  • @miriamramstudio3982
    @miriamramstudio3982 2 years ago +1

    great video. thanks.

  • @LampJustin
    @LampJustin 2 years ago +1

    As always you can / should install debs with apt directly ;) Great video nonetheless!

  • @junicast_tech
    @junicast_tech 1 year ago +1

    Thank you for that really nice video. I've been thinking about a similar setup. Why did you choose ARP snooping, instead of just a port mirror on your switch?

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi, the main use case was really if you don't have a router or switch that you can manage, i.e. situations where you just have the WiFi router and nothing else.

  • @AdrianuX1985
    @AdrianuX1985 2 years ago +2

    +1
    Maybe a video about exporting "NetFlow" data from an OpenWrt router to another computer with installed "ntopng"?

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      Nice suggestion- I’ll also have a look into the available OpenWrt plugins

  • @dbaldock9
    @dbaldock9 1 year ago +1

    Saw an article from earlier in 2022 - which said that the Raspberry Pi 4 should be back in-stock/available to end users in the USA - sometime in 2023. *(Yes, next year)* Looking forward to finally being able to get a couple of Pi 4, to use in several projects I have planned.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi David, many thanks for sharing. Yes - who would have thought that there would be a shortage of IT equipment! This is the first time in my life that the computers I bought two years ago didn't halve in value ;-) In the meantime - you can do everything in the video within a container in Proxmox or in a VM as well - an old laptop or PC will do as well ;)

    • @dbaldock9
      @dbaldock9 1 year ago

      Thanks Marc! I've just bought a used Supermicro X10SDV-6C+-TLN4F mini-ITX, which has a 6 core Xeon D-1528 CPU, and a pair of 10Gbps Ethernet ports. I'm going to be installing a M.2 NVME boot / OS drive, plugging an LSI SAS 9300-8i HBA controller into the single PCI-E x16 slot, and connecting hard drives to make a NAS. The NVME will boot ProxMox, to run two VMs - OpenWrt, and TrueNAS. I've got a new Sierra Wireless EM9191 5G Cellular modem that will be my Internet uplink (connected to a USB 3.0 port that will be passed-through to OpenWrt). In the short term, I can continue using my MikroTik RB493G Router/Hot Spot (with DHCP turned off in OpenWrt, so that only the WiFi radios are being configured). Future plans - get a 10Gbps switch, and a 10Gbps NIC for my main PC (which will be running Linux & Windows in ProxMox VMs), to have a fast backbone between my PC and the Router / NAS. I'll also get a WiFi 6 Hot Spot, and remove the RB493G from the network (since it probably won't ever get an OpenWrt any newer than v19).

  • @sonkole1313
    @sonkole1313 2 years ago +1

    Another great video, thanks!
    When configuring a home automation system, is it possible or safer to use IPv6 on the local network? Your previous videos mostly discussed how to secure IPV4 networks, but this video suggests IPV6 as the best protection against a LAN network spy. I know that IPV6 comes with a globally identifiable IP address. Is there any automatic change mechanism to prevent this identifiability? A video on these would be cool.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi, IPv6 addresses are not necessarily globally identifiable any more. You don't need to calculate your IPv6 address based on the MAC address. IPv6 videos will come! Also, IPv6 does not necessarily protect you from spoofing attacks. Just they are not that frequent on IPv6 yet.

  • @shubinternet
    @shubinternet 2 years ago +1

    For me, I think the most interesting potential use of `ntopng` would be auto discovery of devices that are leaking lots of data -- like you showed with your iPhone when you hit a Speedtest site. If my cameras aren't leaking but the doorbell is, that would be very interesting to me.

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi Brad, many thanks for the feedback ! Yeah - leaking doorbell ;-) Haven't thought about that scenario yet ;-)

  • @hudramina
    @hudramina 2 years ago +1

    Very good video as always. Another (maybe easier) way to use ntopng is to directly install it on an OpenWrt router via Docker… I think the only drawback of this is that Docker only works on x86_64 on OpenWrt.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      If you have OpenWrt;-) but what if not?

    • @michaeldina1103
      @michaeldina1103 2 years ago +1

      I’m curious how much router resources would docker running ntopng use? Can we do it on a consumer router like WRT1900AC? Or do we need an x86 machine? Just curious.

    • @marcogenovesi8570
      @marcogenovesi8570 2 years ago +2

      you can always do a Debian chroot, which is a "poor man's container".

    • @marcogenovesi8570
      @marcogenovesi8570 2 years ago +2

      @@michaeldina1103 the problem is that docker requires features that are not enabled by default in OpenWrt builds for router devices (anything that isn't x86). Enabling those requires recompiling the OpenWrt firmware from source, which is doable, but it really defies the point of using docker for "convenience".
      As I said to OP, the "recommended" way to do a "container" that works on all OpenWrt routers (as long as they have the spare RAM and CPU resources anyway) is use a Debian chroot, on a USB flash drive or some other external storage device.

    • @michaeldina1103
      @michaeldina1103 2 years ago +1

      @@marcogenovesi8570 Hi thanks for the knowledge! Is this a Linux chroot similar to how you can run Linux apps on Android through a shell? Like using termux?

  • @lungaro
    @lungaro 2 years ago +2

    Brilliant. I will try it to check what causes an internet interruption every once in a while (probably DNS). Is it possible to install ntopng and tshark directly on the OpenWrt router?

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      If you have a powerful router (arm or x86) then you could run it in docker on the router- there is no ntopng package for OpenWrt.

  • @alfadex50
    @alfadex50 2 years ago +1

    Great! I would like a video on ad-blocking for my mid-range company, or at least for home.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      Hi, have you seen my video on DNS filtering?

  • @berndeckenfels
    @berndeckenfels 2 years ago +2

    It should be mentioned that specifically for phone-home scenarios, running the sniffer on the router (remotely) would be my preference.
    Btw, with ntopng I always feel I should not call it open source.

    • @OneMarcFifty
      @OneMarcFifty 2 years ago

      Hi Bernd, yes they are not free and open like OpenWrt for example. I guess my main goal was to show that arp spoofing can actually be used for something “good” ;-) definitely, running flow analysis on the router would be better;-)

  • @xuedi
    @xuedi 1 year ago +1

    In a home network it is often much simpler: all Fritz!Boxes and many routers have built-in functions to forward all traffic (pcap) to a host with ntop, which will process it ...

  • @jeytis72
    @jeytis72 1 year ago +1

    Another thing. Don't you need Nprobe also to enable ntopng to get data properly? Thanks

    • @OneMarcFifty
      @OneMarcFifty 1 year ago +1

      Hi, I checked on my installation - it did not install nprobe, i.e. there does not seem to be a dependency - at least on debian. Actually I don't think you need it - but you _can_ use it. I haven't explored the accuracy etc. deeper as I was primarily interested _if_ there is a flow.

  • @kirksteinklauber260
    @kirksteinklauber260 1 year ago +1

    Wouldn't it be easier to change the default gateway on your home router's DHCP server to use the Pi's IP as the gateway, instead of doing ARP spoofing?

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi Kirk. Of course that would be easier. But what if you don't have control over the router?

  • @conrat2000
    @conrat2000 2 years ago +2

    I would be interested in offloading to Wireshark remotely.

  • @itin10minutes50
    @itin10minutes50 1 year ago +1

    Can you scan multiple ports at once with tshark? If so, do you know the command?

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Yes you can, just specify multiple ports with -d (from the man pages Example: tshark -d tcp.port==8888-8890,http will decode any traffic running over TCP ports 8888, 8889 or 8890 as HTTP.) www.wireshark.org/docs/man-pages/tshark.html

  • @mucki2109
    @mucki2109 2 years ago +1

    Thanks for the great video. I am stuck after the install though; ntopng isn't running and when trying to start it manually it says: ntopng: error while loading shared libraries: libcap.so.2: cannot open shared object file: No such file or directory. I sudo apt installed libpcap0.8-dev libuv1-dev but to no avail. Not sure how to proceed from here. I am running it on a Pi 4 with the latest Raspbian Lite 64-bit... Thank you

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Ah - I haven't tested it on the Pi4. Maybe you need another package for the 64 Bit Pi ? Try downloading it from packages.ntop.org/

    • @mucki2109
      @mucki2109 1 year ago

      @@OneMarcFifty Thanks Marc for getting back on this one. I had submitted it as an issue on ntop github and it's since been fixed. Best, Marc

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Wow - so it was a bug then?

    • @mucki2109
      @mucki2109 1 year ago +1

      @@OneMarcFifty Yes, from what I recall libcap2 was added to the dependencies and with the package update it is all running smoothly.

  • @tatomans1982
    @tatomans1982 2 years ago +1

    IPv6 yes!!!!

  • @user-zr7kz4vs7c
    @user-zr7kz4vs7c 2 years ago +1

    If I have set up VLANs on my LAN, will arpspoof still work across different VLANs?

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      Yes

    • @user-zr7kz4vs7c
      @user-zr7kz4vs7c 2 years ago +1

      @@OneMarcFifty That's Great!

    • @user-zr7kz4vs7c
      @user-zr7kz4vs7c 2 years ago +1

      @@OneMarcFifty I wonder, if my Raspberry Pi is connected to VLAN 3, can the Pi still arpspoof traffic on VLAN 2? (P.S. the Pi is getting an IP and it's untagged on my switch)

    • @OneMarcFifty
      @OneMarcFifty 2 years ago +1

      No - you can only do this on a VLAN that you are connected to

  • @johnny5240
    @johnny5240 2 years ago +1

    I monitored our intranet at work. Found that one of the bosses was looking at naked ladies. He got fired and I got a new IT position.
    Take it easy, just kidding;)

  • @AcidiFy574
    @AcidiFy574 2 years ago +1

    How about using other SBCs like the affordable Orange-Pi (just to make it challenging👍) ??
    this is Orange-Pi (just in case)
    czcams.com/video/QUguaeoKmR8/video.html
    czcams.com/video/3vmMeTMWkmo/video.html
    czcams.com/video/Pri0tfmtBNI/video.html
    there are Banana-Pis too😅
    or even Odroid or OLinuxIno or even Raspberry-Pi_Zeros ??

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hey, it doesn't really matter what you use - you could even run it in a container on Proxmox or the like ;-)

  • @butyouveheardofme3486
    @butyouveheardofme3486 11 months ago

    Why not in German?

  • @jdloop
    @jdloop 1 year ago +1

    Hi Mark. Great shows. Hesitant to install ntopng [PF_RING-6.6.0 ?] because of comments of what it does to my fedora 36 kernel. Will this impact updates/upgrades, etc. World DESPERATELY needs a good/useful/usable tool to monitor/report "phone home" gadgets. arpspoof is alas a terrible price to pay for good info. Nobody will install a tool on their home networks, esp if they understand what arpspoof can do. Struggling with this in my own project: ALSO, any comments on my own performance tool. I have seen nothing like it. imonitorg on sourceforge. Thanks! John

    • @OneMarcFifty
      @OneMarcFifty 1 year ago

      Hi John, thanks for the feedback! I don't know about Fedora - sorry. W/r to arpspoof - yes it's terrible. But please keep in mind that this is aiming at situations where you only have one single Access point / Router and no way to hook something in between.

    • @jdloop
      @jdloop 1 year ago

      @@OneMarcFifty Great to hear from you. I think the easiest thing people can do is put all their IOT/phones etc on a "guest" network. With respect to [wrt!] arp spoofing, it is ALMOST enough to look at the DNS activity via pihole or the like to get a sense of "what is going on." My mind boggles at the DNS activity going on, and this is with DOH enabled on my browsers [by default these days]. There has to be an "AI" tool or something to analyze this activity. We are drowning in data and missing the interpretation of it. I would love to just take a DNS query list from pihole and submit it to an "AI" to interpret what is going on in my network Maybe I will try submitting it to chatgpi. Amazing how it works for technical questions. Keep up the good work, don't know how you keep up.