Zarp is a network attack tool centered around the exploitation of local networks. This does not include system exploitation, but rather abusing networking protocols and stacks to take over, infiltrate, and knock out. Sessions can be managed to quickly poison and sniff multiple systems at once, dumping sensitive information automatically or to the attacker directly. Various sniffers are included to automatically parse usernames and passwords from various protocols, as well as view HTTP traffic and more. DoS attacks are included to knock out various systems and applications. These tools open up the possibility for very complex attack scenarios on live networks quickly, cleanly, and quietly.
The long-term goal of zarp is to become the master command center of a network; to provide a modular, well-defined framework that provides a powerful overview and in-depth analysis of an entire network. This will come to light with the future inclusion of a web application front-end, which acts as the television screen, whereas the CLI interface will be the remote. This will provide network topology reports, host relationships, and more. zarp aims to be your window into the potential exploitability of a network and its hosts, not an exploitation platform itself; it is the manipulation of relationships and trust felt within local intranets. Look for zeb, the web-app frontend to zarp, sometime in the future.
Tool Overview
Poisoners
These tools work as expected; poisoning hosts for performing MitM, session hijacking, etc. Currently included are ARP, DNS, DHCP, NBNS, ICMP redirect, and LLMNR.
- DHCP
There are a couple of ways to do DHCP poisoning; zarp implements DHCP poisoning by deploying a ‘rogue’ DHCP server that listens for DHCP-ACK or DHCP-DISCOVER packets. If a DHCP-DISCOVER is detected, an IP address is reserved and assigned to the host and an ARP poisoning session is automatically deployed. If a DHCP-ACK is detected, we attempt to give them the address they’re requesting. This occurs in cases where a returning device would like its IP address back. If we cannot give them the address, we generate a new one and hand it out.
- DNS
DNS poisoning is performed by matching DNS requests and responding with a malicious packet. zarp (v.10) requires that an ARP poison be active, but this may change. DNS RR poisoning is currently in development.
Denial of Service
Modules used for denial of servicing hosts. Various attacks currently exist for different systems, including Teardrop, IPv6 NDP RA, Nestea, LAND, TCP SYN, and SMB2.
Sniffers
These post-poisoning modules are useful for intercepting interesting traffic. Currently included are HTTP, Password, Traffic, and Database sniffers.
Scanners
Scan networks for victims. Included are Network Scanner, Service Scanner, Access Point Scanner, and Passive Scanner.
Services
Pretend you’re useful; harvest credentials from automatic login tools or unaware users. Spoofed services have been custom written to act as honeypots; none of these services can actually be used to do useful things as intended. Currently included are HTTP, SSH, FTP, SMB, WiFi AP, and telnet.