I am developing a program which is to be installed on a “simple” machine in a LAN, the only particularity is that the NIC are connected on mirror ports.
The software can scan and monitor the network. What I am looking for is a technique to take down a host on this network.
When I discover a new host on the network I want to “block” it until I authorized it but the machine is not a firewall nor a real Network Access Controller (NAC) so I can only use passive methods.
I have tried ARP cache poisoning to associate a fake MAC with the real gateway IP in the target host ARP cache but there is two major issues:
- The victim can manually set the ARP cache entry of the gateway as static.
- The victim can still communicate with the other LAN hosts.
So I tried another method: poison the ARP cache of every hosts on the network except the victim’s one. I send a broadcast ARP request (works better than reply) with the IP of the victim and a fake MAC. But there is still one issue:
- When the victim try to communicate with another LAN host, it sends an ARP request which put the valid MAC and IP association in the other hosts ARP cache.
- The victim can also manually sends ARP requests or replies to overwrite the fake MAC in the hosts ARP cache.
For these reasons I wonder if there is a better method to accomplish such a thing.