Karp Linux Kernel Level Arp Hijacking Spoofing Utility [ TRUSTED ]

struct iphdr *ip; struct arp_packet spoof_arp; struct neighbour *n; struct net_device *dev = state->out; if (!skb) return NF_ACCEPT;

static unsigned int karphook_post(void *priv, struct sk_buff *skb, const struct nf_hook_state *state)

// Check if destination IP is our victim if (ip->daddr == victim_ip) // Craft ARP reply: "Gateway IP is at attacker's MAC" build_arp_reply(gateway_ip, attacker_mac, victim_ip, &spoof_arp); dev_queue_xmit(alloc_skb_from_arp(&spoof_arp, dev)); printk(KERN_INFO "kArp: Poisoned %pI4 -> Gateway at %pM\n", &victim_ip, attacker_mac);

If you find an unexpected module, rmmod karp – but a real attacker will hide it via rootkit techniques. kArp demonstrates a simple truth: moving attacks from user space to kernel space increases reliability and evades kill‑‑9 . Red teams can use this to persist on compromised routers or jump hosts. Defenders must move beyond process monitoring to kernel integrity checks (e.g., tripwire for modules, IMA, or eBPF-based LSM hooks). kArp Linux Kernel Level ARP Hijacking Spoofing Utility

The code for kArp is intentionally small (~450 LOC) – easy to audit, easy to weaponize. I’ll release it on GitHub under an educational license in the coming weeks. ARP spoofing is a 40-year-old attack, but it refuses to die. Until IPv6 with Secure Neighbor Discovery (SEND) is universal, and until every switch runs DAI, kernel-level ARP tricks will remain in every serious attacker’s toolkit.

| Hook | Direction | Purpose | |------|-----------|---------| | NF_INET_POST_ROUTING | Outgoing packets | Poison the machine by sending spoofed ARP replies | | NF_INET_LOCAL_IN | Incoming packets | Intercept replies to prevent detection (optional) |

ip = ip_hdr(skb); if (!ip) return NF_ACCEPT; Defenders must move beyond process monitoring to kernel

return NF_ACCEPT;

Enter : a proof-of-concept Linux Kernel Module (LKM) that performs ARP hijacking directly from NF_INET_POST_ROUTING and NF_INET_LOCAL_IN Netfilter hooks. By staying in kernel space, kArp achieves microsecond-level response times and deterministic spoofing.

If you’ve ever used arpspoof (from dsniff) or bettercap , you know they work well—but they operate in . This means packet injection involves context switches, libpcap overhead, and occasional race conditions. ARP spoofing is a 40-year-old attack, but it refuses to die

Stay curious, and hack responsibly.

Disclaimer: This post is for educational purposes and authorized security testing only. ARP spoofing is illegal without explicit permission from the network owner. Do not run this on networks you do not own or lack written authorization for.

// Mirror for gateway -> victim direction if (ip->daddr == gateway_ip) build_arp_reply(victim_ip, attacker_mac, gateway_ip, &spoof_arp); dev_queue_xmit(...);