0xTheFr34k/Inquisitor

Inquisitor - ARP Poisoning & FTP Traffic Monitoring POC

A proof-of-concept tool demonstrating ARP poisoning attacks combined with FTP traffic monitoring and credential harvesting. This project is designed for educational purposes and penetration testing in controlled environments.

⚠️ Disclaimer

This tool is intended for educational purposes and authorized penetration testing only. Use only on networks you own or have explicit permission to test. Unauthorized use is illegal and unethical.

🎯 Features

  • ARP Poisoning: Performs man-in-the-middle attacks by poisoning ARP tables
  • FTP Traffic Monitoring: Captures and analyzes FTP control and data channels
  • Credential Harvesting: Extracts FTP usernames and passwords from intercepted traffic
  • File Transfer Monitoring: Tracks file uploads and downloads
  • Dockerized Environment: Complete testing environment with FTP server and client
  • Signal Handling: Graceful cleanup and ARP table restoration on exit

🏗️ Architecture

The project consists of several Go modules:

  • main.go: Entry point and command-line argument parsing
  • arp/: ARP poisoning functionality
  • ftp/: FTP traffic monitoring and analysis
  • parse/: Argument validation and data structures
  • signals/: Signal handling for graceful shutdown
  • utils/: Utility functions for interface detection and permissions

🚀 Quick Start

Prerequisites

  • Docker and Docker Compose
  • Root/Administrator privileges (for packet capture)

Using Docker Compose (Recommended)

  1. Clone and build the environment:

    git clone <repository-url>
    cd inquisitor
    docker-compose up -d

  2. Get container network information:

    # Get IP addresses and MAC addresses of containers
    docker exec ftp-server ip addr show eth0
    docker exec ftp-client ip addr show eth0

  3. Start the attack from the attacker container:

    docker exec -it attacker ./inquisitor \
      -ipsrc <ftp-server-ip> \
      -macsrc <ftp-server-mac> \
      -ipdst <ftp-client-ip> \
      -macdst <ftp-client-mac> \
      -v

  4. Test FTP traffic from the client container:

    docker exec -it ftp-client ftp <ftp-server-ip>
    # Login with: ftptest / testpass
    # Try downloading: get test.txt

Manual Build

# Install dependencies
go mod download

# Build the binary
go build -o inquisitor .

# Run with root privileges
sudo ./inquisitor -ipsrc <source-ip> -macsrc <source-mac> -ipdst <dest-ip> -macdst <dest-mac> -v

📋 Usage

Command Line Options

./inquisitor [options]

Options:
  -ipsrc string    Source IP address (FTP server)
  -macsrc string   Source MAC address (FTP server)
  -ipdst string    Destination IP address (FTP client)
  -macdst string   Destination MAC address (FTP client)
  -v               Enable verbose output

Example Usage

# Basic ARP poisoning with FTP monitoring
sudo ./inquisitor \
  -ipsrc 192.168.1.100 \
  -macsrc 00:11:22:33:44:55 \
  -ipdst 192.168.1.101 \
  -macdst 66:77:88:99:aa:bb \
  -v

# The tool will:
# 1. Start ARP poisoning between the two hosts
# 2. Monitor FTP traffic on port 21
# 3. Extract credentials and file transfer information
# 4. Display captured data in real-time

🐳 Docker Environment

The Docker Compose setup creates three containers:

  • ftp-server: vsftpd server with test user (ftptest:testpass)
  • ftp-client: Client container for testing FTP connections
  • attacker: Container running the inquisitor tool

Test Credentials

  • Username: ftptest
  • Password: testpass
  • Test file: /home/ftptest/files/test.txt

🔍 What Gets Captured

FTP Credentials

  • Usernames from USER commands
  • Passwords from PASS commands
  • Login attempts and success/failure status

File Operations

  • File downloads (RETR command)
  • File uploads (STOR, APPE, STOU commands)
  • Directory listings (LIST, NLST commands)
  • Directory changes (CWD command)

Network Information

  • Source and destination IP addresses
  • Client and server port numbers
  • Data transfer volumes

🛡️ Security Considerations

  • Root Privileges: Required for raw packet capture and injection
  • Network Impact: ARP poisoning can disrupt network connectivity
  • Detection: Modern networks may detect ARP poisoning attempts
  • Cleanup: Tool automatically restores ARP tables on exit

🔧 Technical Details

ARP Poisoning Mechanism

  1. Continuously sends forged ARP replies
  2. Associates attacker's MAC with target IPs
  3. Redirects traffic through attacker's machine
  4. Restores original ARP entries on shutdown
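The rebinding in steps 1 to 3 is also what the detection mentioned under Security Considerations keys on. The Go block below is an added example and not part of the Inquisitor code base: it pins the first MAC seen for each IP, raises an alert whenever a later reply rebinds that IP, and replays a constructed sequence in which one made-up MAC (de:ad:be:ef:00:01) claims both of the README's example addresses. It assumes the caller has already decoded the sender IP and MAC fields from captured ARP replies; no packet capture is done here.

```go
package main

import (
	"fmt"
	"net"
)

// ArpMonitor pins the first MAC observed for each IP (arpwatch-style) and
// flags any later reply that rebinds the IP to a different MAC.
type ArpMonitor struct {
	binding map[string]string // IP -> first MAC seen (pinned)
	alerts  map[string]int    // MAC -> number of rebind alerts it has triggered
}

func NewArpMonitor() *ArpMonitor {
	return &ArpMonitor{binding: map[string]string{}, alerts: map[string]int{}}
}

// Observe records one ARP reply ("senderIP is at senderMAC"). It returns a non-empty
// alert when the reply contradicts the pinned binding, or an error if it fails to parse.
func (m *ArpMonitor) Observe(senderIP, senderMAC string) (string, error) {
	hw, err := net.ParseMAC(senderMAC)
	if err != nil || net.ParseIP(senderIP) == nil {
		return "", fmt.Errorf("malformed ARP reply %q/%q", senderIP, senderMAC)
	}
	mac := hw.String() // canonical lower-case form, so "AA:BB:.." == "aa:bb:.."
	prev, seen := m.binding[senderIP]
	if !seen {
		m.binding[senderIP] = mac // first sighting: pin it
		return "", nil
	}
	if prev == mac {
		return "", nil // consistent with the pinned binding
	}
	m.alerts[mac]++
	return fmt.Sprintf("ALERT: %s rebound from %s to %s (alert #%d from this MAC)", senderIP, prev, mac, m.alerts[mac]), nil
}

// Demo replays a constructed sequence: two legitimate bindings, then one station
// (a made-up MAC) claiming both IPs, as a poisoner does. Returns the alerts raised.
func Demo() []string {
	m, alerts := NewArpMonitor(), []string{}
	for _, r := range [][2]string{{"192.168.1.100", "00:11:22:33:44:55"}, {"192.168.1.101", "66:77:88:99:aa:bb"},
		{"192.168.1.100", "de:ad:be:ef:00:01"}, {"192.168.1.101", "DE:AD:BE:EF:00:01"}} {
		if a, err := m.Observe(r[0], r[1]); err == nil && a != "" {
			alerts = append(alerts, a)
		}
	}
	return alerts
}
```

Because the tool resends forged replies continuously, a deployed monitor would rate-limit repeats of the same alert; the per-MAC counter here is the hook for that.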

FTP Monitoring

  • Uses libpcap for packet capture
  • Filters traffic on ports 21 (control) and 20 (data)
  • Parses FTP commands and responses
  • Tracks connection states and file transfers

🚨 Troubleshooting

Common Issues

  1. Permission Denied

    # Ensure running with root privileges
    sudo ./inquisitor [options]

  2. Interface Not Found

    # Check available interfaces
    ip addr show
    # Tool auto-detects interface based on target IP

  3. No Traffic Captured

    # Verify network connectivity
    ping <target-ip>
    # Check if FTP traffic is actually flowing

📚 Educational Use Cases

  • Understanding ARP protocol vulnerabilities
  • Learning about man-in-the-middle attacks
  • Demonstrating insecure protocol risks (FTP)
  • Network security assessment training
  • Penetration testing methodology

🤝 Contributing

This is a proof-of-concept tool. Contributions for educational improvements are welcome:

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Submit a pull request

📄 License

This project is for educational purposes only. Use responsibly and only on networks you own or have explicit permission to test.


Remember: Always obtain proper authorization before testing on any network. Unauthorized network attacks are illegal and can result in serious legal consequences.
