Detecting ARP Poisoning and Responder with Powershell

ismail kaleem
1 min read, Apr 29, 2024

When you are on an unsecured network or suspect a man-in-the-middle (MITM), use the PowerShell script below to detect ARP poisoning. Apart from ARP poisoning, it can also be used to detect WPAD Responder spoofing.

while ($true) {
    # Resolve the IPv4 default gateway once per pass. A multi-homed host can have
    # several default routes, so take only the first one instead of letting an
    # array leak into the comparisons below.
    $gatewayIP = (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix 0.0.0.0/0 |
        Select-Object -First 1).NextHop

    # Get the MAC address the ARP cache currently holds for the gateway.
    # Get-NetNeighbor throws if the gateway has not been resolved yet, so suppress
    # that and skip the ARP check for this pass instead of crashing the loop.
    $gatewayMAC = (Get-NetNeighbor -IPAddress $gatewayIP -ErrorAction SilentlyContinue).LinkLayerAddress

    # Get the IPv4 ARP cache entries, excluding loopback
    $arpCache = Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne "127.0.0.1" }

    # Check for ARP spoofing: after a poisoning attack the gateway IP maps to the
    # attacker's MAC, and the attacker's own IP carries that same MAC, so a second
    # IP sharing the gateway's MAC is the indicator.
    $arpSpoofingDetected = $false
    if ($gatewayMAC) {
        foreach ($entry in $arpCache) {
            if ($entry.LinkLayerAddress -eq $gatewayMAC -and $entry.IPAddress -ne $gatewayIP) {
                $arpSpoofingDetected = $true
                break
            }
        }
    }

    # Check for WPAD responder spoofing. Note that a legitimately deployed WPAD
    # server also answers this URL with 200, so on a managed corporate network
    # this check fires by design; it is meant for networks that should not have WPAD.
    $wpadSpoofingDetected = $false
    try {
        # -UseBasicParsing avoids the Internet Explorer engine dependency in
        # Windows PowerShell 5.1 (harmless on PowerShell 7)
        $wpadResponse = Invoke-WebRequest -Uri "http://wpad/wpad.dat" -TimeoutSec 5 -UseBasicParsing
        if ($wpadResponse.StatusCode -eq 200) {
            $wpadSpoofingDetected = $true
        }
    }
    catch {
        # Ignore the exception if the request times out or fails
    }

    # Print alerts if spoofing is detected
    if ($arpSpoofingDetected) {
        Write-Host "ARP spoofing detected! The MAC address of the gateway is being used by another device." -ForegroundColor Red
    }
    if ($wpadSpoofingDetected) {
        Write-Host "WPAD responder spoofing detected! A rogue WPAD server is responding to WPAD requests." -ForegroundColor Red
    }
    if (-not $arpSpoofingDetected -and -not $wpadSpoofingDetected) {
        Write-Host "No spoofing detected." -ForegroundColor Green
    }

    # Wait for 5 minutes before the next check
    Start-Sleep -Seconds 300
}
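The script above looks at a single snapshot of the ARP cache and treats any HTTP 200 from `http://wpad/wpad.dat` as spoofing. The following is an added example, not part of the original post, that sharpens both checks: it compares the gateway's MAC against a baseline recorded while the network was trusted, reports every MAC claimed by more than one IP (not only the gateway's), and for WPAD checks how the name resolves rather than whether a file comes back. Responder answers LLMNR and NBT-NS for names that DNS does not know, so a `wpad` that fails a DNS-only lookup but succeeds over LLMNR/NetBIOS is a much stronger indicator than a 200 response, which any legitimate WPAD deployment also gives. The function names, the baseline variable and the sample ARP table are the example's own, and the sample table is constructed so the ARP part runs offline on any PowerShell host.

```powershell
# Added example (not the original post's script). Function names and sample data are
# this example's own assumptions.

function Get-DefaultGatewayIP {
    # First IPv4 default route by metric; a multi-homed host may have several.
    (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object RouteMetric | Select-Object -First 1).NextHop
}

function Find-ArpAnomalies {
    # $Neighbors: objects with IPAddress/LinkLayerAddress (Get-NetNeighbor output or
    # constructed test data). $BaselineMac: gateway MAC recorded on a trusted network.
    # Emits one object per finding; no output means nothing suspicious was seen.
    param(
        [Parameter(Mandatory)] [object[]]$Neighbors,
        [Parameter(Mandatory)] [string]$GatewayIP,
        [string]$BaselineMac
    )
    $gw = $Neighbors | Where-Object { $_.IPAddress -eq $GatewayIP } | Select-Object -First 1
    if (-not $gw) { return }

    # Finding 1: the gateway's MAC differs from the recorded baseline.
    if ($BaselineMac -and $gw.LinkLayerAddress -ne $BaselineMac) {
        [pscustomobject]@{ Type = 'GatewayMacChanged'; IP = $GatewayIP
                           Old = $BaselineMac; New = $gw.LinkLayerAddress }
    }

    # Finding 2: any MAC answering for more than one IP. Broadcast (FF-FF-...) and
    # IPv4 multicast (01-00-5E-...) entries legitimately repeat, so they are skipped.
    # A router that answers for several addresses can also trigger this, so treat
    # it as an indicator to investigate, not proof on its own.
    $Neighbors |
        Where-Object { $_.LinkLayerAddress -and $_.LinkLayerAddress -notmatch '^(FF-FF|01-00-5E)' } |
        Group-Object LinkLayerAddress |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Type = 'DuplicateMac'; MAC = $_.Name
                               IPs = ($_.Group.IPAddress -join ',') }
        }
}

function Test-WpadResolutionPath {
    # Compare the resolution paths for 'wpad'. -DnsOnly and -LlmnrNetbiosOnly are
    # real Resolve-DnsName switches from the DnsClient module (Windows only).
    $dns   = Resolve-DnsName -Name wpad -DnsOnly -ErrorAction SilentlyContinue
    $local = Resolve-DnsName -Name wpad -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ResolvesViaDns       = [bool]$dns
        ResolvesViaLlmnrNbns = [bool]$local
        LlmnrNbnsAnswer      = ($local | Where-Object IPAddress |
                                    Select-Object -ExpandProperty IPAddress -First 1)
        # DNS silent but a link-local protocol answered: the Responder pattern.
        Suspicious           = (-not $dns) -and [bool]$local
    }
}

# Constructed sample ARP table standing in for Get-NetNeighbor output. The gateway
# 192.168.1.1 and host 192.168.1.50 both carry AA-BB-CC-DD-EE-01, and the baseline
# recorded earlier was a different MAC: the shape of a poisoned cache.
$sampleNeighbors = @(
    [pscustomobject]@{ IPAddress = '192.168.1.1';   LinkLayerAddress = 'AA-BB-CC-DD-EE-01'; State = 'Reachable' }
    [pscustomobject]@{ IPAddress = '192.168.1.50';  LinkLayerAddress = 'AA-BB-CC-DD-EE-01'; State = 'Reachable' }
    [pscustomobject]@{ IPAddress = '192.168.1.20';  LinkLayerAddress = '00-11-22-33-44-55'; State = 'Stale' }
    [pscustomobject]@{ IPAddress = '192.168.1.255'; LinkLayerAddress = 'FF-FF-FF-FF-FF-FF'; State = 'Permanent' }
)
Find-ArpAnomalies -Neighbors $sampleNeighbors -GatewayIP '192.168.1.1' -BaselineMac '00-11-22-33-44-AA' |
    Format-Table -AutoSize

# Live use on Windows: record the baseline while the network is trusted, then poll.
# $baseline = (Get-NetNeighbor -IPAddress (Get-DefaultGatewayIP)).LinkLayerAddress
# Find-ArpAnomalies -Neighbors (Get-NetNeighbor -AddressFamily IPv4) `
#     -GatewayIP (Get-DefaultGatewayIP) -BaselineMac $baseline
# Test-WpadResolutionPath
```

Run against the constructed table, the ARP function reports both a changed gateway MAC and the duplicate MAC shared by 192.168.1.1 and 192.168.1.50, while the broadcast entry is ignored. The baseline approach matters because a single-snapshot check cannot tell a poisoned cache from a network where the gateway legitimately answers for two addresses; recording the MAC once on a trusted network and alerting on change is the same idea arpwatch uses. `Test-WpadResolutionPath` needs the Windows DnsClient module and a live network, which is why the demonstration calls are left commented.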
