Hey there, welcome to another section on this Python + Ethical Hacking course. In this section we’re going to be building our own ARP spoofing program.
Lets begin!
In the previous post, we looked at ARP, what it is and how we can use it to discover all the connected clients in the same network. ARP spoofing lets us redirect the flow of packets. meaning any data sent or receive from the target will flow through the attackers device.
If you don’t know how ARP works, I covered that in the Network Scanner section of this course, I encourage you to go read it.
ARP spoofing is possible because:
• The clients accepts responses even if they didn’t send any request.
• Clients trust the response without any form of verification.
This are the main weaknesses that gives way to ARP spoofing attacks.
So the attacker, tells the access point (router) that it is the target machine and tells the target, that it is the access point, every information flows through the attacker and the responses aren’t verified by either party.
Kali Linux comes with some tools that allow us to run ARP spoofing attacks, like arpspoof. We’re going to build our program quite similar to arpspoof and yes, we’re going to be using scapy, in case you thought that.
So, we’re creating an ARP packet here by using scapy.ARP and storing the values of the packet in a variable called packet. The fields of the packet is set in a way that it redirects the flow through your machine. This line is basically sending a packet to the victim, responding that we are the router, telling it that we have the routers MAC address.
The op field is set to 2, because we want to send a response packet not a request packet. Next is the destination IP and MAC address and finally the source IP is set to the router IP.
I’m going to send this packet in the air to fool the target computer into thinking that I am the router, the target computer is the Windows 10 we downloaded to virtual box in the previous post.
First, I’m going to print out .summary and .show of the packet to see the contents and how it’ll do the fooling of the target computer.
The type of the packet (op) is an “is at”, saying that a certain device is at a certain location. It’s source MAC address is hwsrc, which is the MAC address of my machine, as shown above, but the source IP, psrc, is the IP of the router. So this is how the target that receives the packet will associate the MAC address of my machine to the IP of the router, and the destination, pdst, is set to the target device. At the bottom is the result of the summary, saying this is an IP packet, with a type “at”, and 10.0.2.1 is at the given MAC address.
When this is sent to the Windows machine, it doesn’t verify, it just trust the response packet sent and will update it’s ARP table, updating the IP of the router with the MAC address of my machine. So every time it wants to communicate with the router, it’ll be communicating with eth0 (which is my machine) and I’ll be able to spy and redirect the flow of packets through my computer.
All we’ve done so far is create the packet and gotten the summary of what it does, now lets send the packet. Before I do that, here’s the virtual windows machine (The target), showing the ARP table, associating the IP of the router with the routers MAC address. Once we run the attack, it will associate the IP of the router, with that of my Kali machine.
Now, I’ll run the code to send the packet.
As you can see, it tells us one (1) packet has been sent. Now, lets check the target ARP table again and see if there’s been any change.
It did change the MAC address of the router, to the MAC address of my Kali machine. So now the target computer, thinks that the router is the Kali machine, and anytime the target wants to access the internet, it goes to the Kali machine thinking it’s the router..
Next, we have to tell the router that we are the target machine and we can do that, the same way we sent the response to the target machine. Instead of duplicating the line, I’ll just create a function out of it, so it’s reusable. Where the spoof_ip is the IP we’re pretending to be, and the target_ip is obviously the target IP.
So how do we go about having a variable for the target MAC?
Simple, we refer back to our network scanner we built, where we defined a function to get the MAC address of an IP address, after scanning. So, I’ll head over to my network scanner program, copy and paste the function in my spoofing program and modify it.
If you went through the network scanner post and you remember, I said the loop (if), will iterate over each element in the answered list and for every element, print the IP and MAC address.
Now, we’re doing, answered_list[0][1].hwsrc. Where answered_list[0], is equivalent to the element because, it selects the first element and [1].hwsrc, is to select the MAC address.
As you can see, it’s giving me the MAC address of the router.
We don’t need to print the MAC, I just did, so you see that the code works, so I’m going to switch print for return. So when the code is run and if everything works fine, it’ll return the MAC address of the IP we give it. Now, we can use it in the spoof code and replace the MAC address.
Now, we need to use the function twice to tell the victim we’re the router and the router that we’re the victim, putting us in the middle of the connection, redirecting all packets sent or received by the target to our machine.
The first spoof tells the target, I’m the router and the next line, tells the router, I’m the target. Before running our code, I’m going to switch over to the target machine (Windows), and run the “arp -a” command, so you see that the ARP table is in it’s normal state.
NB: To get the IPs, you can use the scanner program we built in the last post, which is what I did and to confirm the router IP, use “router -n” command.
It says, it sent two (2) packets, one (1) to the target and the other to the router. Now lets see our target ARP table again.
So now, the target machine thinks I’m the router and the router thinks I’m the target machine.
We only sent one packet to fool both the target machine and the router, so if we open the browser in the target machine and attempt to visit any site, the ARP table will reset back to normal. So to stay as the man in the middle and maintain fooling both sides, we need to keep sending the packets for the period we want to fool them. Meaning we need to modify our code to keep executing and sending out packets, until we tell it to stop. To do this, we’re going to use a while loop.
A while loop, takes a condition and for as long as the condition persists, it’ll execute the loop body
In our case we have no condition, meaning that the loop body will keep executing as long as our program is working. So we don’t send way too many packets, we’ll add a delay to the loop.
for this, we’ll have to import the time module.
When our program executes, the condition in the while loop will keep executing but will stop for two (2) seconds after executing both spoofs and start the loop again and again. This will keep executing, until we press ctrl + c, fooling the target and the router for as long as the program runs.
Well, you can’t see that it sleeps for two (2) seconds, obviously but I hope, you actually try it out.
Now, that we’ve managed to fool both parties, we need to direct the data to and from the target machine or router, to each other. We’re actually blocking the flow of data and the target machine won’t be able to access the router and vice versa, unless we allow packets to flow through our machine. This has nothing to do with Python, we have to enable IPv4 forwarding to allow packets to flow through our computer without dropping them. To do this, we need to run the following command “echo 1 > /proc/sys/net/ipv4/ip_forward”.
Now, if you check your target machine, you’re still the man in the middle, even after visiting a site.
Alright, we have a couple of thugs left to make our program function perfectly, and one of them is getting an understandable print output. If you noticed, our output is just “sent 1 packet”, and we can’t tell how many packets in total is sent and it looks positively terrible. So we’re going to create a variable for the counting the number of packets and a print statement of understandable English of what’s happening.
Here’s the output:
First of all, the value of the variable sent_packets_count is set to zero (0), before the loop begins, where the loop keeps executing until it’s killed, then after running both spoof line of code, it adds two (2) to the number in the sent_packets_count. While printing that and it sleeps for two (2) seconds and the loop begins again.
Now, we’re going to learn how to go about dynamic print statements. Even though our output is nice, it’ll still overflow and to avoid that we need to use dynamic print statement.
So, instead of printing a new line every time the loop runs, the message prints out “Packets sent:” and the number of packets increases in front of that single line.
We simply need to tell the print function not to append a print character at the end of the line. To do that, we just place an argument “end” after our print statement, and place the “\r” to the front of the print statement, to start printing at the line. Like this:
When we quit our program from running using ctrl + c, it displays and error message, so we need to fix this error. We can do this by adding a keyboard interrupt exception to our code, so we’ll wrap our while loop in the try code and use the except code for the keyboard interruption.
We’re using a try/except statement, the try takes the while cdoe and executes but will not execute the exception part, unless the exception is met.
We’ll be practicing more on the try/except statement as we move along building our tools, so don’t worry if you don’t get it right now, I promise as we go along, you will.
OK, we have to return the ARP table of the target machine when we’re done. So to stop fooling the target and the router, we have to send two (2) ARP responses, the same way that we did to fool the target and router. This time, we’ll be sending the response to give them the right addresses. In other to do this, we’ll have to define a function.
So, we created an ARP response because the op is set to two (2), we also set the destination_ip to the IP of the first argument and the destination MAC address to the destination_mac, using the get_mac function to get it. Then we set the source_ip to the IP, to the IP stored in the second variable. All of this is identical to the ARP packet that does the spoofing, except for the last field, which sets the MAC address to the original MAC (the MAC of the source_ip), which we get using the get function, by giving it the source_ip
Whenever the user hits crtl +c, the ARP table is restored to normal.
Here’s the finished program:
I’m leaving the getting of the user input for the target_ip and gateway_ip, to you. If you have some problem figuring it out, you can check the previous post (we did the same thing there), google it or reach out to me on Telegram and I’d be willing to assist you.
If you have any comment, feedback or a program you’d like me to build (relating to hacking), just leave a message in the comment section and I’ll get back to you.
Coming up next, is how we can read the information we intercepted with our ARP spoofing program, using a packet sniffer that we’ll build.
Until next time, Keep learning. Keep hacking. And don’t forget to breathe!
Phoenix Information Security 