The following repository is part of a workshop that reflects a way of performing LAN network attacks.
The spoofing.py script performs an ARP spoofing attack with the help of Scapy, a Python package for packet crafting.
The ARP spoofing attack is the foundation for intercepting connections between different users on the same subnet. Basically the script is going to perform a MITM connection instead of performing an original connection. The ARP packet allows the users to identify themself on a network, computers do not understand IP addresses, and for that, every machine has an ARP table which contains the MAC addresses and their corresponded IP address for each element on the LAN.
The whole idea is send responses ("malformed packets") to the router and to the victim telling that the router is the MAC address of the attacker machine, this will change the whole data flow and the victim's traffic will be forwarded to the attacker machine.
For this example, I used a Windows 10 machine (192.168.1.130) as the victim, and a Kali machine as the attacker (192.168.1.111). The router used the GW Ip address (the 192.168.1.1)
Basically, its something like the following:
- The
victimasks for theMAC addressof therouter - Sends a request, and the machine with that particular
MAC addresswill respond - The
victimPC will update itsARP tablewith theMAC addressof the requested machine - The
ARP spoofinggenerates a communication between the victim and the attacker (tricking the user by saying that we are the router) - Later we can sniff communications on the
LAN networkand check fornon-encrypted datapassed
Using Scapy lets you craft or construct your own packets, sending it by your own needs, this means that we can manipulate request data, responses and plenty more.
Internally does the following.
- Creates an Ethernet broadcast package using the
router MAC address - AN
ARP packetis created with therouter IP destination - Another packet is created, and it concatenates both the
Etherand theARP. This is sent to the network (to therouteractually) - The victim will receive the
router'shwsrc(hardware source) MAC address. This part is tricky because thesourceelement is the router, it is the response, with that value, we are able to perform the second part of the MITM
Just we need to create a malformed packet which flip the hwsrc and hwdst, this will let you fool the ARP table, by telling that the router MAC address is our MAC address.
When the complete MITM cycle is done, the victim machine will lose internet connection, this makes the attack very obvious. The victim can check the ARP table with the arp -a command and see what's going on with the router. Basically this attack results in a DoS to the whole LAN network
So, for this particular scenario, we can forward the traffic letting the router act as well, the victim machine will resolve the internet connection and the attacker will have the capability to persist the ARP spoofing.
Check the /proc/sys/net/ipv4/ip_forward, on the attacker machine, if the value is 0, which means that the interface is not supporting the network forwarding.
Do echo 1 > /proc/sys/net/ipv4/ip_forward and run the script again.
Check and correct (if necessary) the hard-coded IP addresses, give execution permissions and run the file, like:
./spoofing.py
Once the program is interrupted, the restoring function is triggered. (Default MAC addresses)
Simple, just.
virtualenv -p python3 <name_of_the_env>
Important: check the requirements.txt for dependencies