r"""ARP MitM: poison two targets' ARP caches

:param ip1: IPv4 of the first machine
:param ip2: IPv4 of the second machine
:param mac1: MAC of the first machine (optional: will ARP otherwise)
:param mac2: MAC of the second machine (optional: will ARP otherwise)
:param broadcast: if True, will use broadcast mac for MitM by default
(
ip1, # type: str
ip2, # type: str
mac1=None, # type: Optional[Union[str, List[str]]]
mac2=None, # type: Optional[Union[str, List[str]]]
broadcast=False, # type: bool
target_mac=None, # type: Optional[str]
iface=None, # type: Optional[_GlobInterfaceType]
inter=3, # type: int
)
| 895 | |
| 896 | @conf.commands.register |
| 897 | def arp_mitm( |
| 898 | ip1, # type: str |
| 899 | ip2, # type: str |
| 900 | mac1=None, # type: Optional[Union[str, List[str]]] |
| 901 | mac2=None, # type: Optional[Union[str, List[str]]] |
| 902 | broadcast=False, # type: bool |
| 903 | target_mac=None, # type: Optional[str] |
| 904 | iface=None, # type: Optional[_GlobInterfaceType] |
| 905 | inter=3, # type: int |
| 906 | ): |
| 907 | # type: (...) -> None |
| 908 | r"""ARP MitM: poison 2 target's ARP cache |
| 909 | |
| 910 | :param ip1: IPv4 of the first machine |
| 911 | :param ip2: IPv4 of the second machine |
| 912 | :param mac1: MAC of the first machine (optional: will ARP otherwise) |
| 913 | :param mac2: MAC of the second machine (optional: will ARP otherwise) |
| 914 | :param broadcast: if True, will use broadcast mac for MitM by default |
| 915 | :param target_mac: MAC of the attacker (optional: default to the interface's one) |
| 916 | :param iface: the network interface. (optional: default, route for ip1) |
| 917 | |
| 918 | Example usage:: |
| 919 | |
| 920 | $ sysctl net.ipv4.conf.virbr0.send_redirects=0 # virbr0 = interface |
| 921 | $ sysctl net.ipv4.ip_forward=1 |
| 922 | $ sudo iptables -t mangle -A PREROUTING -j TTL --ttl-inc 1 |
| 923 | $ sudo scapy |
| 924 | >>> arp_mitm("192.168.122.156", "192.168.122.17") |
| 925 | |
| 926 | Alternative usages: |
| 927 | >>> arp_mitm("10.0.0.1", "10.1.1.0/21", iface="eth1") |
| 928 | >>> arp_mitm("10.0.0.1", "10.1.1.2", |
| 929 | ... target_mac="aa:aa:aa:aa:aa:aa", |
| 930 | ... mac2="00:1e:eb:bf:c1:ab") |
| 931 | |
| 932 | .. warning:: |
| 933 | If using a subnet, this will first perform an arping, unless broadcast is on! |
| 934 | |
| 935 | Remember to change the sysctl settings back.. |
| 936 | """ |
| 937 | if not iface: |
| 938 | iface = conf.route.route(ip1)[0] |
| 939 | if not target_mac: |
| 940 | target_mac = get_if_hwaddr(iface) |
| 941 | |
def _tups(ip, mac):
    # type: (str, Optional[Union[str, List[str]]]) -> Iterable[Tuple[str, str]]
    """Build the list of ``(ip, mac)`` pairs for one side of the exchange.

    :param ip: address (or address set) of the machine(s) on this side
    :param mac: a single MAC, a list of MACs, or None when unknown
    :returns: a list of ``(ip, mac)`` tuples

    ``broadcast`` and ``iface`` are read from the enclosing ``arp_mitm``
    scope; they are not parameters of this helper.
    """
    if isinstance(mac, list):
        # Several MACs were supplied: pair each of them with the same ip.
        return [(ip, hwaddr) for hwaddr in mac]
    if mac is not None:
        # A single MAC was supplied: use it as is.
        return [(ip, mac)]
    if broadcast:
        # ip can be a Net/list/etc and will be iterated upon while sending
        return [(ip, "ff:ff:ff:ff:ff:ff")]
    # No MAC and no broadcast: resolve actively. This is the arping step the
    # enclosing docstring warns about; it puts ARP requests on ``iface``, and
    # only the entries in the answered list ([0]) produce a pair.
    answered = arping(ip, verbose=0, iface=iface)[0]
    resolved = []
    for exchange in answered:
        resolved.append((exchange.query.pdst, exchange.answer.hwsrc))
    return resolved
| 954 |