Tags: python, security, network-programming, scapy, man-in-the-middle

Unable to use scapy as a bridge among interfaces


I'm trying to perform a transparent MITM attack with scapy. I've got an Ubuntu machine with two network interfaces, each connected to a machine. Those machines have addresses in the same subnet and operate correctly when directly connected. The objective is to be totally transparent, using both interfaces with no IP address and in promiscuous mode.

The implementation I'm using is the following:

from scapy.all import conf, sendp, sniff

def pkt_callback(pkt):
    # Forward every frame sniffed on one interface out of the other one.
    if pkt.sniffed_on == "enp0s3":
        sendp(pkt, iface="enp0s8", verbose=0)
    else:
        sendp(pkt, iface="enp0s3", verbose=0)

def enable_bridge():
    # Sniffing on a list of interfaces sets pkt.sniffed_on on each packet.
    sniff(iface=["enp0s3", "enp0s8"], prn=pkt_callback, store=0)

if __name__ == "__main__":
    conf.sniff_promisc = True
    enable_bridge()

This is not all the code, but it is the main routing part... I can see that packets arrive at both interfaces, but there is no pinging from one machine to the other... Any idea how to make this work?

Thanks in advance.

EDIT 1:

The full implementation here:

from scapy.all import *
from utils import interfaces, addresses
#from routing import *
from packet_filters import is_mms_packet
from attacks import performAttack
import sys
import os
import time
import datetime

def writePacketInDisk(pkt):
    # Append the packet to one pcap per day, e.g. network_logs/network-log-2017-May-03.pcap
    today = datetime.date.today()
    wrpcap("network_logs/network-log-" + today.strftime("%Y") + "-"
           + today.strftime("%B") + "-" + today.strftime("%d") + ".pcap",
           pkt, append=True)

def pkt_callback_PLC_OPC(pkt):
    # xfrm12 callback: returning True forwards the packet unchanged.
    ret = True
#   if is_mms_packet(pkt):
#       writePacketInDisk(pkt)
    #ret = performAttack(pkt)
    return ret

def pkt_callback_OPC_PLC(pkt):
    # xfrm21 callback: returning True forwards the packet unchanged.
    ret = True
#   if is_mms_packet(pkt):
#       writePacketInDisk(pkt)
    #ret = performAttack(pkt)
    return ret

def enable_bridge():
    print("hello!!")
    bridge_and_sniff(interfaces["plc-ccb"], interfaces["opc"],
                     xfrm12=pkt_callback_PLC_OPC, xfrm21=pkt_callback_OPC_PLC,
                     count=0, store=0)
    #prn = lambda x: x.summary()
    print("bye!!")

if __name__ == "__main__":
    conf.sniff_promisc = True
    enable_bridge()

This is definitely not working... Is the code correct? Maybe my VM is too slow for this task?


Solution

  • This code is correct and should work. You should update to the current development version of Scapy (https://github.com/secdev/scapy/) and see whether the problem was related to an old bug.

    As a side note, you can directly use bridge_and_sniff("enp0s3", "enp0s8") instead of writing your own function.