Scapy Tutorial - Part 1 - ARP
Since I CAN'T post this stuff in the normal tutorial area (just subscribed), I guess I'll post it right here.
I downloaded a great new tool called Scapy, which permits packet forging under Linux.
I didn't see much information or tutorials about it, so I decided to write one myself.
To FULLY understand this tutorial, it would be better to have a basic understanding of the OSI layers.
In this part of the tutorial, we will cover (a bit of) the ARP protocol.
An ARP-spoofing packet can be created with the following command:
"Ether(dst='00:15:F20:46:40')/ARP(hwsrc='00:11:22:33:44:55', pdst='192.168.3.95', psrc='192.168.3.66', op=1)"
dst of Ether is only layer 2 related: ARP doesn't give a shit about that parameter
hwsrc of ARP is the MAC you want to be in the remote ARP table
pdst of ARP is the IP (the real one!) of the remote machine whose ARP table you want to infect
psrc of ARP is the (fake) IP you want to be in the remote ARP table
To send the packet, please use the iface="ethX" option with the command sendp (layer 2).
A packet named 'arp_spoof' will already be instantiated from the session file.
An ARP query ("who-has") packet can be created with the following command:
"ARP(pdst='192.168.3.95', psrc='192.168.3.1', op=1)"
pdst = the IP you want the MAC address of
psrc = if you want to receive the answer while NOT being in promiscuous mode.
BEWARE: not setting a real IP will poison the ARP table of the remote computer, which is not THAT bad because the IP doesn't exist, but still...
To send the packet, use a layer 3 sending function, like:
sr(ARP(pdst='192.168.3.95', psrc='192.168.3.1', op=1))
A packet named 'arp_query' should already be instantiated from the session file.
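An added example, not from the original post or from Scapy itself: a pure-Python decoder for the Ether/ARP frames built above, plus a small watcher that flags what the spoof packet from this post looks like on the wire (an ARP hwsrc that differs from the Ethernet source, which happens when Ether(src=...) is left unset, and an IP that suddenly claims a new MAC). The gateway and attacker-NIC MACs are constructed sample values.

```python
import struct
from collections import namedtuple

ETH_P_ARP = 0x0806
Arp = namedtuple("Arp", "eth_dst eth_src op hwsrc psrc hwdst pdst")

def mac2b(m): return bytes.fromhex(m.replace(":", ""))
def b2mac(b): return ":".join(f"{x:02x}" for x in b)
def ip2b(ip): return bytes(int(o) for o in ip.split("."))
def b2ip(b): return ".".join(str(x) for x in b)

def build_arp_frame(eth_dst, eth_src, op, hwsrc, psrc,
                    hwdst="00:00:00:00:00:00", pdst="0.0.0.0"):
    """Ethernet II + ARP with the same wire layout Ether()/ARP() produce (hwtype=1, ptype=IPv4)."""
    eth = mac2b(eth_dst) + mac2b(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac2b(hwsrc) + ip2b(psrc) + mac2b(hwdst) + ip2b(pdst))
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame; return None for anything that is not well-formed IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hwtype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hwtype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(b2mac(frame[0:6]), b2mac(frame[6:12]), op, b2mac(frame[22:28]),
               b2ip(frame[28:32]), b2mac(frame[32:38]), b2ip(frame[38:42]))

class ArpWatch:
    """Tracks IP->MAC bindings seen on the wire (requests and replies both carry a sender binding)."""
    def __init__(self):
        self.bindings = {}
    def observe(self, frame):
        a = parse_arp_frame(frame)
        if a is None:
            return []
        alerts = []
        if a.eth_src != a.hwsrc:  # forged hwsrc usually disagrees with the NIC that sent the frame
            alerts.append(f"hwsrc {a.hwsrc} differs from Ethernet source {a.eth_src}")
        old = self.bindings.get(a.psrc)
        if old and old != a.hwsrc:  # classic cache-poisoning signature: an IP moves to a new MAC
            alerts.append(f"{a.psrc} changed from {old} to {a.hwsrc}")
        self.bindings[a.psrc] = a.hwsrc
        return alerts

def sample_alerts():
    """Constructed traffic: a real who-has from 192.168.3.66, then the spoof packet from this post."""
    gw, attacker_nic, target = "00:0c:29:aa:bb:cc", "00:0c:29:11:11:11", "00:0c:29:dd:ee:ff"
    legit = build_arp_frame("ff:ff:ff:ff:ff:ff", gw, 1, gw, "192.168.3.66", pdst="192.168.3.95")
    spoof = build_arp_frame(target, attacker_nic, 1, "00:11:22:33:44:55", "192.168.3.66", pdst="192.168.3.95")
    w = ArpWatch()
    return w.observe(legit), w.observe(spoof)
```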
Nice tutorial... one word of advice:
That is *not* a tutorial. That is an explanation of ARP spoofing that can be found literally everywhere.
I would like to see a tutorial made by you on editing the ARP packet manually and sending it over the network... that will teach yourself first and, possibly, the others second.
Nice try at helping, though - keep the spirit up.
For ARP spoofing you can also use
arpcachepoison(target_IP, victim_IP, interval=5)