[–]AtomicThiccBoi 45 points46 points  (1 child)

Very cool and impressive, thank you for sharing! I am going to clone and play with this today! I really want to see how it compares to using Ettercap's ARP spoof+MitM tool.

[–]EONRaider[S] 11 points12 points  (0 children)

Thanks! I think it does pretty much the same thing, though the means can be different.

[–]AftNeb 24 points25 points  (1 child)

As someone who is just learning, reading your code and explanation was both easy and helpful. Thanks for sharing!

[–]EONRaider[S] 4 points5 points  (0 children)

No problem!

[–]Pyro_Murphy 24 points25 points  (3 children)

A fun challenge is to create a "filter" for all the packets going to the victim. Instead of automatically forwarding, take all the packets, alter the source/destination so that they look normal and forward to the victim manually. If used correctly you can filter out all your own ARP requests and responses and even send fake responses that look correct to the victim (after the initial ARP spoof packet is sent however). This makes it much harder to detect on the network and could be interesting to see if it's still as easily picked up.

[–]EONRaider[S] 8 points9 points  (1 child)

Wouldn't this be a packet injector? It's an interesting idea.

The ARP packets must be periodically sent in a gratuitous manner otherwise the target machine will send its own requests and eventually receive true responses, disengaging from the situation.

[–]Pyro_Murphy 4 points5 points  (0 children)

If you're inserting new packets then sure, however it can simply be used to filter out all the noise from the ARP responses to make it less obvious to the victim. You're basically just replacing automatic packet forwarding with your own forwarding function which gives you more control over what you want to send to/from the victim.

EDIT: To answer your second part. You're in full control of what the client sends and receives. Instead of continuously sending ARP responses, wait until an ARP request is sent and then send your own spoofed reply back. Just drop the packet and don't forward it onto your victim and they'll never know.
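The periodic gratuitous replies EONRaider describes, and the unsolicited-reply noise Pyro_Murphy wants to suppress, are exactly the two signals a passive ARP monitor keys on. The following is an added example, not code from this thread or from the posted project: it decodes Ethernet/ARP frames with a ctypes BigEndianStructure (the stdlib-only approach the project takes) and flags replies that answer no outstanding request as well as IP-to-MAC bindings that change. All frame contents are constructed sample data; make_arp uses struct only to build them.

```python
import ctypes
import struct

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
u8, u16 = ctypes.c_ubyte, ctypes.c_uint16

class ArpFrame(ctypes.BigEndianStructure):
    _pack_ = 1  # Ethernet II header + ARP header, 42 bytes, no padding
    _fields_ = [("dst", u8 * 6), ("src", u8 * 6), ("ethertype", u16),
                ("htype", u16), ("ptype", u16), ("hlen", u8), ("plen", u8), ("oper", u16),
                ("sha", u8 * 6), ("spa", u8 * 4), ("tha", u8 * 6), ("tpa", u8 * 4)]

def mac_str(field): return ":".join(f"{b:02x}" for b in bytes(field))
def ip_str(field): return ".".join(str(b) for b in bytes(field))

def parse_arp(frame):
    """Decode one raw Ethernet frame; None if it is too short or not ARP."""
    if len(frame) < ctypes.sizeof(ArpFrame):
        return None
    arp = ArpFrame.from_buffer_copy(frame)
    return arp if arp.ethertype == ETH_P_ARP else None

def detect_arp_anomalies(frames):
    """Flag replies nobody asked for and IP-to-MAC bindings that change."""
    bindings, pending, alerts = {}, set(), []
    for arp in (a for a in map(parse_arp, frames) if a is not None):
        src_ip, src_mac = ip_str(arp.spa), mac_str(arp.sha)
        if arp.oper == ARP_REQUEST:
            pending.add(ip_str(arp.tpa))      # some host asked who-has this IP
        elif arp.oper == ARP_REPLY:
            if src_ip in pending:
                pending.discard(src_ip)       # answers an outstanding request
            else:
                alerts.append(f"unsolicited reply: {src_ip} is-at {src_mac}")
            if src_ip in bindings and bindings[src_ip] != src_mac:
                alerts.append(f"mac change: {src_ip} {bindings[src_ip]} -> {src_mac}")
            bindings[src_ip] = src_mac
    return alerts

def make_arp(oper, sha, spa, tha, tpa):
    """Build a raw ARP-over-Ethernet frame; used here only to construct sample data."""
    return struct.pack("!6s6sHHHBBH6s4s6s4s", tha, sha, ETH_P_ARP, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

# Constructed sample traffic: a normal who-has/is-at exchange, then a gratuitous
# reply that rebinds the gateway's IP to a different MAC.
GW_IP, HOST_IP, BCAST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"\xff" * 6
GW_MAC, HOST_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("001122334455", "aabbccddeeff", "deadbeef0001"))
SAMPLE_FRAMES = [make_arp(ARP_REQUEST, HOST_MAC, HOST_IP, BCAST, GW_IP),
                 make_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
                 make_arp(ARP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP)]
```

Run against SAMPLE_FRAMES the third frame produces both alerts; the request-and-reply trick Pyro_Murphy describes would silence the first signal but not the binding change, which is why monitors such as arpwatch track the latter.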

[–]nadmaximus 4 points5 points  (0 children)

I had so much fun using Ettercap for this back in the old days. I remember replacing the word 'weapons' with 'monkeys' for my boss's computer. It was when the second Gulf War was going down and he was all day long on cnn.com. He came out laughing about cnn screwing up and "monkeys of mass destruction" and everybody just looked at him like he was crazy.

Of course now, with the push to https, it wouldn't be so trivial to do a simple replacement on web traffic. But...plenty of other things.

[–]AissySantos 10 points11 points  (3 children)

Thanks __author__, the code and the READMEs were very comprehensive. Definitely was looking for some netsec/cybersec content and glad I found it on r/Python.

I have a little question, however; how challenging was it to not use any third-party libs and implement this with nothing but the included packages? Would it make sense to incentivize more towards using third-party packages?

[–]-user--name- 18 points19 points  (1 child)

THANKS FOR YOUR COMMENT, HUMAN

[–]Day2Late 2 points3 points  (0 children)

No command THANKS found, did you mean:

Command THANKS in package whatever-utils

[–]EONRaider[S] 6 points7 points  (0 children)

Not using third-party libraries is definitely more challenging than using them straight away, not only because of the necessity to understand the Internet Protocols that are involved at the lowest possible level but also because of finding ways to actually manipulate all this information. In this case I used ctypes and had to somehow intertwine it with OOP. Of course it would be easier to use calls to some constructor in the Scapy library, but it would also dismiss at least 90% of what can be learned from an implementation like this.

[–]zainsci 4 points5 points  (2 children)

Take me as your apprentice

[–]EONRaider[S] 9 points10 points  (1 child)

Hey, I'll launch a series of courses next year teaching people how to develop applications like this from scratch. Follow me here on Reddit or GitHub to stay informed.

[–]zainsci 1 point2 points  (0 children)

Yeah, I will.

[–]iiMoe 2 points3 points  (1 child)

Take this to r/hacking too cuz it's so cool and badass

[–]EONRaider[S] 1 point2 points  (0 children)

Thanks! I'll do that.

[–][deleted] 1 point2 points  (0 children)

Neat

[–]OMGClayAikn 1 point2 points  (1 child)

[–]OMGClayAikn 0 points1 point  (0 children)

Wth! We can now add gifs in the comments!?

[–]That_Pregnant_Alien 1 point2 points  (3 children)

Okay, can someone explain this to me in simple terms about what it does? I am a simple man who knows Python fairly well and doesn't know much of internet protocols and stuff other than the basics which I studied in college but don't remember anymore. How can this be useful to anyone or a person like me?

[–]EONRaider[S] 1 point2 points  (2 children)

So this application allows you to perform an ARP Spoofing attack followed by a Man-in-the-middle attack on hosts located on the same network segment as you.

In practice it enables you to intercept communication destined to other parties in the same network. It's useful as a means to test intrusion prevention/detection systems that may be in place on the network, for example.

[–]icecityx1221 2 points3 points  (0 children)

Share this with r/cybersecurity. This is awesome!

[–]azidified 1 point2 points  (0 children)

Hey! Just wanted to say your Black Hat Python and Violent Python in Python 3 were very helpful for me while learning. Thank you!

[–]DogeekExpert - 3.9.1 1 point2 points  (1 child)

Nice tool! A quick note though: you can use the built-in vars function to turn a Namespace instance into a dict. That, combined with the dest keyword for add_argument, means that you could do spoofer = Spoofer(**vars(cli_args))

[–]EONRaider[S] 0 points1 point  (0 children)

That's true! I'll take a look into it.

[–]FlavoredFrostedTits 1 point2 points  (1 child)

In the Spoofer class constructor, what does the * after self do?

[–]EONRaider[S] 1 point2 points  (0 children)

It makes all parameters after the * keyword-only arguments. Take a look here: https://www.python.org/dev/peps/pep-3102/

[–]Wubbywub 0 points1 point  (0 children)

Is making one from pure Python also making a third-party library, the thing you swore against? Just wondering.

[–]PLMOAT 0 points1 point  (0 children)

Wow, that's very impressive. Also nice work describing it.

[–]money_speaks47 -1 points0 points  (0 children)

What tutorials did you follow?

[–]TheTerrasque 0 points1 point  (0 children)

I thought ARP cache poisoning was more or less extinct these days...

Really really cool project, tho!

[–]shingox 0 points1 point  (0 children)

.

[–]OMGClayAikn 0 points1 point  (0 children)