I am trying to act as a fake machine that sends ARP requests to my host (as well as other machines on a specific network using a specific interface). Here's my code snippet to spam a specific host IP address on a specific interface with ARP requests, from a fake MAC address/IP address:

```python
import scapy.all  # also loads scapy.layers.l2 (Ether, ARP)
import threading
import time
import argparse


def arp_sender(iface, host_ip, guest_ip, guest_mac):
    # ARP request asking for host_ip, with guest_ip as the sender address.
    arp_req = scapy.layers.l2.ARP(psrc=guest_ip, pdst=host_ip)
    # Broadcast Ethernet frame carrying guest_mac as its source.
    bcast = scapy.layers.l2.Ether(
        src=guest_mac, dst='ff:ff:ff:ff:ff:ff')
    arp_req_bcast = bcast / arp_req
    # Send the same frame on the chosen interface every two seconds.
    while True:
        time.sleep(2)
        scapy.all.sendp(arp_req_bcast, iface=iface)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('--iface', '-i', required=True)
    parser.add_argument('--host-ip', required=True)
    parser.add_argument('--guest-ip', required=True)
    parser.add_argument('--guest-mac', required=True)
    args = parser.parse_args()
    th = threading.Thread(target=arp_sender, args=(
        args.iface, args.host_ip, args.guest_ip, args.guest_mac
    ))
    th.start()
    th.join()
```

While sniffing the responses in Wireshark, other hosts on the same network do respond to the ARP requests, but not my host, where the fake machine that sends ARP requests resides. I also tried to send ARP requests to a VirtualBox machine in my host and got no response either. Is there something wrong with the way I am sending layer 2 packets using Scapy, or is there something else I need to do in my host to accept incoming packets from my script?

Edit

Tested on a Windows 10 host. While testing, I have disabled all firewalls (private, public, and domain).

falhumai96

1 Answer

I originally misunderstood and thought this was a problem with the virtual machine.

The host machine is detecting a conflict based on the sender address (itself) and in this case apparently not responding to the ARP request. I'm not that knowledgeable about how Windows handles ARP conflicts, but it should be one of the options specified in RFC 5227 section 2.4:

At any time, if a host receives an ARP packet (Request or Reply) where the 'sender IP address' is (one of) the host's own IP address(es) configured on that interface, but the 'sender hardware address' does not match any of the host's own interface addresses, then this is a conflicting ARP packet, indicating some other host also thinks it is validly using this address. To resolve the address conflict, a host MUST respond to a conflicting ARP packet as described in either (a), (b), or (c) below:

I'm not sure why it's not sending to the vbox machine though. Are you sending the ARP request to the vbox machine immediately after trying the host? If so, Windows may just be ignoring any ARP requests from the MAC and IP address it has detected a conflict with.

WindowsNT
  • @falhumai96 Which VirtualBox network mode are you using? There's a list of them a couple of paragraphs from the top here: https://www.nakivo.com/blog/virtualbox-network-setting-guide/ Are you able to use the "bridged adapter" mode? That may or may not require admin privileges though. If you can, please try it and check what IP the guest gets and try sending ARP requests to that IP – WindowsNT Feb 24 '20 at 04:17
  • I am using a "bridged mode" to my LAN network. The Virtualbox VM is accessible to my LAN as well as my host. The problem is that the fake ARP spam machine I created using Scapy doesn't get any responses from my host nor my Virtualbox VM, but it does get replies from hosts outside my host on the same LAN (say, I ping a Raspberry Pi controller in the same LAN). – falhumai96 Feb 24 '20 at 04:33
  • The main intent behind this question is to solve a problem I raised in this Stack Overflow question: https://stackoverflow.com/questions/60295128/create-a-qemu-bridge-using-the-socket-networking-backend. – falhumai96 Feb 24 '20 at 04:33
  • @falhumai96 Just for clarification, the ARP spamming machine is in QEMU and the virtualbox machine is the one you're trying to reach? If so, you may want to specify that in your question (As well as the information you gave above) and give it a QEMU tag since that's more relevant. I was under the impression the ARP spammer was vbox until I read your linked question. – WindowsNT Feb 24 '20 at 05:20
  • In this case, the ARP spamming script is in my host. It is meant to replicate the issue I am seeing in the `scapy_br.py` in the linked question. This question is not directly linked to QEMU per se, but rather how I would communicate between my host (or another VM within the host) and Scapy on a specific interface. – falhumai96 Feb 24 '20 at 05:47
  • That is why I did not want to add the QEMU tag in the question, as the main intent is the communication channel between Scapy (or WinPcap/Npcap on Windows, libpcap on Unix) and the same host running the Scapy script. – falhumai96 Feb 24 '20 at 05:49
  • Oh, my bad. I accidentally confused 'fake' with 'virtualbox' 1 line below in the last paragraph and thought you had a virtual machine trying to pretend to have a different IP. You're right. It's not a problem with QEMU or Vbox. Is this any help to you? https://serverfault.com/questions/219837/why-my-laptop-sends-arp-request-to-itself – WindowsNT Feb 24 '20 at 06:25
  • Why curl Windows does not support specific "--interface"? – CS QGB Jan 05 '23 at 08:28
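
The conflict rule quoted from RFC 5227 section 2.4 in the answer can be checked against captured frames. The following is an added example, not part of the original posts: it parses raw Ethernet/ARP frames with the standard library and flags those whose sender IP is one of the monitoring host's own addresses while the sender MAC is not. The helper names, addresses and sample frames are constructed for illustration.

```python
import socket
import struct

ETH_P_ARP = 0x0806
# Constructed values (RFC 5737 documentation range, locally administered MACs).
OWN_IPS = {"192.0.2.10"}
OWN_MACS = {"02:00:00:00:00:01"}  # lowercase, colon-separated


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(op, src_mac, src_ip, dst_ip):
    """Build a broadcast Ethernet/ARP frame (op 1 = request, 2 = reply)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)
    arp += bytes(6) + socket.inet_aton(dst_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_P_ARP):
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def is_conflicting(frame, own_ips=OWN_IPS, own_macs=OWN_MACS):
    """RFC 5227 2.4 test: sender IP is ours, sender hardware address is not."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    _op, sender_mac, sender_ip, _target_ip = parsed
    return sender_ip in own_ips and sender_mac not in own_macs


# Constructed sample frames, in the order a capture might show them.
SAMPLES = [
    build_arp(1, "02:00:00:00:00:99", "192.0.2.10", "192.0.2.1"),   # foreign MAC, our IP
    build_arp(1, "02:00:00:00:00:99", "192.0.2.50", "192.0.2.10"),  # ordinary request to us
    build_arp(2, "02:00:00:00:00:01", "192.0.2.10", "192.0.2.1"),   # our own reply
    build_arp(2, "02:00:00:00:00:99", "192.0.2.10", "192.0.2.1"),   # reply also counts
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(parse_arp(frame), "conflict" if is_conflicting(frame) else "ok")
```

The rule applies to both Requests and Replies, which is why the first and last sample frames are both flagged.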