Arp Spoofing Attack

This document discusses the creation of an ARP spoofing attack using the Scapy Python library, highlighting the vulnerabilities of the ARP protocol. It details the methodology for conducting the attack, including network scanning and spoofing techniques, as well as prevention methods against such attacks. The paper serves as a practical guide for understanding and implementing ARP spoofing in a controlled environment.

Uploaded by

Clint Yang

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/360932918

Create ARP Spoofing Attack Using Scapy

Research · May 2022


DOI: 10.13140/RG.2.2.19490.09923

CITATION: 1
READS: 1,772

1 author:

Anjana Kawshan
Sri Lanka Institute of Information Technology
3 PUBLICATIONS 1 CITATION


All content following this page was uploaded by Anjana Kawshan on 29 May 2022.



Create ARP Spoofing Attack Using Scapy
Anjana Kawshan G. L. H. T
Faculty of Computing
Sri Lanka Institute of Information Technology
Malabe, Sri Lanka
[email protected]

Abstract—The ARP protocol is widely used on the internet to map IP addresses to MAC addresses. It is vulnerable to a spoofing attack known as "ARP spoofing attack" since it lacks authentication. This spoofing can then lead to a Man-in-the-Middle attack, a denial-of-service attack, and so on. This paper explains how to act as a Man-in-the-Middle as well as how to detect ARP spoofing attacks using custom code.

Keywords—ARP, ARP Request, ARP Response, Scapy, MAC address, IP address

I. INTRODUCTION
Most organizations implement a LAN for their communication and networking needs. The MAC address is the communication identifier in LANs. For communication within a LAN, it is necessary to resolve IP addresses to MAC addresses. The Address Resolution Protocol (ARP) is responsible for this resolution.

However, this protocol has a serious security flaw. The ARP protocol has no state. It does not authenticate whether any request was made for the response received. As a result, it is vulnerable to an attack known as ARP spoofing or ARP cache poisoning. [1] This paper mainly focuses on the following 2 sections.

(i) Network Scanner – To obtain all IP and MAC addresses of the network
(ii) ARP Spoofer – To send ARP response

II. METHODOLOGY
I use the Kali Linux and Windows 10 operating systems and the Scapy documentation to do this ARP spoofing attack.

Scapy is a Python program that lets you send, sniff, parse, and forge network packets. This feature enables the creation of network probe, scan, and attack tools. [2]

III. NETWORK SCANNER
Information gathering is one of the most important steps of penetration testing. If you need to gain access to a system, you should gather enough information before the attack.

In ARP, first of all, we need to discover all devices which are connected to the same network, then get their IPs and MAC addresses. To fulfill this requirement, Kali Linux has a number of tools, such as netdiscover, nmap and so on. But I use my own code to build a Network Scanner.

I use Kali Linux as the attacker machine and the Windows OS as the victim machine. Using the "ifconfig" command we can check our IP address. (Figure 01) And the "route -n" command will show the IP of the gateway/router. (figure 02)

Figure 01

Figure 02

1. Create ARP request

As the first step we need to discover all the clients of the network. So I use the module called "Scapy". I created an ARP request directed to the broadcast MAC address, asking who has the specific IP. The following Python code (figure 03) represents the created ARP request.

Figure 03

The first part of the scan function (06th line) asks "who has the target IP". The second part (07th line) sets the destination MAC to the broadcast MAC. When I call the scan function, I will scan all the IPs in my subnet.

Figure 04

I use 2 print statements to show what the output looks like. The first, the ARP packet, shows who has the specific IP, asked by my device's IP, and the second, the Ethernet packet, is sent from my MAC address to the particular MAC address. (figure 04)
But these 2 packets exist separately. So we need to combine these 2 packets into 1 packet. In Scapy, we can use the forward slash (/) to combine packets. Remove the print statements and use the following command line to combine them.

2. Send packet and receive response

So far we did the creating part of the ARP request. In this section, I will cover the sending part of the packet.

In Scapy we can use the "srp()" function to send packets. But the problem is that this srp() function returns a couple of 2 lists. The first element contains a list of couples (packet sent, answer) and the second element contains unanswered packets. These elements exist as lists. [2]

But we need answered packets only. So we can omit the unanswered part. The following code (figure 05) can be used to send the ARP request (09th line) and get responses (10th line).

Figure 05

The result is shown in the following diagram. (figure 06)

Figure 06

3. Print Result

Figure 06 shows the details of all clients connected to the same network. But every line consists of a part of the same arguments. (figure 07)

Figure 07

That won't be necessary to show to the user. So in this section, I will code to show the output for the user in a simple way. We can access the above elements individually by using the following code. (figure 08)

Figure 08

If I run this code, I can get the following result.

Figure 09

However, the above result is more confusing than the previous one. If we look closer at this result, we can see a comma inside each of the elements. As I discussed earlier, this is the answered element, and this element consists of a couple of lists. This means the left side of the comma represents the sent packet's details and the right side of the comma represents the answered details. [2] Here we want only the response details. So I modify the for loop as follows.

Figure 10

Figure 11

When I run the program, Figure 11 shows the result. It shows all the details the response packet consists of. If I'll be the man-in-the-middle, all I need are the targets' MAC and IP addresses. So we can modify the code as follows (figure 12) and the result is shown after it. (figure 13)

Figure 12
Figure 13

IV. ARP SPOOFER

Figure 14

Basically, in ARP spoofing, I'm going to be a man in the middle. According to the above diagram (figure 14), requests sent and any responses received by the target computer will have to flow through the hacker computer. So the attacker can view, modify or drop that information as the attacker wishes.

In Kali Linux, there is a tool called "arpspoof". By using this tool, we can do an ARP spoofing attack easily. But here I'll develop code to poison ARP tables. So basically, I tell the router that I'm the victim's computer and tell the victim that I am the router. The diagram below makes it easier to understand.

Figure 15

I use the Linux platform as the attacker, and Windows as the target computer. Every computer manages an ARP table. We can get this information by using the "arp -a" command.

Figure 15 – (ARP Table of Kali Linux)

Figure 16 – (ARP Table of Windows)

1. Spoof the Network

As the first step, I'm going to create an ARP response packet by using the ARP() function in the Scapy module. To fulfill the task, I need the target MAC, target IP, and gateway IP. But we've already developed code to get details of the connected clients. So we can generate those details by using the network scanner which I created previously.

But there is a confusing part. How do we set up these fields correctly in the ARP() function? To do that we can use the following command, and we can see all the available fields that the ARP() function consists of. (figure 17)

Figure 17

First I created variables by assigning the arguments. (figure 18)

Figure 18

Then use the following code segment to create a response packet and use the send() function to send the packets. Set "verbose=False" because the send function displays some default data that we don't need. (figure 19)

Figure 19

Figure 20

The code worked properly. The ARP table of the Windows machine has been poisoned. The MAC address of the gateway has been updated to my Kali Linux MAC address. (figure 20)

Unfortunately, the above method only updates the ARP tables once. If we do not keep updating them continuously, then by default the target's ARP table would correct itself to default. So I use a loop to avoid this problem. (figure 21)

Figure 21

But this code does not display the number of packets sent because I set verbose to False. So I modify the code as follows. (figure 22)

Figure 22

Another important thing is IP forwarding. If you do an ARP spoof attack, the target machine couldn't access the internet because the data flows through the Kali machine. But the Kali machine needs to allow packets to flow through it. So use the following command.

Figure 23

2. Handling Exceptions

However, there are still certain details that are missing. This includes the infinite loop: this code will continue to run until we give it an interrupt to stop it. If we press ctrl+c it will stop. So I modify the code again to the below code.

Figure 24

3. Resetting the Network

So far this code perfectly spoofed the connection. But the problem is the ARP tables have not yet been updated to their default values.

So I modify the exception coding part as shown in the diagram below.

Figure 25

The final code is in the following diagram.

Figure 26

V. PREVENTION METHOD
• Use a Static ARP
• Get a Detection Tool
• Set-Up Packet Filtering
• Check Malware Monitoring Settings
• Encryption
• Physical Security

VI. REFERENCE

[1] G. Agrawal, "Detection and Prevention of ARP-Spoofing," vol. 8, no. 10, 2019.

[2] P. Biondi, "SCAPY," [Online]. Available: https://scapy.readthedocs.io/en/latest/introduction.html#about-scapy.

[3] R. Grimmick, "VARONIS," [Online]. Available: https://www.varonis.com/blog/arp-poisoning.

[4] V. Sundar, "INDUSFACE," 11 October 2018. [Online]. Available: https://www.indusface.com/blog/protect-arp-poisoning/.
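
The prevention list above names a static ARP entry and a detection tool. The sketch below is an added example, not code from the paper: a passive monitor that parses raw ARP frames and keeps the request state and IP-to-MAC bindings that ARP itself does not keep. The class and function names, the addresses and the sample frames are all constructed for illustration.

```python
import struct
REQUEST, REPLY = 1, 2

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

class ArpWatch:
    """Passive monitor that keeps the state ARP itself does not keep."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})     # static IP -> MAC entries, e.g. the gateway
        self.seen, self.pending = {}, set()  # learned bindings; IPs with an open who-has

    def observe(self, frame):
        parsed, alerts = parse_arp(frame), []
        if parsed is None:
            return alerts
        op, sha, spa, tpa = parsed
        if op == REQUEST:
            self.pending.add(tpa)
        elif op == REPLY:
            if spa not in self.pending:      # answer to a question nobody asked
                alerts.append("unsolicited-reply")
            self.pending.discard(spa)
        known = self.pinned.get(spa, self.seen.get(spa))
        if known and known != sha:           # IP now claimed by a different MAC
            alerts.append(f"binding-changed {spa} {known}->{sha}")
        else:
            self.seen[spa] = sha
        return alerts

def build(op, sha, spa, tha, tpa):  # constructed sample frame, not captured traffic
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(map(int, i.split(".")))
    dst = "ff:ff:ff:ff:ff:ff" if op == REQUEST else tha
    return (h(dst) + h(sha) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + h(sha) + a(spa) + h(tha) + a(tpa))

def demo():
    gw, host, rogue = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:66"
    g, v = "192.168.1.1", "192.168.1.10"     # assumed gateway and host addresses
    watch = ArpWatch(pinned={g: gw})
    frames = [build(REQUEST, host, v, "00:00:00:00:00:00", g),
              build(REPLY, gw, g, host, v), build(REPLY, rogue, g, host, v)]
    return [watch.observe(f) for f in frames]
```

The unsolicited-reply check only works where the monitor sees both requests and replies, such as on the host itself or a mirror port. Binding changes on unpinned addresses also happen legitimately (DHCP reassignment, a replaced NIC), so those alerts are leads to verify.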
