[+] Building an ARP scanner in Python

No replies
Erra
Neophyte
Joined: 2014/05/01

I should say that all the knowledge I gained from creating this comes from a very good instructor named Zaid Sabih, owner of zSecurity. You can check out his website and support him by purchasing his course at some point; he goes into better detail than I do and has more than 180,000 students to date. Find him here https://zsecurity.org/ and here https://www.udemy.com/learn-python-and-ethical-hacking-from-scratch/

Often you may want to identify the hosts on a LAN, for example before you DoS a target or perform some sort of ARP spoofing to capture traffic. To follow this you obviously should know how to program in Python, and should know a little about what the scapy module is used for; you can refer to its documentation here: https://scapy.readthedocs.io/en/latest/

To start off, everything I'm about to explain can be done in the following three lines:

#!/usr/bin/python3
import scapy.all as scapy
scapy.arping("192.168.1.0/24")  # the subnet to scan; arping prints every host that answered

But for the sake of understanding how things work, I've put together a script to help build your understanding. Here is a simplified version to start you off:

#!/usr/bin/python3
import scapy.all as scapy

def scan(ip):
    arp_packet = scapy.ARP(pdst=ip)  # create ARP packet object with its pdst field set to the ip
    # can also do arp_packet.pdst = ip

    #print(arp_packet.summary())    # print summary for ARP request
    #scapy.ls(arp_packet)           # print out the contents of the arp packet
    #arp_packet.show()

    # to send the packet to the entire network you'll need to
    # set the destination MAC to the broadcast MAC address ff:ff:ff:ff:ff:ff
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")  # create ethernet broadcast frame
    #print(broadcast.summary())     # print summary
    #scapy.ls(broadcast)            # examine broadcast frame contents
    #broadcast.show()

    # then combine the layers using / because scapy allows you to do so
    # take note that it's important that you put broadcast first
    combined = broadcast/arp_packet
    #combined.show()

    # scapy has a function called srp that sends custom layer-2 frames out onto the net
    # it returns two lists, one for answered packets, the other for unanswered; you can
    # also set a timeout in seconds, in this case 3 seconds.
    answered, unanswered = scapy.srp(combined, timeout=3)

    answered.summary()  # summary() prints one line per sent/received pair itself

scan("192.168.1.0/24")  # scan my private network subnet

I've commented this as best I could, and you can delete some of the lines to determine what each one does; to keep the output short I've commented out some of the calls that return excessive output. Once you've studied carefully how things work, you can work on improving the quality of the application. Next I'm going to iterate over each element of the answered list and pick out the part of each element that contains information about the received packet:

#!/usr/bin/python3
import scapy.all as scapy

def scan(ip):
    arp_packet = scapy.ARP(pdst=ip)  # create ARP packet object with its pdst field set to the ip

    # to send the packet to the entire network you'll need to
    # set the destination MAC to the broadcast MAC address ff:ff:ff:ff:ff:ff
    broadcast = scapy.Ether(dst="ff:ff:ff:ff:ff:ff")  # create ethernet broadcast frame

    # then combine the layers using / because scapy allows you to do so
    # take note that it's important that you put broadcast first
    combined = broadcast/arp_packet

    # scapy has a function called srp that sends custom layer-2 frames out onto the net
    # it returns two lists, one for answered packets, the other for unanswered; you can
    # also set a timeout in seconds, in this case 3 seconds.
    answered, unanswered = scapy.srp(combined, timeout=3)

    # each element in answered is a pair [sentpacket, receivedpacket]
    # so to access what we need from each element I take the psrc (the target ip) and the
    # hwsrc (MAC of target) attribute from the receivedpacket portion of each element...
    for element in answered:
        print(element[1].psrc)   # remember element[1] is the received packet
        print(element[1].hwsrc)  # and .psrc and .hwsrc are its attributes
        print("----------------------------------------------------")

scan("192.168.1.0/24")

What you end up with is something like this:

192.168.1.1
08:3e:5d:90:26:a1
----------------------------------------------------
192.168.1.9
a4:e9:75:4a:5b:75
----------------------------------------------------
192.168.1.10
2e:30:33:e6:43:76
----------------------------------------------------
192.168.1.2
e4:c8:01:00:44:9a
----------------------------------------------------
192.168.1.12
02:0f:b5:b4:b7:d5
----------------------------------------------------

And there you have it, easily taking the MAC addresses of any target within the network!
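To see what scapy is actually putting on the wire in the scripts above, here is an added example (not the author's code, standard library only) that builds the Ether(dst=broadcast)/ARP(pdst=ip) request byte for byte, parses replies the way the loop over `answered` does, and additionally flags any IP that answered with two different MACs, which is what an ARP spoofing attempt against your scan looks like. All MAC and IP values used with it are constructed samples.

```python
"""Wire-level view of the scan above, standard library only.
Added example, not the author's code; every MAC and IP below is a constructed sample."""
import struct
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_frame(op, eth_dst, hwsrc, psrc, hwdst, pdst):
    """14-byte Ethernet header followed by a 28-byte Ethernet/IPv4 ARP body."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(hwsrc) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(hwsrc) + ipaddress.IPv4Address(psrc).packed
    arp += mac_to_bytes(hwdst) + ipaddress.IPv4Address(pdst).packed
    return eth + arp

def build_arp_request(src_mac, src_ip, target_ip):
    """The bytes scapy.Ether(dst=BROADCAST_MAC)/scapy.ARP(pdst=target_ip) would emit."""
    return build_arp_frame(ARP_REQUEST, BROADCAST_MAC, src_mac, src_ip, ZERO_MAC, target_ip)

def parse_arp(frame):
    """Return (op, hwsrc, psrc, hwdst, pdst), or None if the frame is not Ethernet/ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, bytes_to_mac(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32])),
            bytes_to_mac(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42])))

def hosts_from_replies(frames):
    """Mirror of the loop over `answered`: psrc and hwsrc of each ARP reply, sorted by IP.
    Also lists IPs that answered with more than one MAC, the classic sign of ARP spoofing."""
    seen = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue  # ignore non-ARP frames and our own outgoing requests
        seen.setdefault(parsed[2], set()).add(parsed[1])
    hosts = {ip: sorted(seen[ip]) for ip in sorted(seen, key=ipaddress.IPv4Address)}
    conflicts = [ip for ip, macs in hosts.items() if len(macs) > 1]
    return hosts, conflicts
```

Feed `hosts_from_replies` the raw bytes of captured frames (for example `bytes(element[1])` for each pair in scapy's `answered`) and you get the same IP/MAC table the script prints, plus the list of IPs whose ownership is being disputed.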

Personally, I find the guide at https://thepacketgeek.com/ better at explaining the scapy basics than the official documentation.

"This is our world now... the world of the electron and the switch, the
beauty of the baud."
-The Mentor