Forem: Dharmil Chhadva

Docker Swarm vs Kubernetes

Dharmil Chhadva — Sat, 30 Mar 2024 14:14:08 +0000

Automating the deployment pipeline is becoming increasingly important in today's fast-evolving world, where applications are broken down into microservices. This is where Docker and Kubernetes come into play.

Before we dive deep into Docker and Kubernetes, let's first understand what containers are.

What are containers?

A container packages the application code and its dependencies in one unit, which then can be executed on any infrastructure. It's lightweight and includes everything required to run the app, such as code, runtime environment, system libraries, and external dependencies. The core aim is to quickly deploy the application, which executes the same regardless of the underlying architecture.

Containers eliminate the "works on my machine" 🤣 phrase.

Now that we understand containers let's move on to Docker Swarm.

What is Docker Swarm?

Docker Swarm is a container orchestration tool that allows you to manage and deploy applications using containerization. It's an open -source and popular as it is quick to set up and easy to use. Docker Swarm is called swarm mode and is a native Docker mode. Swarm mode allows DevOps engineers to create a cluster of Docker nodes and deploy services to run on these nodes. This cluster is called Swarm.

A swarm cluster consists of manager nodes, which manage the cluster and worker nodes, which are instructed to run tasks by the manager nodes.

Swarm Architecture

Image Credit: Docker Swarm vs Kubernetes: A Practical Comparison

Pros of Docker Swarm:

Familiarity as swarm mode is a part of Docker.
Easy to install and set up.
Has its own Swarm API.
Smooth integration with Docker Compose and Docker CLI.
Intelligent node selection for picking optimal nodes.
Built-in load balancing feature, eliminating the need to define load balancer files manually.
Roll back to the previous version of the service in case of hazardous events such as failures.
Fault tolerance, wherein swarm automatically checks for node failures and replaces them with new ones.
It can scale up and down as per demand.

Cons of Docker Swarm:

Limited customizations and extensions.
Less functionality and lesser automation capabilities compared to Kubernetes.

Swarm mode CLI commands:

swarm init: Initialize a swarm. The Docker Engine this command targets becomes a manager in the newly created single-node Swarm.

Example:

> docker swarm init --advertise-addr 192.168.99.121

Swarm initialized: current node (bvz81updecsj6wjz393c09vti) is now a manager.

To add a worker to this Swarm, run the following command:

    docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 172.17.0.2:2377

To add a manager to this Swarm, run 'docker swarm join-token manager' and follow the instructions.

Swarm join: Join a node to a swarm. The node joins as a manager node or worker node based on the token you pass with the --token flag. If you pass a manager token, the node joins as a manager. If you pass a worker token, the node joins as a worker.

Example:

> docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377
This node joined a swarm as a manager.

Find more Swarm CLI at Docker Docs

What is Kubernetes?

Kubernetes is also a container orchestration tool which allows you to deploy and manage applications. It's open-source, portable, and highly configurable. These features make it an optimal choice for deploying complex applications. A cluster in Kubernetes consists of worker nodes, which are managed by Kubernetes master. The master controls, monitors and manages all the resources in the cluster.

Kubernetes Architecture

Image Credit: Docker Swarm vs Kubernetes: A Practical Comparison

The above diagram depicts the components involved in Kubernetes.

Controller Plane: It manages the operation of the Kubernetes cluster.
- Kube API Server: Facilitates external communication with the cluster.
- Etcd: Stores configuration data and cluster state in a key-value store.
- Scheduler: Allocates pod placement based on resource needs and availability.
- Kube Controller Manager: Maintains desired component states.
Kubernetes Node: Executes control plane assigned tasks, including:
- Kubelet: Manages containers and their lifecycle.
- Pod: Smallest component of the cluster. Represents a running process instance.

Execution Workflow:

External clients interact with the cluster via kubectl commands.
The controller plane delegates tasks to Kubernetes nodes.
Nodes create pods for container execution.
External users access deployed apps through a load balancer.

Pros of Kubernetes

Wide range of functionalities such as service discovery, load balancing, storage orchestration, self-healing, horizontal scalability, automated rollout and rollbacks and batch execution.
Open-source with a highly active community.
Allows you to store and manage configuration data and secrets securely.
Allows flexible management of resources when deploying an application.
Is highly extensible through plugins.
Interact with Kubernetes components via its API.

Cons of Kubernetes

Learning Kubernetes and managing its master requires specialized knowledge due to its steep learning curve.
Frequent updates from the open-source community need careful patching to prevent workload disruptions.
Kubernetes is too heavy for solo developers who are handling simple apps with occasional deployments.
Teams require tools like kubectl CLI, CI/CD workflows, and DevOps practices to manage access, identity, governance, and security.

Docker Swarm Vs Kubernetes

Feature	Docker Swarm	Kubernetes
Set up	Easy with docker command	Setting up a Kubernetes cluster manually can be complicated.
Container support	Works only with Docker containers	Works with containerd, Docker, etc.
Networking	Basic	Advanced
Learning Curve	Easy to get started	Steep curve
Complexity	Simple & lightweight	Complicated & heavyweight
Load Balancing	Automatic	Manual
CLIs	Comes when installing Docker	Need to install kubectl CLI
Scalability	No automatic scaling	Automatic Scaling
Security	Only TLS support	Supports SSL/TLS, RBAC & secret management

Conclusion

In conclusion, while Docker Swarm and Kubernetes serve as container orchestration tools, they have distinct characteristics and functionalities.

Docker swarm offers easy setup and simplicity, making it ideal for smaller projects with straightforward deployment needs. However, it lacks the advanced features and scalability of Kubernetes.

On the other hand, Kubernetes provides a comprehensive set of features for managing complex applications at scale. Although it has a steep learning curve and requires specialized knowledge, Kubernetes offers extensive functionality, including advanced networking, automated scaling, and robust security features.

Ultimately, the choice between Docker Swarm and Kubernetes depends on the specific requirements and complexity of the project. Docker Swarm may suffice for simpler deployments, while Kubernetes is better suited for larger, more intricate applications that demand advanced orchestration capabilities.

References

Docker Swarm vs. Kubernetes: A Comparison
Docker Swarm vs Kubernetes: A Practical Comparison

Note: This article is a part of the curriculum in the DevOps course. My student ID is C0884179.

Check Out My Previous Articles

Changing the MAC Address using Python
Writing a Network Scanner using Python
Man In The Middle Attack (MITM) Part 1 — ARP Spoofing
Man In The Middle Attack (MITM) Part 2 — Packet Sniffer

Man In The Middle Attack (MITM) Part 2 — Packet Sniffer

Dharmil Chhadva — Tue, 27 Feb 2024 01:08:19 +0000

Building a packet sniffer using Python 🐍 that extracts visited URLs and user credentials.

This is part 2 of Man In The Middle (MITM) attack. If you haven’t read part 1 then I strongly suggest you read that before reading part 2. You can find the link to Part 1 in the next section.

What is a Packet Sniffer?

A packet sniffer is a tool that is used to monitor networks and to diagnose any network problems. It is commonly used by network technicians. Hackers often use this to spy on user’s network traffic and for extracting passwords.

Packet sniffers log network traffic on a network interface that they have access to. It can see every packet that flows to and from an interface.

You’d be wondering that we are designing a packet sniffer but the title says Man In The Middle Attack. This is because in Part 1 we wrote a Python script (ARP Spoofing) that allows us to become a Man In The Middle. The purpose of the packet sniffer is to capture the victim’s (the user which has been attacked using ARP Spoofing) network traffic and extract visited URLs and credentials.
Man In The Middle Attack (MITM) Part 1 — ARP Spoofing

Modules Used:

argparse: To understand what this does read my first article here.
Scapy: Enables the user to send, sniff and dissect and forge network packets. This capability allows the development of tools that can probe, scan, or attack networks. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It easily handles most tasks like scanning, tracerouting, probing, unit tests, attacks, or network discovery.
time: We only use the time module to generate a delay of 2 seconds. To learn more about this module read the docs.

What functionality the Python 🐍 script must have?

get_args() — A function to get command-line arguments. In this case, we need an input value from the user for the **interface **on which we want to sniff the packets.
sniffer(interface) — A function that takes the **interface **value as an input and sniffs the packets on that interface.
process_packet(packet) — A function that is called by the sniffer function for every new packet that is sniffed. This checks whether the packet is of type HTTP Request or not. For this use case, we only need the packets which are of the HTTP Request type because the information we want is sent in this packet. It then uses get_url(packet) and get_credentials(packet) functions.
get_url(packet) — A function that extracts the URL from the packet that was passed to it.
get_credentials(packet) — A function that also takes packet as input and extracts credentials such as username and password.

Without further ado, let’s start writing the script in Python.

Python Script for Packet Sniffer

In this section, we’ll build the script step by step. I’ll explain everything in each step, so read carefully.

Step 1: Importing Necessary Modules

Step 2: Writing the **get_args() **function

The above function adds functionality which allows the user to pass user input values as the command-line arguments. After the addition of the above code, the user will be able to pass the name of the interface on which the packets are supposed to be sniffed in the same instruction that is used to run the script. For example,

root@kali:~# python3 sniffer.py -i interface_name

root@kali:~# python3 sniffer.py --interface interface_name

To learn how exactly this function works, read the entire Step 2 from the article on how to change MAC Address of a device.

Step 3: Writing the **sniffer(interface) **function

The above gist contains the definition of the sniffer(interface) function. It takes an interface name as an input that is used inside it. It uses a method called sniff provided by the scapy module. The methodsniff requires an interface name iface as an input. The next argument, store tells scapy whether to store the packets in memory or not. store = False tells scapy not to store the packets. The last argument is prn, it tells scapy which function to be called each time a new packet is sniffed. In this case, process_packet function is called for every new packet.

Step 4: Writing the process_packet(packet) function

Before jumping into the function, let’s take a look at how a scapy packet looks like.

###[ Ethernet ]###
dst       = 52:54:00:12:35:00
src       = 08:00:27:35:21:2e
type      = IPv4
###[ IP ]###
version   = 4
ihl       = 5
tos       = 0x0
len       = 441
id        = 22651
flags     = DF
frag      = 0
ttl       = 64
proto     = tcp
chksum    = 0xf1f9
src       = 10.0.2.9
dst       = 176.28.50.165
\options   \
###[ TCP ]###
sport     = 48556
dport     = http
seq       = 790303956
ack       = 327206
dataofs   = 5
reserved  = 0
flags     = PA
window    = 64240
chksum    = 0xf075
urgptr    = 0
options   = []
###[ HTTP 1 ]###
###[ HTTP Request ]###
Method    = 'GET'
Path      = '/login.php'
Http_Version= 'HTTP/1.1'
A_IM      = None
Accept    = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
Accept_Charset= None
Accept_Datetime= None
Accept_Encoding= 'gzip, deflate'
Accept_Language= 'en-US,en;q=0.5'
Access_Control_Request_Headers= None
Access_Control_Request_Method= None
Authorization= None
Cache_Control= 'max-age=0'
Connection= 'keep-alive'
Content_Length= None
Content_MD5= None
Content_Type= None
Cookie    = None
DNT       = None
Date      = None
Expect    = None
Forwarded = None
From      = Non
Front_End_Https= None
HTTP2_Settings= None
Host      = 'testphp.vulnweb.com'
If_Match  = None
If_Modified_Since= None
If_None_Match= None
If_Range  = None
If_Unmodified_Since= None
Keep_Alive= None
Max_Forwards= None
Origin    = None
Permanent = None
Pragma    = None
Proxy_Authorization= None
Proxy_Connection= None
Range     = None
Referer   = '[http://testphp.vulnweb.com/login.php](http://testphp.vulnweb.com/login.php')

The above block shows the contents of the packet. The line that starts with ###[text]### is called a layer. The lines after that are the fields that come under that layer until the next layer is encountered. For instance, from the above block, ###[ Ethernet ]### is a layer and the following lines are the fields under the Ethernet. These fields contain information about Ethernet. Similarly, ###[ TCP ]###, ###[ HTTP Request ]###, etc. are layer. Now, let's jump to the process_packet function.

This function needs the sniffed packet as an input. In this function, we are first checking if the packet has a HTTP Request layer. This is done by using a method provided by scapy called haslayer(). If the packet does not has the layer then it is not processed.

If it has the HTTP Request layer then, we perform two operations:

Call get_url(packet) function to extract URL from the packet. It takes the packet as an input. This function returns a URL, we store this is in a variable called url and then we print the value of url.
Then we call another function called get_credentials(packet). It also takes packet as an input. It checks the packet for possible credentials and if found any then it returns those credentials. We store it in a variable named cred and then we print its value.

I’ll explain get_url(packet) and get_credentials(packet) functions in the later steps.

Step 5: Writing the get_url(packet) function

The get_url(packet) function also needs a packet as an input to extract the URL within the packet. The function extracts the contents of theHost and Path subfields of the HTTPRequest layer of the packet. We then join both the parts and return the URL extracted from the packet. The following is an example of the contents present in Host and Path subfields.

Path      = '/login.php'
Host      = 'testphp.vulnweb.com'

The code packet[http.HTTPRequest] allows us to access the layers and is possible because of Scapy.

Step 6: Writing the **get_credentials(packet) **function

In the above code, you can see a Python tuple named keywords . Before understanding why it is required let's understand the function itself.

This function also needs a packet to work with. Now, when we looked at the contents of the packet at the beginning of step 4, there was no such layer called Raw . This layer is crucial for what we are trying to achieve because the additional information such as credentials is added to the Raw layer. The below code block shows the Raw layer. It also shows that the credentials are stored inside a subfield called load.

###[ Raw ]###
load = 'uname=hdhd&pass=hshs'

Now back to the function. At first, the function checks whether the packet has the Raw layer. If the packet has the layer, then it extracts the value of the load subfield and stores it in a variable called field_load.

The next step is using a for loop to loop over the tuple we discussed earlier. The tuple contains the keywords that are potential names of the form fields used at the time of making an HTML Form. These keywords are derived by guessing common names given to HTML Form elements that are used to design HTML Signup and Login forms.

The for loop loops over each element in the tuple and checks whether any of the keywords is present the field_load **variable. If anyone keyword matched then the **field_load is returned to the process_packet(packet) function to display potential credentials.

Step 7: Final Step

Now, all that's left to do is call get_args() and sniffer(interface) function.

With this, we complete the entire script and all that's left to do is test it.

Entire Script

Working Demo

Okay, before jumping to writing the code in Python I’ll tell you about the setup that I have: I am currently on Windows 10 and I have Virtualbox running with two VMs (1. Kali Linux and 2. Windows 10). I will execute the python script that we made in Part 1 — ARP Spoofing on my Kali Linux machine and attack my Windows 10 VM to become Man In The Middle. Then, I’ll execute the packet sniffer script from this part on my Kali Linux Machine. After that, I’ll log in to a website and see whether the sniffer script is able to extract the credentials or not.

Note: The VMs are configured to use NatNetwork in Virtualbox. When the VMs are set to use **NatNetwork, **the VMs thinks the host as the router (access point). To know more about NatNetwork and how to configure a VM to use it, read this.

Note: The packet sniffer only works on websites using the HTTP protocol. It does not work with HTTPS. To test, use this website — Test Vuln Login.

Kali Linux Machine

IP Address = 10.0.2.9
MAC Address = 08:00:27:35:21:2e

Windows 10

IP Address = 10.0.2.15
MAC Address = 08:00:27:e6:e5:59

Access Point or Default Gateway

IP Address = 10.0.2.1
MAC Address = 52:54:00:12:35:00

MITM — Man In The Middle

In the above image, you can see that we have extracted the captured username and password from the packet that was sniffed. In the testing form, we entered username = test_user and password = test_user123 and in the above image, you can see that we are getting the same username and password value in the output.

Conclusion

We successfully wrote a Python 🐍 script to capture packets. We also tested it with Man In The Middle Attack — ARP Spoofing. The script works perfectly as we wanted it to.

You can find the entire script on my Github Repository. Thank You 😃 for reading.

Man In The Middle Attack (MITM) Part 1 — ARP Spoofing

Dharmil Chhadva — Tue, 27 Feb 2024 01:04:12 +0000

What is Address Resolution Protocol (ARP)?

In a network, computers use the IP Address to communicate with other devices, however, in reality, the communication happens over the MAC Address. ARP is used to find out the MAC Address of a particular device whose IP address is known. For instance, a device wants to communicate with the other device on the network, then the sending device uses ARP to find the MAC Address of the device that it wants to communicate with. ARP involves two steps to find the MAC address:

The sending device sends an ARP Request containing the IP Address of the device it wants to communicate with. This request is broadcasted meaning every device in the network will receive this but only the device with the intended IP address will respond.
After receiving the broadcast message, the device with the IP address equal to the IP address in the message will send an ARP Response containing its MAC Adress to the sender.

If it is still not clear what ARP is and how it works then refer to the images below.

What is ARP Spoofing?

ARP spoofing is a Man In The Middle (MITM) attack in which the attacker (hacker) sends forged ARP Messages. This allows the attacker to pretend as a legitimate user as it links the attacker machine’s MAC Address to the legitimate IP Address. Once the MAC Address has been linked the attacker will now receive the messages intended for the legitimate IP Address. Furthermore, ARP Spoofing allows the attacker can intercept, modify, and drop the incoming messages.

ARP Spoofing is only possible on 32-bit IP Addresses (IPv4) and not on IPv6.However, it is widely used because most of the internet still works on IPv4.

Let’s understand ARP Spoofing more clearly with the help of diagrams 😃.

Fig 3. demonstrates the working of a normal network (no malicious activity) and how a device (hacker or victim) access the Internet with the help of an access point. All the messages pass through the access point. For instance, a device (hacker or victim) sends requests to access the resources on the Internet and in turn, receives responses. These requests **and **responses **always pass through the access point and therefore the access point is called the **Gateway to the Internet.

Note: In this article, the words “Gateway”, “Access Point”, “Router” and “Default Gateway” *are used interchangeably. Also the words *“attacker” and “hacker” *are used similarly. The words *“target” and “victim” means the same.

Fig 4. illustrates how the ARP Spoofing affects the normal flow of requests and responses **in a network. In ARP Spoofing, the hacker simply fools the **access point and the victim **by pretending as the **access point in front of the victim and as the victim in front of the access point. Now, let’s see how the hacker manages to pretend and fool the access point and the victim.

With the help of Fig 5. we can understand how the attacker is able to fool both the access point as well as the victim. The figure shows the IP Address and MAC Address of every device present in the network. To understand how ARP Spoofing works you must completely understand the figure first. In order to carry out ARP spoofing the attacker/hacker sends an ARP Response to the access point and the victim.

Before we dive deeper into Fig 5., let’s first understand ARP Response and what different fields it contains. We already covered what ARP Response is and when it is used. Now, let’s take a look inside an ARP Response to understand what kind of information it holds.

Fig 6. displays an ARP Response packet captured in Wireshark. There are several fields inside of it using which it communicates with other devices in the network. Out of all the fields, the most important ones for us are:

Opcode — When its value is **2 **it means its an ARP Response and when it is **1 **it means its an ARP Request. In the figure above the value of Opcode is **2 **which means its an ARP Response.
Sender MAC Address
Sender IP Address
Target MAC Address
Target IP Address

Now, to pretend as the victim in front of the Access Point, the attacker/hacker uses ARP Response to its advantage. The attacker sends an ARP Response message to the Access Point with the following information:

Opcode = 2
Sender MAC Address = *08:00:11:1a:25:ff *(Attacker’s MAC Address)
Sender IP Address = 10.0.2.15
Target MAC Address = 08:22:55:2a:ab:35
Target IP Address = 10.0.2.1

This shows that the attacker is forging an ARP Response message by setting the victim’s IP Address as the Sender’s IP Address. This fools the access point in thinking that the ARP Response was sent by the victim (a legitimate device), however, in reality, it was sent by the attacker. The attacker also sets its own machine’s MAC Address as the Sender MAC Address. Due to this, the access point updates the MAC Address of the IP Address 10.0.2.15 to the MAC Address of the attacker in its ARP table and therefore linking the attacker’s machine with a legitimate IP Address. With this, any message intended for *10.0.2.15 **will now be sent to the attacker’s machine. This is what *“10.0.2.15 is at 08:00:11:1a:25:ff” **means in Figure 5.

Read about ARP Table here.

Similarly, to pretend as the Access Point in front of the victim, the attacker again uses ARP Response and sends it to the victim machine using the following information in it:

Opcode = 2
Sender MAC Address = *08:00:11:1a:25:ff *(Attacker’s MAC Address)
Sender IP Address = 10.0.2.1
Target MAC Address = 00:22:11:55:33:aa
Target IP Address = 10.0.2.15

This ARP Response is received by the victim and thinks that this was sent by the Access point, and thus, updates the MAC Address of the access point’s IP Address with the attacker’s MAC Address in its ARP table. This fools the victim and the attacker successfully pretends to be the access point. This means that any message intended for the access point is now being sent to the attacker.

Now, as the only way to access the resources on the internet is through the Access Point itself, the victim’s requests now pass through the attacker’s machine instead of the actual access point. This gives a chance to the attacker to intercept, modify, or stop the data transit. The attacker can also relay the requests and responses to and from the victim and the access point without any changes.

After this, the communication between the victim and the access point happens through the attacker’s machine just as it is shown in Figure 4.

At this moment, I assume that you have understood how ARP Spoofing is carried out, so let’s jump on to the coding part.

Why is ARP Spoofing possible?

ARP was designed for security. There are two reasons why ARP spoofing is possible.

The machines in a network accept ARP Responses even if they haven’t sent an ARP Request.
The machines trust these ARP Responses without any verification.

Modules Used:

argparse: To understand what this does read my first article here.
Scapy: Enables the user to send, sniff and dissect and forge network packets. This capability allows the development of tools that can probe, scan, or attack networks. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It easily handles most tasks like scanning, tracerouting, probing, unit tests, attacks, or network discovery.
time: We only use the time module to generate a delay of 2 seconds. To learn more about this module read the docs.

Okay, before jumping to writing the code in Python I’ll tell you about the setup that I have: I am currently on Windows 10 and I have Virtualbox running with two VMs (1. Kali Linux and 2. Windows 10). I will execute the python script on my Kali Linux machine and try to attack my Windows 10 VM. Note: The VMs are configured to use **NatNetwork **in Virtualbox. When the VMs are set to use **NatNetwork, **the VMs thinks the host as the router (access point). To know more about NatNetwork and how to configure a VM to use it, read this.

Python Script for ARP Spoofing

In this section, we’ll build the entire script from scratch that will enable us to carry out an ARP spoofing attack.

Step 1: Import the modules discussed above.

Step 2: Implementing the functionality to allow the users to pass command line arguments.

To add this feature to our script, we’ll need to make use of the argparse module that we imported in Step 1. The script needs the IP Address of the victim(target) as well as the access point(gateway).

To know more about how argparse works and what does the above part of the script does and what functionality it adds to the script, read the entire Step 2 from my previous article on how to change MAC Address of a device

The above code allows the user to provide the input values for target and gateway IP Address to be used in the script and it does this as follows:

root@kali:~# python3 arp_spoofer.py -t target_ip -g gateway_ip

root@kali:~# python3 arp_spoofer.py --target target_ip --gateway gateway_ip

target_ip = IP Address of the victim (target). In our example above, it’s 10.0.2.15

gateway_ip = IP Address of the access point (gateway). In our example above, it’s 10.0.2.1

These values of target_ip and gateway_ip are used by another function that fools the victim and the access point. We’ll discuss that function in the later steps.

Step 3: Writing a function to get the current MAC Address

This function takes the IP Address as an input and returns its MAC Address. We need this function to get the MAC Address of the victim and the access point.

Still, now we are not using this function anywhere in our code but we’ll use it inside another function that fools both the victim and the access point. To know technical details about the get_mac(IP) **function, read the entire step 3 of this article. The only difference is that the function name in the linked article is **scan(ip) **instead of **get_mac(ip).

Step 4: Writing the spoof function that fools both the access point and the victim.

Now, there’s a lot going on in this function so let’s break it down line by line so that we understand it completely.

The **spoof(target_ip, spoof_ip) **accepts two IP Addresses as an input, the **target_ip **is the IP Address of the machine that we want to fool and the **spoof_ip **is the IP Address of the machine whose IP Address we’ll use to fool the other (target) machine.

The first line, inside the spoof(target_ip, spoof_ip) **function definition, is where we make use of the **get_mac(ip) function that we wrote in step 3.

target_mac = get_mac(target_ip)

This returns the MAC Address of the target_ip and stores it inside the target_mac variable.

In the next line, we create an ARP Response packet using scapy’s ARP class. We achieve this using the following line of code.

spoof_packet = scapy.ARP(op = 2, pdst = target_ip, hwdst = target_mac, psrc = spoof_ip)

The above line of code creates an ARP Response with the field values as:

Opcode (op) = 2 — which means its an ARP Response. We’ve already covered this above.
Destination IP Address (pdst) — Target’s IP Address is set to **target_ip **that the function accepts as an input.
Destination Hardware Address (hwdst) — Target’s MAC Address is set to the target_mac variable that was used to store the value returned by the get_mac(ip) function in the previous line.
Source IP Address (psrc) — Sender’s IP Address is set to spoof_ip.

I know all of these do not make sense but if we consider the following:

target_ip = 10.0.2.1
spoof_ip = 10.0.2.15
target_mac = get_mac(target_ip)

Then, the ARP Response that we are created in the 2nd line of the function has the following information:

Opcode = 2
Sender MAC Address = Unknown
Sender IP Address = spoof_ip = 10.0.2.15
Target MAC Address = target_mac = 08:22:55:2a:ab:35
Target IP Address = target_ip = 10.0.2.1

Now, you would be wondering why we are not setting our MAC Address to fool the access point and pretend as the victim in this ARP Response? This is because the Scapy module adds the MAC Address of the machine where the ARP Response packet is created. In our case, the attacker would be us and therefore the Scapy packet is created on our machine so scapy will automatically add our MAC Address in the ARP Response message.

Also, note that the sender’s IP Address is set to **spoof_ip **so upon receiving, the access point thinks that the ARP Response is from the victim and this is how the attacker sends an ARP Response to the access point pretending to be the victim (legitimate machine).

Similarly, we can also fool the victim to think that the attacker is the access point.

Now, the third line of the function sends the ARP Response packet that we created on the second line.

scapy.send(spoof_packet, verbose = False)

The scapy.send() function requires the packet to be sent as a mandatory argument. The verbose = False argument tells the scapy to not print any output of its own.

This marks the end of the spoof function, all that’s left to do is call the function to start fooling both (victim and access point) machines.

Next, after the **spoof **function, the next three lines give us the input values of target_ip and the gateway_ip that are passed using the command line arguments in Step 2.

options = get_args()
target_ip = options.target_ip
gateway_ip = options.gateway_ip

After these lines, there is a **“try ” **block where we put a block of code that we think would generate an error. In this case, the script will generate an error when we press Control + C to end the execution of the script. We do this because when we want to quit the script execution we still need to restore the changes (fooling) that we did in the network.

In the try block, we start a while loop that will loop indefinitely as we want to continue to fool both the machines until we stop the execution.

try:
    while True:
        spoof(target_ip, gateway_ip)
        spoof(gateway_ip, target_ip)
        packets_sent += 2
        print("\r[+] Packets Sent: {}".format(packets_sent), end = "")
        time.sleep(2)

Inside the while loop, the first spoof() function call will fool the victim to think that the attacker is the access point and the second spoof() function call will fool the access point to think that the attacker is the victim.

packets_sent += 2

The above line simply calculates the number of packets sent in every iteration. As we call the spoof() function twice for every iteration, we send two packets every iteration and therefore we increment packets_sent by 2.

time.sleep(2)

The time.sleep(2) line, generates a delay of 2 seconds before executing the next iteration.

Step 5: Writing the restore function.

In this step, we create a restore **function that would restore the state of the network that was before the ARP Spoofing attack as soon as we encounter an error on KeyboardInterrupt Control + C .

**What is Restore Function?

In Fig 7., we can see that the attacker sends ARP Requests to both the machines (victim and access point) in order to restore the network into a normal state. The attacker sends the ARP requests with genuine information inside it.

With Restore Function

def restore(source_ip, destination_ip):
    source_mac = get_mac(source_ip)
    destination_mac = get_mac(destination_ip)
    restore_packet = scapy.ARP(op = 2, pdst = destination_ip, hwdst = destination_mac, psrc = source_ip, hwsrc = source_mac)
    scapy.send(restore_packet, count =1, verbose = False)

The restore function accepts two IP Addresses i.e. source_ip and destination_ip. Similarly to **spoof() **function, the **restore() **function also creates an ARP Response but instead of forging information, it creates the Request with genuine information.

You can see that the values of the pdst, hwdst, psrc and hwsrc is legitimate values as we want to restore the state. Also, note that in this function, online the spoof() function, we explicitly set the MAC Address of the sender.

In this function, we use get_mac() **function to get the MAC Address of the Source IP Address and the Destination IP Address. We store these values in two variables in order to access them later. Then, we create a **restore_packet **with genuine IP and MAC Addresses. After that, we send the **restore_packet **with **scapy.send().

Remember that we called the spoof() function in the try block and we did not mention the code block in except. We’ll use this **restore() **function inside the except block when we encounter a **KeyboardInterrupt **Control + C error. We call the **restore() **twice because we need to restore the normal state on both sides i.e. the access point and the victim as shown in Fig 7.

except KeyboardInterrupt:
    print("\n[-] Detected Ctrl + C..... Restoring the ARP Tables..... Be Patient")
    restore(target_ip, gateway_ip)
    restore(gateway_ip, target_ip)

The above code executes as soon as it encounters KeyboardInterrupt and restores the state on both the sides by calling the **restore() **function twice.

This is where the Python script ends and we have successfully implemented an ARP Spoofing attack. Now, all that’s left to do is to test the script by executing it.

Working Demo

Okay, before jumping to writing the code in Python I’ll tell you about the setup that I have: I am currently on Windows 10 and I have Virtualbox running with two VMs (1. Kali Linux and 2. Windows 10). I will execute the python script on my Kali Linux machine and try to attack my Windows 10 VM. Note: The VMs are configured to use **NatNetwork **in Virtualbox. When the VMs are set to use **NatNetwork, **the VMs thinks the host as the router (access point). To know more about NatNetwork and how to configure a VM to use it, read this.

Kali Linux Machine

IP Address = 10.0.2.9
MAC Address = 08:00:27:35:21:2e

Windows 10

IP Address = 10.0.2.15
MAC Address = 08:00:27:e6:e5:59

Access Point or Default Gateway

IP Address = 10.0.2.1
MAC Address = 52:54:00:12:35:00

Obtaining IP Address and the MAC Address of the target and the access point using a Network Scanner. If you haven’t read my article on how to build a network scanner then read Writing a Network Scanner using Python.

Access Point or Default Gateway of Windows 10 before attacking.

You can see that, before the ARP Spoofing attack, the access point with the IP Address 10.0.2.1 has a MAC Address **52:54:00:12:35:00, **which is the normal network flow.

Attacking the Windows 10.

In this step, we have started our ARP Spoofing attack by specifying the IP Addresses of the target (victim) and the access point (gateway) as the command line argument.

ARP Table.

In Fig 11., you can see that after carrying out the attack, the access point or the gateway’s MAC Address is the MAC Address of the Kali Linux Machine i.e. **08:00:27:35:21:2e. **As soon as this happens all the messages intended for the access point from Windows 10 will pass to the attacker (Kali Linux).

Restoring to the normal state.

ARP Table after Restoring.

Fig 13. displays the ARP Table after the attack was stopped and the network was restored to the normal state. See the second table where the access point’s MAC Address is the original IP Address.

Note: When the Windows 10 machine is being ARP spoofed, you cannot use the Internet (as shown in Fig 4.) unless you run a special command in your Kali Linux Machine.

**echo 1 > /proc/sys/net/ipv4/ip_forward**

The above command will make sure that the Internet works completely fine in Windows 10. The command enables IP Forwarding in Kali Linux which effectively says Kali Linux to forward the packets to the access point.

This is where Part 1 of the Man In The Middle (MITM) attack ends. Stay tuned for more parts in this series where we will intercept credentials, modify network traffic, replacing downloading files, etc. You can find the entire code for this tutorial on my Github Repository.

Thank you for reading. For any queries, you can ask me and any constructive feedback is always appreciated.

Writing a Network Scanner using Python

Dharmil Chhadva — Tue, 27 Feb 2024 00:52:19 +0000

Note: The following tutorial works on any Linux Distributions, provided you have the root access i.e. you’ll have to execute this script using the root user.

What is a Network Scanner?

A network scanner is a software tool that scans the network for connected devices. It is also used for diagnostic and investigative purposes to find and categorize what devices are running on a network. This tool takes an IP address or a range of IP addresses as input and then scans each IP Addresses sequentially and determines whether a device is present on that particular IP address or not. It scans the network and returns an IP address and it’s corresponding MAC address if the device is present. A popular tool that’s commonly used CyberSecurity professionals is **nmap**.

How does it work?

To understand how the Network Scanner scans the entire network we need to first understand what is ARP (Address Resolution Protocol).

In a network, most of the computers use the IP Address to communicate with other devices, however, in reality, the communication happens over the MAC Address. ARP is used to find out the MAC Address of a particular device whose IP address is known. For instance, a device wants to communicate with the other device on the network, then the sending device uses ARP to find the MAC Address of the device that it wants to communicate with. ARP involves two steps to find the MAC address:

The sending device sends an ARP Request containing the IP Address of the device it wants to communicate with. This request is broadcasted meaning every device in the network will receive this but only the device with the intended IP address will respond.
After receiving the broadcast message, the device with the IP address equal to the IP address in the message will send an ARP Response containing its MAC Adress to the sender.

Network Scanner uses ARP Request and Response to scan the entire network to find active devices on the network and also to find their MAC Addresses.

If it is still not clear what ARP is and how it works then refer to the images below.

Now that we know how does the network scanner works internally, let’s start writing it in Python.

Modules Used:

argparse: To understand what this does read my first article here.
Scapy: Enables the user to send, sniff and dissect and forge network packets. This capability allows the development of tools that can probe, scan, or attack networks. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It easily handles most tasks like scanning, tracerouting, probing, unit tests, attacks, or network discovery.

Okay, before jumping to writing the code in Python I’ll tell you about the setup that I have: I am currently on Windows 10 and I have Virtualbox running with two VMs (1. Kali Linux and 2. Windows 10). I will execute the python script on my Kali Linux machine and try to scan the entire network. Note: The VMs are configured to use **NatNetwork **in Virtualbox. To know more about NatNetwork and how to configure a VM to use it, read this.

Writing the Network Scanner

As we know what modules are required, let’s start writing the script.

Step 1: Import the modules discussed above.

Step 2: Implementing the functionality to allow the users to pass command line arguments.

To add this feature to our script, we’ll need to make use of the argparse module that we imported in Step 1.

The above code allows the user to provide the input for interface value as follows:

root@kali:~# python3 network_scanner.py -t IP_Address/IP_Addresses

root@kali:~# python3 network_scanner.py --target IP_Address/IP_Addresses

IP_Address = Specific IP Address that you want to scan to check whether there is a device that’s using this IP Address or not.

IP_Addresses = Range of IP Addresses that you want to scan.

Step 3: Writing function that scans the network

In this function, we’ll have to do the following things to be able to scan the network:

Create an ARP Request.
Create an Ethernet Frame.
Place the ARP Request inside the Ethernet Frame.
Send the combined frame and receive responses.
Parse the responses and print the results.

Note that the function **scan **takes an IP Address as an argument. Now, let's break down the above code line by line.

def scan(ip):
.....
.....

scan('10.0.2.15')

Now the first thing that we want to do is to create an ARP Request (See Fig 1.) frame using scapy.

arp_req_frame = scapy.ARP(pdst = ip)

The above line of code creates an ARP Request frame using scapy’s ARP Class with the destination IP Address (pdst) provided as an argument to the function. The destination IP Address is set to the IP Address passed to the function because we want to direct the ARP Request frame to the IP Address we want. For instance, if ip = ‘10.0.2.15’ then the ARP Request is targetted for that IP Address only.

Now, the question is how did I come to know that destination IP Address is represented as **pdst **in ARP class? For this, scapy has a built-in function that we can use to find what member variables (variables) or fields a class has.

arp_req_frame = scapy.ARP(pdst = ip)
print(scapy.ls(scapy.ARP()))

**OUTPUT
**root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.1/24

hwtype : XShortField        = 1               (1)
ptype  : XShortEnumField    = 2048            (2048)
hwlen  : FieldLenField      = None            (None)
plen   : FieldLenField      = None            (None)
op     : ShortEnumField     = 1               (1)
hwsrc  : MultipleTypeField  = **'08:00:27:35:21:2e'** (None)
psrc   : MultipleTypeField  = **'10.0.2.9'**      (None)
hwdst  : MultipleTypeField  = '00:00:00:00:00:00' (None)
pdst   : MultipleTypeField  = '0.0.0.0'       (None)

Note: 10.0.2.1/24 means IP Addresses from 10.0.2.1 to 10.0.2.254

The scapy.ls() function returns the fields a particular class has. It works for every class that scapy provides. We just have to pass the class name as scapy.class_name() to it. In the example above, we wanted to know about the fields or member variables the ARP class has and so we used the scapy.ls(scapy.ARP()). This function then gave us the response as shown in the output above. This function provides the name of the fields, a small description of that field, and the default value that each field holds.

The main fields to know are:

*hwsrc *= Source MAC Address.
*psrc *= Source IP Address.
*hwdst *= Destination MAC Address.
*pdst *= Destination IP Address.

Note: The hwsrc and psrc will always have the default value of the machine on which the ARP Request packet was created. In our case, the IP Address of my Kali machine is ‘10.0.2.9’ and MAC Address is ‘08:00:27:35:21:2e’ and therefore the field psrc and hwsrc has these values in them. Also, the default value for hwdst *and **pdst **will *‘00:00:00:00:00:00’ and **‘0.0.0.0’ **respectively.

So, this is how we can change any field’s value as we want while creating an instance of the class. Additionally, we can also view the ARP Request itself by another function that scapy provides.

arp_req_frame = scapy.ARP(pdst = ip)
print(arp_req_frame.summary())

Upon execution of the above code, we get the following output. You can see that it says ‘who has 10.0.2.3 says 10.0.2.9’, **this means the packet is a request packet and it’s asking everyone that who has the IP Address of **10.0.2.3. The second part i.e **says 10.0.2.9 **provides information about the source or sender of the ARP Request to all the receiving devices and thus the receiving device with the IP Address **10.0.2.3 **will know whom to send the ARP Response. You can see that the output generated below is the same as what Fig 1 illustrates.

root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.3

**OUTPUT
**root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.3

**ARP who has 10.0.2.3 says 10.0.2.9**

Another useful function that scapy provides is show().

arp_req_frame = scapy.ARP(pdst = ip)
print(arp_req_frame.show())

After the execution, it generates the following output.

root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.3

**OUTPUT**
###[ ARP ]###
hwtype    = 0x1
ptype     = IPv4
hwlen     = None
plen      = None
op        = who-has
hwsrc     = 08:00:27:35:21:2e
psrc      = 10.0.2.9
hwdst     = 00:00:00:00:00:00
pdst      = 10.0.2.3

The above output shows the various fields of an ARP Request packet and its corresponding values. Note that the pdst (destination IP Address) **has a value of **10.0.2.3 **because when executing the code we provide a command-line argument for which IP Address to scan and this IP Address is then set to pdst. This is because at the time of creating an instance of the ARP class we provided the IP Address of the destination device using **scapy.ARP(pdst = ip) **where **ip is a variable name and its value is taken from the command-line argument that was passed at the time of execution. We already covered how to add command-line argument functionality that accepts input in Step 2.

After creating the ARP Request packet we need to now create an Ethernet Frame. The Ethernet frame contains fields such as Source and Destination Hardware (MAC) among others. Now, as the communication inside a network is carried out using the MAC Address, we can set the value of destination hardware address field to theMAC Address to which we want to communicate. Learn more about Ethernet Frame here.

The ARP Request is supposed to be broadcasted (transmitted to every IP Address in a network). Therefore, to broadcast the ARP Request we set the Destination Address field of Ethernet field to **‘ff:ff:ff:ff:ff:ff’ **as this is a broadcast MAC Address. We now do this using scapy.

broadcast_ether_frame = scapy.Ether(dst = "ff:ff:ff:ff:ff:ff")

The above line of code creates an Ethernet Frame with dst (Destination Address) is set to **‘ff:ff:ff:ff:ff:ff’. **Note, we can use scapy.ls() and show() function on Ethernet class. The fields of the Ethernet frame can be viewed using scapy.ls() function similarly to how we did it on ARP Class. The show() function can also be used similarly as we did for ARP Class. Output for both the function can be seen below.

print(scapy.ls(scapy.Ether()))

**OUTPUT
**dst  : DestMACField     = 'ff:ff:ff:ff:ff:ff' (None)
src  : SourceMACField   = '08:00:27:35:21:2e' (None)
type : XShortEnumField  = 36864           (36864)

--------------------------------------------------------------------

print(broadcast_ether_frame.show())

**OUTPUT
**###[ Ethernet ]###
dst       = ff:ff:ff:ff:ff:ff
src       = 08:00:27:35:21:2e
type      = 0x9000

The next step is to combine the ARP Request and the Ethernet Frame. We did this using scapy because it allows a very convenient way to combine frames. We do it by the following line of code.

broadcast_ether_arp_req_frame = broadcast_ether_frame/arp_req_frame

The above code creates a new frame by combining the ARP Request and Ethernet Frame using the **‘/’ **sign. This is because scapy allows us to combine frames using this.

Now if we call the show() function we can see that the final combined frame consists of both Ethernet and ARP Request.

root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.3

**OUTPUT
**###[ Ethernet ]###
dst       = ff:ff:ff:ff:ff:ff
src       = 08:00:27:35:21:2e
type      = ARP

###[ ARP ]###
hwtype    = 0x1
ptype     = IPv4
hwlen     = None
plen      = None
op        = who-has
hwsrc     = 08:00:27:35:21:2e
psrc      = 10.0.2.9
hwdst     = 00:00:00:00:00:00
pdst      = 10.0.2.3

We can see that the type field of Ethernet Frame now holds ARP as its type. Also, the ARP part of the frame is identified as ARP Request **by the value of the **op **field. If **op = who-has then it means its an ARP Request and if op = is-at then it is ARP Response.

Now the only thing that is remaining is to sent the combined frame and to receive the responses. To send the requests and receive the responses we will use a function provided by scapy that not only sends the requests but also returns the responses.

This function returns the captured responses as a python tuple out of which the first element of the tuple has the answered responses where the devices responded and the second element has the responses which were unanswered. The responses which are in the unanswered list mean that there are no devices that use those IP Addresses.

The function that scapy provides to do the above tasks is called scapy.srp(). **This function takes the actual frame to be transmitted as an argument. You can see that we have passed **broadcast_ether_arp_req_frame (our final combined frame) **is passed to the function below. It also takes a **timeout **input which tells the scapy for how much time period it should wait to receive a response before moving further. What this means is, from the below example **timeout = 1 means the scapy will wait for 1 second for the response and if the response is not received it will move further to send the packet to the next IP Address. The argument verbose = False is not important and it only stops the scapy from printing its own messages on the screen.

answered_list= scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)
    print('Total Number of Responses ->', len(answered_list))
    print('\n-----------Answered Responses---------')
    print('Number of Answered Responsed ->', len(answered_list[0]))
    print('\n')
    for i in range(0,len(answered_list[0])):
        print(answered_list[0][i])
        print('\n')
    print('\n-----------UnAnswered Responses---------')
    print('Number of UnAnswered Responsed ->', len(answered_list[1]))
    print('\n')
    for i in range(0,len(answered_list[1])):
        print(answered_list[1][i])
        print('\n')

The above code displays the total number of answered (responded) responses and the actual responses itself. It also displays the total number of unanswered (not responded) responses and the actual responses.

Note: This code is not used in the final script and is just for understanding the output returned by scapy.srp() function. The above code generates the following output.

From the above image, we can see that the total number of responses received was two. **This is because the tuple consists of two elements **answered and unanswered. Furthermore, we can see that the total answered responses are three which means that only three devices responded with ARP Response. Below this, we can also see the actual responses itself. After this, we see that the total unanswered responses are **253 **which means **253 **devices did not respond. We can also see some of the responses that scapy recorded for unanswered responses.

The main aim of showing the above output was to make you understand that we only need the answered responses and not the unanswered one. Therefore, we can access only the answered responses using the following line of code.

answered_list = scapy.srp(broadcast_ether_arp_req_frame, timeout = 1, verbose = False)[0]

As the answered_list is a tuple we can extract the individual elements by providing the index in square brackets. The above code will only store answered responses.

Now, all that is left is to extract the IP Address and the MAC Address from each of the answered responses. We’ll use Python dictionaries inside of a list for that purpose.

result = []
    for i in range(0,len(answered_list)):
        client_dict = {"ip" : answered_list[i][1].psrc, "mac" : answered_list[i][1].hwsrc}
        result.append(client_dict)

print(result)

The above code creates an empty list called result **and then creates a dictionary called **client_dict **for each response and then appends it to the **result list. The client_dict *has two keys *‘ip’ and ‘mac’ which stores the IP Address and MAC Address respectively. The output of the above code for our case will be:

root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.1/24

[{'ip': '10.0.2.1', 'mac': '52:54:00:12:35:00'}, {'ip': '10.0.2.2', 'mac': '52:54:00:12:35:00'}, {'ip': '10.0.2.3', 'mac': '08:00:27:22:d8:10'}]

The next step in the scan() function is to return the result list. We’ll use the result list in another function to print the results in a certain format.

Step 4: Writing function to print the results in a certain format.

The above display() function takes the result list as an input and displays the result in a certain format. It produces the output shown below.

root@kali:~/Desktop/Network Scanner# python3 network_scanner.py -t 10.0.2.1/24
-----------------------------------
IP Address     MAC Address
-----------------------------------
10.0.2.1       52:54:00:12:35:00
10.0.2.2       52:54:00:12:35:00
10.0.2.3       08:00:27:22:d8:10

This is where the script is complete and we have created a network scanner using Python successfully.

Working Example

I am using a Virtualbox setup with two VMs (Kali Linux and Windows 10). I’ll show you that the scanner that we created works perfectly fine. I’ll execute the script in Kali Linux and I will also start Windows 10 VM. The expectation is that the output should contain the IP Address and MAC Address of the Windows 10 VM also.

From the above image, we can note two things about the Windows 10 VM:

IP Address = 10.0.2.15
MAC Address = 08-00-27-e6-e5-59 (represented as Physical Address in the image below the Description field)

Now, the output generated by the script on the Kali Linux machine.

From the above image, we can see that the network scanner script that we created scans the entire network including the Windows 10 VM which is in the same network.

Thank You for reading. The entire code can found in my Github Repository.

Changing the MAC Address using Python

Dharmil Chhadva — Tue, 27 Feb 2024 00:48:12 +0000

Note: The following tutorial works on any Linux Distributions, but you will need the root access to execute the system commands necessary in order to change the MAC Address successfully.

What is MAC Address?

To learn how to change the MAC Address, it is essential to learn about what a MAC Address is. We all use various electronic gadgets such as smartphones, desktops, laptops, tablets, and many more to browse the internet, for entertainment, among other tasks. Each of these electronic gadgets has its own MAC Address. MAC stands for Media Access Control Address. Every device needs a MAC Address to be uniquely identified by others on the network. For instance, when you watch a video on Youtube, you send a request for the video via your device, and this request is transmitted through your default gateway (usually through a router for a private home network). The router then sends this request to the World Wide Web and receives a response. Now, the World Wide Web (which is public) does not know who you are because your device has a private IP Address that is only recognized by your router, so the response received by the router is then given to you because the router knows your MAC Address associated with the private IP Address of your device.

MAC Address is a 48-bits hardware address that is hardcoded on the Network Interface Card (NIC) at the time of manufacturing. MAC Address is also known as the Physical Address of a device. MAC Addresses are used to transmit packets within the network.

For example, 00:1A:3F:F1:4C:C6 is a MAC Address. The first three octets (00:1A:3F) of the address identifies the manufacturer and is known as OUI (Organizational Unique Identifier). **The last three octets are **Network Interface Controller Specific.

Why do we need to change the MAC Address?

There are several reasons why you would want to change the MAC Address of your device. Let’s look at them one by one:

Increase Anonymity: When on a public network, you might want to change the MAC Address to stay anonymous, if you don’t then there are chances that the network you are on might log your MAC Address and thus leaving behind a trail.
Impersonate other devices: When you want to carry out an attack (for testing purposes), changing the MAC Address can be useful to impersonate any legitimate device.
Bypassing filters: If a MAC Address is blacklisted to use the network, and to overcome this is to change the MAC Address and fool the filters.

How to change the MAC Address?

To change the MAC Address, we need to execute a few system commands. The first step is to identify the interface whose MAC Address you want to change and you can do this using the following command in Linux.

dcode@dcode-pop-os:~$ ifconfig

The above command produces the following output.

**enp0s3:** flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.5  netmask 255.255.255.0  broadcast 10.0.2.255
        **ether 08:00:27:35:21:ff**  txqueuelen 1000  (Ethernet)
        RX packets 13962  bytes 17732985 (17.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7969  bytes 975852 (975.8 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

First of all, to change the MAC Address we need to know the interface name and the existing MAC Address. **This information can be obtained by executing the **ifconfig command. We can get the interface name and the existing MAC Address from the output produced by ifconfig. For instance, from the above output, enp0s3 **is the name of the **interface **and the **ether field on the third line has the MAC Address (08:00:27:35:21:ff in our case).

Now that we know the interface name whose MAC Address we want to change, we can move to the next command.

dcode@dcode-pop-os:~$ sudo ifconfig enp0s3 down

The above command when executed, takes the interface down. What that means is you will no longer be able to connect to the internet. We need to take the interface down (disabling it) first if we need to change the MAC Address. After this, the next command to be executed will change the MAC Address.

dcode@dcode-pop-os:~$ sudo ifconfig enps03 hw ether 00:11:22:33:44:55

The above command changes the existing MAC Address (08:00:27:35:21:FF) to a new MAC Address (00:11:22:33:44:55) specified in the command itself. Now the MAC Address of the interface enp0s3 has been changed but to use it, we need to enable the interface again using the following command.

dcode@dcode-pop-os:~$ sudo ifconfig enp0s3 up

After executing the above command, you enable the interface again so that you can access the internet. To check whether the MAC Address was changed to what we specified, execute the ifconfig command.

dcode@dcode-pop-os:~$ ifconfig
**enp0s3:** flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.5  netmask 255.255.255.0  broadcast 10.0.2.255
        **ether 00:11:22:33:44:55**  txqueuelen 1000  (Ethernet)
        RX packets 13997  bytes 17737735 (17.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8892  bytes 1059117 (1.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

From the output, we can see that the MAC Address was changed to 00:11:22:33:44:55 from 08:00:27:35:21:ff.

Using Python to change the MAC Address

Up until now, we manually typed the commands and executed them but we can automate the entire process using Python so that we just have to provide the script with the interface name and the new MAC Address.

Modules Used:

The subprocess module is used to execute system commands using Python. It contains several functions that can be used. We are going to focus on one particular function that is used to execute the system commands. It is called the **call() **function.

Usage

subprocess.call([‘ifconfig’])

This instruction executes the ifconfig command using Python.

The **argparse **module makes it convenient to write user-friendly command-line interfaces. The program defines the arguments it requires and **argparse **will figure out how to parse these arguments. It also generates help and usage messages and issues errors when the user enters any invalid arguments.

Usage

dcode@dcode-pop-os:~$ python3 programs_name.py -op1 option -op2 option

With the help of argparse we can provide the user with the ability to pass the input values using command-line arguments. Even if you don’t understand now, it will be clear once we start coding 😃.

Next, the re **module provides **Regular Expression matching operations. You’ll know for what we use the re module as we progress ahead.

Python Script Coding

This is where we start coding in Python.

Step 1: Import the modules discussed above.

Step 2: Implementing the functionality to allow the users to pass command line arguments.

To add this feature to our script, we’ll need to make use of the argparse module that we imported in Step 1.

The above code allows the user to provide the input for interface value and new MAC Address as follows:

dcode@dcode-pop-os:~$ python3 mac_changer.py -i interface_name -m new_mac_address

dcode@dcode-pop-os:~$ python3 mac_changer.py --interface interface_name --mac new_mac_address

interface_name = Name of the interface whose MAC Address you want to change.

new_mac_address = MAC Address that you want to replace in place of the old one.

The **options **stores the values provided by the user. When you print it the output is as follow:

print(options)

**Output:** 
Namespace(interface='enp0s3', new_mac='00:55:22:33:44:11')

Individually accessing the **two **arguments is done as follows:

print(options.interface)
print(options.new_mac)

**Output:** 
enp0s3
00:11:22:33:44:55

Note: The dest **argument in the **add_argument() **method provides the name according to which the **parse_args() stores its corresponding values in the **options **variable.

The last thing in Step 2 is we created a variable command_args **and invoked the function **get_args().

command_args = get_args()

The above statement will store the **options **returned by the **get_args() **hence giving us access to the argument values outside of the scope of the function.

Step 3: Writing a function that changes the MAC Address.

Now that we have the two values that we require to change the MAC Address (interface and new MAC Address), *we’ll write a function that changes the MAC Address using system commands.

Look at the function that we just wrote, it accepts **two **arguments *
(interface and new_mac). **The two values are provided to **change_mac() function by command_args variable. It also checks whether the MAC Address provided is valid or not. After that, using the **subprocess **module we execute the system commands. Note: You require root access to execute these commands.

Now, at this point, we have completed a Python script that changes the MAC Address, but we still need to be sure that the new MAC Address was applied. And for that, we need a write another function that returns the current MAC Address of the interface.

Step 4: Writing a function to get the current MAC Address

This function takes interface as an input and returns the current MAC Address of that interface. We are writing this function to check whether the new MAC address was applied or not.

So, the get_current_mac() function extracts the current MAC Address of the interface provided. Now, let’s break down this function.

output = sub.check_output(['ifconfig', interface], universal_newllines = True)

The above statement is similar to sub.call() in the change_mac() function but there is one difference. The sub.check_output() functions returns the output of the command whereas sub.call() does not return anything. The returned output is stored in the variable output.

Also, the argument universal_newlines = True **is used because if this value is set to **False then the output returned is in bytes.

Official Docs -> By default, this function will return the data as encoded bytes. The actual encoding of the output data may depend on the command being invoked, so the decoding to text will often need to be handled at the application level. This behavior may be overridden by setting universal_newlines to True

The next statement is,

search_mac = re.search(r"\w\w:\w\w:\w\w:\w\w:\w\w:\w\w", output)

This is where the re module is being used. re stands for Regular Expressions and these are often used in string matching applications. The re.search() function accepts the regular expression and the string in which the pattern is supposed to be matched. In our case, the string is stored inside the variable output. *The *\w\w:\w\w:\w\w:\w\w:\w\w:\w\w **expression matches the MAC Address in the output variable which has the output of the **ifconfig command. See the image below to understand it better.

As you can see that the regular expression matches the MAC Address perfectly (Highlighted in green in the Match result box). Regular Expression Cheatsheet

Furthermore, there are chances that re.search() might find more than one string that matches the regex (regular expression). Therefore, the below statement will make sure to return the first matched element only. What if it matches more than one string and returns the string which is not desired? In the output returned by ifconfig, the chances of a getting string other than the desired one is next to zero.

search_mac.group(0)

This sums up the get_current_mac() function.

Now, the only thing remaining is to check whether the MAC Address provided by the user was applied. For this, you can see that we have called get_current_mac() function twice, once before calling change_mac() function and once after calling the change_mac() function. This ensures that we capture both the MAC Addresses (before and after change). We then compare changed_mac and **command_args.new_mac **and if both matches then the MAC Address has been changed successfully.

if changed_mac == command_args.new_mac:
    print('Successfully Changed the MAC Address')
else:
    print('Could not change the MAC Address')

This where the script ends and to execute the script do the following: This was covered in Step 2.

dcode@dcode-pop-os:~$ python3 mac_changer.py -i interface_name -m new_mac_address

**OR**

dcode@dcode-pop-os:~$ python3 mac_changer.py --interface interface_name --mac new_mac_address

The entire code can be found on my Github.