The latest articles on Forem by Artur (@focarica). https://forem.com/focarica https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3385070%2F3fa47a4e-a655-4be1-9874-a52a38794b9c.jpeg https://forem.com/focarica en Artur Wed, 30 Jul 2025 01:59:20 +0000 https://forem.com/focarica/icmp-spoofing-with-scapy-responding-to-pings-as-a-fake-ip-82o https://forem.com/focarica/icmp-spoofing-with-scapy-responding-to-pings-as-a-fake-ip-82o <p>Spoofing is a commonly used technique in cyberattacks, especially in scenarios like <strong>email spoofing</strong>, <strong>SMS spoofing</strong>, and <strong>ARP poisoning</strong>. In this article, I’ll share a small lab I built using Scapy to explore spoofing at a lower level: the network layer, using ICMP packets.</p> <p>The core idea is simple:<br> <em>When a host sends a ping to a nonexistent IP address, the script intercepts the ICMP Echo Request and replies as if it were the intended destination.</em></p> <h2> Core Concepts </h2> <p>Before diving into the code, let’s briefly go over the key concepts used in this project:</p> <p><em>ARP Spoofing</em></p> <ul> <li>This technique involves tricking a host’s ARP table by claiming that a specific IP is associated with the attacker’s MAC address. As a result, all traffic to that IP gets redirected to the attacker.</li> </ul> <p><em>ICMP Spoofing</em></p> <ul> <li>Once ARP poisoning is successful, ICMP packets (ping requests) will reach the attacker. The attacker can then respond with spoofed ICMP Echo Replies, pretending to be the targeted IP.</li> </ul> <p>You can find the full source code on GitHub: <a href="https://github.com/focarica/ICMP-Spoof" rel="noopener noreferrer">ICMP-Spoof</a></p> <h2> Interesting Details </h2> <p><em>Using <code>icmp[icmptype]=8</code> as a BPF Filter</em></p> <p>This BPF filter captures only ICMP Echo Requests (ping). It avoids processing unrelated ICMP messages, like Echo Replies or Destination Unreachables.</p> <p>Alternative filters include:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>icmp — all ICMP packets icmp[icmptype]=0 — only Echo Replies icmp[icmptype]=8 — only Echo Requests </code></pre> </div> <p><em>Using the ARP Destination IP as ICMP Source</em></p> <p>Our attacker doesn’t know in advance which IP will be pinged. Instead, the script listens for ARP requests and captures the IP the victim is trying to reach:</p> <p><code>ip_src = pkt[ARP].psrc</code></p> <p>Then it sends an ARP reply claiming to own that IP and saves it. When the ICMP Echo Request arrives, the script responds using that IP as the source.</p> <p>This dynamic behavior makes the tool useful for demonstrating spoofing against arbitrary targets.</p> <h2> Setting Up the Lab </h2> <p>To test this safely, use two virtual machines connected via an internal or bridged network in VirtualBox, VMware, or similar hypervisor.</p> <p>Example setup:<br> Create an attacker machine with some IP like 10.9.0.10 and runs the script with another machine, the victim with IP 10.9.0.1 and run <code>ping 10.9.0.99</code></p> <p>This IP does not exist, but the script will respond as if it does.</p> <h2> What I Learn </h2> <p>Although this lab is simple, it reveals several fundamental insights about how real-world networks behave:</p> <ul> <li>A hands-on understanding of low-level packet structures and protocols</li> <li>How ARP caches can be manipulated through spoofed replies</li> <li>The stateless nature of ICMP and its trust in source IPs</li> <li>How systems and routers react to unexpected traffic, including ICMP Redirects and Host Unreachables</li> </ul> cybersecurity network beginners python