python-arp Passive Information Collection
Outline
Lateral movement when possible because unassigned IP local area network, if such a request may result unassigned IP is found (bypass testing equipment), what can be done to arp passive information gathering. Of course useless honeypot class equipment.
Code
from scapy.all import *
"""
arp信息被动收集
arp op=1 arp request information(brodcast)
arp op=2 arp reply information(unicast)
arp gratuitous op=1 sender IP address same as target IP and sender MAC address same as target MAC address
"""
# arp
arp_info = {}
# passive arp information collection
def arp_sniff():
return sniff(filter="arp",store=0,prn=arp_collect)
# arp information collect to dict like[IP:MAC]
def arp_collect(arp_pkg):
mac = arp_pkg[ARP].hwsrc
ip = arp_pkg[ARP].psrc
# 如果mac信息没存储在arp_info中就是新发现的mac
# 如果mac存在,分两种情况:新抓的包和原来IP不相等就是change,没有就什么都不用做
if arp_info.get(mac) == None:
arp_info[mac] = ip
print(mac,":",ip)
elif ip != arp_info[mac]:
arp_info[mac] = ip
print("change:")
print(mac,":",ip)
if __name__ == "__main__":
arp_sniff()