用python3发送伪造arp探针应答包:修订间差异

来自三线的随记
无编辑摘要
无编辑摘要
 
(未显示同一用户的3个中间版本)
第2行: 第2行:


在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国
在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国
运行环境需要 pip3 install scapy<br />


===version 1===
===version 1===
需要指定目标节点ip 网卡 网关ip地址
需要指定目标节点ip 网卡 网关ip地址
  # !/usr/bin/python
  #!/usr/bin/python
  # -*- coding: UTF-8 -*-
  #-*- coding: UTF-8 -*-
   
   
  import os
  import os
第81行: 第84行:
慎用
慎用
<br />
<br />
  # !/usr/bin/python
  #!/usr/bin/env python3
  # -*- coding: UTF-8 -*-
  #-*- coding: UTF-8 -*-
#
# Author: sanXian
# capute the arp probe packets and response automatically
   
   
  import os
  import os
第146行: 第153行:
     sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback)
     sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback)
        
        
if __name__ == '__main__':
    main() 
 
<br />
===version3===
适配vlan(trunk网卡)
#!/usr/bin/env python3
#-*- coding: UTF-8 -*-
#
# 自动获取arp probe报文的source mac address进行回包
# capute the arp probe packets and response automatically
# Options: -i 指定监听网卡  --gateway 指定监听的探针报文target地址(arp probe target ip)  --vlan 指定vlan id[可选]
# Author: sanXian
#
# Attention: 在跨vlan的情况下,代码层面不能简易获取得到跨vlan的网关mac地址
#            遂会使用一个假的mac地址构造arp probe response
### 新手面向搜索引擎写bug
### 慎用
 
import os
import sys
import signal
from scapy.all import (
    get_if_hwaddr,  # 获取本机网络接口的函数
    getmacbyip,      # 通过IP地址获取其Mac地址的函数
    ARP,            # 构造ARP数据包
    Ether,          # 构造以太网数据包
    Dot1Q,          # vlan
    sendp,          # 在第二层发送数据包
    sniff            # capture network traffic
)
 
from optparse import OptionParser    #格式化用户输入的参数
 
# build arp response package
def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac , vlan_id):
    if vlan_id >= 0 and vlan_id <= 4095:
        pkt = Ether(src=src_mac, dst=dst_mac) / Dot1Q(vlan=vlan_id) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2)
    else:
        pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2)
    return pkt
   
def sniff_callback(package):
    global gw_mac
    print("get a arp probe package from {}".format(package.src))
    pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc, vlan_id=options.vlan)
    sendp(pkt, inter=0, iface=options.interface)
 
def quit(signum, frame):
        print('\nYou choose to stop me.')
        exit()
 
def main():
 
    #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代
    usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]'
 
    #创建一个 OptionParser 对象
    parser = OptionParser(usage)
    #add_option 来定义命令行参数
    parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use')
    parser.add_option('--gateway',dest="gatewayip",help="gateway ip address")
    parser.add_option('--vlan',default="-1", dest="vlan",help="vlan id")
 
    global options
    (options, args) = parser.parse_args()
    options.vlan = int(options.vlan)
 
    signal.signal(signal.SIGINT, quit)
 
    if options.interface is None or options.gatewayip is None:
        parser.print_help()
        print("[debug]interface value is  ",options.interface)
        print("[debug]gateway ip value is ",options.gatewayip)
        print("[debug]vlan id value is ",options.vlan)
        sys.exit(1)
 
    # get gateway mac address
    global gw_mac
    gw_mac = getmacbyip(options.gatewayip)
    if gw_mac is None:
        print("[x]Fatal Error: can not get the mac address")
        sys.exit(1)
    print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac))
    sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip
 
    if options.vlan >= 0 and options.vlan <= 4095:
        print("vlan mode: {}".format(options.vlan))
        sniff_filter = "vlan " + str(options.vlan) + " and " +  sniff_filter
 
    sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback)
     
  if __name__ == '__main__':
  if __name__ == '__main__':
     main()
     main()

2020年8月11日 (二) 10:52的最新版本

部分网络环境下交换机无法对src address 为0.0.0.0 的arp 报文(即ARP探针)做出应答

在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国


运行环境需要 pip3 install scapy

version 1

需要指定目标节点ip 网卡 网关ip地址

#!/usr/bin/python
#-*- coding: UTF-8 -*-

import os
import sys
import signal
from scapy.all import (
    get_if_hwaddr,   # 获取本机网络接口的函数
    getmacbyip,      # 通过IP地址获取其Mac地址的函数
    ARP,             # 构造ARP数据包
    Ether,           # 构造以太网数据包
    sendp            # 在第二层发送数据包
)
 
from optparse import OptionParser     #格式化用户输入的参数
 
def main():
 
    #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代
    usage = 'Usage: %prog [-i interface] [--gateway gateway_ip] target'
 
    #创建一个 OptionParser 对象
    parser = OptionParser(usage)
    #add_option 来定义命令行参数
    parser.add_option('-i', dest='interface', help='Specify the interface to use')
    parser.add_option('--gateway',dest="gatewayip",help="gateway ip address")
 
    #调用optionparser的解析函数
    (options, args) = parser.parse_args()
 
    if len(args) != 1 or options.interface is None or options.gatewayip is None:
        parser.print_help()
        print("debug args:",len(args))
        print("debug ",options.interface)
        print("debug ",options.gatewayip)
        sys.exit(1)

    # For dce
    # get gateway mac address
    gw_mac = getmacbyip(options.gatewayip)
    print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac))
    target_mac = getmacbyip(args[0])
    print("arp probe response to {} {}".format("0.0.0.0", target_mac))
    if target_mac is None:
       print("[-] Error: Could not resolve targets MAC address")
       sys.exit(1)
 
    #响应包
    def build_rep():
        pkt = Ether(src=gw_mac, dst=target_mac) / ARP(hwsrc=gw_mac, psrc=options.gatewayip, hwdst=target_mac, pdst="0.0.0.0", op=2)
        return pkt
 
    pkt = build_rep()

    def quit(signum, frame):
        print('\nYou choose to stop me.')
        exit()
    signal.signal(signal.SIGINT, quit)

    while True:
        #在两次发送数据包之间有一定的时间间隔,使用inter选项,表示每隔2秒发送一个数据包
        sendp(pkt, inter=0.5, iface=options.interface)
        print("arp response sent to {} {}".format("0.0.0.0", target_mac))
 
if __name__ == '__main__':
    main()
 


version 2

自动获取arp probe报文的source mac address进行回包

新手面向搜索引擎写bug

慎用

#!/usr/bin/env python3
#-*- coding: UTF-8 -*-
#
# Author: sanXian
# capute the arp probe packets and response automatically


import os
import sys
import signal
from scapy.all import (
    get_if_hwaddr,   # 获取本机网络接口的函数
    getmacbyip,      # 通过IP地址获取其Mac地址的函数
    ARP,             # 构造ARP数据包
    Ether,           # 构造以太网数据包
    sendp,           # 在第二层发送数据包
    sniff            # capture network traffic
)

from optparse import OptionParser     #格式化用户输入的参数

# build arp response package
def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac ):
   pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2)
   return pkt

def sniff_callback(package):
    global gw_mac
    print("get a arp probe package from {}".format(package.src))
    pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc)
    sendp(pkt, inter=0, iface=options.interface)

def quit(signum, frame):
        print('\nYou choose to stop me.')
        exit()

def main():
 
    #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代
    usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]'
 
    #创建一个 OptionParser 对象
    parser = OptionParser(usage)
    #add_option 来定义命令行参数
    parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use')
    parser.add_option('--gateway',dest="gatewayip",help="gateway ip address")
 
    global options
    (options, args) = parser.parse_args()

    signal.signal(signal.SIGINT, quit)
 
    if options.interface is None or options.gatewayip is None:
        parser.print_help()
        print("[debug]interface value is  ",options.interface)
        print("[debug]gateway ip value is ",options.gatewayip)
        sys.exit(1)

    # get gateway mac address
    global gw_mac
    gw_mac = getmacbyip(options.gatewayip)
    print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac)) 
    if gw_mac is None:
        print("[x]Fatal Error: can not get the mac address")
        sys.exit(1)

    sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip
    sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback)
     
if __name__ == '__main__':
    main()  
 


version3

适配vlan(trunk网卡)

#!/usr/bin/env python3
#-*- coding: UTF-8 -*-
#
# 自动获取arp probe报文的source mac address进行回包
# capute the arp probe packets and response automatically
# Options: -i 指定监听网卡  --gateway 指定监听的探针报文target地址(arp probe target ip)  --vlan 指定vlan id[可选]
# Author: sanXian
#
# Attention: 在跨vlan的情况下,代码层面不能简易获取得到跨vlan的网关mac地址
#            遂会使用一个假的mac地址构造arp probe response
### 新手面向搜索引擎写bug
### 慎用
 
import os
import sys
import signal
from scapy.all import (
    get_if_hwaddr,   # 获取本机网络接口的函数
    getmacbyip,      # 通过IP地址获取其Mac地址的函数
    ARP,             # 构造ARP数据包
    Ether,           # 构造以太网数据包
    Dot1Q,           # vlan
    sendp,           # 在第二层发送数据包
    sniff            # capture network traffic
)
 
from optparse import OptionParser     #格式化用户输入的参数
 
# build arp response package
def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac , vlan_id):
    if vlan_id >= 0 and vlan_id <= 4095:
        pkt = Ether(src=src_mac, dst=dst_mac) / Dot1Q(vlan=vlan_id) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2)
    else:
        pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2)
    return pkt
   
def sniff_callback(package):
    global gw_mac
    print("get a arp probe package from {}".format(package.src))
    pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc, vlan_id=options.vlan)
    sendp(pkt, inter=0, iface=options.interface)
 
def quit(signum, frame):
        print('\nYou choose to stop me.')
        exit()
 
def main():
  
    #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代
    usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]'
  
    #创建一个 OptionParser 对象
    parser = OptionParser(usage)
    #add_option 来定义命令行参数
    parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use')
    parser.add_option('--gateway',dest="gatewayip",help="gateway ip address")
    parser.add_option('--vlan',default="-1", dest="vlan",help="vlan id")
  
    global options
    (options, args) = parser.parse_args()
    options.vlan = int(options.vlan)
 
    signal.signal(signal.SIGINT, quit)
  
    if options.interface is None or options.gatewayip is None:
        parser.print_help()
        print("[debug]interface value is  ",options.interface)
        print("[debug]gateway ip value is ",options.gatewayip)
        print("[debug]vlan id value is ",options.vlan)
        sys.exit(1)
 
    # get gateway mac address
    global gw_mac
    gw_mac = getmacbyip(options.gatewayip)
    if gw_mac is None:
        print("[x]Fatal Error: can not get the mac address")
        sys.exit(1)
    print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac))
    sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip
 
    if options.vlan >= 0 and options.vlan <= 4095:
        print("vlan mode: {}".format(options.vlan))
        sniff_filter = "vlan " + str(options.vlan) + " and " +  sniff_filter
 
    sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback)
      
if __name__ == '__main__':
    main()