用python3发送伪造arp探针应答包:修订间差异
来自三线的随记
小无编辑摘要 |
小无编辑摘要 |
||
(未显示同一用户的3个中间版本) | |||
第2行: | 第2行: | ||
在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国 | 在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国 | ||
运行环境需要 pip3 install scapy<br /> | |||
===version 1=== | ===version 1=== | ||
需要指定目标节点ip 网卡 网关ip地址 | 需要指定目标节点ip 网卡 网关ip地址 | ||
# !/usr/bin/python | #!/usr/bin/python | ||
# -*- coding: UTF-8 -*- | #-*- coding: UTF-8 -*- | ||
import os | import os | ||
第81行: | 第84行: | ||
慎用 | 慎用 | ||
<br /> | <br /> | ||
# !/usr/bin/ | #!/usr/bin/env python3 | ||
# -*- coding: UTF-8 -*- | #-*- coding: UTF-8 -*- | ||
# | |||
# Author: sanXian | |||
# capute the arp probe packets and response automatically | |||
import os | import os | ||
第146行: | 第153行: | ||
sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback) | sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback) | ||
if __name__ == '__main__': | |||
main() | |||
<br /> | |||
===version3=== | |||
适配vlan(trunk网卡) | |||
#!/usr/bin/env python3 | |||
#-*- coding: UTF-8 -*- | |||
# | |||
# 自动获取arp probe报文的source mac address进行回包 | |||
# capute the arp probe packets and response automatically | |||
# Options: -i 指定监听网卡 --gateway 指定监听的探针报文target地址(arp probe target ip) --vlan 指定vlan id[可选] | |||
# Author: sanXian | |||
# | |||
# Attention: 在跨vlan的情况下,代码层面不能简易获取得到跨vlan的网关mac地址 | |||
# 遂会使用一个假的mac地址构造arp probe response | |||
### 新手面向搜索引擎写bug | |||
### 慎用 | |||
import os | |||
import sys | |||
import signal | |||
from scapy.all import ( | |||
get_if_hwaddr, # 获取本机网络接口的函数 | |||
getmacbyip, # 通过IP地址获取其Mac地址的函数 | |||
ARP, # 构造ARP数据包 | |||
Ether, # 构造以太网数据包 | |||
Dot1Q, # vlan | |||
sendp, # 在第二层发送数据包 | |||
sniff # capture network traffic | |||
) | |||
from optparse import OptionParser #格式化用户输入的参数 | |||
# build arp response package | |||
def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac , vlan_id): | |||
if vlan_id >= 0 and vlan_id <= 4095: | |||
pkt = Ether(src=src_mac, dst=dst_mac) / Dot1Q(vlan=vlan_id) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2) | |||
else: | |||
pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2) | |||
return pkt | |||
def sniff_callback(package): | |||
global gw_mac | |||
print("get a arp probe package from {}".format(package.src)) | |||
pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc, vlan_id=options.vlan) | |||
sendp(pkt, inter=0, iface=options.interface) | |||
def quit(signum, frame): | |||
print('\nYou choose to stop me.') | |||
exit() | |||
def main(): | |||
#自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代 | |||
usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]' | |||
#创建一个 OptionParser 对象 | |||
parser = OptionParser(usage) | |||
#add_option 来定义命令行参数 | |||
parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use') | |||
parser.add_option('--gateway',dest="gatewayip",help="gateway ip address") | |||
parser.add_option('--vlan',default="-1", dest="vlan",help="vlan id") | |||
global options | |||
(options, args) = parser.parse_args() | |||
options.vlan = int(options.vlan) | |||
signal.signal(signal.SIGINT, quit) | |||
if options.interface is None or options.gatewayip is None: | |||
parser.print_help() | |||
print("[debug]interface value is ",options.interface) | |||
print("[debug]gateway ip value is ",options.gatewayip) | |||
print("[debug]vlan id value is ",options.vlan) | |||
sys.exit(1) | |||
# get gateway mac address | |||
global gw_mac | |||
gw_mac = getmacbyip(options.gatewayip) | |||
if gw_mac is None: | |||
print("[x]Fatal Error: can not get the mac address") | |||
sys.exit(1) | |||
print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac)) | |||
sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip | |||
if options.vlan >= 0 and options.vlan <= 4095: | |||
print("vlan mode: {}".format(options.vlan)) | |||
sniff_filter = "vlan " + str(options.vlan) + " and " + sniff_filter | |||
sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback) | |||
if __name__ == '__main__': | if __name__ == '__main__': | ||
main() | main() |
2020年8月11日 (二) 10:52的最新版本
部分网络环境下交换机无法对src address 为0.0.0.0 的arp 报文(即ARP探针)做出应答
在这种情况下于另一个节点上执行脚本发送伪造arp response即可曲线救国
运行环境需要 pip3 install scapy
version 1
需要指定目标节点ip 网卡 网关ip地址
#!/usr/bin/python #-*- coding: UTF-8 -*- import os import sys import signal from scapy.all import ( get_if_hwaddr, # 获取本机网络接口的函数 getmacbyip, # 通过IP地址获取其Mac地址的函数 ARP, # 构造ARP数据包 Ether, # 构造以太网数据包 sendp # 在第二层发送数据包 ) from optparse import OptionParser #格式化用户输入的参数 def main(): #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代 usage = 'Usage: %prog [-i interface] [--gateway gateway_ip] target' #创建一个 OptionParser 对象 parser = OptionParser(usage) #add_option 来定义命令行参数 parser.add_option('-i', dest='interface', help='Specify the interface to use') parser.add_option('--gateway',dest="gatewayip",help="gateway ip address") #调用optionparser的解析函数 (options, args) = parser.parse_args() if len(args) != 1 or options.interface is None or options.gatewayip is None: parser.print_help() print("debug args:",len(args)) print("debug ",options.interface) print("debug ",options.gatewayip) sys.exit(1) # For dce # get gateway mac address gw_mac = getmacbyip(options.gatewayip) print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac)) target_mac = getmacbyip(args[0]) print("arp probe response to {} {}".format("0.0.0.0", target_mac)) if target_mac is None: print("[-] Error: Could not resolve targets MAC address") sys.exit(1) #响应包 def build_rep(): pkt = Ether(src=gw_mac, dst=target_mac) / ARP(hwsrc=gw_mac, psrc=options.gatewayip, hwdst=target_mac, pdst="0.0.0.0", op=2) return pkt pkt = build_rep() def quit(signum, frame): print('\nYou choose to stop me.') exit() signal.signal(signal.SIGINT, quit) while True: #在两次发送数据包之间有一定的时间间隔,使用inter选项,表示每隔2秒发送一个数据包 sendp(pkt, inter=0.5, iface=options.interface) print("arp response sent to {} {}".format("0.0.0.0", target_mac)) if __name__ == '__main__': main()
version 2
自动获取arp probe报文的source mac address进行回包
新手面向搜索引擎写bug
慎用
#!/usr/bin/env python3 #-*- coding: UTF-8 -*- # # Author: sanXian # capute the arp probe packets and response automatically import os import sys import signal from scapy.all import ( get_if_hwaddr, # 获取本机网络接口的函数 getmacbyip, # 通过IP地址获取其Mac地址的函数 ARP, # 构造ARP数据包 Ether, # 构造以太网数据包 sendp, # 在第二层发送数据包 sniff # capture network traffic ) from optparse import OptionParser #格式化用户输入的参数 # build arp response package def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac ): pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2) return pkt def sniff_callback(package): global gw_mac print("get a arp probe package from {}".format(package.src)) pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc) sendp(pkt, inter=0, iface=options.interface) def quit(signum, frame): print('\nYou choose to stop me.') exit() def main(): #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代 usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]' #创建一个 OptionParser 对象 parser = OptionParser(usage) #add_option 来定义命令行参数 parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use') parser.add_option('--gateway',dest="gatewayip",help="gateway ip address") global options (options, args) = parser.parse_args() signal.signal(signal.SIGINT, quit) if options.interface is None or options.gatewayip is None: parser.print_help() print("[debug]interface value is ",options.interface) print("[debug]gateway ip value is ",options.gatewayip) sys.exit(1) # get gateway mac address global gw_mac gw_mac = getmacbyip(options.gatewayip) print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac)) if gw_mac is None: print("[x]Fatal Error: can not get the mac address") sys.exit(1) sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback) if __name__ == '__main__': main()
version3
适配vlan(trunk网卡)
#!/usr/bin/env python3 #-*- coding: UTF-8 -*- # # 自动获取arp probe报文的source mac address进行回包 # capute the arp probe packets and response automatically # Options: -i 指定监听网卡 --gateway 指定监听的探针报文target地址(arp probe target ip) --vlan 指定vlan id[可选] # Author: sanXian # # Attention: 在跨vlan的情况下,代码层面不能简易获取得到跨vlan的网关mac地址 # 遂会使用一个假的mac地址构造arp probe response ### 新手面向搜索引擎写bug ### 慎用 import os import sys import signal from scapy.all import ( get_if_hwaddr, # 获取本机网络接口的函数 getmacbyip, # 通过IP地址获取其Mac地址的函数 ARP, # 构造ARP数据包 Ether, # 构造以太网数据包 Dot1Q, # vlan sendp, # 在第二层发送数据包 sniff # capture network traffic ) from optparse import OptionParser #格式化用户输入的参数 # build arp response package def build_rep(src_ipaddr, src_mac, dst_ipaddr, dst_mac , vlan_id): if vlan_id >= 0 and vlan_id <= 4095: pkt = Ether(src=src_mac, dst=dst_mac) / Dot1Q(vlan=vlan_id) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2) else: pkt = Ether(src=src_mac, dst=dst_mac) / ARP(hwsrc=src_mac, psrc=src_ipaddr, hwdst=dst_mac, pdst=dst_ipaddr, op=2) return pkt def sniff_callback(package): global gw_mac print("get a arp probe package from {}".format(package.src)) pkt = build_rep(src_ipaddr=package.pdst, src_mac=gw_mac, dst_ipaddr=package.psrc, dst_mac=package.hwsrc, vlan_id=options.vlan) sendp(pkt, inter=0, iface=options.interface) def quit(signum, frame): print('\nYou choose to stop me.') exit() def main(): #自定义程序使用方法,当中的 %prog,optparse会以当前程序名的字符串来替代 usage = 'Usage: %prog [-i interface] [--gateway gateway_ip]' #创建一个 OptionParser 对象 parser = OptionParser(usage) #add_option 来定义命令行参数 parser.add_option('-i', dest='interface', default="dce-br", help='Specify the interface to use') parser.add_option('--gateway',dest="gatewayip",help="gateway ip address") parser.add_option('--vlan',default="-1", dest="vlan",help="vlan id") global options (options, args) = parser.parse_args() options.vlan = int(options.vlan) signal.signal(signal.SIGINT, quit) if options.interface is None or options.gatewayip is None: parser.print_help() print("[debug]interface value is ",options.interface) print("[debug]gateway ip value is ",options.gatewayip) print("[debug]vlan id value is ",options.vlan) sys.exit(1) # get gateway mac address global gw_mac gw_mac = getmacbyip(options.gatewayip) if gw_mac is None: print("[x]Fatal Error: can not get the mac address") sys.exit(1) print("gateway ip address is:{}, mac address is: {}".format(options.gatewayip, gw_mac)) sniff_filter = "arp and src 0.0.0.0 and dst " + options.gatewayip if options.vlan >= 0 and options.vlan <= 4095: print("vlan mode: {}".format(options.vlan)) sniff_filter = "vlan " + str(options.vlan) + " and " + sniff_filter sniff(iface=options.interface, filter=sniff_filter, prn=sniff_callback) if __name__ == '__main__': main()