使用scapy检测ARP中毒

时间:2013-11-30 14:02:56

标签: python pcap scapy arp

我捕获了一些流量并存储在.pcap文件中。在那里,发生了ARP中毒攻击。

有没有办法在python脚本中使用scapy检测攻击者的IP和MAC地址以及受害者的IP和MAC地址?

1 个答案:

答案 0 :(得分:2)

我相信像这样的剧本可以胜任

#! /usr/bin/python
from scapy.all import *
pkts = rdpcap('capture2.pcap')
#these are from wireshark
ipadr=['192.168.0.1','192.168.0.2','192.168.0.3','192.168.0.30']
macadr['00:03:ff:98:98:01','00:03:ff:98:98:02','00:03:ff:98:98:03','00:03:ff:98:98:30']
c=-1
for p in pkts:
 c=c+1
 if p.haslayer(ARP):
  #find a packet where p.dst and p.pdst isn't a valid pair
  if p.dst != 'ff:ff:ff:ff:ff:ff':
   if not(( ipadr[0]==p.pdst and  macadr[0]==p.dst ) or ( ipadr[1]==p.pdst and      macadr[1]==p.dst) or ( ipadr[2]==p.pdst and  macadr[2]==p.dst ) or ( ipadr[3]==p.pdst and  macadr[3]==p.dst )) :
print 'packet data ' +p.psrc +"   "+p.src+"  " + p.pdst + " " + p.dst +" "+str(c)
print 'packet number = ' + str(c)
print 'MAC of attacker = ' + p.dst
print 'IP of attacker = ' + ipadr[macadr.index(p.dst)]
print 'MAC of target = ' + p.src
print 'IP of target = ' + p.psrc