《Python黑帽子:黑客与渗透测试编程之道》 网络:原始套接字和流量嗅探
Windows 上的包嗅探
#!/usr/bin/python
import socket
import os #监听的主机
host = "10.10.10.160" #创建原始套接字,然后绑定在公开接口上
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET,socket.SOCK_RAW,socket_protocol) sniffer.bind((host,0)) #设置在捕获的数据包中包含IP头
sniffer.setsockopt(socket.IPPROTO_IP,socket.IP_HDRINCL,1)
#在Windows平台上,我们需要设置IOCTL以启动混杂模式
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_ON) #读取单个数据包
print sniffer.recvfrom(65565) #在Windows平台上关闭混杂模式
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_OFF)
使用scapy DNS 嗅探
# -*- coding: UTF-8 -*-
from scapy.all import * scapy.config.conf.sniff_promisc=True #设置混杂模式 def packetHandler(pkt):
print(pkt.summary())
udp = pkt.getlayer(UDP)
print(udp.show())
if __name__ == '__main__':
dev = "en0"
filter = "udp port 53"
sniff(filter=filter,prn=packetHandler,iface=dev)
使用scapy DNS 欺骗
#coding=utf-8 import os
import sys
import subprocess
from scapy.all import * RSN = 48 #管理帧信息元素(Dot11Elt)ID48是RSN信息
WPA = 221 #管理帧信息元素ID221是WPA信息
Dot11i = {0:'GroupCipher',
1:'WEP-40',
2:'TKIP',
4:'CCMP',
5:'WEP-104'
} #RSN信息的第6字节
WPA_Auth = {1:'802.11x/PMK',
2:'PSK'
} #RSN信息的第22字节
DN = open(os.devnull,'w') def get_wlan_interfaces():
'''
返回当前PC上所有的无线网卡以及网卡所处的模式
'''
interfaces = {'monitor':[],'managed':[],'all':[]}
proc = subprocess.Popen(['iwconfig'],stdout=subprocess.PIPE,stderr=DN)
lines = proc.communicate()[0].split('\n')
for line in lines:
if line:
if line[0] != ' ':
iface = line.split(' ')[0]
if 'Mode:Monitor' in line:
interfaces['monitor'].append(iface)
if 'IEEE 802.11' in line:
interfaces['managed'].append(iface)
interfaces['all'].append(iface)
if len(interfaces['managed']) == 0:
sys.exit('[!]没有无线网卡,请插入网卡')
return interfaces interfaces = get_wlan_interfaces() #获取当前的无线网卡 def get_strongest_inface():
'''
通过iwlist dev scan命令,根据无线网卡可获取到的AP数量来判断哪个网卡的功率最强
'''
iface_APs = []
#interfaces = get_wlan_interfaces()
for iface in interfaces['managed']:
count = 0
if iface:
proc = subprocess.Popen(['iwlist',iface,'scan'],stdout=subprocess.PIPE,stderr=DN)
lines = proc.communicate()[0].split('\n')
for line in lines:
if line:
if '- Address:' in line:
count += 1
iface_APs.append((count,iface))
interface = max(iface_APs)[1]
return interface def start_monitor_mode():
'''
通过airmon-ng工具将无线网卡启动为监听状态
'''
if interfaces['monitor']:
print '[*]监听网卡为:%s' % interfaces['monitor'][0]
return interfaces['monitor'][0]
interface = get_strongest_inface()
print '[*]网卡%s开启监听模式...' % interface
try:
os.system('/usr/sbin/airmon-ng start %s' % interface)
moni_inface = get_wlan_interfaces()['monitor']
print '[*]监听网卡为:%s' % moni_inface[0]
return moni_inface
except:
sys.exit('[!]无法开启监听模式') def get_AP_info(pkt):
'''
从Dot11数据包中获取AP的SSID,BSSID,chanle,加密等信息
'''
AP_info = {}
bssid = pkt[Dot11][Dot11Elt].info
ssid = pkt[Dot11].addr2
chanle = str(ord(pkt[Dot11][Dot11Elt][:3].info))
AP_infos = [bssid,chanle]
wpa_info,cipher_info = get_Dot11_RSN(pkt)
if wpa_info and cipher_info:
AP_infos = AP_infos + [wpa_info,cipher_info]
AP_info[ssid]=AP_infos
return AP_info APs_info = {}
def get_APs_info(pkt):
global APs_info
if pkt.haslayer(Dot11) and (pkt.haslayer(Dot11Beacon) or pkt.haslayer(Dot11ProbeResp)):
AP_info = get_AP_info(pkt) if not APs_info.has_key(AP_info.keys()[0]):
APs_info.update(AP_info)
return APs_info already_shows = []
def show_APs_info(pkt):
global already_shows
APs_info = get_APs_info(pkt)
for (key,value) in APs_info.items():
if key not in already_shows:
already_shows.append(key)
print '-' * 40
print ' [+]AP的BSSID:%s' % value[0]
print ' [+]AP的SSID:%s' % key
print ' [+]AP当前的chanle:%s' % value[1]
if len(value) == 4:
print ' [+]AP的认证方式为:%s' % value[2]
print ' [+]AP的加密算法为:%s' % value[3]
else:
print ' [+]开放验证!!'
print '-' * 40 def get_Dot11_RSN(pkt):
'''
从Beacon帧以及ProbeResponse帧获取cipher及auth信息
'''
ssid = pkt[Dot11].addr2
len_Elt = len(pkt[Dot11Elt].summary().split('/'))
#print pkt.show()
for i in range(len_Elt):
if pkt[Dot11Elt][i].ID == RSN:
try:
RSN_info = hexstr(pkt[Dot11Elt][i].info)
cipher_index = RSN_info.find('ac') #第一个00 0f ac 02中的‘02’代表cipher
auth_index = RSN_info.rfind('ac') #从后往前数第一个00 0f ac 02中的‘02’代表AUTH
cipher_num = int(RSN_info[(cipher_index + 3):(cipher_index + 5)])
auth_num = int(RSN_info[(auth_index + 3):(auth_index + 5)])
for key,value in Dot11i.items():
if cipher_num == key:
cipher_info = value
for key,value in WPA_Auth.items():
if auth_num == key:
wpa_info = value
#print wpa_info,cipher_info
return wpa_info,cipher_info
except:
pass
return None,None def sniffering(interface,action):
'''
嗅探5000个数据包
'''
print '[*]附近AP信息如下:'
sniff(iface=interface,prn=action,count=5000,store=0) def main():
moni_inface = start_monitor_mode()
sniffering(moni_inface, show_APs_info) if __name__ == '__main__':
main()
自己实现IP层的解码
#!/usr/bin/python
#coding=utf-8
import socket
import os
import struct
from ctypes import * #监听的主机
host = "192.168.1.2" #IP头定义
class IP(Structure):
"""docstring for IP"""
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
("src", c_ulong),
("dst", c_ulong)
] def __new__(self,socket_buffer=None):
return self.from_buffer_copy(socket_buffer) def __init__(self, socket_buffer=None):
#协议字段与协议名称对应
self.protocol_map = {1:"ICMP",6:"TCP",17:"UDP"} #可读性更强的IP地址
self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst)) #协议类型
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num) #下面的代码类似于之前的例子
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET,socket.SOCK_RAW,socket_protocol) sniffer.bind((host,0))
sniffer.setsockopt(socket.IPPROTO_IP,socket.IP_HDRINCL,1) if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_ON) try:
while True: #读取数据包
raw_buffer = sniffer.recvfrom(65565)[0] #将缓冲区的前20个字节按IP头进行解析
ip_header = IP(raw_buffer[0:20]) #输出协议和通信双方IP地址
print("Protocol : %s %s -> %s"%(ip_header.protocol,ip_header.src_address,ip_header.dst_address))
#处理CTRL-C
except KeyboardInterrupt: #如果运行在Windows上,关闭混杂模式
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_OFF)
改进的可在Kali中运行的代码
#!/usr/bin/python
import socket
import os
import struct
from ctypes import * #监听的主机
host = "192.168.1.2" #IP头定义
class IP(Structure):
"""docstring for IP"""
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
("src", c_uint32),
("dst", c_uint32)
] def __new__(self,socket_buffer=None):
return self.from_buffer_copy(socket_buffer) def __init__(self, socket_buffer=None):
#协议字段与协议名称对应
self.protocol_map = {1:"ICMP",6:"TCP",17:"UDP"} #可读性更强的IP地址
self.src_address = socket.inet_ntoa(struct.pack("@I",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("@I",self.dst)) #协议类型
try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num) #下面的代码类似于之前的例子
if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET,socket.SOCK_RAW,socket_protocol) sniffer.bind((host,0))
sniffer.setsockopt(socket.IPPROTO_IP,socket.IP_HDRINCL,1) if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_ON) try:
while True: #读取数据包
raw_buffer = sniffer.recvfrom(65565)[0] #将缓冲区的前20个字节按IP头进行解析
ip_header = IP(raw_buffer[0:20]) #输出协议和通信双方IP地址
print "Protocol : %s %s -> %s"%(ip_header.protocol,ip_header.src_address,ip_header.dst_address)
#处理CTRL-C
except KeyboardInterrupt: #如果运行在Windows上,关闭混杂模式
if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_OFF)
解码ICMP层信息
#!/usr/bin/python
#coding=utf-8
import socket
import os
import struct
from ctypes import * class IP(Structure):
"""docstring for IP"""
_fields_ = [
("ihl", c_ubyte, 4),
("version", c_ubyte, 4),
("tos", c_ubyte),
("len", c_ushort),
("id", c_ushort),
("offset", c_ushort),
("ttl", c_ubyte),
("protocol_num", c_ubyte),
("sum", c_ushort),
("src", c_ulong),
("dst", c_ulong)
] def __new__(self,socket_buffer=None):
return self.from_buffer_copy(socket_buffer) def __init__(self, socket_buffer=None):
self.protocol_map = {1:"ICMP",6:"TCP",17:"UDP"} self.src_address = socket.inet_ntoa(struct.pack("<L",self.src))
self.dst_address = socket.inet_ntoa(struct.pack("<L",self.dst)) try:
self.protocol = self.protocol_map[self.protocol_num]
except:
self.protocol = str(self.protocol_num) class ICMP(Structure):
"""docstring for ICMP"""
_fields_ = [
("type", c_ubyte),
("code", c_ubyte),
("checksum", c_ushort),
("unused", c_ushort),
("next_hop_mtu", c_ushort)
] def __new__(self,socket_buffer):
return self.from_buffer_copy(socket_buffer) def __new__(self,socket_buffer):
pass if os.name == "nt":
socket_protocol = socket.IPPROTO_IP
else:
socket_protocol = socket.IPPROTO_ICMP sniffer = socket.socket(socket.AF_INET,socket.SOCK_RAW,socket_protocol) sniffer.bind(("192.168.1.2",0))
sniffer.setsockopt(socket.IPPROTO_IP,socket.IP_HDRINCL,1) if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_ON) try:
while True: raw_buffer = sniffer.recvfrom(65565)[0] ip_header = IP(raw_buffer[0:20]) print ("Protocol : %s %s -> %s"%(ip_header.protocol,ip_header.src_address,ip_header.dst_address)) #如果为ICMP,进行处理
if ip_header.protocol == "ICMP": #计算ICMP包的起始位置
offset = ip_header.ihl*4
buf = raw_buffer[offset:offset + sizeof(ICMP)] #解析ICMP数据
icmp_header = ICMP(buf) print ("ICMP -> Type : %d Code : %d"%(icmp_header.type,icmp_header.code)) except KeyboardInterrupt: if os.name == "nt":
sniffer.ioctl(socket.SIO_RCVALL,socket.RCVALL_OFF)
自己实现PING
# encoding:utf-
import time,struct,socket,select def chesksum(data):
n = len(data)
m = n %
sum =
for i in range(, n - m, ):
# 传入data以每两个字节(十六进制)通过ord转十进制,第一字节在低位,第二个字节在高位
sum += (data[i]) + ((data[i+]) << )
sum = (sum >> ) + (sum & 0xffff)
if m:
sum += (data[-])
sum = (sum >> ) + (sum & 0xffff)
answer = ~sum & 0xffff
# 主机字节序转网络字节序列
answer = answer >> | (answer << & 0xff00)
return answer def request_ping(data_type, data_code, data_checksum, data_ID, data_Sequence, payload_body):
# 把字节打包成二进制数据
imcp_packet = struct.pack('>BBHHH32s', data_type, data_code, data_checksum, data_ID, data_Sequence, payload_body)
# 获取校验和
icmp_chesksum = chesksum(imcp_packet)
# 把校验和传入,再次打包
imcp_packet = struct.pack('>BBHHH32s', data_type, data_code, icmp_chesksum, data_ID, data_Sequence, payload_body)
return imcp_packet # 初始化套接字,并发送
def raw_socket(dst_addr,imcp_packet):
# 实例化一个socket对象,ipv4,原套接字(普通套接字无法处理ICMP等报文),分配协议端口
rawsocket = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp"))
# 记录当前请求时间
send_request_ping_time = time.time()
# 发送数据到网络
rawsocket.sendto(imcp_packet, (dst_addr, ))
return send_request_ping_time, rawsocket def reply_ping(send_request_ping_time, rawsocket, data_Sequence, timeout=):
while True:
# 实例化select对象(非阻塞),可读,可写为空,异常为空,超时时间
what_ready = select.select([rawsocket], [], [], timeout)
# 等待时间 wait_for_time = (time.time() - started_select)
wait_for_time = (time.time() - send_request_ping_time)
# 没有返回可读的内容,判断超时
if what_ready[] == []: # Timeout
return -
# 记录接收时间
time_received = time.time()
# 设置接收的包的字节为1024
received_packet, addr = rawsocket.recvfrom()
# 获取接收包的icmp头
icmpHeader = received_packet[:]
# 反转编码
type, code, r_checksum, packet_id, sequence = struct.unpack(
">BBHHH", icmpHeader
)
if type == and sequence == data_Sequence:
return time_received - send_request_ping_time
# 数据包的超时时间判断
timeout = timeout - wait_for_time
if timeout <= :
return - def ping(host):
sumtime, shorttime, longtime, avgtime = , , ,
# TODO icmp数据包的构建
# 8回射请求 11超时 0回射应答
data_type =
data_code =
# 检验和
data_checksum =
# ID
data_ID =
# 序号
data_Sequence =
# 可选的内容
payload_body = b'abcdefghijklmnopqrstuvwabcdefghi' #data
# 将主机名转ipv4地址格式,返回以ipv4地址格式的字符串,如果主机名称是ipv4地址,则它将保持不变
dst_addr = socket.gethostbyname(host)
print("正在 Ping {0} [{1}] 具有 32 字节的数据:".format(host, dst_addr))
# 默认发送3次
for i in range(, ):
# 请求ping数据包的二进制转换
icmp_packet = request_ping(data_type, data_code, data_checksum, data_ID, data_Sequence + i, payload_body)
# 连接套接字,并将数据发送到套接字
send_request_ping_time, rawsocket = raw_socket(dst_addr, icmp_packet)
# 数据包传输时间
times = reply_ping(send_request_ping_time, rawsocket, data_Sequence + i)
if times > :
print("来自 {0} 的回复: 字节=32 时间={1}ms".format(dst_addr, int(times*)))
return_time = int(times * )
sumtime += return_time
if return_time > longtime:
longtime = return_time
if return_time < shorttime:
shorttime = return_time
time.sleep(0.7)
else:
print("请求超时") if __name__ == "__main__":
ping("www.baidu.com")
《Python黑帽子:黑客与渗透测试编程之道》 网络:原始套接字和流量嗅探的更多相关文章
- python黑帽子-黑客与渗透测试编程之道(源代码)
链接: https://pan.baidu.com/s/1i5BnB5V 密码: ak9t
- 读书笔记 ~ Python黑帽子 黑客与渗透测试编程之道
Python黑帽子 黑客与渗透测试编程之道 <<< 持续更新中>>> 第一章: 设置python 环境 1.python软件包管理工具安装 root@star ...
- 2017-2018-2 20179204 PYTHON黑帽子 黑客与渗透测试编程之道
python代码见码云:20179204_gege 参考博客Python黑帽子--黑客与渗透测试编程之道.关于<Python黑帽子:黑客与渗透测试编程之道>的学习笔记 第2章 网络基础 t ...
- 《Python黑帽子:黑客与渗透测试编程之道》 扩展Burp代理
下载jython,在Burpsuite的扩展中配置jython路径: Burp模糊测试: #!/usr/bin/python #coding=utf-8 # 导入三个类,其中IBurpExtender ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Web攻击
Web的套接字函数库:urllib2 一开始以urllib2.py命名脚本,在Sublime Text中运行会出错,纠错后发现是重名了,改过来就好: #!/usr/bin/python #coding ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Scapy:网络的掌控者
窃取email认证: 测试代码: #!/usr/bin/python #coding=utf-8 from scapy.all import * #数据包回调函数 def packet_callbac ...
- 《Python黑帽子:黑客与渗透测试编程之道》 网络基础
TCP客户端: 示例中socket对象有两个参数,AF_INET参数表明使用IPv4地址或主机名 SOCK_STREAM参数表示是一个TCP客户端.访问的URL是百度. #coding=utf-8 i ...
- 《Python黑帽子:黑客与渗透测试编程之道》 玩转浏览器
基于浏览器的中间人攻击: #coding=utf-8 import win32com.client import time import urlparse import urllib data_rec ...
- 《Python黑帽子:黑客与渗透测试编程之道》 Windows下木马的常用功能
有趣的键盘记录: 安装pyHook: http://nchc.dl.sourceforge.net/project/pyhook/pyhook/1.5.1/pyHook-1.5.1.win32-py2 ...
随机推荐
- iOS.AVCaptureSession
AVCaptureSession的使用容易freeze的问题 1. http://stackoverflow.com/questions/11905505/avcapturesession-stop- ...
- crontab定时任务操作
一.查看定时任务 crontab -l 二.添加定时任务 crontab -e (一)执行外部链接 //每隔10分钟执行1次 */ * * * * /usr/bin/curl "http:/ ...
- 【UML】UML类图关系(泛化 、继承、实现、依赖、关联、聚合、组合)
http://www.cnblogs.com/olvo/archive/2012/05/03/2481014.html 继承.实现.依赖.关联.聚合.组合的联系与区别 分别介绍这几种关系: 继承 指的 ...
- common常用到的类
org.apache.commons.codec.digest.DigestUtils.md5Hex(String) md5
- sqoop 安装使用
安装配置: 1.将sqoop-1.4.4.tar.gz 上传到/usr/local/ 2.解压 tar -zxvf sqoop-1.4.4.tar.gz 3.配置 vim /etc/profile 在 ...
- 常用C字符串函数
static void str_repalce(char *src,char *from,char *to) { char *p,*q; int lenFrom; int le ...
- apk签名方法
生成签名文件: 1.右击项目管理器 选择 Export... 菜单: 2.在弹出的Export窗口中选择 Android->Export Android Application 后 next: ...
- pyspider示例代码七:自动登陆并获得PDF文件下载地址
自动登陆并获得PDF文件下载地址 #!/usr/bin/env python # -*- encoding: utf- -*- # Created on -- :: # Project: pdf_sp ...
- AJAX学习必备三本书
<AJAX基础教程>AJAX必备图书之一.国内发行的第一本AJAX图书,也是目前最好的AJAX入门书,如果您是AJAX新手,此书是最好的入门图书.本书基本包括了实现Ajax需要了解的大部分 ...
- slice、substring、substr
slice() 定义和用法 slice() 方法可从已有的数组中返回选定的元素. string.slice(start, end)提取一个字符串 string.substring(start, end ...