• 日期: 2028-08-28
  • 标签: 科技

代码实现:

import logging
from scapy.all import *

logging.basicConfig(filename='arp_attack.log', level=logging.INFO)

def arp_analysis(pkt):
    if pkt.haslayer(ARP):
        arp_pkt = pkt.getlayer(ARP)
        if arp_pkt.op == 1: # ARP Request
            if arp_pkt.pdst in ip_mac_dict:
                if arp_pkt.hwsrc != ip_mac_dict[arp_pkt.pdst]:
                    logging.warning(f"ARP Spoofing Detected! IP address {arp_pkt.pdst} is associated with multiple MAC addresses: {ip_mac_dict[arp_pkt.pdst]} and {arp_pkt.hwsrc}")
                    print(f"\033[31mARP Spoofing Detected! IP address {arp_pkt.pdst} is associated with multiple MAC addresses: {ip_mac_dict[arp_pkt.pdst]} and {arp_pkt.hwsrc}\033[0m")
            else:
                ip_mac_dict[arp_pkt.pdst] = arp_pkt.hwsrc
        elif arp_pkt.op == 2: # ARP Reply
            if arp_pkt.hwsrc in mac_ip_dict:
                if arp_pkt.psrc != mac_ip_dict[arp_pkt.hwsrc]:
                    logging.warning(f"ARP Spoofing Detected! MAC address {arp_pkt.hwsrc} is associated with multiple IP addresses: {mac_ip_dict[arp_pkt.hwsrc]} and {arp_pkt.psrc}")
                    print(f"\033[31mARP Spoofing Detected! MAC address {arp_pkt.hwsrc} is associated with multiple IP addresses: {mac_ip_dict[arp_pkt.hwsrc]} and {arp_pkt.psrc}\033[0m")
            else:
                mac_ip_dict[arp_pkt.hwsrc] = arp_pkt.psrc

        if len(ip_mac_dict) > 10:
            logging.warning("Possible ARP Flooding Detected! Large number of ARP requests detected.")
            print("\033[31mPossible ARP Flooding Detected! Large number of ARP requests detected.\033[0m")

        if len(mac_ip_dict) > 10:
            logging.warning("Possible ARP Cache Poisoning Detected! Large number of ARP replies detected.")
            print("\033[31mPossible ARP Cache Poisoning Detected! Large number of ARP replies detected.\033[0m")

        if arp_pkt.hwsrc != pkt[Ether].src:
            logging.warning(f"ARP Spoofing Detected! Source MAC address {arp_pkt.hwsrc} does not match the actual source MAC address {pkt[Ether].src}")
            print(f"\033[31mARP Spoofing Detected! Source MAC address {arp_pkt.hwsrc} does not match the actual source MAC address {pkt[Ether].src}\033[0m")

ip_mac_dict = {}
mac_ip_dict = {}

sniff(filter="arp", prn=arp_analysis)

代码说明:

  1. import logging:导入日志模块;
  2. from scapy.all import *:导入Scapy模块;
  3. logging.basicConfig(filename='arp_attack.log', level=logging.INFO):配置日志文件名和日志级别;
  4. def arp_analysis(pkt):定义分析ARP包的函数;
  5. if pkt.haslayer(ARP)::判断数据包是否为ARP包;
  6. arp_pkt = pkt.getlayer(ARP):获取ARP包;
  7. if arp_pkt.op == 1::判断ARP包是ARP请求还是ARP响应;
  8. if arp_pkt.pdst in ip_mac_dict::判断IP地址是否已经存在于字典中;
  9. if arp_pkt.hwsrc != ip_mac_dict[arp_pkt.pdst]::判断MAC地址是否与字典中存储的MAC地址不一致;
  10. logging.warning(f"ARP Spoofing Detected! IP address {arp_pkt.pdst} is associated with multiple MAC addresses: {ip_mac_dict[arp_pkt.pdst]} and {arp_pkt.hwsrc}"):记录日志;
  11. print(f"\033[31mARP Spoofing Detected! IP address {arp_pkt.pdst} is associated with multiple MAC addresses: {ip_mac_dict[arp_pkt.pdst]} and {arp_pkt.hwsrc}\033[0m"):输出警告信息,IP地址标为红色;
  12. else::如果IP地址不存在于字典中,则将IP地址和MAC地址存储到字典中;
  13. elif arp_pkt.op == 2::判断ARP包是ARP请求还是ARP响应;
  14. if arp_pkt.hwsrc in mac_ip_dict::判断MAC地址是否已经存在于字典中;
  15. if arp_pkt.psrc != mac_ip_dict[arp_pkt.hwsrc]::判断IP地址是否与字典中存储的IP地址不一致;
  16. logging.warning(f"ARP Spoofing Detected! MAC address {arp_pkt.hwsrc} is associated with multiple IP addresses: {mac_ip_dict[arp_pkt.hwsrc]} and {arp_pkt.psrc}"):记录日志;
  17. print(f"\033[31mARP Spoofing Detected! MAC address {arp_pkt.hwsrc} is associated with multiple IP addresses: {mac_ip_dict[arp_pkt.hwsrc]} and {arp_pkt.psrc}\033[0m"):输出警告信息,IP地址标为红色;
  18. else::如果MAC地址不存在于字典中,则将MAC地址和IP地址存储到字典中;
  19. if len(ip_mac_dict) > 10::判断字典中存储的IP地址和MAC地址对数是否超过10个;
  20. logging.warning("Possible ARP Flooding Detected! Large number of ARP requests detected."):记录日志;
  21. print("\033[31mPossible ARP Flooding Detected! Large number of ARP requests detected.\033[0m"):输出警告信息;
  22. if len(mac_ip_dict) > 10::判断字典中存储的MAC地址和IP地址对数是否超过10个;
  23. logging.warning("Possible ARP Cache Poisoning Detected! Large number of ARP replies detected."):记录日志;
  24. print("\033[31mPossible ARP Cache Poisoning Detected! Large number of ARP replies detected.\033[0m"):输出警告信息;
  25. if arp_pkt.hwsrc != pkt[Ether].src::判断ARP包中的源MAC地址是否与数据包中的源MAC地址不一致;
  26. logging.warning(f"ARP Spoofing Detected! Source MAC address {arp_pkt.hwsrc} does not match the actual source MAC address {pkt[Ether].src}"):记录日志;
  27. print(f"\033[31mARP Spoofing Detected! Source MAC address {arp_pkt.hwsrc} does not match the actual source MAC address {pkt[Ether].src}\033[0m"):输出警告信息,源MAC地址标为红色;
  28. ip_mac_dict = {}mac_ip_dict = {}:定义两个空字典,用于存储IP地址和MAC地址的对应关系;
  29. sniff(filter="arp", prn=arp_analysis):捕获ARP包,并调用arp_analysis()函数进行分析
基于Linux的ARP攻击检测软件 根据这几个规则用Python实现 首先捕获数据包过滤规则设置为ARP包其他则丢弃接着进行分析ARP包分出正常主机和疑似异常主机异常主机的IP地址标为红色。 -同一IP地址对应多个MAC地址; - 多个IP地址对应同一个MAC地址; - 大量的ARP请求或响应包; - ARP包中的源MAC地址和目标MAC地址不匹配;同时满足两种规则或以上的就输

原文地址: http://www.cveoy.top/t/topic/fyOU 著作权归作者所有。请勿转载和采集!

免费AI点我,无需注册和登录