用Python实现的ARP检测防护软件,其设计模块包括:能够获取局域网活动主机的MAC地址、IP地址、ARP表的模块,以及能够检测ARP欺骗攻击的模块。
获取局域网活动主机的MAC地址、IP地址、ARP表的模块:
- 使用Python的socket模块(配合fcntl和struct)获取本机的IP地址和MAC地址。下面的ioctl调用方式仅适用于Linux。
import socket
import fcntl
import struct
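def get_ip_address(ifname):
    """Return the IPv4 address of a local interface as a dotted-quad string.

    Linux-only: the address is read with the SIOCGIFADDR ioctl.

    Args:
        ifname: Interface name such as 'eth0', given as str or bytes.

    Raises:
        OSError: If the ioctl fails, e.g. for an unknown interface name.
    """
    # struct.pack('256s', ...) only accepts bytes on Python 3, so a str
    # interface name has to be encoded first.
    if not isinstance(ifname, bytes):
        ifname = ifname.encode()
    request = struct.pack('256s', ifname[:15])
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        reply = fcntl.ioctl(s.fileno(), 0x8915, request)  # SIOCGIFADDR
    finally:
        # The socket is only a handle for the ioctl; do not leak it.
        s.close()
    # Bytes 20..23 of the returned structure hold the IPv4 address.
    return socket.inet_ntoa(reply[20:24])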
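def get_mac_address(ifname):
    """Return the hardware (MAC) address of a local interface.

    Linux-only: the address is read with ioctl request 0x8927
    (SIOCGIFHWADDR).

    Args:
        ifname: Interface name such as 'eth0', given as str or bytes.

    Returns:
        The address as six lower-case hex octets joined by ':'.

    Raises:
        OSError: If the ioctl fails, e.g. for an unknown interface name.
    """
    # struct.pack('256s', ...) only accepts bytes on Python 3.
    if not isinstance(ifname, bytes):
        ifname = ifname.encode()
    request = struct.pack('256s', ifname[:15])
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        info = fcntl.ioctl(s.fileno(), 0x8927, request)  # SIOCGIFHWADDR
    finally:
        # The socket is only a handle for the ioctl; do not leak it.
        s.close()
    # bytearray yields ints on both Python 2 and 3, so no ord() is needed
    # (ord() on an int raises TypeError on Python 3).
    return ':'.join('%02x' % octet for octet in bytearray(info[18:24]))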
# Example usage: look up the IPv4 and MAC address of the interface 'eth0'.
# NOTE(review): the interface name is hard-coded; confirm it matches the
# interface actually attached to the LAN being monitored.
ip_address = get_ip_address('eth0')
mac_address = get_mac_address('eth0')
- 使用Python的scapy模块向指定网段广播ARP请求,并根据收到的应答构建IP–MAC对照表(即下文所说的ARP表)。发送和抓取原始报文通常需要root权限。
from scapy.all import ARP, Ether, srp
def get_arp_table(ip_range):
    """Scan ip_range with broadcast ARP requests and collect the answers.

    Args:
        ip_range: Target address or range passed to ARP(pdst=...),
            e.g. '192.168.1.0/24'.

    Returns:
        A list of {'ip': ..., 'mac': ...} dicts, one per answer received
        within the 3 second timeout.

    Note:
        ARP replies are unauthenticated, so the table records whatever
        answered at scan time. If it is used as a detection baseline, a
        binding that was already forged during the scan is stored as
        "known good".
    """
    probe = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_range)
    # srp() returns (answered, unanswered); only the answered pairs matter.
    answered = srp(probe, timeout=3, verbose=0)[0]
    return [{'ip': reply.psrc, 'mac': reply.hwsrc} for _, reply in answered]
# Example usage: build the IP-to-MAC table for the 192.168.1.0/24 range.
arp_table = get_arp_table('192.168.1.0/24')
检测ARP欺骗攻击的模块:
- 使用Python的scapy模块监听局域网中的ARP广播包。
from scapy.all import ARP, sniff
def arp_monitor_callback(pkt):
    """Describe the sender of an ARP request or reply.

    Args:
        pkt: Packet handed over by scapy's sniff().

    Returns:
        "<sender MAC> <sender IP>" for ARP op 1 (who-has) or op 2 (is-at);
        None for every other packet.
    """
    if ARP not in pkt:
        return None
    if pkt[ARP].op not in (1, 2):  # 1 = who-has, 2 = is-at
        return None
    return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")
def start_arp_monitor():
    """Capture ARP traffic and pass every packet to arp_monitor_callback.

    The sniff() call is given neither a count nor a timeout; packets are
    not stored (store=0).
    """
    sniff(
        filter="arp",
        prn=arp_monitor_callback,
        store=0,
    )
- 在监听到ARP包时,将包中声明的IP–MAC对应关系与之前得到的ARP表比对,不一致则提示可能存在ARP欺骗攻击。注意:作为基准的ARP表本身来自未经认证的ARP应答,如果建表时网络已被欺骗,基准就不可信。
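def arp_spoof_detect(pkt, arp_table):
    """Print an alert when an ARP packet contradicts the baseline table.

    Only IP addresses present in arp_table are checked; a binding for an
    address that is not in the baseline produces no output.

    Args:
        pkt: Packet handed over by scapy's sniff().
        arp_table: Baseline list of {'ip': ..., 'mac': ...} dicts, in the
            shape returned by get_arp_table().
    """
    if ARP not in pkt:
        return
    arp = pkt[ARP]
    # Requests (op 1) carry sender IP/MAC fields just like replies (op 2),
    # and receivers may update their caches from them, so a forged binding
    # has to be looked for in both. Checking replies only leaves a blind spot.
    if arp.op not in (1, 2):
        return
    for entry in arp_table:
        if arp.psrc == entry['ip'] and arp.hwsrc != entry['mac']:
            print("ARP spoofing attack detected: {} is-at {}".format(arp.psrc, arp.hwsrc))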
def start_arp_spoof_detect(arp_table):
    """Capture ARP traffic and check every packet against arp_table.

    Args:
        arp_table: Baseline list of {'ip': ..., 'mac': ...} dicts that
            arp_spoof_detect() compares each packet with.
    """
    def _check(pkt):
        # Bind the baseline so sniff() can call this with the packet alone.
        return arp_spoof_detect(pkt, arp_table)

    sniff(filter="arp", prn=_check, store=0)
完整代码:
import socket
import fcntl
import struct
from scapy.all import ARP, Ether, srp, sniff
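def get_ip_address(ifname):
    """Return the IPv4 address of a local interface as a dotted-quad string.

    Linux-only: the address is read with the SIOCGIFADDR ioctl.

    Args:
        ifname: Interface name such as 'eth0', given as str or bytes.

    Raises:
        OSError: If the ioctl fails, e.g. for an unknown interface name.
    """
    # struct.pack('256s', ...) only accepts bytes on Python 3, so a str
    # interface name has to be encoded first.
    if not isinstance(ifname, bytes):
        ifname = ifname.encode()
    request = struct.pack('256s', ifname[:15])
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        reply = fcntl.ioctl(s.fileno(), 0x8915, request)  # SIOCGIFADDR
    finally:
        # The socket is only a handle for the ioctl; do not leak it.
        s.close()
    # Bytes 20..23 of the returned structure hold the IPv4 address.
    return socket.inet_ntoa(reply[20:24])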
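def get_mac_address(ifname):
    """Return the hardware (MAC) address of a local interface.

    Linux-only: the address is read with ioctl request 0x8927
    (SIOCGIFHWADDR).

    Args:
        ifname: Interface name such as 'eth0', given as str or bytes.

    Returns:
        The address as six lower-case hex octets joined by ':'.

    Raises:
        OSError: If the ioctl fails, e.g. for an unknown interface name.
    """
    # struct.pack('256s', ...) only accepts bytes on Python 3.
    if not isinstance(ifname, bytes):
        ifname = ifname.encode()
    request = struct.pack('256s', ifname[:15])
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        info = fcntl.ioctl(s.fileno(), 0x8927, request)  # SIOCGIFHWADDR
    finally:
        # The socket is only a handle for the ioctl; do not leak it.
        s.close()
    # bytearray yields ints on both Python 2 and 3, so no ord() is needed
    # (ord() on an int raises TypeError on Python 3).
    return ':'.join('%02x' % octet for octet in bytearray(info[18:24]))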
def get_arp_table(ip_range):
    """Scan ip_range with broadcast ARP requests and collect the answers.

    Args:
        ip_range: Target address or range passed to ARP(pdst=...),
            e.g. '192.168.1.0/24'.

    Returns:
        A list of {'ip': ..., 'mac': ...} dicts, one per answer received
        within the 3 second timeout.

    Note:
        ARP replies are unauthenticated, so the table records whatever
        answered at scan time. If it is used as a detection baseline, a
        binding that was already forged during the scan is stored as
        "known good".
    """
    probe = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_range)
    # srp() returns (answered, unanswered); only the answered pairs matter.
    answered = srp(probe, timeout=3, verbose=0)[0]
    return [{'ip': reply.psrc, 'mac': reply.hwsrc} for _, reply in answered]
def arp_monitor_callback(pkt):
    """Describe the sender of an ARP request or reply.

    Args:
        pkt: Packet handed over by scapy's sniff().

    Returns:
        "<sender MAC> <sender IP>" for ARP op 1 (who-has) or op 2 (is-at);
        None for every other packet.
    """
    if ARP not in pkt:
        return None
    if pkt[ARP].op not in (1, 2):  # 1 = who-has, 2 = is-at
        return None
    return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")
def start_arp_monitor():
    """Capture ARP traffic and pass every packet to arp_monitor_callback.

    The sniff() call is given neither a count nor a timeout; packets are
    not stored (store=0).
    """
    sniff(
        filter="arp",
        prn=arp_monitor_callback,
        store=0,
    )
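def arp_spoof_detect(pkt, arp_table):
    """Print an alert when an ARP packet contradicts the baseline table.

    Only IP addresses present in arp_table are checked; a binding for an
    address that is not in the baseline produces no output.

    Args:
        pkt: Packet handed over by scapy's sniff().
        arp_table: Baseline list of {'ip': ..., 'mac': ...} dicts, in the
            shape returned by get_arp_table().
    """
    if ARP not in pkt:
        return
    arp = pkt[ARP]
    # Requests (op 1) carry sender IP/MAC fields just like replies (op 2),
    # and receivers may update their caches from them, so a forged binding
    # has to be looked for in both. Checking replies only leaves a blind spot.
    if arp.op not in (1, 2):
        return
    for entry in arp_table:
        if arp.psrc == entry['ip'] and arp.hwsrc != entry['mac']:
            print("ARP spoofing attack detected: {} is-at {}".format(arp.psrc, arp.hwsrc))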
def start_arp_spoof_detect(arp_table):
    """Capture ARP traffic and check every packet against arp_table.

    Args:
        arp_table: Baseline list of {'ip': ..., 'mac': ...} dicts that
            arp_spoof_detect() compares each packet with.
    """
    def _check(pkt):
        # Bind the baseline so sniff() can call this with the packet alone.
        return arp_spoof_detect(pkt, arp_table)

    sniff(filter="arp", prn=_check, store=0)
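if __name__ == '__main__':
    # Report the local interface and build the baseline IP-to-MAC table.
    # NOTE(review): interface name and address range are hard-coded; confirm
    # they match the LAN being monitored.
    ip_address = get_ip_address('eth0')
    mac_address = get_mac_address('eth0')
    arp_table = get_arp_table('192.168.1.0/24')
    print("IP address: {}".format(ip_address))
    print("MAC address: {}".format(mac_address))
    print("ARP table: {}".format(arp_table))

    # start_arp_monitor() blocks inside sniff(), so calling it before
    # start_arp_spoof_detect() kept the detector from running until the
    # first capture ended. Use a single capture that feeds both the
    # detector and the monitor instead.
    def _on_arp(pkt):
        arp_spoof_detect(pkt, arp_table)
        # The returned string is printed by sniff(), as in start_arp_monitor().
        return arp_monitor_callback(pkt)

    sniff(prn=_on_arp, filter="arp", store=0)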