Python ARP欺骗检测工具

Python ARP欺骗检测工具

本项目使用Python和Scapy库实现了一个简单的ARP欺骗检测工具。

功能：

• 扫描局域网内的设备
• 检测ARP缓存中的异常条目
• 实时监控网络流量，识别ARP欺骗攻击
• 发出警报，提醒用户潜在的安全威胁

代码示例：

import threading
import time
import netifaces
from scapy.all import *

class ArpDetectorPage:
    def __init__(self, master, timeout):
        self.master = master
        self.timeout = timeout
        self.interface = 'ens33'
        self.ip_mac_map = {}
        self.attacker_ip = None
        self.attacker_mac = None
        self.thread = None
        self.stop_event = threading.Event()

        self.frame = tk.Frame(self.master)
        self.frame.pack()

        self.status_label = tk.Label(self.frame, text='Idle')
        self.status_label.pack()

        self.start_button = tk.Button(self.frame, text='Start', command=self.start_detection)
        self.start_button.pack()

        self.stop_button = tk.Button(self.frame, text='Stop', command=self.stop_detection, state=tk.DISABLED)
        self.stop_button.pack()

    def start_detection(self):
        self.status_label.config(text='Running')
        self.start_button.config(state=tk.DISABLED)
        self.stop_button.config(state=tk.NORMAL)

        self.thread = threading.Thread(target=self.run)
        self.thread.start()

    def stop_detection(self):
        self.status_label.config(text='Idle')
        self.start_button.config(state=tk.NORMAL)
        self.stop_button.config(state=tk.DISABLED)

        self.stop_event.set()
        self.thread.join()

    def run(self):
        self.attacker_ip = netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr']
        self.attacker_mac = getmacbyip(self.attacker_ip)
        print(f'Attacker IP: {self.attacker_ip}, MAC: {self.attacker_mac}')

        while not self.stop_event.is_set():
            self.scan_network()
            self.detect_arp_spoofing()
            time.sleep(5)
            self.timer += 5
            if self.timer >= self.timeout:
                print('No ARP spoofing detected')
                self.stop_event.set()

    def scan_network(self):
        for ip in netifaces.ifaddresses(self.interface)[netifaces.AF_INET][0]['addr'].split('.')[:-1]:
            for i in range(1, 255):
                target_ip = f'{ip}.{i}'
                if target_ip != self.attacker_ip:
                    arp_request = ARP(pdst=target_ip)
                    arp_reply = sr1(arp_request, timeout=1, verbose=0)
                    if arp_reply and arp_reply.hwsrc not in ('00:00:00:00:00:00', self.attacker_mac):
                        self.ip_mac_map[target_ip] = arp_reply.hwsrc

    def detect_arp_spoofing(self):
        for target_ip, target_mac in self.ip_mac_map.items():
            arp_request = ARP(op=1, pdst=target_ip, hwdst=target_mac, psrc=self.attacker_ip, hwsrc=self.attacker_mac)
            arp_reply = sr1(arp_request, timeout=1, verbose=0)
            if arp_reply and arp_reply.hwsrc != target_mac:
                print(f'ARP spoofing detected: {target_ip} ({target_mac}) -> {arp_reply.hwsrc}')

class ArpDetectorPageUI:
    def __init__(self, master):
        self.master = master
        self.master.title('ARP Detector')
        self.master.geometry('400x150')

        self.timeout_label = tk.Label(self.master, text='Detection Time (s)')
        self.timeout_label.pack()
        self.timeout_entry = tk.Entry(self.master)
        self.timeout_entry.pack()

        self.start_button = tk.Button(self.master, text='Start', command=self.start_detection)
        self.start_button.pack()

    def start_detection(self):
        timeout = int(self.timeout_entry.get())
        self.master.withdraw()
        ArpDetectorPage(self.master, timeout)

# ...
# 在其他代码中调用show_arp_page函数
self.arp_button = tk.Button(self.root, text='ARP Detection', command=self.show_arp_page)

使用方法：

1. 安装必要的Python库：pip install scapy netifaces
2. 修改代码中的网络接口名称 ens33 为实际使用的接口
3. 运行代码

注意：

• 该工具仅供学习和研究使用，请勿用于非法用途。
• 使用该工具需要一定的网络安全知识，请谨慎操作。