实验一

dcbuild 下载容器所需的image镜像，如果已经有了，就跳过

dcup 即docker-compose up 安装容器并启动

cd Labsetup1

1-1

vi test1.py 写一个python程序

chmod a+x test1.py 添加执行权限

sudo python3 test1.py 用root权限运行

ping 10.0.2.4 ping任意一个IP

#test1.py #对于每个捕获的数据包，函数print pkt（）将被调用；此函数将打印出有关数据包的一些信息。 #!/usr/bin/python from scapy.all import * def print_pkt(pkt): pkt.show() pkt = sniff(filter="icmp",prn=print_pkt) 

1-2

vi test2.py

chmod a+x test2.py

vi send2.py

chmod a+x send2.py

sudo python3 test2.py

sudo python3 send2.py

讯享网#test2.py #只捕捉来自特定IP的TCP数据包 1 #!/usr/bin/python3 from scapy.all import * def print_pkt(pkt): return pkt.summary() pkt = sniff(filter="tcp and src host 10.0.2.4",prn=print_pkt) print(pkt) #发送数据包的代码 send2.py #!/usr/bin/python3 from scapy.all import * ip = IP() ip.src = "10.0.2.4" ip.dst = "10.0.2.15" tcp = TCP() send(ip/tcp) 

# 只捕捉ICMP数据包 2 #!/usr/bin/python3  from scapy.all import * def print_pkt(pkt): return pkt.summary() pkt = sniff(filter="icmp",prn=print_pkt) print(pkt) 

讯享网# 捕获来自一个特定的子网的数据包，这里使用的子网为128.230.0.0/16 3  #!/usr/bin/python3 from scapy.all import * def print_pkt(pkt): return pkt.summary() pkt = sniff(filter="net 128.230.0.0/16",prn=print_pkt) print(pkt) # 发送数据包的代码  #!/usr/bin/python3  from scapy.all import * ip = IP() ip.src = "10.0.2.15" ip.dst = "128.230.0.1" tcp = TCP() send(ip/tcp) ip.src = "128.230.0.1" ip.dst = "10.0.2.15" send(ip/tcp) 

1-3

vi test3.py

chmod a+x test3.py

sudo python3 test3.py

#test3.py #!/usr/bin/python3  from scapy.all import * ip = IP() ip.src = "192.168.31.33" #虚假IP，真实IP是192.168.31.245  ip.dst = "192.168.31.31" #是kali的IP  icmp = ICMP() send(ip/icmp) 

1-4

vi test4.py

chmod a+x test4.py

sudo python3 test4.py

ping 1.2.3.4

讯享网#test4.py  #A机器发送请求，B机器伪造响应 #!/usr/ bin/env python3 from scapy.all import* in sniff I do the exactly way until now in spoofing I cheak if the icmp packet is requst if it is I change only the icmp type to 0 -reply and chnge the source and destination def spoofing(pkt): if pkt[ICMP].type==8: dst=pkt[IP].dst src=pkt[IP].src ihll=pkt[IP].ihl idd=pkt[ICMP].id se=pkt[ICMP].seq load=pkt[Raw].load a=IP(src=dst,dst=src,ihl=ihll) b=ICMP(type=0,id=idd,seq=se) c=load ans=(a/b/c) send(ans) pkt=sniff(filter="icmp",prn=spoofing) 

1-5

5-1

vi test-c1.c

讯享网

gcc -o test-c1 test-c1.c -lpcap

sudo ./test-c1

ping baidu.com

#include <pcap.h> #include <stdio.h> #include <arpa/inet.h> /* Ethernet header */ struct ethheader { 
    u_char ether_dhost[6]; /* destination host address */ u_char ether_shost[6]; /* source host address */ u_short ether_type; /* protocol type (IP, ARP, RARP, etc) */ }; /* IP Header */ struct ipheader { 
    unsigned char iph_ihl:4, //IP header length iph_ver:4; //IP version unsigned char iph_tos; //Type of service unsigned short int iph_len; //IP Packet length (data + header) unsigned short int iph_ident; //Identification unsigned short int iph_flag:3, //Fragmentation flags iph_offset:13; //Flags offset unsigned char iph_ttl; //Time to Live unsigned char iph_protocol; //Protocol type unsigned short int iph_chksum; //IP datagram checksum struct in_addr iph_sourceip; //Source IP address struct in_addr iph_destip; //Destination IP address }; void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { 
    struct ethheader *eth = (struct ethheader *)packet; if (ntohs(eth->ether_type) == 0x0800) { 
    // 0x0800 is IP type struct ipheader * ip = (struct ipheader *) (packet + sizeof(struct ethheader)); printf(" From: %s\n", inet_ntoa(ip->iph_sourceip)); printf(" To: %s\n", inet_ntoa(ip->iph_destip)); /* determine protocol */ switch(ip->iph_protocol) { 
    case IPPROTO_TCP: printf(" Protocol: TCP\n\n"); return; case IPPROTO_UDP: printf(" Protocol: UDP\n\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n\n"); return; default: printf(" Protocol: others\n\n"); return; } } } int main() { 
    pcap_t *handle; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fp; char filter_exp[] = "ip proto icmp"; bpf_u_int32 net; // Step 1: Open live pcap session on NIC with name enp0s3 handle = pcap_open_live("enp0s3", BUFSIZ, 1, 1000, errbuf); printf("listening on network card, ret: %p...\n", handle); // Step 2: Compile filter_exp into BPF psuedo-code printf("try to compile filter...\n"); pcap_compile(handle, &fp, filter_exp, 0, net); printf("try to set filter...\n"); pcap_setfilter(handle, &fp); // Step 3: Capture packets printf("start to sniff...\n"); pcap_loop(handle, -1, got_packet, NULL); pcap_close(handle); //Close the handle return 0; } 

5-2

vi test-c2.c

gcc -o test-c2 test-c2.c -lpcap

sudo ./test-c2

讯享网#include <pcap.h> #include <stdio.h> #include <arpa/inet.h> /* Ethernet header */ struct ethheader { u_char ether_dhost[6]; /* destination host address */ u_char ether_shost[6]; /* source host address */ u_short ether_type; /* protocol type (IP, ARP, RARP, etc) */ }; /* IP Header */ struct ipheader { unsigned char iph_ihl:4, //IP header length iph_ver:4; //IP version unsigned char iph_tos; //Type of service unsigned short int iph_len; //IP Packet length (data + header) unsigned short int iph_ident; //Identification unsigned short int iph_flag:3, //Fragmentation flags iph_offset:13; //Flags offset unsigned char iph_ttl; //Time to Live unsigned char iph_protocol; //Protocol type unsigned short int iph_chksum; //IP datagram checksum struct in_addr iph_sourceip; //Source IP address struct in_addr iph_destip; //Destination IP address }; void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { struct ethheader *eth = (struct ethheader *)packet; if (ntohs(eth->ether_type) == 0x0800) { // 0x0800 is IP type struct ipheader * ip = (struct ipheader *) (packet + sizeof(struct ethheader)); printf(" From: %s\n", inet_ntoa(ip->iph_sourceip)); printf(" To: %s\n", inet_ntoa(ip->iph_destip)); /* determine protocol */ switch(ip->iph_protocol) { case IPPROTO_TCP: printf(" Protocol: TCP\n\n"); return; case IPPROTO_UDP: printf(" Protocol: UDP\n\n"); return; case IPPROTO_ICMP: printf(" Protocol: ICMP\n\n"); return; default: printf(" Protocol: others\n\n"); return; } } } int main() { pcap_t *handle; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fp; char filter_exp[] = "icmp and src host 192.168.31.31 and dst host 192.168.31.245"; bpf_u_int32 net; // Step 1: Open live pcap session on NIC with name enp0s3 handle = pcap_open_live("enp0s3", BUFSIZ, 1, 1000, errbuf); printf("listening on network card, ret: %p...\n", handle); // Step 2: Compile filter_exp into BPF psuedo-code printf("try to compile filter...\n"); pcap_compile(handle, &fp, filter_exp, 0, net); printf("try to set filter...\n"); pcap_setfilter(handle, &fp); // Step 3: Capture packets printf("start to sniff...\n"); pcap_loop(handle, -1, got_packet, NULL); pcap_close(handle); //Close the handle return 0; } 

5-3

vi myheader.h checksum.c spoof.c

vi udp.c

gcc -o udp udp.c spoof.c -lpcap

sudo ./udp

vi icmp.c

gcc -o icmp icmp.c spoof.c checksum.c -lpcap

sudo ./icmp

myheader.h

/* Ethernet header */ struct ethheader { u_char ether_dhost[6]; /* destination host address */ u_char ether_shost[6]; /* source host address */ u_short ether_type; /* IP? ARP? RARP? etc */ }; /* IP Header */ struct ipheader { unsigned char iph_ihl:4, //IP header length iph_ver:4; //IP version unsigned char iph_tos; //Type of service unsigned short int iph_len; //IP Packet length (data + header) unsigned short int iph_ident; //Identification unsigned short int iph_flag:3, //Fragmentation flags iph_offset:13; //Flags offset unsigned char iph_ttl; //Time to Live unsigned char iph_protocol; //Protocol type unsigned short int iph_chksum; //IP datagram checksum struct in_addr iph_sourceip; //Source IP address struct in_addr iph_destip; //Destination IP address }; /* ICMP Header */ struct icmpheader { unsigned char icmp_type; // ICMP message type unsigned char icmp_code; // Error code unsigned short int icmp_chksum; //Checksum for ICMP Header and data unsigned short int icmp_id; //Used for identifying request unsigned short int icmp_seq; //Sequence number }; /* UDP Header */ struct udpheader { u_int16_t udp_sport; /* source port */ u_int16_t udp_dport; /* destination port */ u_int16_t udp_ulen; /* udp length */ u_int16_t udp_sum; /* udp checksum */ }; /* TCP Header */ struct tcpheader { u_short tcp_sport; /* source port */ u_short tcp_dport; /* destination port */ u_int tcp_seq; /* sequence number */ u_int tcp_ack; /* acknowledgement number */ u_char tcp_offx2; /* data offset, rsvd */ #define TH_OFF(th) (((th)->tcp_offx2 & 0xf0) >> 4) u_char tcp_flags; #define TH_FIN 0x01 #define TH_SYN 0x02 #define TH_RST 0x04 #define TH_PUSH 0x08 #define TH_ACK 0x10 #define TH_URG 0x20 #define TH_ECE 0x40 #define TH_CWR 0x80 #define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR) u_short tcp_win; /* window */ u_short tcp_sum; /* checksum */ u_short tcp_urp; /* urgent pointer */ }; /* Psuedo TCP header */ struct pseudo_tcp { unsigned saddr, daddr; unsigned char mbz; unsigned char ptcl; unsigned short tcpl; struct tcpheader tcp; char payload[1500]; }; 

checksum.c

讯享网#include <unistd.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #include <arpa/inet.h> #include "myheader.h" unsigned short in_cksum (unsigned short *buf, int length) { unsigned short *w = buf; int nleft = length; int sum = 0; unsigned short temp=0; /* * The algorithm uses a 32 bit accumulator (sum), adds * sequential 16 bit words to it, and at the end, folds back all * the carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* treat the odd byte at the end, if any */ if (nleft == 1) { *(u_char *)(&temp) = *(u_char *)w ; sum += temp; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); // add hi 16 to low 16 sum += (sum >> 16); // add carry return (unsigned short)(~sum); } / TCP checksum is calculated on the pseudo header, which includes the TCP header and data, plus some part of the IP header. Therefore, we need to construct the pseudo header first. */ unsigned short calculate_tcp_checksum(struct ipheader *ip) { struct tcpheader *tcp = (struct tcpheader *)((u_char *)ip + sizeof(struct ipheader)); int tcp_len = ntohs(ip->iph_len) - sizeof(struct ipheader); /* pseudo tcp header for the checksum computation */ struct pseudo_tcp p_tcp; memset(&p_tcp, 0x0, sizeof(struct pseudo_tcp)); p_tcp.saddr = ip->iph_sourceip.s_addr; p_tcp.daddr = ip->iph_destip.s_addr; p_tcp.mbz = 0; p_tcp.ptcl = IPPROTO_TCP; p_tcp.tcpl = htons(tcp_len); memcpy(&p_tcp.tcp, tcp, tcp_len); return (unsigned short) in_cksum((unsigned short *)&p_tcp, tcp_len + 12); } 

spoof.c

#include <unistd.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #include <arpa/inet.h> #include "myheader.h" /* Given an IP packet, send it out using a raw socket. / void send_raw_ip_packet(struct ipheader* ip) { struct sockaddr_in dest_info; int enable = 1; // Step 1: Create a raw network socket. int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); printf("sock: %d\n", sock); // Step 2: Set socket option. setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable)); // Step 3: Provide needed information about destination. dest_info.sin_family = AF_INET; dest_info.sin_addr = ip->iph_destip; // Step 4: Send the packet out. sendto(sock, ip, ntohs(ip->iph_len), 0, (struct sockaddr *)&dest_info, sizeof(dest_info)); close(sock); } 

伪造UDP包

讯享网#include <unistd.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #include <arpa/inet.h> #include "myheader.h" void send_raw_ip_packet (struct ipheader* ip); / Spoof a UDP packet using an arbitrary source IP Address and port */ int main() { char buffer[1500]; memset(buffer, 0, 1500); struct ipheader *ip = (struct ipheader *) buffer; struct udpheader *udp = (struct udpheader *) (buffer + sizeof(struct ipheader)); /* Step 1: Fill in the UDP data field. / char *data = buffer + sizeof(struct ipheader) + sizeof(struct udpheader); const char *msg = "Hello Server!\n"; int data_len = strlen(msg); strncpy (data, msg, data_len); /* Step 2: Fill in the UDP header. / udp->udp_sport = htons(12345); udp->udp_dport = htons(9090); udp->udp_ulen = htons(sizeof(struct udpheader) + data_len); udp->udp_sum = 0; /* Many OSes ignore this field, so we do not calculate it. */ /* Step 3: Fill in the IP header. / ip->iph_ver = 4; ip->iph_ihl = 5; ip->iph_ttl = 20; ip->iph_sourceip.s_addr = inet_addr("1.1.1.1"); ip->iph_destip.s_addr = inet_addr("8.8.8.8"); ip->iph_protocol = IPPROTO_UDP; // The value is 17. ip->iph_len = htons(sizeof(struct ipheader) + sizeof(struct udpheader) + data_len); /* Step 4: Finally, send the spoofed packet / send_raw_ip_packet (ip); return 0; } 

伪造ICMP Echo请求

#include <unistd.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <netinet/ip.h> #include <arpa/inet.h> #include "myheader.h" unsigned short in_cksum (unsigned short *buf, int length); void send_raw_ip_packet(struct ipheader* ip); / Spoof an ICMP echo request using an arbitrary source IP Address */ int main() { char buffer[1500]; memset(buffer, 0, 1500); /* Step 1: Fill in the ICMP header. / struct icmpheader *icmp = (struct icmpheader *) (buffer + sizeof(struct ipheader)); icmp->icmp_type = 8; //ICMP Type: 8 is request, 0 is reply. // Calculate the checksum for integrity icmp->icmp_chksum = 0; icmp->icmp_chksum = in_cksum((unsigned short *)icmp, sizeof(struct icmpheader)); /* Step 2: Fill in the IP header. / struct ipheader *ip = (struct ipheader *) buffer; ip->iph_ver = 4; ip->iph_ihl = 5; ip->iph_ttl = 20; ip->iph_sourceip.s_addr = inet_addr("10.0.2.15"); ip->iph_destip.s_addr = inet_addr("8.8.8.8"); ip->iph_protocol = IPPROTO_ICMP; ip->iph_len = htons(sizeof(struct ipheader) + sizeof(struct icmpheader)); /* Step 3: Finally, send the spoofed packet / send_raw_ip_packet (ip); return 0; } 

5-4

vi ss.c

gcc -o ss ss.c checksum.c spoof.c -lpcap

sudo ./ss

讯享网//ss.c #include <pcap.h> #include <stdio.h> #include <arpa/inet.h> #include "myheader.h" void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { struct ethheader *eth = (struct ethheader *)packet; if (ntohs(eth->ether_type) == 0x0800) { // 0x0800 is IP type struct ipheader * ip = (struct ipheader *) (packet + sizeof(struct ethheader)); printf("From: %s ", inet_ntoa(ip->iph_sourceip)); printf("To: %s ", inet_ntoa(ip->iph_destip)); if (ip->iph_protocol == IPPROTO_ICMP) printf("protocal: ICMP\n"); else printf("protocal: Others\n"); struct icmpheader *icmp_pkt = (struct icmpheader *)(packet + sizeof(struct ethheader) + sizeof(struct ipheader)); if (ip->iph_protocol == IPPROTO_ICMP) { char buffer[1500]; memset(buffer, 0, 1500); /* Step 1: Fill in the ICMP header. / struct icmpheader *icmp = (struct icmpheader *) (buffer + sizeof(struct ipheader)); icmp->icmp_type = 0; //ICMP Type: 8 is request, 0 is reply. icmp->icmp_code = 0; icmp->icmp_id = icmp_pkt->icmp_id; icmp->icmp_seq = icmp_pkt->icmp_seq; printf("icmp id: %d, seq: %d\n", ntohs(icmp_pkt->icmp_id), ntohs(icmp_pkt->icmp_seq)); // Calculate the checksum for integrity icmp->icmp_chksum = 0; icmp->icmp_chksum = in_cksum((unsigned short *)icmp, sizeof(struct icmpheader)); /* Step 2: Fill in the IP header. / struct ipheader *ipp = (struct ipheader *) buffer; ipp->iph_ver = 4; ipp->iph_ihl = 5; ipp->iph_ttl = 64; ipp->iph_sourceip.s_addr = ip->iph_destip.s_addr; ipp->iph_destip.s_addr = ip->iph_sourceip.s_addr; ipp->iph_protocol = IPPROTO_ICMP; ipp->iph_len = htons(sizeof(struct ipheader) + sizeof(struct icmpheader)); printf("send tt source :%s\n", inet_ntoa(ipp->iph_sourceip)); printf("send tt dest: %s\n", inet_ntoa(ipp->iph_destip)); /* Step 3: Finally, send the spoofed packet / // icmp_pkt->icmp_type = 0; // icmp_pkt->icmp_code = 0; // icmp->icmp_chksum = 0; // icmp->icmp_chksum = in_cksum((unsigned short *)icmp, // sizeof(struct icmpheader)); send_raw_ip_packet (ipp); } } } int main() { pcap_t *handle; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fp; char filter_exp[] = "icmp[icmptype]==icmp-echo"; bpf_u_int32 net; // Step 1: Open live pcap session on NIC with name enp0s3 handle = pcap_open_live("enp0s3", BUFSIZ, 1, 1000, errbuf); printf("listening on network card, ret: %p...\n", handle); // Step 2: Compile filter_exp into BPF psuedo-code printf("try to compile filter...\n"); pcap_compile(handle, &fp, filter_exp, 0, net); printf("try to set filter...\n"); pcap_setfilter(handle, &fp); // Step 3: Capture packets printf("start to sniff...\n"); pcap_loop(handle, -1, got_packet, NULL); pcap_close(handle); //Close the handle return 0; } 

附录

参考文章：

【网络攻防技术】实验九——嗅探与欺骗实验_whalien__52的博客-CSDN博客

网络攻防技术——嗅探与欺骗_啦啦啦啦啦啦啦噜噜的博客-CSDN博客_嗅探 欺骗

LAB 13 数据包嗅探和伪造__的博客-CSDN博客

数据包的嗅探与欺骗实验 | 望伊如西の博客 (dilidonglong.com)