MAC flooding and ARP spoofing: principle and experimental demonstration

1. ARP theoretical basis

1. What is ARP

ARP (Address Resolution Protocol) resolves an IP address to a MAC address and is used within a local area network. Its functions:

  • Check whether an IP address conflicts with another host's
  • In a layer-2 network, obtain the MAC address that belongs to an IP address
  • Reach the gateway so that hosts in other networks can be contacted (Proxy ARP)

2. ARP protocol process

  • PC1 wants to communicate with PC2 but does not know PC2's MAC address
  • PC1 sends an ARP request to the switch; the switch broadcasts it out of every port to find PC2 across the whole LAN
  • Hosts other than PC2 do not respond
  • When PC2 receives the ARP request, it sends an ARP reply back to PC1
  • PC1 and PC2 can now communicate

3. ARP table
ARP table: records the IP-to-MAC mappings learned through the ARP protocol.
To view the ARP table on Windows 10/7, run "arp -a" in cmd; on Huawei devices, run "display arp".

MAC table: records the mapping between switch interfaces and MAC addresses. When the switch forwards a frame, it looks up the destination in the MAC address table. The MAC address table can hold only a limited number of entries.
To view the MAC address table on Huawei devices, run "display mac-address".
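To make the request/reply exchange and the resulting ARP table concrete, the following Python is an added example (not code from the original post): it builds and decodes the raw Ethernet + ARP frames of the exchange above and lets each simulated host fill its own ARP table only from frames addressed to it. The IP and MAC addresses for PC1, PC2 and PC3 are constructed.

```python
import struct
from dataclasses import dataclass

# Constants from the Ethernet II / ARP formats (RFC 826)
ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{eth_type:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4-over-Ethernet ARP is handled here")
    return ArpFrame(opcode,
                    bytes_to_mac(frame[22:28]), bytes_to_ip(frame[28:32]),
                    bytes_to_mac(frame[32:38]), bytes_to_ip(frame[38:42]))


class Host:
    """A host with its own ARP table, filled only from frames addressed to it."""

    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_table = {}  # IP -> MAC, what "arp -a" would show

    def handle(self, frame: bytes):
        arp = parse_arp(frame)
        if arp.target_ip != self.ip:
            return None  # other hosts do not respond
        self.arp_table[arp.sender_ip] = arp.sender_mac  # learn the sender
        if arp.opcode == ARP_REQUEST:
            # the reply is unicast straight back to the requester
            return build_arp(ARP_REPLY, self.mac, self.ip, arp.sender_mac, arp.sender_ip)
        return None


def resolve(requester: Host, lan: list, target_ip: str):
    """Broadcast a request to every other host on the LAN and process the reply."""
    request = build_arp(ARP_REQUEST, requester.mac, requester.ip, ZERO_MAC, target_ip)
    for host in lan:
        if host is requester:
            continue
        reply = host.handle(request)
        if reply is not None:
            requester.handle(reply)
    return requester.arp_table.get(target_ip)


def demo():
    # Constructed addresses for the three hosts of the walkthrough
    pc1 = Host("PC1", "192.168.1.10", "02:00:00:00:00:01")
    pc2 = Host("PC2", "192.168.1.20", "02:00:00:00:00:02")
    pc3 = Host("PC3", "192.168.1.30", "02:00:00:00:00:03")
    resolve(pc1, [pc1, pc2, pc3], pc2.ip)
    return {h.name: dict(h.arp_table) for h in (pc1, pc2, pc3)}


if __name__ == "__main__":
    for name, table in demo().items():
        print(name, table)
```

After `demo()` runs, PC1's table holds PC2's MAC and PC2's table holds PC1's (it learned the requester from the request addressed to it), while PC3, which only saw a broadcast not meant for it, has learned nothing. Note that the reply carries no proof of who sent it; the receiver simply trusts the sender fields, which is the weakness the ARP spoofing section relies on.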

2. MAC flood attack

1. Principle: the attacker sends the switch a large number of frames with useless, made-up source MAC addresses in a short time, filling up the switch's MAC address table; the result is that hosts on the switch lose network access.
2. Experimental demonstration:
(1) Topology (figure omitted).
(2) Configure the IP addresses of PC1, PC2, the Cloud device and Kali.
(3) Confirm that the three computers can reach one another.
(4) Check the switch's MAC address table, then launch the MAC flooding attack from Kali.
At this point PC1 and PC2 can no longer communicate normally; their traffic is disrupted.
The switch's MAC address table now holds a large number of MAC addresses.
(5) Port security can be configured on the switch to defend against MAC flooding attacks.

Switch defence commands (entered in the interface view):
port-security enable   // enable port security on the interface
port-security max-mac-num 5   // at most 5 MAC addresses may be learned on the interface
port-security protect-action shutdown   // shut down the interface when more than 5 MAC addresses appear

(6) Test again: communication is no longer affected.
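To show why the flood breaks communication and how the per-port limit stops it, here is an added Python simulation (not code from the original post or from Huawei) of a learning switch with a bounded MAC table and an optional per-port learning limit modelled on "port-security max-mac-num N" with "protect-action shutdown". The table size, the hosts' MAC addresses and the fake source MACs are all constructed.

```python
import struct
from typing import Optional

ETH_TYPE_IPV4 = 0x0800


def make_frame(src_mac: str, dst_mac: str) -> bytes:
    """Minimal Ethernet II header (constructed test input, not a capture)."""
    to_bytes = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ETH_TYPE_IPV4)


def src_mac(frame: bytes) -> str:
    """The source MAC is bytes 6..11 of the Ethernet header."""
    return ":".join(f"{b:02x}" for b in frame[6:12])


class Switch:
    """Toy learning switch: a bounded MAC table plus an optional per-port limit
    modelled on 'port-security max-mac-num N' with 'protect-action shutdown'."""

    def __init__(self, table_size: int, max_mac_per_port: Optional[int] = None):
        self.table_size = table_size
        self.max_mac_per_port = max_mac_per_port
        self.table = {}            # MAC -> port, what "display mac-address" lists
        self.shutdown_ports = set()

    def macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.table.values() if p == port)

    def receive(self, port: int, frame: bytes) -> str:
        """Learn the frame's source MAC and report what the switch did."""
        if port in self.shutdown_ports:
            return "dropped: port is shut down"
        mac = src_mac(frame)
        if mac in self.table:
            self.table[mac] = port  # refresh an existing entry
            return "refreshed"
        limit = self.max_mac_per_port
        if limit is not None and self.macs_on_port(port) >= limit:
            # port-security violation: with protect-action shutdown the port goes down
            self.shutdown_ports.add(port)
            return "violation: port shut down"
        if len(self.table) >= self.table_size:
            # table full: new sources cannot be learned, so the switch can no
            # longer forward frames for them by MAC address
            return "table full: not learned"
        self.table[mac] = port
        return "learned"


def bogus_mac(i: int) -> str:
    """Deterministic fake source MAC number i for the flood (constructed)."""
    return "02:ba:d0:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)


def run_flood(table_size: int = 256, flood_frames: int = 1000,
              max_mac_per_port: Optional[int] = None) -> dict:
    """PC1 and PC2 are learned normally, then the attacker on port 3 floods,
    then a late legitimate host on port 4 tries to get learned."""
    sw = Switch(table_size, max_mac_per_port)
    pc1, pc2, pc3 = "00:0c:29:00:00:01", "00:0c:29:00:00:02", "00:0c:29:00:00:03"  # constructed
    sw.receive(1, make_frame(pc1, pc2))
    sw.receive(2, make_frame(pc2, pc1))
    for i in range(flood_frames):
        sw.receive(3, make_frame(bogus_mac(i), "ff:ff:ff:ff:ff:ff"))
    late = sw.receive(4, make_frame(pc3, pc1))
    return {
        "table_entries": len(sw.table),
        "attacker_macs_learned": sw.macs_on_port(3),
        "attacker_port_shutdown": 3 in sw.shutdown_ports,
        "late_host": late,
    }


if __name__ == "__main__":
    print("no port-security :", run_flood())
    print("max-mac-num 5    :", run_flood(max_mac_per_port=5))
```

Without a limit the 256-entry table fills with 254 fake addresses and the late host cannot be learned at all; with a limit of 5 the attacker's port is shut down on its sixth address, the table keeps only 8 entries and the late host is learned normally. Choose the limit from the number of devices legitimately expected behind the port, since a hub or an unmanaged switch downstream will also trip it.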

3. ARP spoofing

1. Principle analysis
Under normal circumstances, user A, who is connected to the phone's hotspot, sends data destined for the external network to the phone (192.168.1.1), and the phone forwards that data to the external network.
At this point the attacker intervenes and sends false ARP information to user A, so that the data user A would have sent to the phone is sent to the attacker instead, where it can be intercepted.

After intercepting user A's data, the attacker must forward it to the phone so that the phone sends it to the Internet and obtains a response; this keeps up the illusion that user A is online normally.

When user A's data comes back from the Internet, the phone, which has not been deceived, forwards it directly to user A. To obtain that data as well, the attacker has to deceive the phone too.

The attacker therefore also sends false ARP information to the phone, changing the direction in which the phone sends its data. This achieves a two-way deception, and all of user A's data now passes through the attacker.
The attacker then forwards the data on to user A, who notices nothing, while all of the data is stolen.
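The two-way deception described above leaves traces that an ARP monitor can catch: replies nobody asked for, an IP whose MAC suddenly changes (worst when it is the gateway's), and a single MAC that ends up claiming two IPs. As an added example that is not part of the original post, the Python below scans constructed lines written in the format of "tcpdump -n arp" output and raises those three alerts; the MAC addresses are constructed, and the gateway 192.168.1.1 and user A's role come from the walkthrough.

```python
import re

# Patterns for the two ARP line shapes printed by "tcpdump -n arp"
REQUEST_RE = re.compile(r"Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


class ArpSpoofDetector:
    """Tracks IP->MAC bindings seen in ARP replies and flags the symptoms of
    ARP spoofing: unsolicited replies, a binding that changes (worst when it is
    the gateway's), and one MAC claiming several IPs (the two-way deception)."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}      # last MAC seen answering for each IP
        self.pending = set()     # IPs someone asked for with who-has
        self.alerts = []

    def _alert(self, msg: str) -> None:
        if msg not in self.alerts:  # report each finding once
            self.alerts.append(msg)

    def feed(self, line: str) -> None:
        m = REQUEST_RE.search(line)
        if m:
            self.pending.add(m.group(1))
            return
        m = REPLY_RE.search(line)
        if not m:
            return
        ip, mac = m.group(1), m.group(2).lower()
        if ip not in self.pending:
            self._alert(f"unsolicited reply: {ip} is-at {mac}")
        self.pending.discard(ip)
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            who = "GATEWAY " if ip == self.gateway_ip else ""
            self._alert(f"{who}MAC changed for {ip}: {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        claimed = sorted(i for i, m2 in self.ip_to_mac.items() if m2 == mac)
        if len(claimed) > 1:
            self._alert(f"{mac} claims {len(claimed)} IPs: {claimed}")


def scan(text: str, gateway_ip: str) -> list:
    det = ArpSpoofDetector(gateway_ip)
    for line in text.splitlines():
        if line.strip():
            det.feed(line)
    return det.alerts


# Constructed capture in tcpdump's format: a normal exchange between the
# gateway 192.168.1.1 and user A (192.168.1.10), then a third MAC answering
# for both of them without having been asked.
SAMPLE = """\
12:00:01.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.000500 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:02.000000 ARP, Request who-has 192.168.1.10 tell 192.168.1.1, length 28
12:00:02.000500 ARP, Reply 192.168.1.10 is-at 08:00:27:aa:bb:10, length 28
12:00:30.000000 ARP, Reply 192.168.1.1 is-at 08:00:27:de:ad:01, length 28
12:00:30.000100 ARP, Reply 192.168.1.10 is-at 08:00:27:de:ad:01, length 28
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE, "192.168.1.1"):
        print(alert)
```

On the sample the first two exchanges are silent; the last two lines produce five alerts, ending with the one that characterises the two-way deception, one MAC claiming both the gateway and user A. Treat the "unsolicited reply" alert on its own as weak evidence: hosts legitimately send gratuitous ARP when they boot or get a new DHCP lease, so the MAC-change and multi-IP alerts are the ones worth paging on.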

2. Experimental demonstration
(1) Equipment: Kali virtual machine, Win7 virtual machine
(2) Determine the IP addresses of Kali and Win7 (they can also be found with fping) and check network connectivity between the two.
(3) Enable forwarding (1 means enabled, 0 means disabled).
(4) Use the arpspoof tool to spoof (arpspoof -i eth0 -t followed by the host IP and the IP of the local gateway you want to spoof).
(5) Browse the web on Win7 and use driftnet to capture; the captured content appears in a new window.

Experiment completed

Source: blog.csdn.net/weixin_44756468/article/details/107394297