Foreword
When freshman new to kali linux, the first to do penetration is wifi and network penetration, in which middle attack opened the door to my new world
though it is learned how the principle, but more is better to know too write himself a.
Today, it is time to give it "seating arrangement" of the
ARP poisoning principle
ARP protocol
We all know the TCP / IP model, divided into four levels.
- Application layer
- Transport Layer
- Network layer
- data link layer
After each layer of which perform their duties and carry out their tasks passed to the next layer processing
forgot a word in which to see, it is reasonable
Due to the hierarchical structure of each layer independent of each other, to computer network security has brought great risks. But I did not say nothing hierarchy, on the contrary, precisely because it is, in order to fast and efficient data processing, logic, transactions, in order to make up our universe. This is its greatness.
In the "TCP / IP Volume: Agreement", ARP protocol is classified as a network layer, and online aspects of the ARP protocol works have a lot of controversy, a lot of people think that ARP is working at the data link layer .
The role of ARP protocol is the IP address and MAC address-one mapping together. The network is divided into several categories - personal area networks, local area networks, metropolitan area networks, wide area networks, the Internet. Acting on the LAN MAC address and the IP address is applied to address the Internet address. Therefore, in the LAN to find the corresponding machine would have to use the MAC address
In a LAN packet transmitted at a start sender only knows which IP address should be sent without knowing which MAC address, it will broadcast to inside the LAN, the IP which MAC addresses, since the ARP protocol, when when you receive this package you will check that you are not IP, if that is the case you will send back a packet tells it, this is your contracted fish ponds , no, this is my MAC address in the IP here, then it will update its ARP table, this is your IP write on the MAC, and the back of the newsletter will be based on this record to perform
and record MAC and IP mapping table relationship is a very simple structure
ARP protocol is built on the foundation of trust on the network, that is to say in the era of protocol design, and will not take into account middle attack this thing (after all, can afford a computer at that time are national research institutions). By now widespread use of computers today, ARP protocol that trust it created a big problem --ARP deceive
ARP spoofing
Assume that when the LAN Aand Btime are communicating, we send an ARP reply packet of both of them, tell Ame B, tell Bme A, then they will foolishly listen to you, and then sent to the other side of things to you and then you will get all their data packets
Of course, you want to steal steady Aand Bdata, Hackeryou can turn on IP forwarding, ICMP is based on the Redirectmechanism of implementation. In the Linux rootpermission to execute a command like
|
1
|
echo 1> /proc/sys/net/ipv4/ip_forward
|
ARP packet structure
Once you know the principles we know that as long as the corresponding ARP packets sent enough
we look at the structure of ARP packets
Clearly the contents of ARP is encapsulated in a data link layer content, wherein
| Field | meaning |
|---|---|
| Frame Type | Means the contents inside the packet type, we write the code corresponding protocol ARP0x0806 |
| Hardware Type | It refers to the type of Ethernet |
| agreement type | Mean that we want what ARP protocol mapping, we set this field to the IPv4 code\x0800 |
| Hardware address length | I.e., MAC address length |
| Protocol address length | I.e., IP address length |
It is worth noting that the fields are filled with fill 18 characters. This is because the shortest link layer frame length is 64 bytes, fixed 目的MAC+ 源MAC+ 帧类型+ CRC = 18 bytes, 46 bytes is still a need to achieve the minimum frame length, and the contents of the ARP packet is only 28 bytes, it is necessary to fill 18 bytes for the job
Everything is ready
It took more than a day's time to write a command-line tool ARP spoofing, using Pythonthe socketclass, learn scapythe source class library with the package
directory structure is as follows
|
1
2
3
4
5
6
|
│ main.py
│
├──wsocket
│ arp.py
│ wsocket.py
│ __init__.py
|
I can take the written wsocketand arpclass very convenient for contracting receiving packets (of course wsocket which combines the python's socket), arpthe class provides functionality to quickly package ARP, then we can use these two classes to do some things, such as writing a command-line tool
NOTE: use of ARP to establish a transceiver port in Python the like socket packet needs more underlying root privileges
small tools
The process is relatively simple, just a simple beautiful
- Select card
- Select the corresponding function, such as ARP and ARP spoofing scanning, customize the ARP packet, etc.
ARP scan after obtaining card information to calculate the size of the subnet, and then one by one requests an IP's MAC address, that is broadcast ARP request can be achieved, the principle of ARP spoofing have said
when we bidirectional attack is successful, you can use wiresharkor driftnetother tools to extract and analysis of data
Of course, the program also added some exception handling mechanism, the default option, the frequency of contract, contract time, so that the program more robust
Program source code Download:
https://github.com/WananpIG/ARP-Spoof
The final say
One teacher taught us to say quite right - "We are now a lot of students over-reliance on the tool out of the tool would not know how to do our technical education should be the creator of the tool, rather than relying on those."
I hope this little tool that allows readers and I rethink the meaning of wheels and wheel made.