Ethical Hacking: A Concise Tutorial

Ethical Hacking - ARP Poisoning

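Address Resolution Protocol (ARP) is a stateless protocol used to resolve IP addresses to the MAC addresses of machines. All network devices that need to communicate on the network broadcast ARP queries in the system to find out the MAC addresses of other machines. ARP poisoning is also known as ARP spoofing.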

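Here is how ARP works:

  1. When one machine needs to communicate with another, it looks up its ARP table.

  2. If the MAC address is not found in the table, an ARP_request is broadcast over the network.

  3. All machines on the network compare this IP address with their MAC address.

  4. If one of the machines in the network identifies this address, it responds to the ARP_request with its own IP address and MAC address.

  5. The requesting machine stores the address pair in its ARP table, and communication then takes place.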

What is ARP Spoofing?

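ARP packets can be forged to send data to the attacker's machine.

  1. ARP spoofing constructs a large number of forged ARP request and reply packets to overload the switch.

  2. The switch is set in forwarding mode, and after the ARP table is flooded with spoofed ARP responses, the attacker can sniff all network packets.

The attacker randomly fills the target machine's ARP cache with forged entries, which is also known as poisoning. ARP poisoning uses man-in-the-middle access to poison the network.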
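Because ARP is stateless, a forged reply is accepted even when nobody asked for it. The following added example (not part of the original tutorial) shows a passive check a defender can run over captured ARP bodies: it parses each one and alerts on unsolicited replies and on an IP address whose MAC changes. The names `parse_arp`, `ArpMonitor` and `run_sample` are hypothetical, the MAC addresses are constructed, and the IP addresses reuse the ones from the exercise on this page.

```python
import socket
import struct

def parse_arp(body):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(body) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.bindings = {}      # ip -> first MAC seen for it (trust on first use)
        self.requested = set()  # IPs with an outstanding ARP request

    def observe(self, body):
        """Feed one ARP body; return a list of alert strings (empty if clean)."""
        parsed = parse_arp(body)
        if parsed is None:
            return ["malformed or non-IPv4 ARP"]
        oper, mac, ip, target_ip = parsed
        alerts = []
        if oper == 1:                       # request: remember what was asked for
            self.requested.add(target_ip)
        elif oper == 2 and ip in self.requested:
            self.requested.discard(ip)      # reply that answers a request
        elif oper == 2:                     # reply that nobody asked for
            alerts.append(f"unsolicited reply for {ip} from {mac}")
        if ip != "0.0.0.0":                 # skip address probes with no sender IP
            known = self.bindings.setdefault(ip, mac)
            if known != mac:
                alerts.append(f"{ip} changed from {known} to {mac}")
        return alerts

# Constructed sample ARP bodies in hex; the MAC addresses are made up.
REQ, REP = "0001080006040001", "0001080006040002"   # fixed header + opcode
VICTIM, GATEWAY = "c0a87981", "c0a87902"            # 192.168.121.129, 192.168.121.2
SAMPLE = [bytes.fromhex(h) for h in (
    REQ + "000c29aaaaaa" + VICTIM + "000000000000" + GATEWAY,  # victim asks for gateway
    REP + "005056bbbbbb" + GATEWAY + "000c29aaaaaa" + VICTIM,  # gateway answers
    REP + "000c29cccccc" + GATEWAY + "000c29aaaaaa" + VICTIM,  # forged: new MAC claims gateway
)]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(body) for body in SAMPLE]
```

Legitimate gratuitous ARP, for example after a failover, also raises the unsolicited-reply alert, so the binding-change alert on the gateway address is the stronger signal.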

What is MITM?

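A man-in-the-middle attack (abbreviated MITM, MitM, MIM, MiM, MITMA) implies an active attack in which adversaries impersonate the user by creating a connection between the victims and sending messages between them. In this case, the victims think they are communicating with each other, but in reality the malicious actor controls the communication.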

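A third person exists to control and monitor the communication traffic between the two parties. Some protocols, such as SSL, help prevent this type of attack.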

ARP Poisoning − Exercise

In this exercise, we have used BetterCAP to perform ARP poisoning in a LAN environment using VMware Workstation, in which we have installed Kali Linux and the Ettercap tool to sniff the local traffic in the LAN.

For this exercise, you would need the following tools −

  1. VMware workstation

  2. Kali Linux or Linux Operating system

  3. Ettercap Tool

  4. LAN connection

Note − This attack is possible in wired and wireless networks. You can perform this attack in a local LAN.

Step 1 − Install the VMware workstation and install the Kali Linux operating system.

Step 2 − Log in to Kali Linux using the username and password “root, toor”.

Step 3 − Make sure you are connected to the local LAN and check the IP address by typing the command ifconfig in the terminal.

Step 4 − Open up the terminal and type “ettercap -G” to start the graphical version of Ettercap.

Step 5 − Now click the tab “sniff” in the menu bar and select “unified sniffing” and click OK to select the interface. We are going to use “eth0” which means Ethernet connection.

Step 6 − Now click the “hosts” tab in the menu bar and click “scan for hosts”. It will start scanning the whole network for live hosts.

Step 7 − Next, click the “hosts” tab and select “hosts list” to see the number of hosts available in the network. This list also includes the default gateway address. We have to be careful when we select the targets.

Step 8 − Now we have to choose the targets. In MITM, our target is the host machine, and the route will be the router address to forward the traffic. In an MITM attack, the attacker intercepts the network and sniffs the packets. So, we will add the victim as “target 1” and the router address as “target 2.”

In a VMware environment, the default gateway will always end with “2” because “1” is assigned to the physical machine.

Step 9 − In this scenario, our target is “192.168.121.129” and the router is “192.168.121.2”. So we will add target 1 as victim IP and target 2 as router IP.

Step 10 − Now click on “MITM” and click “ARP poisoning”. Thereafter, check the option “Sniff remote connections” and click OK.

Step 11 − Click “start” and select “start sniffing”. This will start ARP poisoning in the network, which means we have enabled our network card in “promiscuous mode” and the local traffic can now be sniffed.

Note − We have allowed only HTTP sniffing with Ettercap, so don’t expect HTTPS packets to be sniffed with this process.

Step 12 − Now it’s time to see the results, if our victim has logged into some websites. You can see the results in the toolbar of Ettercap.

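This is how sniffing works. You must have understood by now how easy it is to obtain HTTP credentials just by enabling ARP poisoning.

ARP poisoning has the potential to cause huge losses in company environments. This is where ethical hackers are appointed to secure the networks.

Like ARP poisoning, there are other attacks such as MAC flooding, MAC spoofing, DNS poisoning, and ICMP poisoning, all of which can cause significant losses to a network.

In the next chapter, we will discuss another type of attack known as DNS poisoning.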