Table of Contents
Preface
1. Overview of ARP
1.1 What is ARP
1.2 Basic functions of ARP protocol
1.3 ARP cache table
1.4 Common ARP commands
2. ARP disconnection experiment
3. ARP spoofing experiment
3.1 Pictures intercepted from the intranet
3.2 Obtain HTTP account password
4. DNS spoofing experiment
Summarize
Hi! I am Filotimo__. Nice to meet you all, I hope my blog can be helpful to you.
This article was originally created by Filotimo__ and was first published on CSDN.
If you need to reprint, please contact me in advance to obtain authorization.
Everyone is welcome to like me, collect it, and interact with me in the message area. These are the motivation for me to move forward!
My motto: Forests and trees all have their own angles that they think are right.
Foreword
In this blog, I introduced several common network attack methods such as ARP disconnection, ARP spoofing and DNS spoofing. However, it needs to be clear that these experiments are for educational and research purposes only and should be conducted in a legal and ethical manner.
The attack behaviors simulated in the experiment are only to allow readers to understand and understand these network attack methods, so as to improve their understanding and awareness of network security. Please do not use these technologies for unauthorized activities or cause harm or loss of any kind to others.
The tools and methods involved in the experiments are only intended to demonstrate attack principles and demonstrate possible defense measures. In any actual deployment and operation, be sure to comply with laws and regulations and only operate within the authorized scope.
This is the context diagram of this article:
1. ARP Overview
1.1 What is ARP
ARP (Address Resolution Protocol) is a protocol used to obtain a physical address (MAC address) based on an IP address in a TCP/IP network. When the host sends data, it needs to know the physical address of the target device to communicate. ARP determines the physical address of the target device by sending a broadcast request and receiving a return message. At the same time, after receiving the return message, the host stores the IP address and physical address of the target device in the local ARP cache table and remains valid for a certain period of time. In this way, the ARP cache can be directly queried during the next communication to save resources. .
1.2 Basic Functions of ARP Protocol
The basic function of the ARP protocol is to query the corresponding MAC address of the target device through its IP address to ensure communication. It operates within a LAN and will only work within a LAN. The ARP protocol establishes a mapping relationship between IP addresses and MAC addresses so that data can be correctly transmitted to the target device during network communication.
1.3 ARP cache table
The ARP cache table is a buffer used to store IP addresses and MAC addresses. It is essentially a mapping table from IP addresses to MAC addresses. Each host or network adapter has its own ARP cache table. When it is necessary to query the MAC address corresponding to a known IP address, ARP first searches the local ARP cache table. If a corresponding record exists, the corresponding MAC address is directly returned. If the corresponding record is not found in the cache, ARP will send an ARP request broadcast to the LAN to query the MAC address of the target device.
1.4 ARP common commands
In the ARP protocol, there are some commonly used commands for managing and operating the ARP cache table.
(1)
'arp -a' or 'arp -g'
This command is used to view all entries in the ARP cache table. On UNIX platforms, you can use the `-g` option, and on Windows, use the `-a` option. The result of both options is the same, both are used to display all items in the ARP cache.
(2)
'arp -a <ip>'
If you have multiple network interfaces, you can use this command plus the IP address of the interface to display only the ARP cache entries related to that interface.
2. ARP network disconnection experiment
ARP disconnection means that the attacker modifies the MAC address corresponding to the IP address of the target host and gateway to the attacker’s own MAC address by deceiving the ARP cache table of the target host and gateway. In this way, the data packets sent by the disconnected host will be sent to the attacker’s network card instead of continuing to flow to the gateway or other targets, causing the target host to be unable to connect to the network normally.
Prerequisite information:
The win7 and kali mentioned in this article are virtual machines, and they are on the same network segment.
Victim: win7
ip:192.168.216.128
mac:00-0C-29-9C-CD-25
win7 gateway:
ip:192.168.216.2
mac:00-50-56-f0-6a-ceAttacker: kali
ip:192.168.216.129
mac:00:0c:29:be:d4:09
Experimental steps:
2.1
Use the fping command to check which hosts exist on the current LAN to determine the IP address of the host to be attacked:
fping -g 192.168.216.0/24
Or scan with nmap:
nmap -sn 192.168.216.0/24
2.2
arpspoof is a command line tool commonly used for ARP spoofing attacks. Its usage is as follows:
arpspoof -i <network card name> -t <target IP> <gateway>
By running this command, it will send fake ARP response packets to the target host and gateway, and modify the MAC address corresponding to the IP address in the ARP cache table of the target host and gateway to the attacker’s MAC address. In this way, all data packets sent to the gateway will be intercepted and forwarded to the attacker, thereby achieving ARP spoofing attacks.
Perform network disconnection attack: arpspoof -i eth0 -t 192.168.216.128 192.168.216.2
As you can see, when the ARP attack starts, a request timeout message appears:
2.3
arp -a View changes in the target machine gateway mac address.
This is the original mac address:
This is the current mac address:
3. ARP Spoofing Experiment
ARP spoofing is an attack technique against the Ethernet Address Resolution Protocol (ARP). The attacker deceives the hosts in the LAN and changes the mapping relationship between IP addresses and MAC addresses in the ARP cache table to the corresponding relationship specified by the attacker. In this way, when the host sends data, the data will be sent to the attacker’s host instead of the real target host, thereby achieving the purpose of network deception and data theft.
A common method of ARP spoofing is to spoof a host and gateway in the LAN at the same time. The attacker sends false ARP response packets to the attacked host and gateway, and changes the MAC address corresponding to the IP address in the ARP cache table to the attacker’s MAC address. In this way, the attacked host and gateway will send all data packets to the attacker’s host, and the attacker can intercept, tamper with, or steal these data packets. In addition, since ARP is a protocol within the LAN, ARP spoofing attacks are only effective against hosts within the same LAN.
Prerequisite information:
The win7 and kali mentioned in this article are virtual machines, and they are on the same network segment.
Victim: win7
ip:192.168.216.128
mac:00-0C-29-9C-CD-25
win7 gateway:
ip:192.168.216.2
mac:00-50-56-f0-6a-ceAttacker: kali
ip:192.168.216.129
mac:00:0c:29:be:d4:09
3.1 Intranet intercepted pictures
Experimental steps:
3.1.1
To allow traffic forwarding in a Linux system, you can modify the sysctl.conf configuration file. Here are the modification steps:
(1) Open a terminal window and enter the following command to open the sysctl.conf file with root privileges:
sudo vim /etc/sysctl.conf
(2) Find the following lines in the sysctl.conf file:
#net.ipv4.ip_forward=1
(3) Remove the comment symbol “#” from this line and modify it to the following:
net.ipv4.ip_forward=1
(4) Save and close the file. In the vim editor, you can press the Esc key, then enter a colon (:) and enter wq, then press the Enter key.
(5) To apply the new configuration, you can enter the following command to make the sysctl.conf configuration take effect:
sudo sysctl -p /etc/sysctl.conf
3.1.2
Perform ARP spoofing: arpspoof -i eth0 -t 192.168.216.128 192.168.216.2
Because IP traffic forwarding is enabled, win7 can access the Internet at this time (different from ARP disconnection attacks).
Check the ARP cache table and you can see that the spoofing was successful.
3.1.3
At this time, my kali will become the transfer of data traffic between win7 and the gateway. All data packets passing through kali will be intercepted, allowing further network attacks.
For example, driftnet is a command line tool that can be used to listen to network traffic and extract any data that can be recognized as images.
Run the following command in kali:
driftnet –i eth0
In this way, driftnet will start listening to the traffic on the eth0 network card and display images in real time in the graphical interface window. These images are extracted from the network traffic.
It should be noted that driftnet can only extract images transmitted on the network, not all files or data. And it can only intercept images with http protocol.
When you use Firefox to access Baidu in Win7 and search for pictures, this driftnet window can capture the pictures you visit in Win7 (when searching for pictures in Firefox, some websites show an unsafe connection, and when you search for pictures, When a website shows an insecure connection, it usually means it is using the http protocol instead of https protocol).
3.2 HTTP account password acquisition
Experimental steps:
ettercap is a very commonly used network sniffing tool based on ARP spoofing. It can sniff switched LANs and intercept, modify, replace or inject network data packets, thereby achieving a variety of attack methods and security detection methods.
For example, on a local network, you can run the ettercap command to sniff the traffic and view the sniffed data, as shown below:
ettercap -Tq -i eth0
This command starts ettercap in text mode and uses the eth0 network card to sniff packets. At the same time, it turns off the interactive mode of ettercap and outputs the details of all sniffing information to facilitate quiet data monitoring. In ettercap, there are many parameters and plug-ins available for configuration and use. For details, please refer to its documentation and official website.
Start ettercap:
Visit the website in win7 (I visited a pirated website just for experiments), enter the username and password. Here I enter filotimo/666666.
Return to the kali attack machine and view the records.
4. DNS spoofing experiment
DNS (Domain Name System) is a distributed key network service that resolves domain names into corresponding IP addresses to help users easily access Internet resources.
DNS spoofing refers to an attacker taking advantage of the working principles and weaknesses of DNS to redirect a user’s domain name resolution request to a fake domain name server controlled by the attacker, causing the user to be directed to the wrong website or resource, or subject to other types of attacks or fraud. .
Prerequisite information:
The win7 and kali mentioned in this article are virtual machines, and they are on the same network segment.
Victim: win7
ip:192.168.216.128
mac:00-0C-29-9C-CD-25
win7 gateway:
ip:192.168.216.2
mac:00-50-56-f0-6a-ceAttacker: kali
ip:192.168.216.129
mac:00:0c:29:be:d4:09
Experimental steps:
First open the dns file of ettercap for editing. In kali, the file path under linux2.0 is /etc/ettercap/etter.dns:
Add the corresponding logo and IP address in the corresponding location, * represents all domain names.
Enter the command /etc/init.d/apache2 start in the kali terminal to start the apache2 server.
(1) Enter the command ettercap -G to enter the graphical interface of ettercap.
(2) Click the check mark in the upper right corner.
(3) Scan all online computer hosts under the gateway.
(4) Continue to open the Hosts option, list the scanned hosts, and click on the three horizontal bars above.
(5) Select a gateway in the list to add it. The gateway here is 192.168.216.2, click it first. Then click Add to target 1.
(6) Then select the IP address of the target.
(7) Follow the picture to perform arp spoofing
Click OK
(8) You can see that the gateway mac address of the target machine win7 is already the mac address of the attacking machine kali (192.168.216.2 is the win7 gateway ip, and 192.168.216.129 is the ip of kali).
(9) Perform the following operations to perform dns spoofing.
(10) Double-click to run dns_spoof to enable spoofing.
(11) After the spoofing is successful, any URL ending in .com will be parsed into the address of the attacking machine kali.
This is the result of pinging Baidu before deception:
This is now, after the deception is successful, the result of pinging Baidu:
Summary
Although network attack methods such as ARP disconnection, ARP spoofing and DNS spoofing exist, it needs to be clear that these attack methods should be regarded as potential threats rather than widespread risks.
Cyber security is an important issue and we should all pay attention to and protect our own cyber security. There are some precautions we can take to reduce risks when using the Internet on a daily basis. First, keep your operating system and applications updated with the latest security patches and fixes. Second, use a strong password and change it regularly. Also, be careful when clicking on emails and links from unknown sources and avoid downloading and installing suspicious software. In addition, enabling firewalls, installing security software, and using virtual private networks (VPNs) are also effective security measures.
The knowledge points of the article match the official knowledge files, and you can further learn related knowledge. Network Skill TreeHomepageOverview 42240 people are learning the system