Arp spoofing and sniffing in linux

Article Title: arp spoofing and sniffing in linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

It is a record process. After playing cain for a long time in windows, I found that he occupies a high cpu. The key is that there is no command line.

Today, I also met a linux user who directly obtained the root password. Go to centos's arp spoofing and sniff. (First, the local virtual machine was tested with federa core 10 ).

Dsniff is used. For more information, see the previous article. In addition, I installed tcpdump.

Here we will talk about the filter parameters of tcpdump:

The first type keyword mainly includes host, net, port, for example host 210.27.48.2. It indicates that 210.27.48.2 is a host, and net 202.0.0.0 indicates that 202.0.0.0 is a network address, port 23 indicates that the port number is 23. If no type is specified, the default type is host.

The second type is the key words for determining the transmission direction, including src, dst, dst or src, dst and src, which indicate the transmission direction. For example, src 210.27.48.2 indicates that the source address in the IP package is 210.27.48.2, and dst net 202.0.0.0 indicates that the destination network address is 202.0.0.0. If no direction keyword is specified, the src or dst keyword is used by default.

The third type is the protocol keyword, which mainly includes fddi, ip, arp, rarp, tcp, udp, and other types. Fddi indicates a specific network protocol on FDDI (Distributed Optical Fiber Data Interface Network). In fact, it is an alias of "ether". fddi and ether have similar source and destination addresses, therefore, the fddi protocol package can be processed and analyzed as the ether package. The other keywords indicate the Protocol content of the listener package. If no protocol is specified, tcpdump listens to the information packages of all protocols.

In addition to these three types of keywords, other important keywords include gateway, broadcast, less, greater, and three logical operations. The non-operation type is 'not ''! ', And the operation is 'and',' & '; or the operation is 'or',' │ '; these keywords can be combined to form a powerful combination condition to meet people's needs, the following are examples.

For example:

# Tcpdump host 210.27.48.1

# Tcpdump host 210.27.48.1 or 210.27.48.2

# Tcpdump tcp port 23 host 210.27.48.1

Reference: http://www.thismail.org/bbs/thread-2787-1-1.html

Note: If you want to dump the package for other software analysis, the tcpdump package length limit must be removed by default by 90 bytes.

The-s 0 parameter is added.

Dsniff usage:

Http://www.godupgod.com/post/102.html

Arpspoof [-I interface] [-t target ip] host

The ip address of the target and host can be used as needed in my test, but only one direction is determined.

For example, if the host writes the gateway and the target writes the ip address to be spoofed, all the packets sent by the gateway to the outside are used.

In turn, if the target is the gateway, It is the package that comes in outside.

If you want to implement bidirectional routing, you need to run two arp commands and replace the ip addresses of the target and the host.

Please.

In addition, we also found a problem. In addition to multiple ip Address Spoofing, We need to enable multiple arpspoof,

That is, he cannot forge a mac, so that he can easily expose himself.

========== Based on the above reasons, we recommend that you use ettercap