ARP spoofing by network security experts

ARP spoofing by network security experts

The dark night gave me black eyes, but I used them to turn white eyes. If you have signed a forum using this sentence, you are a veteran hacker or an information security enthusiast. We will discuss remote overflow and weak password scanning in the forum. There will also be a forum where we will discuss the open period of weak password bots that allow you to practice, with the use of light and gray pigeons, occasionally, my computer is still suffering from a wave of shock and virus, and the computer is in the countdown time of restarting again and again.

At every stage of the development of information security, there are many people who have experienced such problems. The more powerful the tool is, the more popular the attack techniques are, I have been wandering in the field of information security for more than ten years. I have learned that there are people outside of the People, mountains outside the people, and high people outside the people. This has made me a low-key character. I never show off my profound knowledge, rich experience, cool code, terrible work efficiency, proficient in all kinds of development languages, proficient in various attack techniques, Sunrise, sunset farming, and more than 20 years of hard work skills, only sleep for 3 hours a day, and is physically strong. It can be used for 100 consecutive hours without rest on the black station. It also disconnects anyone who does not support my black station business. If you read this article, you will feel dizzy, there is a kind of impulse to blow off the computer and smash the keyboard. Congratulations, this is a normal mood. If you read this section, it feels very comfortable, as if you have broken through the second pulse of Ren du, congratulations, you should take the medicine.

I have worked with Party A for many years and experienced many interesting attacks and tried some interesting techniques. At least at that time, I was able to make many colleagues laugh and laugh at it, and then yell at dengjiu with a keyboard.

In earlier years, the main work of information security in enterprises was to conduct penetration tests, explore code vulnerabilities, conduct security training, and formulate various iconic systems and specifications. Penetration testing must be the first place to start. At least a bunch of seemingly harmful vulnerabilities that cannot be measured internally can be found to the leaders to prove their merits.

The security risks caused by chaotic management of the internal environment are common manifestations. So far, such problems still exist in many companies. Chaotic IP management, weak passwords, low-version applications, and various O & M support systems without security tests are still common intranet problems.

I like to pretend to be mysterious. I like to use a cool way to perform penetration tests on the intranet of an enterprise. At the beginning of the penetration test, I will only send emails to my leaders, I am about to start doing this. At the same time, I will start to work on time at noon, because at this time everyone has gone to lunch, and many people are not used to lock the screen, create an administrator account on the PC and enable the remote terminal. At the same time, in order to understand everyone's habits of using passwords, we developed a more cool idea to use ARP spoofing to collect passwords in a unified manner, 10 thousand actions of past sinners ......

Under this uncalm idea, I did something uncool. I didn't judge whether the network environment at that time supported the hybrid mode. I started arpsnifer directly, and as a result, the public network in the office area was disconnected. Fortunately, everyone's inertial thinking saved me. At the moment of network disconnection, I only heard the Network Manager shout that the ARP virus is coming out of the Intranet, and everyone is going to kill the virus. Haha. I quickly stopped ARP attacks and the network went back to normal.

It seems that we can only change our thinking. arp sniffer has two application scenarios: one is to use itself as the main character to cheat the gateway, and the other is to only listen to local data packets. After attempting to trick everyone into making themselves a gateway failure, you can only use the second method. To use a local listener, you must obtain the permissions of the host. Considering that enterprises generally adopt unified account authentication for internal systems such as ERP, OA, and MAIL. You only need to win the permissions of one of the hosts.

After some attempts, I selected the target email server. In order to maximize the use of resources within the enterprise, the internal system will put several applications together to share one server. This is the case with the mail server. The weak password of ms SQL is used to obtain the administrator privilege of the system, and HTTP SNIFFER is successfully deployed on the server. Listen to FTP, HTTP, and 25. After staring at the screen for a while, we found that the password acquisition method is not efficient. You need to collect the most passwords in a short time.

Now, a chat next door makes me feel refreshed. Today is the day of payroll. The company has a convention that the HR system will mail you the salary details on the day of payroll.

I woke up with a disappointing phrase "my salary hasn't been paid yet. So I shouted in a large group of companies in the company's internal communication platform RTX, "My salary has been paid." A second later, SNIFFER's email server quickly turned pages. In a short time, I got a lot of people. password. When James looked at me inexplicably, I was proud to give it a loose look. At the corner of my eye, I also saw James and his friends quietly clicked a receive button, and I watched my harvest with a "liar" in his hate and hate.

 

During this test, I not only gained the passwords of most people, but also obtained authorization from the company's first Information Security Open Course and nearly one hundred first class students.

Explanation: ARP attack principles

The attacker sent A forged ARP response to computer A, telling the computer A that the MAC address corresponding to computer B's IP address 192.168.0.2 is 00-aa-00-62-c6-03, write the corresponding relationship to your ARP cache table. Later, when sending data, the data that should have been sent to computer B will be sent to the attacker. Likewise, attackers send A forged ARP response to computer B, telling computer B that the MAC address of computer A's IP address 192.168.0.1 is 00-aa-00-62-c6-03, computer B also sends data to attackers.

At this point, the attacker controls the traffic between computer A and computer B. He can passively monitor the traffic, obtain passwords and other confidential information, or forge data, change the communication content between computer A and computer B.

If you think this explanation is too difficult, I will use a simpler example to tell you How ARP attacks are.

I am the Old Wang next door, and I owe him 500 yuan. Then I paid my salary today to pay back the money. When I knocked on the house of Mr. Wang, I found that Mr. Wang's daughter-in-law was very sexy in his nightgown, so I told my wife Wang that I gave you 500 yuan. You gave me a look at the naked, and she agreed to let me see her naked, and then I paid 500 yuan, she was very happy to accept the money and close the door, successfully deceiving and gaining trust.