Network sniffing of vswitches using ARP Spoofing

Sniffing can be easily implemented in the Age of hub prevalence

You don't need to do anything. The hub will automatically send others' packets to your machine. But that time has passed, and nowVswitchInstead of hubs, vswitches will no longer forward packets that do not belong to you, you can no longer easily listen to other people's information. (If you are not familiar with the hub and switch working principles, you can read the article 《Basic network knowledge: hubs, bridges, and switchesMachine), note that it is no longer easy, not no! Well, there is still a way to perform sniffing in the vswitch network. Next we will introduce the network sniffing method of the vswitch and use ARP spoofing to assist sniffing.

ARP spoofing-based sniffing Technology(If you are not familiar with ARP attacks, read :《Network Protocol basics: ARP Analysis, WinArpAttacker in ARP attack Practice)

In the past, ARP attacks didn't mean much. At most, it means that some machines cannot access the Internet. It's really boring, but since the switch became the mainstream device for LAN construction, ARP attacks have a new purpose: Use ARP spoofing to assist sniffing! The principle is very simple. Let's take a look at the following two figures:

The figure on the left shows the data flow between the two machines during normal communication. The figure on the right shows the data flow between the two machines after B is cheated by machine A's ARP. The figure on the right shows that after B is cheated by ARP, the data flow changes. The data is first sent to, then, A forwards the data to the Gateway. When receiving data from the gateway, the gateway forwards the data sent to B to A, and then A forwards the data to B, a's data flow is normal. Now all the data of B needs to flow through A. It is easy for A to listen to B.

Let's talk about the ARP spoofing process, that is, how to change the data flow of B:

1 ). the IP address of A is 192.168.1.11 and the MAC address is 11-11-11-11-11-11. The IP address of B is 192.168.1.77, the MAC address is 77-77-77-77-77-77; the gateway IP address is 192.168.1.1 and the MAC address is 01-01-01-01-01-01.

2). A sends an ARP spoofing packet (ARP response packet) to B and tells B that I (A) is A gateway. You can send the data that accesses the Internet to me (! The ARP spoofing package is as follows:

SrcIP: 192.168.1.1, SrcMAC: 11-11-11-11-11-11

DstIP: 192.168.1.77, DstMAC: 77-77-77-77-77

3 ). A sends an ARP spoofing packet (ARP response packet) to the gateway and tells the gateway that I (A) is machine B. As A result, the gateway sends all the data sent to B to. The ARP spoofing package is as follows:

SrcIP: 192.168.1. 77, SrcMAC: 11-11-11-11-11-11

DstIP: 192.168.1. 1, DstMAC: 01-01-01-01-01-01

4). Machine A has A secondary Forwarding software that forwards data packets from "gateway-> B" and "B-> Gateway.

So far, the auxiliary task of ARP spoofing has been completed, and the next step is to use your sniffer to gain a peek ~ Oh ~ Haha!

Note the following points:

1). ARP spoofing packets should be sent once every time, otherwise the ARP cache of the gateway and B will be updated!

2 ). after ARP spoofing is completed, the gateway's ARP record has two identical MAC addresses: 192.168.1.11 (11-11-11-11-11-11) and 192.168.1.77 (11-11-11-11-11-11 ~ You can change A's ARP cache on the gateway to 192.168.1.11 (01-10-01-10-01-10), but there are two problems: one is that the MAC is garbled and there is no such MAC address in the LAN. According to the working principle of the switch, the data sent by the gateway to the machine with the IP address 192.168.1.11 will be broadcasted. The second is that at this moment, your (A) normal ability to communicate with the outside world will be lost. Consider the trade-offs.

The ARP attack tool "WinArpAttacker" used in a previous article, "WinArpAttacker", has the function of sniffing based on this principle. For details, see:

The ARP spoofing-assisted sniffing method is described for the network sniffing method of the switch. If you want to learn other methods, please read:

Network sniffing method of vswitch spoofing vswitch Cache