Obtaining the password of the academic Office website based on ARP cache poisoning

This article is only for the Exchange study use, this article experiment uses the host also already through the party authorizes, does not use for other uses, otherwise the consequence is conceited.

(I do not want to wordy this sentence):-)

The first time to write a technical blog, there will be some problems, we'll see it >_<

Friday night in the library to discuss things in the time to find: The Academic Office website of the website using the HTTP protocol, the Post form is sent in plaintext. After intercepting the form, a string similar to Ipt_loginusername=xxxxxxxxx (x for account number) &ipt_loginpassword=*********** (my password) was found. So if you can grab this HTTP POST request, you will be able to filter out the password.

So say dry, in the discussion after the purchase of a consistent beer, two packets of potato chips, take the computer to a good base friends, began to use the base friends WiFi experiment up. Initially wanted to use the wireless promiscuous mode to grab the packet, but because the base friend router is a three-tier device, promiscuous mode can not capture packets, and then began to use ARP cache poisoning.

First of all, I have a little understanding of the ARP cache poisoning: The two-layer Ethernet device is to identify the target IP packets through the MAC, so the IP address has a correspondence with the MAC address, and ARP is the protocol of the corresponding relationship. ARP working mechanism: if one host of the LAN wants to reach another device, it first sends a data broadcast packet to all the devices under the LAN, including the IP address of the target device, and its own Mac. The destination host sends an ARP packet reply that contains its own IP and Mac after it is received. The ARP table exists on both the gateway and the host in the LAN, and a row in this table is cleared if it is not used for a period of time. The corresponding relationship is written to the ARP table after the host receives the ARP packet, either by the target device or not. So ARP poisoning is to constantly send ARP reply or request packet to the gateway and the attacked host, so that the corresponding MAC in its ARP table becomes the attack.

After consulting and referring to the related books and Daniel's blog, wrote a python script to implement ARP cache poisoning, the picture is as follows (with detailed remarks):

Notes for several codes:

Usage= "Usage%prog [-I interface] [-t target] host"
        parser= Optionparser (usage)
        parser.add_option ('-i ', dest= ' interface ', help= ' Specify the interface to use ')
        parser.add_option ('-t ', dest= ' target ', Help= ' Specify a particular host to APR Posion. (None to send broadcast packet) '
        parser.add_option ('-M ', dest= ' mode ', default= ' req ', help= ' poisoning mode:requests (req) or replies (rep) [Default:%default] ')
         parser.add_option ('-s ', action= ' store_true ', dest= ' summary ', default=false,help= ' Show packet Summary and ask for confirmation before poisoning ')
        (Options,args) = Parser.parse_args ()

Use the Optionparser package here, usage as a demonstration, first create Optionparser object, use Optionparser. Optionparser method, parameter is Usage. Using the Add_option () method,-i ', dest= ' interface ' means that the contents of the command line parameter-I are stored in interface. The help document is after help, and when it is like the-h parameter, it outputs a helper document. The following is the same. You can see that parser is an object similar to a Dictionary object. The Parser_args () method is then called to parse, returning a dictionary, a list. The dictionary key is dest, and the value is the contents of the command line arguments. Args is a list of command-line content in addition to the contents of the dictionary.

Pkt=ether (scr = mac.dst= ' ff:ff:ff:ff:ff:ff:)/arp (Hwsrc=mac,psrc=args[0],pdst=args[0])

This is the key to this script, the encapsulation of the ARP package.

First an Ethernet packet, SCR is native MAC,PDST for the target host Mac, here is the broadcast packet, non-broadcast packet using GETMACBYIP (options.target) conversion parameter IP for Mac. The following is the ARP packet. HWSCR source MAC,PSCR As the source IP is args 0"

HWDST the target host's mac,pdst is the IP of the destination host, the two items of the broadcast packet are not filled in.

After encapsulating the package, use SENDP () to send, pass in the packet, inter represents the second layer of TCP/IP, iface for your NIC interface. View via terminal input iwconfig.

Poison the target host with the command line parameter-I (here is your network card)-T (attack target IP)-M rep (here is the gateway address).

Then in the other terminal, with the parameter-I (here is your network card)-T (here is the gateway address)-M rep (attack target IP) to poison the network card.

：-）

Forgive me for forgetting, for the first time I have no experience.

At this time with the base friends of the computer to view the ACR table, found that the deception success, the gateway IP corresponding to the MAC for my computer. However at this time with the base friend's computer opened Baidu found broken network. It's been a while. IP forwarding was not turned on when this machine was discovered. This means that the data packets from the base computer will be sent to my computer, but will not go out. Use Sysctl net.ipv4.ipforward=1 to turn on IP forwarding. The packet from the base friend's computer is sent to the gateway, and the packet from the gateway is sent to the base friend.

OK, everything has, before the east wind. The second script: Use the sniff function of the Scapy module to pass the packet to the parsing function and then filter the account password through the Python regular expression module re in the parse function. The code map is as follows:

About the use of regular expressions please Baidu, it is raining in the middle of the night, just want to sleep, too lazy code word, forgive me:-)

OK, after the attack by deception, run this script, will wait, if you log in at this time, the account and password will be stolen. After the use of a mobile phone to the Internet to log on, no problem.

On defense: My idea is to write a script that notes the MAC address of the gateway, and if this address changes, you're under attack.

Of course, this idea is too weak, because how do you know when you go out to connect your Mac on the WiFi router? Specific defensive measures may have been taken in the summer vacation to experiment. After writing this first article will have to enter half a month of low production (although it is not high-yielding):-), wholeheartedly into the final exam review. But I promise I'll have a day or two in the summer, including a summary and experimental article on the knowledge of backend development and computer system principles of the website.

So do not go out after the WiFi, face on the future do not login what account. Even the private pictures do not look (referring to the Internet), with a gadget driftnet can see the friends open pictures.

>_ is here, there are questions to welcome the discussion. (There must be some inappropriate writing)

Obtaining the password of the academic Office website based on ARP cache poisoning