I don't know whether you still remember that last year an organization called TH4CK went through a lot of the big forums, and people started speculating about the techniques it used: 0-days, DNS hijacking, and I also brought up C-class segment attacks and the like, and of course ARP inside the server room. In any case, one of the MITM methods we are talking about today is ARP spoofing (okay, I admit this is the paragraph I used to pad the word count). Since the steps are all over the internet anyway, I will use my poor descriptive skills to go over the principle and the prevention. My level is limited, so please kindly correct me.
Test environment:
Gateway: 172.16.1.1
Attacking host (runs ettercap): Ubuntu 12.04 LTS, IP 172.16.1.31
Target host: Android 4.2, IP 172.16.1.11
1. Using ettercap for ARP spoofing and hijacking plaintext passwords
ARP spoofing principle:
First of all, how does ARP spoofing work?
Suppose that on my network segment a single hub connects three devices:
Host0, Host1, Host2
Host0 address: IP: 172.16.1.1 MAC: AA-AA-AA-AA-AA-AA
Host1 address: IP: 172.16.1.2 MAC: BB-BB-BB-BB-BB-BB
Host2 address: IP: 172.16.1.3 MAC: CC-CC-CC-CC-CC-CC
Under normal circumstances, after Host0 has resolved Host2, the ARP cache on Host0 looks like this (Windows `arp -a` style output; the entry is for Host2):
Interface: 172.16.1.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  172.16.1.3            CC-CC-CC-CC-CC-CC     dynamic
Now the malicious Host1 performs ARP spoofing.
Host1 sends a hand-crafted ARP reply to Host0. The reply says that the sender's IP address is 172.16.1.3 (Host2's IP) and the sender's MAC address is SB-SB-SB-SB-SB-SB (Host2's real MAC is CC-CC-CC-CC-CC-CC; the value is forged here). ARP has no authentication, so when Host0 receives this reply it simply updates its local ARP cache; Host0 has no way to tell that the reply is forged, and it does not even know that the frame actually came from Host1. All Host0 sees is a claim that 172.16.1.3 (Host2's IP) lives at the bogus MAC SB-SB-SB-SB-SB-SB.
After the poisoning, Host0's ARP cache reads:
Interface: 172.16.1.1 on Interface 0x1000003
  Internet Address      Physical Address      Type
  172.16.1.3            SB-SB-SB-SB-SB-SB     dynamic
This is not a trivial matter. Once Host0 has the fake MAC cached, its frames for 172.16.1.3 go to a hardware address nobody owns, and it can no longer even ping Host2. Now think about a host on the LAN that keeps sending forged ARP replies at one victim, and suppose the IP being claimed is the gateway's: the victim loses its default route, which is the "network congestion"/denial-of-service flavor of the attack. But the more interesting case is when the attacker answers with its own MAC instead of a bogus one: if we poison the target host so that the gateway's IP maps to our MAC, every packet the target sends toward the gateway is delivered to us first, and from there we can do whatever we like (forward it on so nothing looks broken, read it, or modify it).
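To make the mechanism concrete, here is an added example (my own code, not from the original post or from ettercap) that builds the forged ARP reply described above byte for byte, feeds it to a toy model of Host0's ARP cache to show the entry being overwritten, and runs an arpwatch-style check that would have flagged it. The three hosts and their MACs are the ones from the diagram; the placeholder "SB-SB-..." is not valid hex, so the code uses 5B-5B-5B-5B-5B-5B as the forged value. The ArpCache and ArpWatch classes are simplified models written for this example, not the behaviour of any particular kernel or tool.

```python
import struct

# Addresses from the Host0/Host1/Host2 diagram above (constructed lab values).
HOST0_IP, HOST0_MAC = "172.16.1.1", "AA-AA-AA-AA-AA-AA"
HOST1_IP, HOST1_MAC = "172.16.1.2", "BB-BB-BB-BB-BB-BB"
HOST2_IP, HOST2_MAC = "172.16.1.3", "CC-CC-CC-CC-CC-CC"
FAKE_MAC = "5B-5B-5B-5B-5B-5B"  # stands in for the post's "SB-SB-..." placeholder

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(src_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (RFC 826 layout).

    src_mac is the real source in the Ethernet header; sender_mac/sender_ip are
    the ARP-level claim. Nothing in the protocol checks that the two agree,
    which is exactly what Host1 abuses."""
    eth = mac_bytes(target_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame into a dict, or None if it is not ARP."""
    eth_src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    p = frame[22:42]
    return {
        "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(p[0:6]), "sender_ip": ip_str(p[6:10]),
        "target_mac": mac_str(p[10:16]), "target_ip": ip_str(p[16:20]),
    }


class ArpCache:
    """Toy model of a host's ARP cache: like most stacks, an incoming reply
    overwrites whatever entry exists for that IP, no questions asked."""
    def __init__(self):
        self.table = {}

    def handle(self, frame):
        a = parse_arp(frame)
        if a and a["op"] == ARP_REPLY:
            self.table[a["sender_ip"]] = a["sender_mac"]
        return a


class ArpWatch:
    """arpwatch-style detector: remember the first MAC seen for each IP and
    alert when (a) a later reply changes it, or (b) the ARP sender MAC does not
    match the Ethernet source MAC of the frame that carried it."""
    def __init__(self):
        self.seen = {}

    def check(self, frame):
        a = parse_arp(frame)
        alerts = []
        if a is None or a["op"] != ARP_REPLY:
            return alerts
        if a["sender_mac"] != a["eth_src"]:
            alerts.append(f"sender MAC {a['sender_mac']} != frame source {a['eth_src']}")
        old = self.seen.setdefault(a["sender_ip"], a["sender_mac"])
        if old != a["sender_mac"]:
            alerts.append(f"{a['sender_ip']} changed {old} -> {a['sender_mac']}")
        return alerts


def demo():
    """Replay the scenario from the text: legit reply from Host2, then Host1's
    forgery. Returns (MAC before, MAC after, detector alerts for the forgery)."""
    host0, watch = ArpCache(), ArpWatch()
    good = build_arp_reply(HOST2_MAC, HOST2_MAC, HOST2_IP, HOST0_MAC, HOST0_IP)
    host0.handle(good)
    watch.check(good)
    before = host0.table[HOST2_IP]
    bad = build_arp_reply(HOST1_MAC, FAKE_MAC, HOST2_IP, HOST0_MAC, HOST0_IP)
    host0.handle(bad)
    alerts = watch.check(bad)
    return before, host0.table[HOST2_IP], alerts


if __name__ == "__main__":
    print(demo())
```

Two practical caveats. Check (b), the Ethernet-source versus ARP-sender mismatch, only catches the "bogus MAC" denial-of-service variant; a real MITM puts its own MAC in both fields and passes it. Check (a), the mapping change, catches both, but it also fires on legitimate events such as a replaced NIC or a DHCP lease moving to another machine, so it is an alert to investigate rather than a verdict.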
Here is a demo:
Start ettercap.
Open the graphical interface, choose Sniff → Unified sniffing, and select the network interface you want to use.
On the Hosts menu choose Scan for hosts, then Hosts list to list the hosts; select your target host (the Host2 of the diagram, here the Android phone at 172.16.1.11)
and Add to Target 1.
Select the gateway (172.16.1.1) and Add to Target 2.
With this I am telling the target host that I am the gateway (and the gateway that I am the target), so both directions of the target's traffic pass through my machine.
On the Mitm menu choose ARP poisoning, tick "Sniff remote connections" and confirm.
Then you can check the ARP table on the target host (not convenient on my phone here...)
As we just said, we want to grab plaintext.
Choose Start sniffing from the Start menu.
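The step "check the ARP table on the target host" is where a victim actually sees the attack, so here is an added example (my own code, not part of the original post) of what to look for. It parses the output of `ip neigh show` (Linux/Android) or Windows `arp -a` and reports two things: the gateway resolving to a MAC other than the one you expect, and two IP addresses sharing one MAC, which is the fingerprint of an attacker answering for the gateway with its own address. The sample tables and every MAC in them are constructed for the example; they were not captured from the lab above.

```python
import re

# Constructed `ip neigh show` output from a poisoned host in the lab above:
# the gateway 172.16.1.1 now resolves to the same MAC as the attacker 172.16.1.31.
POISONED = """\
172.16.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
172.16.1.31 dev wlan0 lladdr 00:11:22:33:44:55 STALE
172.16.1.12 dev wlan0 lladdr 02:42:ac:10:01:0c REACHABLE
172.16.1.99 dev wlan0 FAILED
"""

# Constructed output before the attack (gateway MAC is a placeholder value).
CLEAN = """\
172.16.1.1 dev wlan0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
172.16.1.31 dev wlan0 lladdr 00:11:22:33:44:55 STALE
"""

# Constructed Windows `arp -a` rows for the same poisoned state.
WINDOWS = """\
Interface: 172.16.1.11 --- 0xb
  Internet Address      Physical Address      Type
  172.16.1.1            00-11-22-33-44-55     dynamic
  172.16.1.31           00-11-22-33-44-55     dynamic
  172.16.1.255          ff-ff-ff-ff-ff-ff     static
"""

IP_NEIGH = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) ", re.I)
ARP_A = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(\w+)", re.I)
GATEWAY_IP = "172.16.1.1"


def norm(mac):
    """Canonical lowercase colon form so Linux and Windows spellings compare equal."""
    return mac.lower().replace("-", ":")


def parse_neighbors(text):
    """Return {ip: mac} from `ip neigh show` or Windows `arp -a` output.
    Entries without a hardware address (FAILED/INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = IP_NEIGH.match(line)
        if m:
            table[m.group(1)] = norm(m.group(3))
            continue
        m = ARP_A.match(line)
        if m:
            table[m.group(1)] = norm(m.group(2))
    return table


def audit(table, gateway_ip, expected_gateway_mac=None):
    """Findings that suggest ARP poisoning of this host's cache."""
    findings = []
    gw = table.get(gateway_ip)
    if expected_gateway_mac and gw and gw != norm(expected_gateway_mac):
        findings.append(f"gateway {gateway_ip} is at {gw}, expected {norm(expected_gateway_mac)}")
    by_mac = {}
    for ip, mac in table.items():
        if mac == "ff:ff:ff:ff:ff:ff":  # broadcast entry is legitimately shared
            continue
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} is claimed by {sorted(ips)}")
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("poisoned", POISONED), ("windows", WINDOWS)):
        print(name, audit(parse_neighbors(text), GATEWAY_IP, "00:aa:bb:cc:dd:ee") or "no findings")
```

The duplicate-MAC check needs no prior knowledge, but it is blind if the attacker's own IP has aged out of the victim's cache, so recording the gateway's real MAC once and comparing against it is the more reliable check. On the prevention side, the same known MAC can be pinned so that forged replies are ignored: `ip neigh replace 172.16.1.1 lladdr <real-mac> nud permanent dev wlan0` on Linux, or `arp -s 172.16.1.1 <real-mac>` on Windows, at the cost of updating the entry by hand whenever the gateway hardware changes.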
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~
Well, I went to the professor's cybersecurity class today, so I don't have time to finish the later part. Let's wait until the day after tomorrow ~
Poorly written and purely popular science, and the principle may be poorly explained. I will try my best to write better articles later.