Objective
you may not be familiar with PPPoE, but you are certainly familiar with dial-up access, which is the kind of communication protocol used for dial-up. General PPPoE authentication Internet is mainly used in campus network or cell Network, dial-up interface as shown.
But PPPoE is a communication protocol that has some security flaws. Here's a look at three ways to attack PPPoE and how to use Python to implement attack tools.
Pure technology sharing, do not violate national laws.
The first way:
Account password Theft
For the PPPoE authentication process as shown, divided into the discovery phase and session stage, the discovery phase is divided into padi,pado,padr,pads.
The problem of stealing account passwords appears in the first step, PADI. When the PPPoE client connects, a broadcast packet is sent during the PADI phase to find the PPPoE server in the LAN to complete the authentication.
What we need to do is pretend to be a PPPoE server, reply to request information, preempt and client communication, and force the client to use clear text transmission to obtain the account number and password. Let's take a look at the data packet by Wireshark and look at the process of finding the PPPoE server more intuitively. Click on the broadband connection, use Wireshark Monitor, will find the broadcast packet, this time the PPPoE server will reply.
attack Scenario : Turn on the PPPoE spoofing program on the local computer, start listening, and make broadband connection on other computers in the LAN, observe the deception effect. As shown, the account and password have been successfully spoofed.
the part of the code that steals the account is as follows :
Second way: Client off-network attack
after the dial-up client (broadband connection) has successfully connected to the PPPoE server, how does the server represent the client? In layman's words, the server must know which client it is, so that communication does not go awry. PPPoE uses the method of assigning IDs, which is to assign each client a random integer of type int. With the Wireshark grab, we can clearly see the allocation of the ID.
At first blush, there is no problem, but the problem is in the scope of the ID, which is the int type. The PPPoE server uniquely identifies the client by assigning a 1-65535 value to the client. As long as know the other computer MAC address, loop send 65,535 Padt broken network packet, that is, can achieve off-network attack, and the other computer's Mac can be obtained through ARP request.
What is a Padt broken network bag ? Through the Wireshark grab the bag, let's look at the contents of the broken net package. Disconnect the broadband connection, using Wireshark monitoring, you will find Padt broken network packet, data frame analysis and simulation can be.
attack Scenario : A computer running off-screen program, through the ARP request to obtain the other computer MAC address, simulated Padt package, the other computer's broadband connection broken off.
part of the code for a broken network attack is as follows :
Third Way: Server Dos attack
Dos attacks are for PPPoE servers, but the principle is simple. Now basically the advanced point of the route, the ARP flood attacks have done a good protection against a large number of ARP packets filtered, but the PPPoE packet is not to do protection, so that a large number of PPPoE packets can be directly to the PPPoE server, thus breaking the server, which will lead to a large-scale network.
part of the code for DOS attacks is as follows :
Final complete code
Python implementation of the PPPoE attack tool, using the Scapy package, can not be confused with the reptile frame scrapy. Scapy is a very good network protocol toolkit, with the ability to contract and receive packages, very powerful. Next we will explain the scapy package, as for the full code of the PPPoE attack tool , welcome to the public account to view the original text.
Python implements PPPoE attack tool