Security Science: common methods of LAN attacks
Disclaimer: This site provides security tools and procedures (methods) that may be offensive and are only for security research and teaching. Use them at your own risk!
When people talk about network attacks, the first thing that comes to mind is remote attacks over the Internet, which take control of a target thousands of miles away. However, LAN attacks also account for a certain proportion of network attacks.
Before introducing the LAN attacks below, we have to talk about the ARP protocol, because the LAN attack methods that follow are all closely related to it.
ARP Protocol
When a host communicates with another host, it needs to know the target's IP address, but the NIC that transmits data on the LAN cannot address frames by IP. Therefore, the IP address is resolved to a MAC address using the Address Resolution Protocol (ARP). The basic function of ARP is to look up the MAC address of a target device from its IP address.
Every host in the LAN has an ARP cache table that stores the IP-to-MAC mappings of the hosts and routers on the local LAN. Entries in the ARP cache have a limited lifetime (generally no more than 20 minutes).
For example, assume that there are four hosts in the LAN.
ARP spoofing attacks rely on the mutual trust between hosts on a LAN. Suppose A broadcasts the question: what is the hardware address of IP address 192.168.0.3?
B will certainly reply: I am IP 192.168.0.3 and my hardware address is mac-B. But at the same time host C, whose IP address is 192.168.0.4, also replies: I am IP 192.168.0.3 and my hardware address is mac-C, and it sends such replies repeatedly, in large numbers.
Therefore, A will mistakenly believe that the hardware address of 192.168.0.3 is mac-C and update its cache table accordingly, so host C hijacks the data that host A sends to host B. This is the process of ARP spoofing.
If C directly impersonates the gateway, host C continuously broadcasts spoofed ARP replies saying "My IP address is 192.168.0.1 and my hardware address is mac-C." In this case every host in the LAN is spoofed and their cache tables are changed, and C can listen to the datagrams the LAN sends to the Internet.
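The spoofing pattern described above (one IP claimed by two MACs, one MAC answering for several IPs, a gateway IP answered by a MAC other than the real one) is exactly what a defender can look for. The following is an added example, not code from the original post, that runs those three checks over a constructed sample of ARP replies; the MAC values are illustrative placeholders and the gateway mapping is assumed to come from a trusted baseline.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the wire: (sender IP, sender MAC).
# The MAC values are illustrative placeholders, not real hardware addresses.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "AA:AA:AA:AA:AA:01"),  # the real gateway
    ("192.168.0.2", "AA:AA:AA:AA:AA:0A"),  # host A
    ("192.168.0.3", "AA:AA:AA:AA:AA:0B"),  # host B answering for its own IP
    ("192.168.0.3", "AA:AA:AA:AA:AA:0C"),  # host C also claiming B's IP
    ("192.168.0.4", "AA:AA:AA:AA:AA:0C"),  # host C's own legitimate address
    ("192.168.0.1", "AA:AA:AA:AA:AA:0C"),  # host C claiming to be the gateway ...
    ("192.168.0.1", "AA:AA:AA:AA:AA:0C"),  # ... repeatedly, as a spoofer does
    ("192.168.0.1", "AA:AA:AA:AA:AA:0C"),
]


def build_claims(replies):
    """Return {ip: {mac: count}} for every (ip, mac) pair that appeared."""
    claims = defaultdict(lambda: defaultdict(int))
    for ip, mac in replies:
        claims[ip][mac.lower()] += 1
    return claims


def conflicting_ips(replies):
    """IPs that more than one MAC has claimed, each with its claiming MACs sorted."""
    claims = build_claims(replies)
    return sorted((ip, sorted(macs)) for ip, macs in claims.items() if len(macs) > 1)


def rogue_gateway_macs(replies, gateway_ip, trusted_mac):
    """MACs other than the pinned (baseline) one that answered for the gateway IP."""
    claims = build_claims(replies)
    return sorted(m for m in claims.get(gateway_ip, {}) if m != trusted_mac.lower())


def macs_claiming_multiple_ips(replies):
    """A single MAC answering for several IPs is typical of a spoofing host."""
    by_mac = defaultdict(set)
    for ip, mac in replies:
        by_mac[mac.lower()].add(ip)
    return sorted((mac, sorted(ips)) for mac, ips in by_mac.items() if len(ips) > 1)


if __name__ == "__main__":
    for ip, macs in conflicting_ips(SAMPLE_ARP_REPLIES):
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    print("rogue gateway MACs:",
          rogue_gateway_macs(SAMPLE_ARP_REPLIES, "192.168.0.1", "AA:AA:AA:AA:AA:01"))
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

On a real host the same checks can be fed from a packet capture of ARP replies or from periodic snapshots of the ARP cache; a static ARP entry for the gateway is the simplest mitigation the page's gateway-impersonation case calls for.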
The attacks that follow are demonstrated with two hosts on one LAN: a BT5 host at 10.10.10.128 and a Kali host at 10.10.10.138. The LAN gateway is 10.10.10.254.
LAN network disconnection attack
In a LAN, if we want to carry out a network disconnection attack against a host, we first need to find the IP addresses present in the LAN.
fping -asg 10.10.10.0/24
Two hosts are found: 10.10.10.128 and 10.10.10.138.
Test the Internet connectivity of the host 10.10.10.128 to confirm that it can reach the Internet before the attack starts.
Then, we need to check the gateway of the LAN.
Next, we use the host 10.10.10.138 to carry out ARP spoofing against the host 10.10.10.128.
On 10.10.10.128 we can see that the network is indeed disconnected once the network disconnection attack is started.
Obtain the target's image browsing records in the LAN
Here the ARP protocol is used again; capturing the target's image browsing records and the network disconnection attack have a lot in common.
First, enable IP forwarding on 10.10.10.138. After the target is spoofed, its traffic is sent to our host and relayed on to the gateway, with our host acting as the relay station.
Then keep the ARP spoofing running.
The next step is to capture the images passing through the local NIC.
(Capture image packets from the eth0 NIC.)
Now it is time to test the effect.
We have successfully obtained, on our host, the images viewed by the target host.
Integrated application: HTTP account and password interception
HTTP account and password interception is an extension of the previous steps.
At the start, we set up NIC forwarding and ARP spoofing as before. Next, we sniff the account name and password of a login performed over HTTP.
(Capture the account and password from network traffic; -T means text-mode display and -q means quiet mode.)
After that, let's test the results.
Log in on 10.10.10.128.
As soon as the login on 10.10.10.128 is submitted, we get the account and password.
Some websites allow Chinese characters in account names and passwords, so the intercepted information may show up as garbled (percent-encoded) text; URL-decoding it recovers the Chinese account name and password.
Obtain the HTTPS account password
HTTPS, with certificate authentication and encrypted transmission, is much more secure than HTTP. Here we obtain the account and password of an HTTPS login. The idea is to downgrade the HTTPS connection to plain HTTP and then capture the account and password from the HTTP traffic.
First, convert the HTTPS transmission to HTTP transmission.
Then configure NIC forwarding, ARP spoofing and packet capture. This is basically the same as the HTTP case above, so I will not repeat it. (Some browsers have stronger protections and may defeat this.)
Session hijacking
There are several methods of session hijacking in a LAN. Here we only discuss a simple and crude one: capturing packets with CookieCadger.
First of all, this is not as complicated as the steps above. Start Cookie Cadger first. Cookie Cadger is a packet capture tool written in Java, so it can also be used on Windows.
Here we have logged in to Baidu Tieba and Qzone on 10.10.10.128. In Cookie Cadger on 10.10.10.138 we can open the 10.10.10.128 sessions.
As you can see, there is no need to log in at all. In this way we can hijack other people's sessions on the LAN.
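The session replay above only works because the session cookies travelled in plaintext HTTP, where a host that has inserted itself into the path can read them. As an added example (not part of the original post), the following audit parses Set-Cookie headers and reports which cookies lack the Secure flag (sent over plain HTTP, so exposed to a LAN sniffer) or the HttpOnly flag; the header samples and cookie names are constructed for illustration.

```python
# Constructed Set-Cookie headers, as a server might send them (illustrative only).
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",                         # no Secure: sent over HTTP
    "pref=dark; Path=/",                                     # neither flag
    "auth=tok-9f; Path=/; Secure; HttpOnly; SameSite=Lax",   # protected
]

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True   # flag attributes have no value
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(headers):
    """Return [(cookie name, [missing flags])] in the order the headers appear."""
    report = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [f for f in REQUIRED_FLAGS if f.lower() not in cookie["attrs"]]
        report.append((cookie["name"], missing))
    return report


def exposed_to_lan_sniffer(headers):
    """Cookies without Secure are transmitted on plain-HTTP requests and can be
    captured by a host that has ARP-spoofed itself into the path."""
    return [name for name, missing in audit_cookies(headers) if "Secure" in missing]


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{name}: {status}")
    print("exposed on plain HTTP:", exposed_to_lan_sniffer(SAMPLE_SET_COOKIE_HEADERS))
```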
There are still many interesting things to do in a LAN. Compared with attacks over the Internet it is easier, but don't try it on your roommate, or your roommate will chase you down ten streets.