Sniffer attack and defensive--ettercap+driftnet in wireless LAN

 sniffer attack and defense in wireless LAN

-----ettercap+driftnet 1 Experimental requirements and purposes

Understanding the rules and protocols for local area network forwarding data

Understand the principle and operation process of grasping package software

A deeper understanding of the protocols for data transmission in the network 2 experimental principles and background knowledge 2.1 Grasping package software and analysis software

There are two tools used in the sniffer test, Ettercap and driftnet. Ettercap is an existing popular network grab software, he uses the computer in the LAN to communicate the ARP protocol flaw to attack, between the target and server as a middleman, sniffing between the data flow between the two, from which users to steal data information.

Introduction to Ettercap

Ettercap has two modes of operation, unified and bridged. The unified approach is to sniff through the middleman, the basic principle of which is to deceive hosts A and B, to act as a middleman, and to analyze data between A and B through the c,c to complete sniffing. Bridged mode is in the case of dual NIC, sniffing two of packets between the network card.

Ettercap's sniffing working methods are divided into five types:

1) ipbased: In sniffing mode based on IP address, Ettercap will capture packets according to source Ip-port and destination Ip-port;

2) macbased: In a MAC address mode, ETTERCAP will capture packets based on the source Mac and Destination Mac (which is useful when capturing packets passing through the gateway);

3) Arpbased: In the way of ARP spoofing, Ettercap uses ARP spoofing to monitor communication between two hosts in a switched LAN (FULL-DUPLEX);

4) Smartarp: In Smartarp mode, ETTERCAP uses ARP spoofing to monitor the communication between a host on the Exchange network and all known other hosts (hosts in the host table) (Full-duplex);

5) Publicarp: In Publicarp mode, ETTERCAP uses ARP spoofing to listen for communication between a host and all other hosts on the Exchange Network (HALF-DUPLEX). This method sends an ARP response in a broadcast manner, but if Ettercap already has the full host Address table (or the host on the LAN is scanned when ETTERCAP is started), Ettercap automatically selects the Smartarp method, And the ARP response is sent to all hosts outside of the listening host to avoid the message of an IP address conflict on the Windows host.

when operating ettercap, use the-m parameter, that is, to select the Man-in-the-middle attack mode, there are several ways to attack:

1 The Man-in-the-middle attack based on ARP poisoning: the principle of ARP poisoning can be easily understood as the corresponding relationship between the MAC address and IP, which causes the packet to be intercepted by the middleman. ARP poisoning has both bidirectional (remote) and one-way (OneWay) two ways. The bidirectional approach will poison the ARP cache for the two targets and listen for communication between the two. The one-way approach will only monitor the one-way communication content of the first target to the second target. You will typically choose to use bidirectional spoofing to get all the packets for sniffing analysis.

such as: #ettercap-M arp:remote/192.168.1.102//

The corresponding implication is that it represents the sniffing of all ports of the 192.168.1.102, including the packets it sends and the packets it receives.

2 ICMP spoofing: ICMP spoofing is a routing spoofing technique based on redirection (redirect). The rationale is to deceive other hosts, disguising themselves as the most recent route, so other masters send the data packages, and then the attacker who acts as a middleman forwards it back to the real router. So we can listen to these packets. Of course, ICMP spoofing does not apply to the environment of the switch, if the computer in the switch environment it is best to choose ARP poisoning way to attack. The parameter of ICMP spoofing is the MAC and IP of the real router, the Parameter form is (MAC/IP).

such as: #ettercap-M icmp:00:11:22:33:44:55/192.168.1.1

The corresponding meaning is: to disguise themselves as the real router's Mac and IP.

The principle of DHCPSPOOFING:DHCP spoofing is to disguise the native of the attacker as a DHCP server, instead of the real DHCP server allocating IP dynamically to the victim host of the new Access network. Such a disadvantage is that the real DHCP server can be repeatedly assigned to conflict with the IP, but only for the new access network segment of the host, it is difficult to affect the previous host. The parameters of the DHCP spoofing method are the IP address pool, subnet mask, and DNS that can be allocated, in the form of (Ip_pool/netmask/dns).

such as: #ettercap-M dhcp:192.168.1.102,35,50-60/255.255.255.0/192.168.1.1
The corresponding implication is that the address within the 192.168.1.102,35,50-60 is assigned, and the subnet mask is the 255.255.255.0,DNS server is 192.168.1.1.

Portstealing: This attack mode is applicable to the environment under the switch, and routers in the IP and Mac binding, can not be ARP spoofing. The basic idea is that since the router's IP and Mac correspondences cannot be spoofed, the switch is spoofed so that packets that should have reached the target host via the switch port are passed into the attacker's port. It should be noted that because this method is only used in the switch environment and produces a large number of packets, it can seriously affect network conditions.

Ettercap parameters and common operation

-I display available NIC interface devices
-I Selection interface
-T protocol selection, Tcp/udp/all, defaults to all
-p to sniff local packets without a poison attack
-F Load Filter file
-V-Text displays the packet as text on the screen
-l filename saves all packets (saved files can only be displayed with Etterlog)

Introduction to Driftnet

Driftnet is a software that captures the image above the specified interface data stream and displays the sniffer image in a window under Linux.

Use syntax for driftnet commands: driftnet [options] [Filter code]

Main parameters:

-B beep When new picture is captured

-I interface Select Listener interface

-f file reads a picture in a specified PCAP packet

-P does not allow the listening interface to use promiscuous mode

-A background mode: saves captured pictures to the directory (does not appear on the screen)

-M number specifies how many pictures to save

-D directory Specifies the path to save the picture

-x prefix the prefix name of the saved picture

2.2 ARP Spoofing principle

Since this sniffer method uses ARP spoofing, you need to understand the principle of ARP first.

Host A sends a message to Host B and queries the local ARP cache table to find B