Today, my friend asked me if I knew about WinArpspoofer gateway spoofing.
I didn't. I searched the Internet and found out that it was the tool used in the recent MSN eavesdropping event.
Later, my friend also wanted to test it and play with it. I searched the Internet for it and did not find it. I found a version modified by someone else, which is an enhanced version, linked below:
Http://www.xfocus.net/tools/200606/WinArpAttacker3.50.rar
Instructions:
The WinArpAttacker interface is divided into four output areas.
The first area is the host list, which displays the IP address, MAC address, host name, online status, monitoring status, and attack status of the machines in the LAN.
In addition, there are some ARP packet and forwarded packet statistics, such as:
ArpSQ: number of ARP request packets sent by the machine
ArpSP: number of response packets sent by the machine
ArpRQ: number of request packets received by the machine
ArpRP: number of response packets received by the machine
Packets: the number of data packets forwarded. This information is useful for SPOOF.
Traffic: the forwarded traffic, in units of K. This information is useful for SPOOF.
The second area is the event detection area, where detected host status changes and attack events are displayed. For the list of events that can be detected, see the English description.
The main ones are IP conflicts, scans, SPOOF listening, local ARP table changes, and new machines coming online. When you move the cursor over an event, a description of it is displayed.
The third area displays the entries in the local ARP table, which is good for monitoring local ARP table changes in real time and preventing SPOOF attacks.
The fourth area is the information display area, which mainly displays output produced while the software is running. If an error occurs while it is running, it is reported here.
That covers the software interface.
The following describes several important functions.
1. Scan
When you click the "Scan" toolbar icon, the software automatically scans the machines on the LAN and displays them in the host list.
When you click "Scan checked", you must first select some machines in the machine list; only the selected machines are scanned.
When you click "Advanced", a scan dialog is displayed. This dialog offers three scan methods.
The first is to scan a single host to obtain its MAC address.
The second is to scan a network range, which can be a class C or a class B address range. We recommend that you do not scan class B ranges, because it is too time-consuming and has some impact on the network.
The range can be the local class C network or another class C network, such as 192.168.0.1-254. Either can be scanned successfully.
The third is a multi-segment scan. If the local machine has more than two IP addresses, two subnet options appear. Below them are two scan options: a normal scan, which checks whether hosts are online, and an anti-listener scan, which finds machines that are currently listening.
Okay, that is the scanning function. Next we will talk about attacks.
2. Attacks
There are six attack functions:
FLOOD: uninterrupted IP conflict attacks
BANGATEWAY: blocks Internet access
IPConflict: timed IP address conflict
SniffGateway: monitors the communication between the selected machine and the gateway.
SniffHosts: monitors the communication between the selected machines
SniffLan: monitors the communication between any machines in the network. This function is too dangerous and may disrupt the entire network. We recommend that you do not use it indiscriminately.
When you decide that the attacks can stop, click STOP; otherwise they will continue.
FLOOD: select a machine and choose FLOOD from the attack menu. The default FLOOD count is one thousand. You can change this value in the options.
FLOOD attacks bring up an IP conflict dialog box on the other machine, so you must be careful when using them.
BANGATEWAY: select the machine and select the BANGATEWAY attack. This prevents the other machine from accessing the Internet.
IPConflict: the IP conflict dialog box is displayed on the target machine. This demonstration uses the local machine.
SniffGateway: monitors the Internet traffic of the other machine. After the attack is launched, use packet capture software to capture the content. We can see that the two statistics, Packets and Traffic, are increasing. We can now see the Internet traffic of the other machine.
SniffHosts and SniffLan are similar, so they are not demonstrated.
You can control the attack time and behavior in the options. Except for FLOOD, whose value is a count, all the other values are durations. If the FLOOD value is 0, it is not stopped.
Of the three options below them, one automatically restores the ARP table after the attack, and the other two ensure that the monitored machine can still access the Internet normally, which requires data forwarding. We recommend that you keep them selected.
The attack we just launched has been detected and appears in the detection event list. Here you can see whether someone is attacking you, so that you can take measures.
Okay, that is the introduction to the attack functions.
3. Options
Adapter: the network adapter and IP address to bind to, as well as the gateway IP address, MAC address, and other information. Sometimes a computer has several NICs, and you need to select the correct Ethernet NIC.
A NIC can also have multiple IP addresses, so you need to select the IP address you want to use. The same is true for gateways.
If the Gateway MAC field shows an all-zero MAC, the gateway MAC may not have been obtained correctly. You can refresh to obtain it again.
UPDATE: controls how the machine list is updated. There are two options.
The first is to scan the network at regular intervals to update the machine list. You can set the interval for this scheduled scan.
The second is passive listening, which learns about new machines from the data packets that pass by.
For passive listening, you can select the packet types to use. Because some packets can be forged, the IP address and MAC address obtained from them may be incorrect, so choose carefully.
DETECT: the first option sets whether detection starts as soon as the program runs. The second option is the number of packets per second above which traffic is considered a scan; this affects the event detection output.
The third is the time window within which many identical events are treated as one event. Take scanning as an example: scanning a class C segment covers 254 machines, which would generate 254 events. When these events fall within a certain period of time, only one scan event is output (by default, one scan event per 5 minutes).
ANALYSIS: this only saves data packets, for analysis by advanced users.
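The two DETECT settings just described, a packets-per-second scan threshold and a merge window for identical events, can be sketched as follows. This is an added example, not WinArpAttacker's code: the threshold of 10 requests per second and the record layout are assumptions, and the traffic is constructed.

```python
from collections import defaultdict

SCAN_PPS = 10        # assumed threshold; the page does not give the default
MERGE_WINDOW = 300   # seconds; the page's default of 5 minutes

def detect_scans(requests, pps=SCAN_PPS, window=MERGE_WINDOW):
    """requests: time-ordered (timestamp, sender_ip, target_ip) ARP requests.
    Returns (timestamp, sender_ip) scan events, at most one per sender
    per merge window."""
    targets = defaultdict(set)   # (sender, whole second) -> distinct targets
    last_event = {}              # sender -> time of the last reported event
    events = []
    for ts, sender, target in requests:
        seen = targets[(sender, int(ts))]
        seen.add(target)
        if len(seen) < pps:
            continue             # below the scan rate for this second
        prev = last_event.get(sender)
        if prev is None or ts - prev >= window:
            events.append((ts, sender))
            last_event[sender] = ts
    return events

def sweep(start, sender, rate=50):
    """Constructed sample: one request per address in 192.168.0.1-254."""
    return [(start + i / rate, sender, f"192.168.0.{i + 1}") for i in range(254)]

# Constructed traffic: three sweeps by one host plus an ordinary client.
SAMPLE = sorted(
    sweep(1000.0, "192.168.0.50") + sweep(1100.0, "192.168.0.50")
    + sweep(1400.0, "192.168.0.50")
    + [(1001.0 + 30 * i, "192.168.0.7", "192.168.0.1") for i in range(10)]
)
EVENTS = detect_scans(SAMPLE)   # the sweep at 1100 s is merged into the first
```

With the 5-minute window, 762 scan packets collapse into two events; shortening the window reports the middle sweep as well.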
ARP Proxy: these options are valid only when the proxy function is enabled. Arp Packet Send Mode selects whose ARP request packets will be answered.
Mac address is the MAC address to answer with, which can be the local machine, the gateway, or any MAC address.
When a machine in the LAN needs to access another machine or the gateway, it sends an ARP request packet. If you enable this function, the software automatically replies with the MAC address you set. Therefore, if you set a wrong MAC, many machines may not be able to access the network.
PROTECT: this is a protection function. When someone attempts ARP listening attacks against your machine or other machines in the LAN, it can block them automatically.
There are two options: the first is local protection, which protects the local machine from SPOOF; the second is remote protection, that is, protection for other machines. However, the second function probably does not work well, because when two other machines are being SPOOFed, the ARP packets are unlikely to reach the local machine. Local protection is more practical. When a block-Internet-access attack is run against the local machine, the software correctly detects four events:
two access-prohibited events, which say that 0.0.0.0 sent special ARP packets to block communication between the local machine and the gateway 192.168.253.1; a third event, which says that an IP-MAC pair was added to the local ARP table and that it is a wrong IP-MAC pair;
and a last event, which says that 01-01-01-01-01 has been changed to the correct MAC, 00-11-22-33-44-54. This means PROTECT works: the software corrects the wrong MAC address in the ARP table based on the MAC address in the machine list.
The software's run-time output below also confirms this.
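The check behind local protection, comparing the local ARP table with a trusted machine list, can be reproduced on any Windows host from `arp -a` output. The following is an added example, not WinArpAttacker's code: the function names, the trusted list and the sample table are constructed, and the duplicate-MAC check goes slightly beyond what the page describes.

```python
import re

ENTRY = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(\w+)")

def parse_arp_a(text):
    """Parse Windows `arp -a` output into {ip: (mac, entry_type)}."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
    return table

def audit(table, trusted):
    """Compare ARP entries with a trusted {ip: mac} list.
    Returns (findings, fixes); each fix is an `arp -s` command that pins
    the trusted MAC as a static entry."""
    findings, fixes, owners = [], [], {}
    for ip, (mac, kind) in table.items():
        if kind == "dynamic":
            owners.setdefault(mac, []).append(ip)
        good = trusted.get(ip, "").lower()
        if good and mac != good:
            findings.append(f"{ip}: ARP table has {mac}, trusted list has {good}")
            fixes.append(f"arp -s {ip} {good}")
    for mac, ips in owners.items():
        if len(ips) > 1:   # one MAC claiming several IPs is typical of SPOOF
            findings.append(f"{mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings, fixes

# Constructed sample: the gateway entry carries the same MAC as another host.
SAMPLE = """
Interface: 192.168.253.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.253.1         01-01-01-01-01-01     dynamic
  192.168.253.23        01-01-01-01-01-01     dynamic
  192.168.253.255       ff-ff-ff-ff-ff-ff     static
"""
TRUSTED = {"192.168.253.1": "00-11-22-33-44-54"}   # gateway MAC from the machine list
FINDINGS, FIXES = audit(parse_arp_a(SAMPLE), TRUSTED)
```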
4. Manually send ARP packets
Let's talk about the function for manually sending ARP packets. This is intended for advanced users, who should be familiar with the structure of ARP packets. If you know how ARP attacks work, you can create any attack packet here.
The following steps create an IP conflict packet. The conflicted object is the local machine.
The target MAC address is the local host, and the source MAC address can be any MAC address. The target IP address and source IP address are both the local IP address. After filling these in, try sending it.
If the operation is correct, you will see an IP conflict alert, and the software also detects that this is an IP conflict packet.
You can try multiple combinations to test the results.
That is the introduction to the basic features of WinArpAttacker. You can try the other features by yourself, BYEBYE!
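How a monitor recognizes the IP conflict packet described above can be shown by decoding the ARP fields and comparing them with the host's own address. This is an added example, not WinArpAttacker's code: the function names, the host address and the two sample frames are constructed, and the Ethernet/ARP mismatch check is an extra heuristic the page does not mention.

```python
import socket
import struct

def mac(b):
    return "-".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac(eth_src), "eth_dst": mac(eth_dst), "oper": oper,
            "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa)}

def classify(pkt, my_ip, my_mac):
    """Return the labels a monitor on host (my_ip, my_mac) raises for pkt."""
    labels = []
    if pkt["sender_ip"] == my_ip and pkt["sender_mac"] != my_mac.lower():
        labels.append("ip-conflict")            # another MAC claims our IP
    if pkt["eth_src"] != pkt["sender_mac"]:
        labels.append("ethernet-arp-mismatch")  # frame header and ARP body disagree
    return labels

# Constructed sample frames (hex), not captured traffic.
MY_IP, MY_MAC = "192.168.0.10", "00-11-22-33-44-55"
CONFLICT = bytes.fromhex(      # source IP and target IP are both the local IP
    "001122334455" "0a0b0c0d0e0f" "0806" "0001" "0800" "06" "04" "0001"
    "0a0b0c0d0e0f" "c0a8000a" "001122334455" "c0a8000a")
NORMAL = bytes.fromhex(        # 192.168.0.20 asking who has 192.168.0.10
    "ffffffffffff" "0a0b0c0d0e0f" "0806" "0001" "0800" "06" "04" "0001"
    "0a0b0c0d0e0f" "c0a80014" "000000000000" "c0a8000a")
```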