Lab environment
- Client: IP 10.8.161.61, MAC 00-90-F5-EB-3F-3F
- Kali machine: IP 10.8.161.163, MAC 00-0C-29-48-ED-82
- Server: IP 10.8.161.165, MAC 00-0C-29-40-C1-AF
Principle of attack
A common man-in-the-middle technique is ARP spoofing: the attacker sends forged ARP replies to a host and to the gateway on the LAN, overwriting the entries in their ARP caches so that traffic between the two flows through the attacker, who can then read it.

Simulation 1: the client accesses the server and enters a login account and password; Kali intercepts the account and password.
Normal access:
client ---- (ARP request broadcast to all devices on the LAN) ---- the server (device 2) answers with its MAC, and the client sends its data to that MAC
After interception by Kali:
client ---- (Kali poisons the client's ARP table, replacing the server's MAC with its own, and receives the data itself) ---- Kali forwards the data on to the server

Simulation 2: Kali intercepts the traffic of all devices in the same network segment by impersonating the gateway.
Normal access:
client ---- (switch) ---- (router / gateway) ---- cloud server
After interception by Kali:
client ---- (spoofed ARP reply replaces the gateway's MAC in the client's cache) ---- Kali receives the client's request ---- Kali forwards it to the cloud server
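Both simulations leave the same two fingerprints in the ARP traffic a defender can observe: an IP whose MAC suddenly changes, and one MAC (the attacker's) that "is-at" several IPs at once. The following monitor, added here as an example and not part of the original post, feeds a constructed stream of ARP replies built from the lab addresses above through a small detector. The `ArpReply`, `ArpMonitor`, `analyse` names and the sample trace are my own assumptions; the trace reproduces simulation 1, where the server's IP starts answering from the Kali machine's MAC.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies (example code)."""
from collections import defaultdict
from dataclasses import dataclass, field


def normalise_mac(mac: str) -> str:
    """Canonical 'aa-bb-cc-dd-ee-ff' form so ':' and '-' notations compare equal."""
    return mac.lower().replace(":", "-")


@dataclass
class ArpReply:
    """One observed 'ip is-at mac' ARP reply (assumed field names)."""
    ip: str
    mac: str


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings over time and flags the symptoms of poisoning."""
    trusted: dict = field(default_factory=dict)    # ip -> mac that must never change
    learned: dict = field(default_factory=dict)    # ip -> mac seen most recently
    claims: dict = field(default_factory=lambda: defaultdict(set))  # mac -> ips it claimed
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> list:
        """Feed one reply; return the alerts it triggered (also kept in self.alerts)."""
        ip, mac = reply.ip, normalise_mac(reply.mac)
        new = []
        expected = self.trusted.get(ip)
        if expected is not None and mac != expected:
            new.append(f"trusted binding violated: {ip} should be {expected}, reply says {mac}")
        old = self.learned.get(ip)
        if old is not None and old != mac:
            new.append(f"binding changed: {ip} was {old}, now {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            new.append(f"one MAC claims several IPs: {mac} -> {sorted(self.claims[mac])}")
        self.learned[ip] = mac
        self.alerts.extend(new)
        return new


def analyse(replies, trusted=None) -> list:
    """Run a whole trace through a fresh monitor and return every alert raised."""
    monitor = ArpMonitor(trusted={ip: normalise_mac(m) for ip, m in (trusted or {}).items()})
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts


# Constructed trace (not captured traffic) using the lab's addresses: simulation 1.
SAMPLE_REPLIES = [
    ArpReply("10.8.161.165", "00-0C-29-40-C1-AF"),  # server answers with its real MAC
    ArpReply("10.8.161.61", "00-90-F5-EB-3F-3F"),   # client
    ArpReply("10.8.161.163", "00-0C-29-48-ED-82"),  # Kali machine, its own IP
    ArpReply("10.8.161.165", "00-0C-29-48-ED-82"),  # poisoned: server IP now "at" Kali's MAC
    ArpReply("10.8.161.61", "00-0C-29-48-ED-82"),   # poisoned: client IP also "at" Kali's MAC
]
# The server's true MAC, as a defender would pin it after building the lab.
TRUSTED = {"10.8.161.165": "00-0C-29-40-C1-AF"}

if __name__ == "__main__":
    for alert in analyse(SAMPLE_REPLIES, TRUSTED):
        print("ALERT:", alert)
```

The first three replies raise nothing; the fourth trips all three rules at once (trusted binding violated, binding changed, one MAC claiming two IPs), and the fifth adds two more. On a real network the replies would come from a packet capture rather than a list, but the detection logic is the same.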
Attack process
Kali ships with the tool Ettercap.
Brief introduction to Ettercap:
- ettercap is a powerful spoofing tool for Linux; it can also be run on Windows
- it is a unified man-in-the-middle attack tool
- it forwards packets whose destination MAC is this machine's but whose destination IP is not this machine's
- it supports SSH1 and SSL man-in-the-middle attacks
1. Start the Ettercap tool on Kali:
ettercap -G
The Ettercap graphical interface opens.
2. Select the virtual network card.
3. Scan for hosts on the LAN.
4. Add the hosts to be monitored. There are two ways; choose one of them:
- If only one host in the LAN is to be monitored, add the client (the monitored machine) 10.8.161.61 with Add to Target 1, and add the server it will access, 10.8.161.165, with Add to Target 2.
- If all hosts in the intranet are to be monitored, press Ctrl+A to select all hosts except the Kali host address and the gateway address 10.8.11.254. After selecting, add them with Add to Target 1, and add the gateway address 10.8.16.154 with Add to Target 2.
5. Turn on spoofing: click Mitm on the toolbar, choose ARP poisoning, and tick Sniff remote connections.
6. Testing: we use the client to access the server machine and enter the account and password. I saw that the Ettercap tool recorded the account and password in the status bar.
How to prevent it
1. Add a static ARP entry that binds the IP to its MAC (done on the client):
① Check the Idx number of the network card to choose which interface to bind on.
② Set the static binding:
netsh -c "i i" add neighbors <Idx of the connection> <gateway IP> <gateway MAC>
This adds one static mapping. For example:
netsh -c "i i" add neighbors 13 10.8.161.165 00-0C-29-40-C1-AF
③ Check: the bound server entry is now shown as static, so it can no longer be overwritten by spoofing:
arp -a
④ To remove the binding, use arp -d followed by the IP address.
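A static entry only protects you if it is actually present, marked static, and carries the right MAC, so step ③ is worth automating. The script below is an added example, not from the original post: it parses Windows `arp -a` output (the two sample tables are constructed, using interface index 13 = 0xd and the lab addresses from above) and reports whether a given IP is pinned as expected. `parse_arp_table` and `check_binding` are my own names.

```python
"""Verify a static ARP binding from Windows 'arp -a' output (example code)."""
import re

# Windows 'arp -a' layout: an 'Interface:' header per adapter, then rows of
#   <ip>  <mac>  <static|dynamic>
IFACE_LINE = re.compile(r"^Interface:\s+(\S+)\s+---\s+0x([0-9a-f]+)", re.I)
ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.I,
)


def parse_arp_table(text: str) -> dict:
    """Return {(interface_idx, ip): (mac, type)} parsed from 'arp -a' output."""
    entries = {}
    idx = None
    for line in text.splitlines():
        header = IFACE_LINE.match(line)
        if header:
            idx = int(header.group(2), 16)  # Idx is printed in hex, netsh takes it decimal
            continue
        row = ARP_ROW.match(line)
        if row and idx is not None:
            entries[(idx, row.group(1))] = (row.group(2).lower(), row.group(3).lower())
    return entries


def check_binding(text: str, idx: int, ip: str, expected_mac: str) -> tuple:
    """Return (ok, reason); ok only if the entry exists, is static and has the expected MAC."""
    entry = parse_arp_table(text).get((idx, ip))
    if entry is None:
        return False, f"no ARP entry for {ip} on interface {idx}"
    mac, kind = entry
    if kind != "static":
        return False, f"{ip} is {kind}, so a spoofed reply can still overwrite it"
    if mac != expected_mac.lower():
        return False, f"{ip} is bound to {mac}, expected {expected_mac.lower()}"
    return True, f"{ip} is statically bound to {mac}"


# Constructed 'arp -a' output before the netsh command: the server is still dynamic.
SAMPLE_BEFORE = """\
Interface: 10.8.161.61 --- 0xd
  Internet Address      Physical Address      Type
  10.8.161.163          00-0c-29-48-ed-82     dynamic
  10.8.161.165          00-0c-29-40-c1-af     dynamic
  10.8.161.255          ff-ff-ff-ff-ff-ff     static
"""

# Constructed output after 'netsh -c "i i" add neighbors 13 10.8.161.165 00-0C-29-40-C1-AF'.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "10.8.161.165          00-0c-29-40-c1-af     dynamic",
    "10.8.161.165          00-0c-29-40-c1-af     static",
)

if __name__ == "__main__":
    for label, table in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        ok, reason = check_binding(table, 13, "10.8.161.165", "00-0C-29-40-C1-AF")
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

On a real client you would pass the live output of `arp -a` as `text`; the function also catches the case where someone bound the wrong MAC, which a plain "is it static?" glance would miss.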
2. Bind IP and MAC addresses in the switch or router.
3. Use anti-ARP-spoofing software such as Anti ARP Sniffer. Its functions:
① 100% defense against all malicious programs that use ARP techniques; it automatically rewrites the ARP data when spoofing is suspected.
② It can track the ARP attacker and trace the other party's IP address.
③ It automatically repairs the ARP data and keeps the network uninterrupted.
④ It can automatically obtain the number of broadcast packets sent and received by this machine.
Thanks for reading; if this was helpful to you, please give it a like (σ゚∀゚)σ…:*☆