Server security test --- Kali man-in-the-middle ARP spoofing attack


Lab environment

Client:
IP: 10.8.161.61
MAC: 00-90-F5-EB-3F-3F

Kali machine:
IP: 10.8.161.163
MAC: 00-0C-29-48-ED-82

Server:
IP: 10.8.161.165
MAC: 00-0C-29-40-C1-AF

Principle of attack

The common man-in-the-middle technique on a LAN is ARP spoofing: the attacker sends forged ARP replies to a host and to the gateway (or to two hosts), overwriting the ARP cache on each side so that both send their frames to the attacker's MAC address. The attacker reads the traffic and forwards it on, so neither side notices the detour.

  1. Simulation 1: the client accesses the server and enters a login account and password; Kali intercepts the credentials.
    Normal access:
    client ----- (ARP request broadcast: who has 10.8.161.165?) ----- the server answers with its MAC ----- the switch delivers the client's frames to the server by that MAC
    After Kali intercepts:
    client ----- (Kali poisons the client's ARP table, replacing the server's MAC with its own, so the client's frames arrive at Kali) ----- Kali forwards the traffic on to the server
  2. Simulation 2: Kali intercepts every host in the network segment by impersonating the gateway.
    Normal access:
    client ----- (via switch) ----- (router gateway) ----- cloud server
    After Kali intercepts:
    client ----- (spoofing: the gateway's MAC in the client's ARP table is replaced by Kali's) ----- Kali receives the client's request ----- Kali forwards it to the cloud server
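The two poisoned replies from Simulation 1, built and then detected, as an added example that is not code from the original post. It uses only the Python standard library and the lab addresses listed above; the baseline IP-to-MAC table, the function names and the "honest reply" sample frame are this example's own assumptions. The check generalizes the post's single case: any reply that contradicts the baseline, or any MAC that claims more than one IP, is flagged.

```python
# Added example (not from the original post): build the ARP replies Kali sends
# in Simulation 1, then run a baseline check that flags them.
# Lab addresses are the ones under "Lab environment"; the baseline table,
# function names and the honest-reply sample are assumptions of this example.
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

CLIENT = ("10.8.161.61", "00-90-F5-EB-3F-3F")
KALI = ("10.8.161.163", "00-0C-29-48-ED-82")
SERVER = ("10.8.161.165", "00-0C-29-40-C1-AF")


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return "-".join(f"{x:02X}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying the ARP reply "sender_ip is at sender_mac",
    unicast to target_mac. A poisoner only has to lie in the sender fields."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet+ARP frame; returns None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


def detect_spoofing(frames, baseline):
    """Baseline check: every ARP reply must agree with the known IP->MAC table,
    and one MAC must not claim more than one IP.
    Returns a list of alerts (kind, ip_or_mac, detail)."""
    known = {ip: mac_str(mac_bytes(mac)) for ip, mac in baseline.items()}
    claimed = {}  # MAC -> set of IPs it has claimed so far
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in known and known[ip] != mac:
            alerts.append(("mismatch", ip, f"claimed by {mac}, expected {known[ip]}"))
        claimed.setdefault(mac, set()).add(ip)
        if len(claimed[mac]) > 1:
            alerts.append(("multi_ip", mac, "claims " + ", ".join(sorted(claimed[mac]))))
    return alerts


# Constructed traffic: one honest reply from the server, then the two poisoned
# replies Kali sends to sit between client and server.
SAMPLE_FRAMES = [
    build_arp_reply(SERVER[1], SERVER[0], CLIENT[1], CLIENT[0]),  # honest: .165 is at the server MAC
    build_arp_reply(KALI[1], SERVER[0], CLIENT[1], CLIENT[0]),    # to client: ".165 is at Kali"
    build_arp_reply(KALI[1], CLIENT[0], SERVER[1], SERVER[0]),    # to server: ".61 is at Kali"
]
BASELINE = {CLIENT[0]: CLIENT[1], KALI[0]: KALI[1], SERVER[0]: SERVER[1]}

if __name__ == "__main__":
    for kind, what, detail in detect_spoofing(SAMPLE_FRAMES, BASELINE):
        print(f"[{kind}] {what}: {detail}")
```

The honest reply produces no alert; each poisoned reply trips the baseline comparison, and the second one also trips the one-MAC-many-IPs rule, which is the check that still works when no baseline table exists. To use this on real traffic, feed `detect_spoofing` the raw frames from a capture instead of `SAMPLE_FRAMES`.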

Attack process

Kali ships with the tool Ettercap.

Brief introduction to Ettercap:

  1. Ettercap is a powerful spoofing tool for Linux; a Windows build also exists.
  2. It is a unified man-in-the-middle attack tool: poisoning, sniffing and forwarding are handled in one program.
  3. It forwards packets whose destination MAC is this machine's but whose destination IP is not, i.e. the traffic that ARP poisoning has redirected to it, so the victims keep communicating.
  4. It supports man-in-the-middle attacks against SSH1 and SSL.

1. Start the Ettercap tool on Kali

ettercap -G

The Ettercap graphical interface opens.

2. Select the virtual network card

3. Scan for LAN hosts

4. Add the monitored hosts

There are two ways; choose one of them.

  1. If you are only monitoring one host in the LAN, add the client (the monitored machine) 10.8.161.61 to Target 1 with Add to Target 1, and add the server it accesses, 10.8.161.165, to Target 2 with Add to Target 2.
  2. If you are monitoring all hosts in the intranet, press Ctrl+A to select all hosts, then deselect the Kali host address and the gateway address 10.8.11.254. Add the selection to Target 1, and add the gateway address 10.8.16.154 to Target 2.
  3. Turn on the spoofing.
    Click Mitm on the toolbar, choose ARP poisoning, and tick Sniff remote connections.
  4. Test.
    Use the client to access the server and enter the account and password. Ettercap records the captured account and password in its status bar.

How to prevent it

1. Add a static ARP entry on the client, binding the IP to its MAC (this is done on the client, the machine being poisoned).
① Check the Idx number of the network card and choose which interface to bind on.
② Add the static mapping:

netsh -c "i i" add neighbors  <interface Idx>  <gateway IP>  <gateway MAC>      (adds one static mapping; "i i" is short for "interface ipv4")
For example, binding the lab server:
netsh -c "i i" add neighbors    13    10.8.161.165 00-0C-29-40-C1-AF

③ Check: the bound server entry now shows as static, so a spoofed reply can no longer overwrite it. Only the bindings you add are protected, so the gateway needs its own entry too.

arp -a

④ To unbind, use arp -d followed by the IP.

2. Bind IP and MAC addresses on the switch or router.
3. Use anti-ARP-spoofing software such as Anti ARP Sniffer.
Advertised functions:
① Defends against malicious programs that use ARP, automatically rewriting the ARP data when spoofing is suspected (the vendor claims full coverage).
② Tracks the ARP attacker and reports the other party's IP address.
③ Repairs the ARP data automatically so the network stays up.
④ Reports the number of broadcast packets sent and received by this machine.
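A check for step 1 above, added here as an example rather than code from the original post: it parses the output of `arp -a` on the Windows client and reports whether the bindings that should be static are present, static, and pointing at the right MAC. The two `arp -a` samples are constructed to look like the lab client's cache (interface 0xd, i.e. Idx 13 from the netsh example) before and after the binding; the expected-bindings table and the function names are this example's assumptions.

```python
# Added example (not from the original post): audit `arp -a` output from the
# Windows client against the static bindings step 1 says should exist.
# Both sample outputs are constructed; the expected table and function names
# are assumptions of this example.
import re

# Windows "arp -a" rows: IP address, MAC with dashes, then "static" or "dynamic"
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)
IFACE = re.compile(r"^Interface:\s+(\S+)\s+---\s+0x([0-9A-Fa-f]+)")


def norm_mac(mac):
    return mac.replace(":", "-").upper()


def parse_arp_a(text):
    """Return a list of (interface_idx, ip, mac, type) from `arp -a` output."""
    entries, idx = [], None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            idx = int(m.group(2), 16)  # "0xd" -> 13, the Idx netsh uses
            continue
        m = ROW.match(line)
        if m and idx is not None:
            entries.append((idx, m.group(1), norm_mac(m.group(2)), m.group(3).lower()))
    return entries


def audit_arp_cache(text, expected, idx):
    """expected: {ip: mac} that must be present, static and correct on interface idx.
    Returns a list of findings (ip, problem, observed)."""
    findings = []
    seen = {ip: (mac, kind) for i, ip, mac, kind in parse_arp_a(text) if i == idx}
    for ip, want in expected.items():
        if ip not in seen:
            findings.append((ip, "missing", None))
            continue
        mac, kind = seen[ip]
        if mac != norm_mac(want):
            findings.append((ip, "wrong-mac", mac))
        if kind != "static":
            findings.append((ip, "not-static", kind))
    return findings


# The binding from the netsh example: the lab server's real MAC
EXPECTED = {"10.8.161.165": "00-0C-29-40-C1-AF"}

# Constructed: the client's cache after Kali's poisoning, before the binding.
# Note the server IP now carries Kali's MAC (00-0c-29-48-ed-82), same as .163.
POISONED = """\
Interface: 10.8.161.61 --- 0xd
  Internet Address      Physical Address      Type
  10.8.161.163          00-0c-29-48-ed-82     dynamic
  10.8.161.165          00-0c-29-48-ed-82     dynamic
  10.8.161.255          ff-ff-ff-ff-ff-ff     static
"""

# Constructed: the cache after
#   netsh -c "i i" add neighbors 13 10.8.161.165 00-0C-29-40-C1-AF
BOUND = """\
Interface: 10.8.161.61 --- 0xd
  Internet Address      Physical Address      Type
  10.8.161.163          00-0c-29-48-ed-82     dynamic
  10.8.161.165          00-0c-29-40-c1-af     static
  10.8.161.255          ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for sample in (POISONED, BOUND):
        print(audit_arp_cache(sample, EXPECTED, 13) or "OK: bindings present and static")
```

On the poisoned sample the audit reports both a wrong MAC and a dynamic entry for the server; on the bound sample it reports nothing. Run it against the real output with `arp -a` piped into a file, and add the gateway to `EXPECTED` once it has its own netsh binding; the interface Idx to pass is the one `netsh interface ipv4 show interfaces` lists for the NIC.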



Source: blog.csdn.net/qq_26129413/article/details/112305126