• cain内网嗅探

    今天用cain做个arp攻击的测试,环境说明:

    攻击机:win10 虚拟机,网络如下:

     靶机:kali虚拟机,网络如下:

     

    win10上先用cain做个内网扫描:

     网关尾号2,靶机尾号130,在这两者之间做个中间人,监听双方往来的流量:

    在靶机上执行arp -a,发现攻击机的MAC和网关的MAC一样了,说明arp欺骗成功:

     靶机浏览网页情况全盘掌握:

    随便找个网页输入账号也能看到:

     

    总结说明:

    1、安装cain时,会要求安装wincap4.1.3,顺着提示操作,又会弹出不兼容的错误,我是单独装的wincap4.1.3

    2、需要勾选DNS后缀(否则网卡地址显示0.0.0.0,而不是本机的内网地址),如下标红:

         

    3、最初我实在真实的物理路由器下测试,不论是windows下用cain,还是kali下用arpspoof/driftnet,确实能够欺骗目标主机,但同时也会让目标主机断网,无法正常浏览网页,猜测可能是路由器有拦截;

    4、内网抓包验证arp协议:

    • 先从arp缓存表删除网关的mac地址,同时访问百度,这时就会先发送arp广播包,询问网关的mac地址,再建立三次握手链接请求web数据;
    • 具体过程:

      (1)先查看本机arp缓存:

      root@kali:/home/kalix# arp -a
      ? (192.168.40.2) at 00:50:56:f7:09:97 [ether] on eth0
      ? (192.168.40.254) at 00:50:56:fb:3b:3a [ether] on eth0

        (2)删除网关的mac地址,同时访问百度: 

      root@kali:/home/kalix# tcpdump -nn -i eth0 port 80 or arp
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
      21:47:43.334886 ARP, Request who-has 192.168.40.2 tell 192.168.40.130, length 28
      21:47:43.335056 ARP, Reply 192.168.40.2 is-at 00:50:56:f7:09:97, length 46
      21:47:43.379699 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [S], seq 657379436, win 64240, options [mss 1460,sackOK,TS val 4141369154 ecr 0,nop,wscale 7], length 0
      21:47:43.414515 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [S.], seq 150080013, ack 657379437, win 64240, options [mss 1460], length 0
      21:47:43.414626 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 1, win 64240, length 0
      21:47:43.414828 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [P.], seq 1:78, ack 1, win 64240, length 77: HTTP: GET / HTTP/1.1
      21:47:43.414964 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 78, win 64240, length 0
      21:47:43.451072 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
      21:47:43.451090 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2782, win 62780, length 0
      21:47:43.451754 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [F.], seq 78, ack 2782, win 62780, length 0
      21:47:43.451915 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 79, win 64239, length 0
      21:47:43.486490 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [FP.], seq 2782, ack 79, win 64239, length 0
      21:47:43.486530 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2783, win 62780, length 0
  • 相关阅读:
    用简单C程序分析DOS下的EXE文件【转】
    汇编函数的调用[转自KingofCoders]
    windows下的shellcode剖析浅谈[转自看雪]
    如何写一个简单的病毒程序[转]
    不用注册访问论坛技巧
    函数调用堆栈变化分析[转自看雪]
    IT学生解惑真经(下载)
    Windows 汇编语言编程教程[转]
    ESP定律介绍(转自看雪论坛贴)
    【Anti Virus专题】1.1 病毒的原理 [转自看雪]
  • 原文地址:https://www.cnblogs.com/theseventhson/p/13695797.html
Copyright © 2020-2023  润新知