The principle of an ARP attack is simple: it exploits a weakness of the ARP protocol. My understanding is that the attacking machine can actively ask the attacked machine to modify its own ARP cache table. That is where the problem lies, so all attacks and countermeasures revolve around it.
The arp command
[root@TEST2 ~]# arp   # mainly used to query the local ARP cache table
Address HWtype HWaddress Flags Mask Iface
server.aaa.com ether 00:AA:BB:CC:DD:2C C eth0
172.16.1.67 ether 00:1E:4F:C8:66:08 C eth0
How do you obtain the MACs of all hosts on the local segment?
Send a broadcast ping:
ping -b <broadcast address of the segment>
For example:
[root@CRRACTEST2 ~]# ping -b 172.16.1.255
WARNING: pinging broadcast address
PING 172.16.1.255 (172.16.1.255) 56(84) bytes of data.
64 bytes from 172.16.1.68: icmp_seq=1 ttl=64 time=0.320 ms
64 bytes from 172.16.1.124: icmp_seq=1 ttl=64 time=0.326 ms (DUP!)
64 bytes from 172.16.1.112: icmp_seq=1 ttl=64 time=0.501 ms (DUP!)
64 bytes from 172.16.1.17: icmp_seq=1 ttl=64 time=0.506 ms (DUP!)
64 bytes from 172.16.1.83: icmp_seq=1 ttl=64 time=0.530 ms (DUP!)
64 bytes from 172.16.1.31: icmp_seq=1 ttl=255 time=0.553 ms (DUP!)
64 bytes from 172.16.1.25: icmp_seq=1 ttl=64 time=1.12 ms (DUP!)
64 bytes from 172.16.1.200: icmp_seq=1 ttl=64 time=1.45 ms (DUP!)
64 bytes from 172.16.1.254: icmp_seq=1 ttl=64 time=2.46 ms (DUP!)
64 bytes from 172.16.1.250: icmp_seq=1 ttl=64 time=6.71 ms (DUP!)
…
The goal is to obtain (refresh) the ARP cache table <IP MAC>:
[root@CRRACTEST2 ~]# arp
Address HWtype HWaddress Flags Mask Iface
172.16.1.25 ether 00:15:C7:8F:B6:D0 C eth0
172.16.1.67 ether 00:1E:5F:C6:44:08 C eth0
172.16.1.83 ether 00:0C:40:72:D4:21 C eth0
[root@CRRACTEST2 ~]#
How do you find an IP from a MAC?
arp -n | grep -i EC:4F | awk '{print $1}'
nmap -sP 172.16.1.0/24 > /dev/null; arp -n | grep -i EC:6F | awk '{print $1}'   # sweep the segment first so the cache is populated, then look up the MAC
Alternatively, install fping and sweep the whole segment to populate the cache:
[root@test ~]# rpm -Uvh fping-2.4-1.b2.2.el5.rf.x86_64.rpm
warning: fping-2.4-1.b2.2.el5.rf.x86_64.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:fping ########################################### [100%]
fping -v
fping: Version 2.4b2_to_ipv6 $Date: 2002/01/16 00:33:42 $
fping: comments to david@remote.net
fping -c 1 -g 172.16.1.0/24
If you find two IPs in the ARP cache table mapping to the same MAC, or the gateway entry is not the one originally configured, that should raise suspicion.
Also, when configuring the gateway, try not to use addresses like 192.168.*.1 or 172.16.*.1; use *.2 instead. This also sidesteps some attack tools.
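As an added example (not from the original post), the two checks described above run over `arp` output: parse the table, flag any MAC claimed by more than one IP, and compare the gateway's cached MAC against the value you recorded when the LAN was known good. The listing in `SAMPLE_ARP` is constructed for this example (it reuses the entries shown earlier and injects one duplicate); the gateway IP and expected MAC are assumptions you would replace with your own.

```python
import re
from collections import defaultdict

# Constructed sample of `arp` output; the last two entries are the injected
# anomaly (the gateway 172.16.1.254 suddenly shares a MAC with 172.16.1.83).
SAMPLE_ARP = """Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.1.25              ether   00:15:C7:8F:B6:D0   C                     eth0
172.16.1.67              ether   00:1E:5F:C6:44:08   C                     eth0
172.16.1.9                       (incomplete)                              eth0
172.16.1.83              ether   00:0C:40:72:D4:21   C                     eth0
172.16.1.254             ether   00:0C:40:72:D4:21   C                     eth0
"""

# One resolved line: address, "ether", MAC, flags, interface ("(incomplete)" rows lack "ether").
ARP_LINE = re.compile(r"^(\S+)\s+ether\s+([0-9A-Fa-f:]{17})\s+\S+\s+(\S+)$")


def parse_arp(text):
    """Return {ip: mac} from `arp` output, skipping the header and incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def duplicate_macs(table):
    """Return {mac: [ips]} for every MAC claimed by more than one IP (the first warning sign)."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mismatch(table, gateway_ip, expected_mac):
    """True when the gateway's cached MAC differs from the known-good one (the second warning sign)."""
    cached = table.get(gateway_ip)
    return cached is not None and cached != expected_mac.lower()


if __name__ == "__main__":
    # Assumed values: replace with your gateway and the MAC you recorded on a clean network.
    table = parse_arp(SAMPLE_ARP)
    print("duplicate MACs:", duplicate_macs(table))
    print("gateway changed:", gateway_mismatch(table, "172.16.1.254", "00:AA:BB:CC:DD:EE"))
```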