ARP Poisoning Attack and Mitigation Techniques ARP欺骗 中间人攻击 Man-In-The-Middle (MITM) attack 嗅探 防范 Can one MAC address have two different IP addresses within the network?
小结:
1、
ARP缓存投毒,窃听中毒者之间的通信;
2、
ARP Poisoning Attack and Mitigation Techniques - Cisco
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html
ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Techniques
A CSSTG SE Residency Program White Paper
Jeff King, CCIE 11873, CCSP, CISSP 80875
Kevin Lauerman, CCSP, CISSP 80877
Abstract
Security is at the forefront of most networks, and many companies implement a comprehensive security policy encompassing many of the OSI layers, from application layer all the way down to IP security. However, one area that is often left untouched is hardening Layer 2 and this can open the network to a variety of attacks and compromises.
This document will have a focus on understanding and preventing the ARP Poisoning (also known as the Man-In-The-Middle [MITM]) Layer 2 attack on the Cisco® Catalyst® 6500 switching series switch running Cisco IOS® Software. The Ettercap attack tool will be used to initiate Layer 2 attacks that you might encounter. Mitigation techniques to stop this attack are also covered.
A MacBook Pro and a Lenovo T61P (laptops) was used for these test and acted as the attacker in some cases and the victim in others. Both computers also ran VMware.
Note that the attacks performed in this white paper were done in a controlled lab environment. We do not recommend that you perform this attack on your enterprise network.
ARP (Address Resolution Protocol) Poisoning (MITM) Attack
A Man-In-The-Middle (MITM) attack is achieved when an attacker poisons the ARP cache of two devices with the (48-bit) MAC address of their Ethernet NIC (Network Interface Card). Once the ARP cache has been successfully poisoned, each of the victim devices send all their packets to the attacker when communicating to the other device. This puts the attacker in the middle of the communications path between the two victim devices; hence the name Man-In-The-Middle (MITM) attack. It allows an attacker to easily monitor all communication between victim devices.
The objective of this MITM attack is to take over a session. The intent is to intercept and view the information being passed between the two victim devices.
Three (3) scenarios were used for the MITM attack. They were as follows:
Scenario |
Description |
1 |
Static IP Address on Attacker machine |
2 |
DHCP from 881 Router (DHCP Server) on Attacker machine |
3 |
DHCP from Cisco Catalyst 6509E DHCP Server on Attacker machine |
These (3) scenarios were chosen because they were all valid configurations that one might see in a customer's network; although scenario 2 and 3 are more likely in an enterprise network.
攻击步骤
Steps for the MITM (ARP Poisoning) Attack:
1. View initial ARP cache on the Victim PC (Windows XP)
2. View initial ARP cache on the Attacker PC (Ubuntu 9.04)
3. View initial MAC Address-Table on the Cisco Catalyst 6509E (Sup 720-3B)
4. Start Ettercap attack application on the Attacker PC (Ubuntu 9.04)
5. Configure Ettercap for “Unified Sniffing”
6. Select Interface (eth2) to sniff on Ubuntu 9.04 Attacker PC
7. Scan for host on wire
8. List hosts discovered and select targets for attack
9. Start sniffing
10. Start the MITM (ARP Poisoning) attack
11. Activate the “repoison_arp” plugin in Ettercap
12. Activate the “remote_browser” plugin in Ettercap
13. Open a Telnet session from the Victim to 10.1.0.1 (Int Vlan 7 on 6509E)
14. View “connections” in Ettercap for “active” connections (telnet session)
15. Select “active” session and then “view details”
16. View login and password between Victims (Windows XP and 6509E)
17. Perform “character injection” from Ettercap toward the 6509E (CLI)
18. Perform “character injection” from Ettercap toward Windows XP (Victim)
19. Open up web browser to from Windows XP Victim to CVDM on 6509E
20. Spawn browser on Attacker PC to view Victim's web pages being viewed
21. Scenario 2: DHCP from 881 Router (DHCP Server) on Attacker machine
22. Scenario 3: DHCP from Cisco Catalyst 6509E DHCP Server on Attacker machine
23. Mitigation of the MITM (ARP Poisoning) Attack
24. Summary
https://en.wikipedia.org/wiki/ARP_spoofing
ARP Poisoning Attack and Mitigation Techniques ARP欺骗 中间人攻击 Man-In-The-Middle (MITM) attack 嗅探 防范 Can one MAC address have two different IP addresses within the network?的更多相关文章
- 中间人攻击之arp欺骗 科普ARP欺骗
中间人攻击之arp欺骗 科普ARP欺骗 A <-> B A中有个ARP Table,每次发包都会在此Table中查找,若找不到,发APR Request包询问.此时若hacker冒充B的M ...
- ARP欺骗与中间人攻击
前言: 上一篇WPA/WAP2wifi 密码破解笔记说到如何探测附近开放的AP并且破解进入,那么进入别人据局域网我们能干些什么呢?换句话说如果别人进入了我们内部网络,会有什么影响?本文简要介绍了ARP ...
- ARP欺骗与MITM(中间人攻击)实例
ARP协议(address resolution protocol):地址解析协议 一台主机和另一台主机通信,要知道目标的IP地址,但是在局域网中传输数据的网卡却不能直接识别IP地址,所以用ARP解析 ...
- 关于ARP欺骗与MITM(中间人攻击)的一些笔记( 二 )
一直没有折腾啥东西,直到最近kali Linux发布,才回想起应该更新博客了….. 再次说明,这些技术并不是本人原创的,而是以前记录在Evernote的旧内容(排版不是很好,请谅解),本文是继关于AR ...
- 中间人攻击——ARP欺骗的原理、实战及防御
1.1 什么是网关 首先来简单解释一下什么是网关,网关工作在OSI七层模型中的传输层或者应用层,用于高层协议的不同网络之间的连接,简单地说,网关就好比是一个房间通向另一个房间的一扇门. 1.2 A ...
- 从Linux内核角度看中间人攻击(ARP欺骗)并利用Python scapy实现
邻居子系统与ARP协议 邻居子系统的作用就是将IP地址,转换为MAC地址,类似操作系统中的MMU(内存管理单元),将虚拟地址,转换为物理地址. 其中邻居子系统相当于地址解析协议(IPv4的ARP协议, ...
- 【网络编程4】网络编程基础-ARP响应(ARP欺骗之中间人攻击)
arp欺骗->arp响应 ARP 缓存中毒(ARP欺骗) arp传送原理在于主机发送信息时将包含目标IP地址的ARP请求广播到网络上的所有主机,并接收返回消息,以此确定目标的物理地址:收到返回消 ...
- arp协议分析&python编程实现arp欺骗抓图片
arp协议分析&python编程实现arp欺骗抓图片 序 学校tcp/ip协议分析课程老师布置的任务,要求分析一种网络协议并且研究安全问题并编程实现,于是我选择了研究arp协议,并且利用pyt ...
- 图解ARP协议(四)代理ARP原理与实践(“善意的欺骗”)
一.代理ARP概述 我:当电脑要访问互联网上的服务器,目标MAC是什么? 很多小伙伴在刚学习网络协议的时候,经常这样直接回应:不就是服务器的MAC嘛! 这时我会反问:那电脑怎么拿到这个服务器的MAC地 ...
随机推荐
- 关于NSOperationQueue,一个容易让初学者误解的问题
凡是学习NSOperationQueue的人,都会遇到setMaxConcurrentOperationCount这个函数.在网上的许多博文中,都将setMaxConcurrentOperationC ...
- 理解JVM之垃圾回收
1.垃圾收集算法 1) 标记-清楚算法:该算法是最基础的收集算法,其分为标记与清除两个阶段.首先标记出所有需要回收的对象,在标记完成后统一回收所有被标记的对象,该算法主要有两个不足:一个是效率问题,标 ...
- vue组件间的传值方式及方法调用汇总
1.传值 a.父组件传子组件 方法一: 父页面: <myReportContent v-if="contentState==1" :paramsProps='paramsPr ...
- rsync & inotify-tools 实时同步
1.根据之前一篇关于rsync的随笔部署好rsync服务后,可以开始inotify的部署 2.inotify的部署使用 ①.检查系统是否支持inotify [root@iZ25w1kdi5zZ ~]# ...
- SQL ISNULL 参数
SQL Server 中有两个参数,语法: ISNULL(check_expression, replacement_value) check_expression 与 replacement ...
- Paper Reading:推荐系统评价指标综述
论文:推荐系统评价指标综述 发表时间:2012 发表作者:朱郁筱,吕琳媛 论文链接:论文链接 本文对现有的推荐系统评价指标进行了系统的回顾,总结了推荐系统评价指标的最新研究进展,从准确度. 多样性.新 ...
- Paper Reading:HyperNet
论文:HyperNet: Towards Accurate Region Proposal Generation and Joint Object Detection 发表时间:2016 发表作者:( ...
- python3 基础二——基本的数据类型三
一.字符串str 1.创建字符串,为变量分配一个值 word='字符串' sentence="字符串\n" #python中单引号和双引号使用完全相同 paragraph=&quo ...
- jQuery——jQuery对象与DOM对象
1.jQuery对象与DOM对象的区别 通过jQuery方法包装后的对象,是一个类数组对象.它与DOM对象完全不同,唯一相似的是它们都能操作DOM. 通过jQuery处理DOM的操作,可以让开发者更专 ...
- JS 禁用按钮10秒方法
方式一:禁用10秒,10秒钟后可用 /** * 按钮禁用10秒 * @param submitButtonName 按钮ID名 */ function disabledSubmitButton(sub ...