Cain LAN sniffing
Today I used Cain to run an ARP spoofing test. Environment:
Attacker: Win10 VM, network configuration as follows:
Target: Kali VM, network configuration as follows:
On the Win10 box, first run a LAN scan with Cain:
The gateway's address ends in .2 and the target's in .130; put a man-in-the-middle between the two and listen to the traffic going both ways:
Run arp -a on the target: the gateway's IP now resolves to the attacker's MAC (the attacker's entry and the gateway's entry show the same MAC), which shows the ARP spoofing succeeded:
Everything the target browses is now fully visible:
Pick any page and type in an account; that is visible too:
Summary:
1. When installing Cain it asks you to install WinPcap 4.1.3; following that prompt then pops up an incompatibility error, so I installed WinPcap 4.1.3 separately.
2. The DNS suffix option has to be ticked (otherwise the NIC address shows as 0.0.0.0 instead of the host's LAN address), marked in red below:
3. I first tested under a real physical router. Whether with Cain on Windows or arpspoof/driftnet on Kali, it did spoof the target host, but at the same time it knocked the target offline so it could not browse normally; my guess is that the router was blocking it.
4. Capturing LAN packets to verify how ARP works:
- First delete the gateway's MAC from the ARP cache, then visit Baidu. An ARP broadcast asking for the gateway's MAC is sent first, and only then is the TCP three-way handshake set up to request the web page.
- Step by step:
(1) Look at the local ARP cache first:
root@kali:/home/kalix# arp -a
? (192.168.40.2) at 00:50:56:f7:09:97 [ether] on eth0
? (192.168.40.254) at 00:50:56:fb:3b:3a [ether] on eth0
(2) Delete the gateway's MAC entry, then visit Baidu while capturing ARP and port 80 traffic with tcpdump:
root@kali:/home/kalix# tcpdump -nn -i eth0 port 80 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:47:43.334886 ARP, Request who-has 192.168.40.2 tell 192.168.40.130, length 28
21:47:43.335056 ARP, Reply 192.168.40.2 is-at 00:50:56:f7:09:97, length 46
21:47:43.379699 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [S], seq 657379436, win 64240, options [mss 1460,sackOK,TS val 4141369154 ecr 0,nop,wscale 7], length 0
21:47:43.414515 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [S.], seq 150080013, ack 657379437, win 64240, options [mss 1460], length 0
21:47:43.414626 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 1, win 64240, length 0
21:47:43.414828 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [P.], seq 1:78, ack 1, win 64240, length 77: HTTP: GET / HTTP/1.1
21:47:43.414964 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 78, win 64240, length 0
21:47:43.451072 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
21:47:43.451090 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2782, win 62780, length 0
21:47:43.451754 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [F.], seq 78, ack 2782, win 62780, length 0
21:47:43.451915 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 79, win 64239, length 0
21:47:43.486490 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [FP.], seq 2782, ack 79, win 64239, length 0
21:47:43.486530 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2783, win 62780, length 0
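As an added example (not code from the original post), here are the two checks a defender would run against exactly the artefacts shown above: the arp -a table from step (1) and the ARP lines from the tcpdump capture. The script parses both formats, flags any MAC that claims more than one IP (the symptom seen on the target after spoofing), verifies the gateway against a pinned MAC, and reports every ARP reply that changes the MAC advertised for an IP. The sample inputs are constructed for this example: the attacker's MAC 00:0c:29:aa:bb:cc and its IP 192.168.40.128 are assumed values not taken from the page, while the gateway MAC 00:50:56:f7:09:97 and the first two ARP lines are copied from the capture above.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` on the Kali target AFTER the gateway (.2) has
# been spoofed. The attacker's MAC 00:0c:29:aa:bb:cc and IP 192.168.40.128 are
# assumed values for this example; 192.168.40.254's entry is from the page.
ARP_TABLE_SPOOFED = """\
? (192.168.40.2) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.40.128) at 00:0c:29:aa:bb:cc [ether] on eth0
? (192.168.40.254) at 00:50:56:fb:3b:3a [ether] on eth0
"""

# Constructed sample of `tcpdump -nn -i eth0 arp` output: the genuine request
# and reply from the page, followed by two assumed forged replies from the
# attacker claiming the gateway's IP and then the target's own IP.
TCPDUMP_ARP = """\
21:47:43.334886 ARP, Request who-has 192.168.40.2 tell 192.168.40.130, length 28
21:47:43.335056 ARP, Reply 192.168.40.2 is-at 00:50:56:f7:09:97, length 46
21:47:45.001200 ARP, Reply 192.168.40.2 is-at 00:0c:29:aa:bb:cc, length 46
21:47:45.001300 ARP, Reply 192.168.40.130 is-at 00:0c:29:aa:bb:cc, length 46
"""

# Linux `arp -a` line: "? (192.168.40.2) at 00:50:56:f7:09:97 [ether] on eth0"
ARP_A_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")
# tcpdump ARP reply: "... ARP, Reply 192.168.40.2 is-at 00:50:56:f7:09:97, ..."
TCPDUMP_REPLY_RE = re.compile(r"ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp_table(text):
    """Return {ip: mac} (MACs lower-cased) from Linux `arp -a` output."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_A_RE.finditer(text)}


def find_shared_macs(table):
    """Return {mac: [ips]} for every MAC that claims more than one IP.

    On a normal LAN each host has its own MAC; one MAC answering for two IPs
    is what the target's arp -a showed once the gateway was spoofed.
    """
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_matches(table, gateway_ip, pinned_mac):
    """True only if the gateway IP still resolves to the MAC we pinned for it."""
    return table.get(gateway_ip) == pinned_mac.lower()


def detect_arp_reply_changes(capture):
    """Walk tcpdump ARP replies in order and return (ip, old_mac, new_mac)
    each time an IP's advertised MAC changes, i.e. a later reply would
    overwrite the cache entry a host learned from an earlier one."""
    seen = {}
    changes = []
    for line in capture.splitlines():
        m = TCPDUMP_REPLY_RE.search(line)
        if not m:
            continue
        ip, mac = m.group("ip"), m.group("mac").lower()
        if ip in seen and seen[ip] != mac:
            changes.append((ip, seen[ip], mac))
        seen[ip] = mac
    return changes


if __name__ == "__main__":
    table = parse_arp_table(ARP_TABLE_SPOOFED)
    for mac, ips in find_shared_macs(table).items():
        print(f"MAC {mac} claims several IPs: {', '.join(ips)}")
    if not gateway_matches(table, "192.168.40.2", "00:50:56:f7:09:97"):
        print("gateway 192.168.40.2 no longer resolves to its pinned MAC")
    for ip, old, new in detect_arp_reply_changes(TCPDUMP_ARP):
        print(f"ARP reply changed {ip}: {old} -> {new}")
```

The pinned-MAC check is the cheap version of a static ARP entry: record the gateway's MAC once on a known-clean network, then alert whenever the cache disagrees. The reply-change check is what an IDS such as a port-mirror sensor does with the same tcpdump stream; it catches the forged reply at the moment it arrives rather than after the cache has already been poisoned.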