cain内网嗅探

今天用cain做个arp攻击的测试,环境说明:

攻击机:win10 虚拟机,网络如下:

 靶机:kali虚拟机,网络如下:

 

win10上先用cain做个内网扫描:

 网关尾号2,靶机尾号130,在这两者之间做个中间人,监听双方往来的流量:

在靶机上执行arp -a,发现攻击机的MAC和网关的MAC一样了,说明arp欺骗成功:

 靶机浏览网页情况全盘掌握:

随便找个网页输入账号也能看到:

 

 

总结说明:

1、安装cain时,会要求安装wincap4.1.3,顺着提示操作,又会弹出不兼容的错误,我是单独装的wincap4.1.3

2、需要勾选DNS后缀(否则网卡地址显示0.0.0.0,而不是本机的内网地址),如下标红:

     

3、最初我实在真实的物理路由器下测试,不论是windows下用cain,还是kali下用arpspoof/driftnet,确实能够欺骗目标主机,但同时也会让目标主机断网,无法正常浏览网页,猜测可能是路由器有拦截;

4、内网抓包验证arp协议:

  • 先从arp缓存表删除网关的mac地址,同时访问百度,这时就会先发送arp广播包,询问网关的mac地址,再建立三次握手链接请求web数据;
  • 具体过程:

  (1)先查看本机arp缓存:

  root@kali:/home/kalix# arp -a
  ? (192.168.40.2) at 00:50:56:f7:09:97 [ether] on eth0
  ? (192.168.40.254) at 00:50:56:fb:3b:3a [ether] on eth0

    (2)删除网关的mac地址,同时访问百度: 

  root@kali:/home/kalix# tcpdump -nn -i eth0 port 80 or arp
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
  21:47:43.334886 ARP, Request who-has 192.168.40.2 tell 192.168.40.130, length 28
  21:47:43.335056 ARP, Reply 192.168.40.2 is-at 00:50:56:f7:09:97, length 46
  21:47:43.379699 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [S], seq 657379436, win 64240, options [mss 1460,sackOK,TS val 4141369154 ecr 0,nop,wscale 7], length 0
  21:47:43.414515 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [S.], seq 150080013, ack 657379437, win 64240, options [mss 1460], length 0
  21:47:43.414626 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 1, win 64240, length 0
  21:47:43.414828 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [P.], seq 1:78, ack 1, win 64240, length 77: HTTP: GET / HTTP/1.1
  21:47:43.414964 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 78, win 64240, length 0
  21:47:43.451072 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [P.], seq 1:2782, ack 78, win 64240, length 2781: HTTP: HTTP/1.1 200 OK
  21:47:43.451090 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2782, win 62780, length 0
  21:47:43.451754 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [F.], seq 78, ack 2782, win 62780, length 0
  21:47:43.451915 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [.], ack 79, win 64239, length 0
  21:47:43.486490 IP 14.215.177.38.80 > 192.168.40.130.60790: Flags [FP.], seq 2782, ack 79, win 64239, length 0
  21:47:43.486530 IP 192.168.40.130.60790 > 14.215.177.38.80: Flags [.], ack 2783, win 62780, length 0

posted @ 2020-09-19 12:43  第七子007  阅读(1372)  评论(0编辑  收藏  举报