- Ettercap
  - It has two main sniffing options:
    - UNIFIED: this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promiscuous mode. Furthermore, packets not directed to the host running Ettercap are forwarded automatically using layer 3 routing. This is an invasive behaviour on gateways: it is recommended to use Ettercap on a gateway only with UNOFFENSIVE MODE enabled, which leaves packet forwarding to the kernel instead of Ettercap.
    - BRIDGED: it uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is completely stealthy, since the bridging host emits nothing of its own and there is no way to tell from the traffic that someone is physically in the middle of the cable.
  - MITM Attacks
    - ARP Poisoning: ARP requests/replies are sent to the victims to poison their ARP caches. Once the caches have been poisoned the victims send all their packets to the attacker, which can modify them and forward them on to the real destination.
  - ARP Poisoning Plugins
    - chk_poison: checks whether Ettercap's ARP poisoning was successful. It sends spoofed ICMP echo packets to all the victims of the poisoning, pretending to be each of the other targets. If it catches an ICMP reply with our MAC address as the destination, the poisoning between those two targets is working. It checks both directions of each communication.
    - repoison_arp: sends poisoning packets immediately after a broadcast ARP request (or reply) from a poisoned host. For example: we are poisoning Group1 impersonating Host2. If Host2 makes a broadcast ARP request for Host3, Group1 may cache the correct MAC address for Host2 contained in that packet. This plugin re-poisons Group1's cache right after such a legitimate broadcast ARP request (or reply).
    - reply_arp: a simple ARP responder. When it intercepts an ARP request for a host in the target lists, it replies with the attacker's MAC address.
  - Port Stealing
    - This technique is useful for sniffing in a switched environment when ARP poisoning is not effective (for example where static ARP entries are used). It floods the LAN with ARP packets. For a switch to know which port leads to which MAC addresses, it creates and manages a CAM table (a simple mapping between ports and MAC addresses). Without Port Security this table is dynamic and changes over time (so that hosts can appear, disappear and move between ports). The switch learns CAM table entries from the source MAC address of every frame it receives, and uses the destination MAC address only to pick the output port.
    - If you don't specify the "tree" option, the destination MAC address of each "stealing" packet is the attacker's own (so other NICs never see these packets), and the source MAC address is one of the MACs in the host list. The switch records the source address of the packet against the port it came from in the CAM table; i.e. the attacker's port is now mapped to both the attacker's MAC address and the victim's MAC address. The switch therefore directs the next packet addressed to the victim's MAC address to the attacker's port (based on the CAM table entry): the port is "stolen". When the attacker receives packets for "stolen" hosts, it needs to put the CAM table back in its original state, i.e. with the victim's port mapped to the victim's MAC address. This is done by issuing a broadcast ARP request for the victim's IP address. Broadcast means the request goes to all ports (including the victim's). When the victim responds, the switch records the new CAM table mapping (back to where it was originally) and the captured packet can be delivered to the victim. To get the next packet, the attacker must repeat the entire process, so every stolen frame costs a steal/deliver/restore cycle.
    - If you use the "tree" option, the destination MAC address of each stealing packet is a bogus one, so these packets are propagated to other switches (not only the directly connected one). This way you can steal ports on other switches in the tree (if any).
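The steal/deliver/restore cycle above, played out against a toy learning switch. This is an added example, not Ettercap code: the switch model, the three-host topology (attacker on port 1, victim on port 2, gateway on port 3), the MAC addresses and the bogus MAC used for the "tree" case are all constructed for illustration. What it shows is that the stealing frame moves the victim's CAM entry purely through source-MAC learning, that without "tree" no other NIC sees the frame, and that the broadcast ARP request is what hands the port back.

```python
"""Toy model of a learning switch, to show why port stealing works and why
each stolen frame must be followed by a restore.  This is an added example,
not Ettercap code.  A switch learns (source MAC -> ingress port) from every
frame and uses only the destination MAC to pick the output port, so a frame
whose *source* MAC is the victim's moves the victim's CAM entry to the
attacker's port."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "00:de:ad:be:ef:00"   # assumption: a MAC no host on the LAN owns


class Switch:
    """Learning switch without port security: CAM entries are overwritten freely."""

    def __init__(self, ports):
        self.ports = list(ports)   # physical ports
        self.cam = {}              # MAC address -> port

    def forward(self, in_port, src_mac, dst_mac):
        """Learn the source, then return the list of ports the frame is sent out of."""
        self.cam[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.cam:
            return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood
        out = self.cam[dst_mac]
        return [] if out == in_port else [out]               # never echo to the ingress port


def steal_port(switch, attacker_port, attacker_mac, victim_mac, tree=False):
    """One stealing frame: src = victim, dst = attacker (or a bogus MAC with the tree option).
    Returns the ports the frame was flooded to ([] means no other NIC saw it)."""
    dst = BOGUS_MAC if tree else attacker_mac
    return switch.forward(attacker_port, victim_mac, dst)


def restore_port(switch, attacker_port, attacker_mac, victim_port, victim_mac):
    """Broadcast ARP request for the victim's IP; the victim's reply re-learns its real port."""
    switch.forward(attacker_port, attacker_mac, BROADCAST)   # who-has victim? (flooded)
    switch.forward(victim_port, victim_mac, attacker_mac)    # is-at, sent from the victim's own port
    return switch.cam[victim_mac]


def steal_cycle(tree=False):
    """Attacker on port 1, victim on port 2, gateway on port 3 (constructed topology).
    Returns (ports a gateway->victim frame reaches while stolen,
             ports the stealing frame itself was flooded to,
             the victim's CAM port after the restore,
             ports the next gateway->victim frame reaches)."""
    sw = Switch(ports=[1, 2, 3])
    attacker, victim, gateway = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    for port, mac in ((1, attacker), (2, victim), (3, gateway)):
        sw.forward(port, mac, BROADCAST)                     # normal traffic populates the CAM table
    flooded = steal_port(sw, 1, attacker, victim, tree=tree)
    stolen_to = sw.forward(3, gateway, victim)               # gateway -> victim now lands on port 1
    restored = restore_port(sw, 1, attacker, 2, victim)
    after = sw.forward(3, gateway, victim)                   # back to the victim until the next steal
    return stolen_to, flooded, restored, after


if __name__ == "__main__":
    print("default:", steal_cycle())           # ([1], [], 2, [2])
    print("tree   :", steal_cycle(tree=True))  # ([1], [2, 3], 2, [2])
```

The difference between the two runs is the second element: with the default destination the stealing frame is swallowed by the switch (it would only go back out the attacker's own port), while the bogus destination of the "tree" option is unknown to the switch and is flooded out every other port, which is exactly why it reaches upstream switches. A real switch with port security (sticky MACs or a per-port MAC limit) would refuse the overwrite in step one and the attack fails.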
  - DHCP Spoofing
    - The Dynamic Host Configuration Protocol (DHCP) automates the assignment of IP addresses, subnet masks, default gateways and other IP parameters. When a DHCP-configured client connects to a network, it sends a broadcast query requesting the necessary information from a DHCP server. Upon receipt of a valid request the server assigns the computer an IP address, the subnet mask and the default gateway. In this attack, Ettercap pretends to be a DHCP server and tries to win the race with the real one, so that the client accepts the attacker's reply. This way Ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients. The resulting attack is a HALF-DUPLEX MITM: only the client is redirected, since the gateway will not accept redirect messages for a directly connected network, so the return traffic from the gateway goes straight to the client. You can use a filter to modify packets, but the length must stay the same, since the TCP sequence numbers cannot be adjusted in both directions when only one direction is seen.
    - You have to pass the IP pool, the netmask and the IP of the DNS server (you can use your own DNS server for spoofing or the default one). Since Ettercap tries to win the race with the real server, it does not check whether an IP is already assigned: you have to specify a pool of free addresses. If the client sends a DHCP request (suggesting an IP address), Ettercap ACKs that IP and modifies only the GW option. If the client makes a DHCP discovery, Ettercap uses the first unused IP address from the list you specified. You can leave the IP pool empty so that Ettercap only changes the router information in DHCP Request/ACK exchanges.
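The packet-level part of the attack, the rewriting of the Router option in an OFFER/ACK and the address-pool rule, as an added example that is not Ettercap's dhcp_spoof code. It builds a constructed DHCP ACK (sample addresses 192.168.1.0/24, server 192.168.1.1, attacker 192.168.1.66, all assumptions), parses the RFC 2132 option TLVs and replaces only option 3; winning the race against the real server and the actual sending are not modelled.

```python
"""Rewriting the Router option of a DHCP OFFER/ACK, the change Ettercap's
dhcp_spoof makes to redirect a client's default gateway.  Added example, not
Ettercap's code: it parses RFC 2132 option TLVs from a constructed packet and
replaces only option 3.  Winning the race against the real server is not
modelled; this shows just the packet manipulation and the address-pool rule."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS = 0, 1, 3, 6
OPT_REQ_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
DHCPDISCOVER, DHCPOFFER, DHCPACK = 1, 2, 5


def parse_options(blob):
    """Decode TLV options into a list of (code, data); skips PAD, stops at END."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts):
    return b"".join(bytes([code, len(data)]) + data for code, data in opts) + bytes([OPT_END])


def build_dhcp(op, xid, yiaddr, chaddr, opts):
    """Minimal BOOTP fixed header (op, htype=1, hlen=6, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file) + cookie + options."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + build_options(opts)


def rewrite_router(packet, attacker_ip):
    """Return a copy of an OFFER/ACK whose Router option is attacker_ip.
    Other message types (e.g. DISCOVER) are returned unchanged."""
    if packet[236:240] != MAGIC:
        return packet
    opts = parse_options(packet[240:])
    mtype = dict(opts).get(OPT_MSG_TYPE)
    if mtype not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return packet
    gw = ipaddress.IPv4Address(attacker_ip).packed
    new_opts = [(code, gw if code == OPT_ROUTER else data) for code, data in opts]
    if OPT_ROUTER not in dict(opts):
        new_opts.append((OPT_ROUTER, gw))   # server offered no router: add one anyway
    return packet[:240] + build_options(new_opts)


def pick_yiaddr(requested, pool, leased):
    """Ettercap's rule: ACK a client-requested IP as-is; on a DISCOVER hand out the
    first pool address not yet leased (the pool is assumed to hold free addresses)."""
    if requested:
        return requested
    for ip in pool:
        if ip not in leased:
            return ip
    return None


def router_of(packet):
    return str(ipaddress.IPv4Address(dict(parse_options(packet[240:]))[OPT_ROUTER]))


def demo():
    """Constructed ACK from a real server at 192.168.1.1 (sample values, not captured traffic)."""
    ack = build_dhcp(2, 0x3903F326, "192.168.1.50", bytes.fromhex("deadbeef0001"), [
        (OPT_MSG_TYPE, bytes([DHCPACK])),
        (OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.1").packed),
        (OPT_SUBNET, ipaddress.IPv4Address("255.255.255.0").packed),
        (OPT_ROUTER, ipaddress.IPv4Address("192.168.1.1").packed),
        (OPT_DNS, ipaddress.IPv4Address("192.168.1.1").packed),
    ])
    spoofed = rewrite_router(ack, "192.168.1.66")  # assumption: the attacker is 192.168.1.66
    return router_of(ack), router_of(spoofed), len(ack) == len(spoofed)


if __name__ == "__main__":
    print(demo())   # ('192.168.1.1', '192.168.1.66', True)
```

Because option 3 carries a fixed 4-byte IPv4 address, the rewrite never changes the packet length, so subnet mask, DNS server, lease time and server identifier all stay exactly as the legitimate server sent them; that is what makes the spoofed lease look normal to the client. The defensive counterpart is DHCP snooping on the switch, which drops OFFER/ACK messages arriving on untrusted ports.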
  - HTTPS sniffing
    - Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) is used to secure HTTP connections. While performing the SSL MITM attack, Ettercap substitutes the real SSL certificate with its own. The fake certificate is created on the fly and all its fields are filled according to the real certificate presented by the server; it is still signed by Ettercap's own key, so the victim's browser shows a certificate warning, and sites protected by HSTS or certificate pinning refuse to connect at all. Before we can sniff HTTPS we need to configure Ettercap: edit /usr/local/etc/etter.conf (nano /usr/local/etc/etter.conf) and uncomment the two redir_command_on / redir_command_off lines under the iptables section, so that iptables redirects the victims' SSL traffic to Ettercap's proxy port. Ettercap disables kernel IP forwarding while it runs because it forwards packets itself; if you start the attack and notice that the victim can't connect to any website, re-enable IP forwarding with echo 1 > /proc/sys/net/ipv4/ip_forward.
  - Filters
    - Filters in Ettercap are a way of modifying the network traffic. You can search packets, drop them, inject into them, find and replace inside them, and log them. A filter is written in a small script language, compiled with etterfilter and loaded with the -F option.
    - Basic Script Functions:
      - search(where, what): searches for a string in a buffer.
      - replace(what, with): replaces a string with the string you specify.
      - inject(what): injects the content of a file after the packet being processed.
      - log(what, where): dumps a specific buffer into a file.
      - msg(message): displays a message to the user in Ettercap's "User Messages" window.
      - drop(): marks the packet to be dropped; it will not be forwarded to the real destination.
      - kill(): kills the connection between the packet's source and destination.
      - exec(command): executes a shell command.
      - exit(): tells Ettercap to stop filtering packets.
  - Plugins
    - dns_spoof: if the attacker is able to sniff the ID of a DNS request, he or she can reply before the real DNS server. This plugin intercepts DNS queries and replies with a spoofed answer; it needs to see the query (e.g. after ARP poisoning) in order to copy the transaction ID and answer first. You choose which address the plugin replies with by editing the etter.dns file (located in /usr/local/share/ettercap/). The plugin intercepts A, PTR and MX requests. If it is an A request, the name is searched in the file and the IP address is returned (you can use wildcards in the name). If it is a PTR request, the IP is searched in the file and the name is returned (except for entries whose name contains a wildcard). In the case of an MX request a special reply is crafted: the host is resolved to a fake host "mail.host" and the additional record contains the IP address of "mail.host".
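The three lookup cases above (A with wildcards, PTR without, MX answered as mail.host) written out as an added example; this is not the plugin's code. The table is constructed in etter.dns syntax (name type address), wildcard matching uses fnmatch as an assumption (Ettercap has its own matcher), and the MX case returns the name 'mail.<queried name>' together with the IP the plugin would place in the additional record.

```python
"""Answer selection of an etter.dns-style table, mirroring the three cases
described for the dns_spoof plugin.  Added example, not the plugin's code:
the table below is constructed in etter.dns syntax (name type address),
wildcards are matched with fnmatch (an assumption; Ettercap has its own
matcher), and the MX case returns 'mail.<queried name>' plus the IP that the
plugin would put in the additional record."""
import fnmatch
import ipaddress

ETTER_DNS = """\
# constructed sample table in etter.dns syntax: name  type  address
microsoft.com        A    198.182.196.56
*.microsoft.com      A    198.182.196.56
www.linux.org        PTR  198.182.196.56
*.example.net        PTR  10.0.0.9
victim.example.org   MX   10.0.0.2
"""


def parse_table(text):
    """Return [(name, type, address)] with comments and blank lines dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, addr = line.split()
        rows.append((name.lower().rstrip("."), rtype.upper(), addr))
    return rows


def spoof_answer(table, qname, qtype):
    """Spoofed answer for one query, or None if no entry applies (then the real
    server's reply goes through).
    A:   first entry whose name matches, wildcards allowed.
    PTR: entry whose address reverses to the queried in-addr.arpa name;
         entries with a wildcard in the name are excluded, as the plugin does.
    MX:  ('MX', 'mail.' + qname, ip), the shape of the crafted reply."""
    qname = qname.lower().rstrip(".")
    qtype = qtype.upper()
    if qtype == "A":
        for name, rtype, addr in table:
            if rtype == "A" and fnmatch.fnmatchcase(qname, name):
                return ("A", addr)
    elif qtype == "PTR":
        for name, rtype, addr in table:
            if (rtype == "PTR" and "*" not in name
                    and ipaddress.IPv4Address(addr).reverse_pointer == qname):
                return ("PTR", name)
    elif qtype == "MX":
        for name, rtype, addr in table:
            if rtype == "MX" and fnmatch.fnmatchcase(qname, name):
                return ("MX", "mail." + qname, addr)
    return None


if __name__ == "__main__":
    table = parse_table(ETTER_DNS)
    for q in (("www.microsoft.com", "A"), ("56.196.182.198.in-addr.arpa", "PTR"),
              ("9.0.0.10.in-addr.arpa", "PTR"), ("victim.example.org", "MX"), ("other.test", "A")):
        print(q, "->", spoof_answer(table, *q))
```

The PTR query for 10.0.0.9 returns None on purpose: its only table entry has a wildcard name, and the plugin skips such entries for reverse lookups, so a reverse lookup of a spoofed address can leak that the forward answer was faked. Queries with no matching entry must be left alone so that the real server's answer arrives unchanged.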
    - isolate: the isolate plugin isolates a host from the LAN. It poisons the victim's ARP cache with the victim's own MAC address for every host it tries to contact. This way the host is unable to reach other hosts, because its packets never leave the NIC and so never reach the wire.
    - You can specify all the hosts or only a group. The target specification works this way: target1 is the victim and must be a single host; target2 can be a range of addresses and represents the hosts that will be blocked for the victim.
    - dos_attack & find_ip: dos_attack runs a DoS attack against a victim IP address. It first "scans" the victim to find open ports, then starts to flood these ports with SYN packets using a "phantom" address as the source IP. It then uses fake ARP replies to intercept the packets sent to the phantom host. When it receives a SYN-ACK from the victim, it replies with an ACK, creating an ESTABLISHED connection that the victim has to keep state for. You have to use a free IP address in your subnet to create the "fake" host (you can use find_ip for this purpose). find_ip finds the first unused IP address in the range specified by the user in the target list. It can also be useful to obtain an IP address in an unknown LAN where there is no DHCP server. You have to build the host list to use this plugin.
    - gw_discover: this plugin tries to discover the gateway of the LAN by sending TCP SYN packets to a remote host. If Ettercap receives the SYN+ACK packet, the host that owns the source MAC address of the reply is the gateway. This operation is repeated for each host in the host list, so you need a valid host list before launching this plugin. It is useful if the gateway has been hidden in one way or another, or if you are looking for the router to attack.
    - search_promisc: this plugin tries to find out whether anyone is sniffing in promiscuous mode. It sends ARP requests addressed to bogus destination MAC addresses: a NIC in normal mode discards them, while a host sniffing in promiscuous mode may answer.
    - arp_cop & scan_poisoner: arp_cop reports suspicious ARP activity (poisoning attempts, IP conflicts, IP changes) by passively monitoring ARP requests/replies. scan_poisoner checks whether someone is poisoning between some host in the list and your computer.
    - Passive OS Fingerprinting: the passive OS fingerprinting technique is based on analysing the information sent by a remote host while it performs its usual communication tasks. The process generates no additional or unusual traffic, and therefore cannot be detected on the wire. Captured packets contain enough information to identify the remote OS because of differences between TCP/IP stacks (initial TTL, window size, TCP options and their order). Ettercap builds a profile for each host it sees and matches it against its fingerprint database (etter.finger). Go to View -> Profiles.
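How a passive match works, as an added example that is not Ettercap's code. It uses the column layout of Ettercap's etter.finger signatures (WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS, where _MSS, WS and LT mean "absent or irrelevant"); the three signature entries and the two SYN packets are constructed for illustration and are not copies of the real database, and rounding the observed TTL up to the nearest common initial value (32/64/128/255) is an assumption made here to absorb the hops the packet has travelled.

```python
"""Passive fingerprint matching in the layout of Ettercap's etter.finger
(added example, not Ettercap's code).  Each signature line reads
WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS, where _MSS, WS and LT are wildcards for
"not present/irrelevant".  The entries below are constructed for illustration
and are not copies of the real database."""

SIGS = """\
# WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS   (constructed sample entries)
FAF0:_MSS:80:WS:1:1:1:0:S:LT:SampleOS-A
7210:_MSS:40:07:1:1:1:1:S:LT:SampleOS-B
16D0:05B4:40:WS:0:0:1:0:S:2C:SampleOS-C
"""

WILDCARDS = {1: "_MSS", 3: "WS", 9: "LT"}   # field index -> wildcard token


def parse_sigs(text):
    """Return [(fields[0..9], os_name)] from etter.finger-style text."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 10)          # the OS string may itself contain ':'
        if len(parts) != 11:
            continue
        sigs.append((parts[:10], parts[10]))
    return sigs


def predict_ttl(ttl):
    """Assumption used here: round the observed TTL up to the nearest common initial value."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def fingerprint(window, mss, ttl, wscale, sack, nop, df, ts, syn_ack, length):
    """Build the 10 comparable fields from a SYN/SYN+ACK's IP and TCP attributes."""
    return [
        f"{window:04X}",
        f"{mss:04X}" if mss is not None else "_MSS",
        f"{predict_ttl(ttl):02X}",
        f"{wscale:02X}" if wscale is not None else "WS",
        str(int(sack)), str(int(nop)), str(int(df)), str(int(ts)),
        "A" if syn_ack else "S",
        f"{length:02X}",
    ]


def matches(observed, sig):
    """Exact match field by field, except that a wildcard on either side matches anything."""
    for i, (o, s) in enumerate(zip(observed, sig)):
        if i in WILDCARDS and WILDCARDS[i] in (o, s):
            continue
        if o != s:
            return False
    return True


def identify(sigs, observed):
    """All OS names whose signature matches; several hits means an ambiguous fingerprint."""
    return [os_name for sig, os_name in sigs if matches(observed, sig)]


if __name__ == "__main__":
    db = parse_sigs(SIGS)
    # constructed SYN: window 0xFAF0, MSS 1460, TTL 125 (3 hops from 128),
    # no window scale, SACK + NOP present, DF set, no timestamp, 52-byte header
    print(identify(db, fingerprint(0xFAF0, 1460, 125, None, True, True, True, False, False, 52)))
```

The matcher only ever reads fields the host already put on the wire, which is the whole point of the passive approach: nothing is sent, so there is nothing for the target or an IDS to notice. The flip side is that a host that never initiates connections produces no SYN to fingerprint, and a NAT or proxy in the path presents its own stack rather than the client's.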
Reposted from: https://blog.51cto.com/missuniverse110/409972
Publisher: 全栈程序员-用户IM. Please credit the source when reposting: https://javaforall.cn/154157.html Original link: https://javaforall.cn