Man-in-the-Middle Attacks
Ettercap - a unified man-in-the-middle attack tool
- Forwards packets whose destination MAC matches the local host but whose destination IP is not the local host's
- Supports SSH1 and SSL man-in-the-middle attacks
Module breakdown
- Sniffer
- MITM
- Filter
- Log
- Plugin
Man-in-the-Middle Attacks
Sniffer - responsible for packet forwarding
- Unified: on a single NIC, performs layer-3 packet forwarding itself; the kernel IP_Forward feature is always disabled
- Bridge: layer-1 MITM mode using two NICs; can act as an IPS and filter packets; cannot be used on wireless NICs (it is a transparent bridge)
MITM - redirects traffic to the ettercap host
- Other tools can be used to set up the MITM position; ettercap is then used only for sniffing and filtering
Man-in-the-Middle Attacks
Methods of establishing a MITM position
- ARP
- ICMP: ICMP route redirection, half-duplex
- DHCP: modifies the gateway address, half-duplex
- Switch Port Stealing: floods frames whose destination address is the local host and whose source address is the victim; suited to environments with static ARP bindings
- NDP: IPv6 protocol spoofing technique
Man-in-the-Middle Attacks
Constraints on ARP spoofing in kernels 2.4 and later
- An unsolicited ARP reply does not update the local ARP cache
- Ettercap therefore uses ARP request packets for the attack
Solaris does not update its local ARP cache from ARP packets
- Ettercap first sends an ICMP packet to update the ARP cache
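The two slides above describe how the MITM position is obtained with ARP and why Ettercap poisons with ARP requests rather than replies. The following is an added detection example, written for this page and not taken from the slides or from Ettercap itself. Because modern kernels already ignore unsolicited replies and the poisoning arrives as requests, a detector that only alerts on unsolicited replies would miss it; this one records every sender-IP/sender-MAC pair regardless of opcode and alerts when a mapping changes or when one MAC claims several IPs (the signature of a host sitting between two others). The trace and all addresses are constructed.

```python
"""Added example (not from the slides or from Ettercap): review the IP/MAC
pairs announced in an ARP trace and raise alerts on spoofing signatures.

Checks, in increasing strength:
  * unsolicited_reply - a reply nobody asked for (the rule kernels 2.4+ already
    apply to their own cache; misses request-based poisoning on its own)
  * mac_change        - an IP that is suddenly announced by a different MAC
  * multi_ip_mac      - one MAC announcing more than one IP
The sample trace below is constructed; every address in it is made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    opcode: str       # "request" or "reply"
    sender_ip: str    # protocol address announced by the sender
    sender_mac: str   # hardware address announced by the sender
    target_ip: str    # address being asked about, or the reply's recipient


# Constructed trace: gateway 10.0.0.1 (MAC ...aa), host 10.0.0.5 (MAC ...bb),
# then a third station (MAC ...cc) announcing both addresses via requests,
# and finally a reply sent to a host that never asked.
SAMPLE_TRACE = [
    ArpEvent("request", "10.0.0.1", "00:0c:29:aa:aa:aa", "10.0.0.5"),
    ArpEvent("reply",   "10.0.0.5", "00:0c:29:bb:bb:bb", "10.0.0.1"),
    ArpEvent("request", "10.0.0.1", "00:0c:29:cc:cc:cc", "10.0.0.5"),
    ArpEvent("request", "10.0.0.5", "00:0c:29:cc:cc:cc", "10.0.0.1"),
    ArpEvent("reply",   "10.0.0.1", "00:0c:29:cc:cc:cc", "10.0.0.7"),
]


def detect_arp_spoofing(trace):
    """Return a list of (kind, detail) alerts in the order they are raised."""
    ip_to_mac = {}                  # last MAC seen announcing each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has announced so far
    pending = set()                 # (requester_ip, asked_ip) awaiting a reply
    alerts = []

    for ev in trace:
        # Weak check: was this reply actually requested by its recipient?
        if ev.opcode == "request":
            pending.add((ev.sender_ip, ev.target_ip))
        else:
            key = (ev.target_ip, ev.sender_ip)
            if key in pending:
                pending.discard(key)
            else:
                alerts.append(("unsolicited_reply",
                               f"{ev.sender_ip} is {ev.sender_mac}, sent to "
                               f"{ev.target_ip} which never asked"))

        # Strong checks: applied to requests and replies alike, because
        # request-based poisoning carries the same forged sender pair.
        prev = ip_to_mac.get(ev.sender_ip)
        if prev is not None and prev != ev.sender_mac:
            alerts.append(("mac_change",
                           f"{ev.sender_ip}: {prev} -> {ev.sender_mac} "
                           f"(via ARP {ev.opcode})"))
        ip_to_mac[ev.sender_ip] = ev.sender_mac

        claimed = mac_to_ips[ev.sender_mac]
        if ev.sender_ip not in claimed:
            claimed.add(ev.sender_ip)
            if len(claimed) > 1:
                alerts.append(("multi_ip_mac",
                               f"{ev.sender_mac} now claims {sorted(claimed)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect_arp_spoofing(SAMPLE_TRACE):
        print(f"{kind:18s} {detail}")
```

On the constructed trace the first two events are clean, the two requests from the third MAC raise two `mac_change` alerts and one `multi_ip_mac` alert, and the final reply raises `unsolicited_reply` only, since its mapping was already learned. A real deployment would seed `ip_to_mac` from a known-good inventory and whitelist planned hardware replacements, which otherwise also trigger `mac_change`.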
Man-in-the-Middle Attacks
User interfaces
- -T text interface
- -G graphical interface
- -C text-based graphical interface
- -D daemon (background) mode
Specifying targets
- IPv4: MAC/IPs/Ports
- IPv6: MAC/IPs/IPv6/Ports
- /10.0.0.1-5;10.0.1.33/20-25,80,110
root@k:~# ettercap -T
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Listening on:
eth0 -> 00:0C:29:DB:CD:FC
fe80::20c:29ff:fedb:cdfc/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...
33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Randomizing -1 hosts for scanning...
Scanning the whole netmask for -1 hosts...
Fri May 13 22:57:16 2016 [550658]
fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)
0 hosts added to the hosts list...
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Fri May 13 22:57:20 2016 [551628]
fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)
root@k:~# ettercap -G
root@k:~# ettercap -C
root@k:~# ettercap -D
root@k:~# ettercap 00:11:11:11:11:11 /1.1.1.1-10;11/25,80,21 /1.1.1.2/
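The target syntax (MAC/IPs/Ports, or MAC/IPs/IPv6/Ports) shown on the "Specifying targets" slide and in the last command above is compact enough that it is easy to misread which hosts a command actually covered. The parser below is an added example, written for this page and not taken from Ettercap's own source; it is the kind of helper used when reviewing ettercap command lines recovered from shell history or an engagement log. Its semantics are assumptions drawn from the slide examples: fields are separated by `/`, an empty field means "any", `;` separates independent IP specifications (each of which must be a full dotted address, so a bare `11` as in the command above is rejected), `,` separates list items and `-` gives an inclusive range. Allowing a list or range in any octet, not only the last, is this example's own generalisation.

```python
"""Added example (not from the slides or from Ettercap): a parser for the
TARGET syntax MAC/IPs/Ports or MAC/IPs/IPv6/Ports.

Assumed semantics: "/" separates fields, an empty field means "any", ";"
separates independent IP specifications, "," separates list items and "-"
gives an inclusive range. Per-octet expansion is this example's assumption.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def expand_numbers(spec, lo, hi):
    """Expand '20-25,80,110' into a sorted list of ints within [lo, hi]."""
    values = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            start, end = (int(x) for x in item.split("-", 1))
        else:
            start = end = int(item)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"value out of range {lo}-{hi}: {item!r}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_ipv4(spec):
    """Expand one dotted spec such as '10.0.0.1-5' into concrete addresses."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a full dotted IPv4 spec: {spec!r}")
    expanded = [expand_numbers(o, 0, 255) for o in octets]
    if any(not e for e in expanded):
        raise ValueError(f"empty octet in IPv4 spec: {spec!r}")
    return [f"{a}.{b}.{c}.{d}"
            for a in expanded[0] for b in expanded[1]
            for c in expanded[2] for d in expanded[3]]


def parse_target(target):
    """Parse an ettercap TARGET string into mac, ips, ipv6 and ports.

    Empty lists mean "any"; mac is None when the field was left empty.
    """
    parts = target.split("/")
    if len(parts) == 3:
        mac, ips, ports = parts
        ipv6 = ""
    elif len(parts) == 4:
        mac, ips, ipv6, ports = parts
    else:
        raise ValueError(f"expected MAC/IPs/Ports or MAC/IPs/IPv6/Ports: {target!r}")
    mac = mac.strip()
    if mac and not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")

    hosts = []
    for ip_spec in ips.split(";"):
        if ip_spec.strip():
            hosts.extend(expand_ipv4(ip_spec.strip()))

    return {
        "mac": mac.lower() or None,
        "ips": hosts,
        "ipv6": [s.strip() for s in ipv6.split(";") if s.strip()],  # kept verbatim
        "ports": expand_numbers(ports, 1, 65535),
    }


if __name__ == "__main__":
    # The spec from the slide above; prints 6 hosts and 8 ports.
    print(parse_target("/10.0.0.1-5;10.0.1.33/20-25,80,110"))
```

Because the host list is fully expanded, the same function answers the question an incident reviewer actually asks ("was 10.0.1.33 in scope of this command?") with a plain membership test rather than by re-reading the shorthand.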
Man-in-the-Middle Attacks
Privileges
- Root privileges are needed to open the link-layer socket; ettercap then runs as the nobody account
- The log directory must be writable by nobody
- Set in etter.conf: EC_UID=65534
SSL MITM based on a forged certificate
- Bridge mode does not support SSL MITM
- openssl genrsa -out etter.ssl.crt 1024
- openssl req -new -key etter.ssl.crt -out tmp.csr
- openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
- cat tmp.new >> etter.ssl.crt
- rm -f tmp.new tmp.csr
root@k:~# vi /etc/ettercap/etter.conf // main configuration file
############################################################################
# #
# ettercap -- etter.conf -- configuration file #
# #
# Copyright (C) ALoR & NaGA #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# #
############################################################################
[privs]
ec_uid = 65534 # nobody is the default
ec_gid = 65534 # nobody is the default
[mitm]
arp_storm_delay = 10 # milliseconds
arp_poison_smart = 0 # boolean
arp_poison_warm_up = 1 # seconds
arp_poison_delay = 10 # seconds
arp_poison_icmp = 1 # boolean
arp_poison_reply = 1 # boolean
arp_poison_request = 0 # boolean
arp_poison_equal_mac = 1 # boolean
dhcp_lease_time = 1800 # seconds
port_steal_delay = 10 # seconds
port_steal_send_delay = 2000 # microseconds
ndp_poison_warm_up = 1 # seconds
ndp_poison_delay = 5 # seconds
ndp_poison_send_delay = 1500 # microseconds
ndp_poison_icmp = 1 # boolean
ndp_poison_equal_mac = 1 # boolean
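The privileges slide and the `[privs]` section above together define how ettercap drops from root to `ec_uid`/`ec_gid` after opening the link-layer socket, and require the log directory to be writable by that user. The following is an added example, written for this page and not part of Ettercap: a small parser for the etter.conf format shown above (`[section]` headers, `key = value`, `#` comments) plus an audit that flags a configuration which keeps root (`ec_uid`/`ec_gid` of 0) and checks whether a log directory is writable by the configured unprivileged user. The sample text is a constructed excerpt that mirrors the file above; the directory check is split into a pure function taking `stat` fields so it can be exercised without root or a real directory.

```python
"""Added example (not from the slides or from Ettercap): parse etter.conf
and audit the privilege-related settings.

The comment stripping is deliberately simple (everything after the first
"#" is dropped), which is enough for the file shown above.
"""
import os
import re
import stat

# Constructed excerpt mirroring the etter.conf shown above.
SAMPLE_CONF = """\
[privs]
ec_uid = 65534                # nobody is the default
ec_gid = 65534                # nobody is the default

[mitm]
arp_storm_delay = 10          # milliseconds
arp_poison_smart = 0          # boolean
arp_poison_request = 0        # boolean
arp_poison_equal_mac = 1      # boolean
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_etter_conf(text):
    """Return {section: {key: value}}; integer-looking values become ints."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        conf[section][key] = int(value) if re.fullmatch(r"-?\d+", value) else value
    return conf


def dir_writable_by(st_uid, st_gid, st_mode, uid, gid):
    """Can a process running as uid/gid write into a directory with these stat fields?"""
    if st_uid == uid and st_mode & stat.S_IWUSR:
        return True
    if st_gid == gid and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


def audit_privs(conf, log_dir=None):
    """Return a list of findings about the [privs] configuration."""
    findings = []
    privs = conf.get("privs", {})
    uid, gid = privs.get("ec_uid"), privs.get("ec_gid")
    if not isinstance(uid, int) or not isinstance(gid, int):
        findings.append("[privs] is incomplete: ec_uid and ec_gid must both be numeric")
        return findings
    if uid == 0 or gid == 0:
        findings.append(f"ettercap keeps root privileges after startup (ec_uid={uid}, ec_gid={gid})")
    if log_dir is not None:
        st = os.stat(log_dir)   # real filesystem check, only when a path is given
        if not dir_writable_by(st.st_uid, st.st_gid, st.st_mode, uid, gid):
            findings.append(f"log directory {log_dir} is not writable by uid {uid}/gid {gid}")
    return findings


if __name__ == "__main__":
    conf = parse_etter_conf(SAMPLE_CONF)
    print(conf["privs"], audit_privs(conf) or "no findings")
```

Running the audit against the excerpt above produces no findings; the same audit on a file with `ec_uid = 0` reports that the process never drops root, which is the misconfiguration the slide's EC_UID=65534 advice is meant to prevent.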