菜鸟分析网络执法官

发布时间：2006-10-16 14:24:39　来源：友佳学院网友评论 0 条

点击进入《友佳学院》ARP攻击与防范专区(www.jztop.com)

要了解网络执法官的原理.

就要先了解局域网的通信的原理.

前面我们看到了.在以太网上传输的都是具有以太网头的数据包.

也就是局域网上连个机器相互通讯就要知道对方的MAC地址.

看看具体的过成

比如一台netbug的机器要和一台o3的机器通讯.

首先.netbug要知道o3的IP地址.(这就要用到dns协议,暂时我们略过)

netbug知道了o3的IP后,就可以组装IP协议层以上的包了.

但前面已经说了.要在以太网上传输数据,就必须有一个的MAC,

要找MAC,netbug首先在自己的arp缓存里找是否有这个条目.

大家可以在cmd环境下.

C:>arp -a

Interface: 192.168.0.225 --- 0x2

Internet Address Physical Address Type

192.168.0.4 00-80-ad-77-e2-9a dynamic

192.168.0.9 00-e0-4c-39-15-f2 dynamic

192.168.0.10 00-e0-4c-39-19-a5 dynamic

192.168.0.12 00-10-b5-4d-4b-b7 dynamic

看到没有?

如果IP所对应的MAC在这里没有.那netbug就会用到我们以前所讲的arp协议.

发送一个广播.如果在局域网上发现中间的IP和自己的IP符合,就发回ARP回应.

ff ff ff ff ff ff 00 e0 4c 82 8f ba 08 06 00 01

08 00 06 04 00 01 00 e0 4c 82 8f ba c0 a8 00 27

00 00 00 00 00 00 c0 a8 00 01 20 20 20 20 20 20

20 20 20 20 20 20 20 20 20 20 20 20

00 01:ethern

08 00:IP

06:hardware address length

04:Protocol address length

00 01:Opertion type

00 e0 4c 82 8f ba :sender hardware address

c0 a8 00 27: sender IP address 192.168.0.39

00 00 00 00 00 00:receiver hardware address 00 00 00 00 00 00 broadcast

c0 a8 00 01:receiver ip address 192.168.0.1

20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20:the data fixed.

如果没有回应,那netbug就会把网关的MAC做为对方的MAC

然后封装ethern网包.发送出去.

OK,原理就说到这里,大家看出什么漏洞了吗?

对,如果我门在arp缓存里修改网关的mac那.netbug就上去网了.

那如何远程去修改对方的arp缓存呢?

有办法.

就是arp的一个属性.免费arp.

1.一个主机可以通过她来确定另一个主机是否设置了相同的IP地址.

2.如果发送免费ARP的主机正好改变了硬件地址.那这个分组就可以更新其它主机缓存中的硬件地址.

C:>arp /?

Displays and modifies the IP-to-Physical address translation tables used by

address resolution protocol (ARP).

ARP -s inet_addr eth_addr [if_addr] <===添加arp条目

ARP -d inet_addr [if_addr] <====删除arp条目

ARP -a [inet_addr] [-N if_addr] <====显示arp条目

-a Displays current ARP entries by interrogating the current

protocol data. If inet_addr is specified, the IP and Physical

addresses for only the specified computer are displayed. If

more than one network interface uses ARP, entries for each ARP

table are displayed.

-g Same as -a.

inet_addr Specifies an internet address.

-N if_addr Displays the ARP entries for the network interface specified

by if_addr.

-d Deletes the host specified by inet_addr. inet_addr may be

wildcarded with * to delete all hosts.

-s Adds the host and associates the Internet address inet_addr

with the Physical address eth_addr. The Physical address is

given as 6 hexadecimal bytes separated by hyphens. The entry

is permanent.

eth_addr Specifies a physical address.

if_addr If present, this specifies the Internet address of the

interface whose address translation table should be modified.

If not present, the first applicable interface will be used.

Example:

> arp -s 157.55.85.212 00-aa-00-62-c6-09 .... Adds a static entry.

> arp -a .... Displays the arp table.

C:>

网络执法官就是用的这个特性.

使对方缓存中的网关地址错误.

没有网关,当然上不去网了.

如果发现相同IP具有不同的MAC,当然报错了.

公司网络上不好使用网络执法官.

等过几天,

我抓几个包详细分析一下.

让我们模拟一次arp攻击:

C:>arp -a

Interface: 192.168.0.225 --- 0x2

Internet Address Physical Address Type

192.168.0.1 00-50-ba-2b-ad-7b dynamic

192.168.0.4 00-80-ad-77-e2-9a dynamic

192.168.0.9 00-e0-4c-39-15-f2 dynamic

192.168.0.10 00-e0-4c-39-19-a5 dynamic

192.168.0.12 00-10-b5-4d-4b-b7 dynamic

192.168.0.53 00-e0-4c-39-1d-80 dynamic

C:>arp -d 192.168.0.4

C:>arp -s 192.168.0.4 00-e0-4c-39-15-f2

C:>arp -a

Interface: 192.168.0.225 --- 0x2

Internet Address Physical Address Type

192.168.0.1 00-50-ba-2b-ad-7b dynamic

192.168.0.4 00-e0-4c-39-15-f2 static

192.168.0.9 00-e0-4c-39-15-f2 dynamic

192.168.0.10 00-e0-4c-39-19-a5 dynamic

192.168.0.12 00-10-b5-4d-4b-b7 dynamic

192.168.0.51 00-c0-9f-16-da-8d dynamic

192.168.0.53 00-e0-4c-39-1d-80 dynamic

C:>tracert 210.26.50.242

Tracing route to 210.26.50.242 over a maximum of 30 ho

1 * * * Request timed out.

2 * * * Request timed out.

3 * ^C

C:>arp -d 192.168.0.4

C:>arp -a

C:>tracert 210.26.50.242

Tracing route to XRL [210.26.50.242]

over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms PROXY [192.168.0.4]

2 1 ms <1 ms <1 ms 218.4.142.137

3 1 ms <1 ms <1 ms ^C

C:>

今天抓了个网络执法官的包。

00 80 ad 02 a8 31 dest address

00 80 ad 6d 38 92 sour address

08 06 arp packet

00 01 ethern net packet

08 00 IP address

06 hardware address length

04 ip address length

00 02 arp reply

00 80 ad 6d 38 92 source address MAC

c0 a8 00 04 source IP address 192.168.0.4

00 80 ad 02 a8 31 dest address MAC

c0 a8 00 e1 dest IP address 192.168.0.225

23 45 73 72 01 94 07

192.168.0.4是我的网关IP地址。

如此操作以后。

D:Documents and Settingscoolrit>arp -a

Interface: 192.168.0.225 --- 0x2

Internet Address Physical Address Type

192.168.0.4 00-80-ad-77-e2-9a dynamic

192.168.0.37 00-e0-4c-82-7d-74 dynamic

D:Documents and Settingscoolrit>arp -a

Interface: 192.168.0.225 --- 0x2

Internet Address Physical Address Type

192.168.0.4 00-80-ad-6d-38-92 dynamic

192.168.0.37 00-e0-4c-82-7d-74 dynamic

但也许有人有疑问。

如何让windows自己跳出消息说。有IP冲突呢？

我们来看这样一个包：

00 80 ad 02 a8 31 00 80 ad 02 a8 32 08 06

00 01

08 00

06 04

00 02

00 80 ad 02 a8 32

c0 a8 00 e1

00 80 ad 02 a8 31

c0 a8 00 e1

看到没有。

两个IP地址都是一样的。

OK。

现在把这个包replay一下。