
02.09.2016

ARP spoofing (Xgu.ru)

ARP spoofing
Xgu.ru
: (http://xgu.ru/w/index.php?title=ARPspoofing&action=history)
ARPspoofing(ARPpoisoning),Ethernet,
,ARP,
ARP,
.spoofing.
ARPspoofing,,
ettercapARP,
ARParpwatch,
,VLANPPPoE.
ARP:MAC
.

1 ARP
1.1 ARP
1.2 ARP
1.3 ARP
2 ARP spoofing
2.1 ARP spoofing
2.2 ARP spoofing with ettercap
3
3.1 arpwatch
3.1.1 arpwatch
3.1.2
3.2 ARP spoofing
3.2.1 mac2port
3.3
4
4.1 ARP
4.1.1
4.2
4.3 ARP spoofing
4.3.1 VLAN
4.3.1.1
4.3.1.2
4.3.2 packet filtering, ACL
4.3.2.1
4.3.2.2
4.3.3 PPPoE
4.3.3.1

4.3.3.2
5 ARP spoofing
6
7 Xgu.ru

ARP
ARP
ARPIPMAC.
Ethernet,ARP:TokenRing,FDDI
.
:
Address Resolution Protocol (http://en.wikipedia.org/wiki/Address_Resolution_Protocol), Wikipedia
RFC 826 (http://tools.ietf.org/html/rfc826), ARP

ARP
:
1.AIPB,
2.AIPB,,
R.
AARP,
MACB,MACR.
.
,,
.(
,ARP
,IP,MAC,
.)

ARP
ARP.
:,.,
ARP (gratuitous ARP).
ARPARP,ARP,(
).ARPARP,
.IP:
DHCP,ARPgratuitous
ARP.
ARP:
ARP,,

.
ARP,,
,MAC,
,,.
:
Gratuitous_ARP (http://wiki.wireshark.org/Gratuitous_ARP), wiki.wireshark.org

ARPspoofing
ARPspoofing'ARPAB
IPMAC.

AB.()
ARPspoofing'C,
,ARP(
):
A: IP B, MAC C
B: IP A, MAC C.

ARP(gratuitousARP),
ARP
,MAC
ABMACC.
()
,AB,
ARP(C)MAC.
MACC.C
,..B.()

ARPspoofing'
ARPspoofing',
Linux,Windows.
:
Ettercap (http://ettercap.sourceforge.net/)
Cain & Abel (http://www.oxid.it/cain.html)
dsniff (http://monkey.org/~dugsong/dsniff/)
arp-sk (http://sid.rstack.org/arpsk/)
.

ARP spoofing with ettercap

[ettercap.]
ettercap.
A.
B.
C.
ARPspoofing.
ettercap,ARPspoofing'
.

A   host A   192.168.15.201   00:04:75:75:46:B1
B   host B   192.168.15.254   00:0A:01:D4:D1:39
C   host C   192.168.15.200   00:0A:01:D4:D1:E3
hostChostAhostB.
ettercap:
hostC %# apt-get install ettercap

hostAhostB:
%# ettercap -T -M arp -L log /192.168.15.201/ /192.168.15.254/

:
-T        ()
-M arp    ARP spoofing
-L log    log.*

IP,ARP
spoofing.
,,ABPOP3,
,.
hostA %# nc 192.168.15.254 110
USER user
+OK
PASS password
+OK
LIST
+OK
.

hostAhostBC.
.
ettercapq.ARP
ARP,
.

-L, ettercap:
%# ls log.*
log.eci
log.ecp

etterlog, ettercap:
%# etterlog log.eci
etterlog NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Log file version: NG-0.7.3
Timestamp: Thu Jun 21 12:23:11 2007
Type: LOG_INFO
1698 tcp OS fingerprint
7587 mac vendor fingerprint
2183 known services
==================================================
IP address : 192.168.15.201
MAC address : 00:04:75:75:46:B1
...
MANUFACTURER : Sohoware
DISTANCE : 0
TYPE : LAN host
FINGERPRINT :
OPERATING SYSTEM : UNKNOWN
PORT : TCP 110 | pop3 []
ACCOUNT : user / password (192.168.15.201)
==================================================

,.
hostA()ARP
.
hostA %# arp -an
? (192.168.15.254) at 00:0A:01:D4:D1:39 [ether] on eth0
? (192.168.15.200) at 00:0A:01:D4:D1:E3 [ether] on eth0

.
hostA %# arp -an
? (192.168.15.254) at 00:0A:01:D4:D1:E3 [ether] on eth0
? (192.168.15.200) at 00:0A:01:D4:D1:E3 [ether] on eth0

.
hostA %# arp -an
? (192.168.15.254) at 00:0A:01:D4:D1:39 [ether] on eth0
? (192.168.15.200) at 00:0A:01:D4:D1:E3 [ether] on eth0

,eth0hostA(),
,,ARP,
,MAC192.168.15.254..
,MAC.
.

%# tcpdump -i eth0 arp
08:34:20.231680 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)
08:34:21.259637 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)
08:34:22.287591 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)
08:34:23.315522 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)
08:34:32.463255 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)
08:34:33.491040 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)
08:34:34.514988 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)

VoIPsniffing.
,ARP.

arpwatch
arpwatchARP.
,,MACIP,,
syslog.

arpwatch
arpwatchDebian
GNU/Linux.
arpwatch:
%# apt-get install arpwatch
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 124kB of archives.
After unpacking 389kB of additional disk space will be used.
Get:1 http://debian.ZLO.ZLO.ZLO etch/main arpwatch 2.1a13-2 [124kB]
Fetched 124kB in 0s (177kB/s)
Selecting previously deselected package arpwatch.
(Reading database ... 22406 files and directories currently installed.)
Unpacking arpwatch (from .../arpwatch_2.1a13-2_i386.deb) ...
Setting up arpwatch (2.1a13-2) ...
Starting Ethernet/FDDI station monitor daemon: (chown arpwatch /var/lib/arpwatch/arp.dat) arpwatch.

,.(,
,.)
%# ps aux | grep arpwatch
arpwatch  4810  0.5  0.4  3448  2360 ?      S    08:36   0:00 /usr/sbin/arpwatch -u arpwatch -N -p
root      4827  0.0  0.1  2852   712 pts/6  R+   08:36   0:00 grep arpwatch

.arpwatch
.DebianGNU/Linux
/etc/default/arpwatch (FreeBSD: /etc/rc.conf).
arpwatch(,
),:
%# vi /etc/default/arpwatch
%# cat /etc/default/arpwatch

# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as `arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"

,:
%# /etc/init.d/arpwatch restart

,.
ARP.,
arpwatchsyslog.
ARPsyslog:
# tail -f /var/log/daemon.log
Jun 21 08:37:08 s_all@linux2 arpwatch: new station 192.168.15.200 0:a:1:d4:d1:e3 eth0
Jun 21 08:37:08 s_all@linux2 arpwatch: new station 192.168.15.201 0:4:75:75:46:b1 eth0
Jun 21 08:37:09 s_all@linux2 arpwatch: new station 192.168.15.254 0:a:1:d4:d1:39 eth0
Jun 21 08:37:09 s_all@linux2 arpwatch: changed ethernet address 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39) eth0
Jun 21 08:37:11 s_all@linux2 arpwatch: ethernet mismatch 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39) eth0
Jun 21 08:37:12 s_all@linux2 arpwatch: ethernet mismatch 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39) eth0
Jun 21 08:37:13 s_all@linux2 arpwatch: ethernet mismatch 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39) eth0

Jun 21 08:37:09 s_all@linux2 arpwatch: changed ethernet address 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39) eth0

,192.168.15.254MAC.
,,,arpwatchARPspoofing
,192.168.15.254.

LBNL's Network Research Group (http://wwwnrg.ee.lbl.gov/), arpwatch

,ARPspoofing
:MAC
,,,
MAC.
, mac2port (http://xgu.ru/downloads/mac2port).
SNMPMAC.
.
MAC,arpwatch.
:
/usr/local/bin, PATH
(chmod +x mac2port), perl
IP, SNMP RO community

SNMP2(
SNMPv3,
SNMPv2).
:
%# ./mac2port
0:4:76:a1:ef:bb -> 1
0:a:1:d4:d1:e3 -> 2
0:15:60:79:8e:c0 -> 0
0:4:75:75:46:b1 -> 3
0:a:1:d4:d1:39 -> 44

arpwatch:

%# cat /var/log/daemon.log | grep 'changed ethernet address'
Jun 21 08:37:09 s_all@linux2/192.168.15.201 arpwatch: changed ethernet address 192.168.15.254 0:a:1:d4:d1:e3 (0:a:1:d4:d1:39)

,(
,MAC):
%# mac=$(cat /var/log/daemon.log | grep 'changed ethernet address' | awk '{print $10}')
%# ./mac2port | grep $mac
0:a:1:d4:d1:e3 -> 2

,
.

.,,
swatch, syslog-ng.
, syslog-ng.
,:
/usr/local/bin/syslogngarpwatch:
#!/bin/sh
# Reads the lines syslog-ng hands over on stdin.  For every arpwatch
# "changed ethernet address" message, take the new MAC (field 10), ask the
# switch which port it sits on via mac2port, and report through syslog.
PATH=$PATH:/usr/local/bin
while read line
do
    mac="$(echo "$line" | grep 'changed ethernet address' | awk '{print $10}')"
    [ -z "$mac" ] && continue
    (echo "POSSIBLY ARP SPOOFING FROM:"; mac2port | grep "$mac") | logger -t arpspoofing
done

syslogng.
syslog-ng.conf:
destination dp_arpspoofing {
    program("/usr/local/bin/syslogngarpwatch");
};
filter f_arpspoofing {
    match("arpwatch");
};
log {

    source(s_all);
    filter(f_arpspoofing);
    destination(dp_arpspoofing);
};

filter(f_arpspoofing);

,,.
arpspoofing':

1.arpwatchsyslog(/dev/log/var/run/log)
2.,syslogSyslogNG,
syslogngarpwatch
3.syslogngarpwatch,,ARPspoofing',
MAC
4.mac2portSNMP
5.MAC

6.mac2portMAC
syslogngarpwatch
7.syslogngarpwatchsyslog
8.syslogng,
SMS(,
,)
9..

:
Jun 21 13:55:23 s_all@linux3 arpspoofing: POSSIBLY ARP SPOOFING FROM:
Jun 21 13:55:23 s_all@linux3 arpspoofing: 0:a:1:d4:d1:e3 -> 2
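The detection chain above (arpwatch noticing that a known IP now answers from another MAC, then mac2port mapping that MAC to a switch port) can be reproduced directly from an ARP capture. The Python below is an added example written for this page, not code from xgu.ru: it reads ARP replies in the tcpdump format shown earlier and a MAC-to-port table in the mac2port output format, keeps arpwatch-style per-IP state (current and previous MAC), and reports "new station", "changed ethernet address" and "flip flop" events together with the switch port. The capture and port table are constructed for the example (the capture puts one legitimate reply from host B in front of the replies the page shows, plus one non-ARP line to show it is ignored); the class and function names are the example's own, and the event names follow arpwatch's report vocabulary in simplified form.

```python
"""arpwatch-style ARP monitor with switch-port lookup (added example, not from xgu.ru)."""
import re
from typing import Dict, List, Optional, Tuple

# tcpdump line: 08:34:20.231680 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)
ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+arp reply\s+(?P<ip>\d+(?:\.\d+){3})"
    r"\s+is-at\s+(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
)
# mac2port line: 0:a:1:d4:d1:e3 -> 2
MAC2PORT = re.compile(
    r"^(?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\s*->\s*(?P<port>\d+)\s*$"
)

# An event is (kind, ip, new_mac, old_mac or None, switch port or None)
Event = Tuple[str, str, str, Optional[str], Optional[str]]


def normalize_mac(mac: str) -> str:
    """Canonical form used by arpwatch and mac2port: lowercase, no leading zero per octet."""
    return ":".join(format(int(octet, 16), "x") for octet in mac.split(":"))


class ArpMonitor:
    """Remembers the current and previous MAC seen for each IP, like arpwatch's arp.dat."""

    def __init__(self, mac2port_lines: List[str]):
        self.mac2port: Dict[str, str] = {}
        for line in mac2port_lines:
            m = MAC2PORT.match(line.strip())
            if m:
                self.mac2port[normalize_mac(m.group("mac"))] = m.group("port")
        self.stations: Dict[str, Tuple[str, Optional[str]]] = {}

    def feed(self, line: str) -> Optional[Event]:
        """Consume one capture line; return an event worth logging, or None."""
        m = ARP_REPLY.match(line.strip())
        if m is None:
            return None                                  # not an ARP reply; ignore
        ip, mac = m.group("ip"), normalize_mac(m.group("mac"))
        port = self.mac2port.get(mac)                    # None if the switch has not learned the MAC
        known = self.stations.get(ip)
        if known is None:                                # first time this IP is seen
            self.stations[ip] = (mac, None)
            return ("new station", ip, mac, None, port)
        current, previous = known
        if mac == current:
            return None                                  # steady state
        # A known IP now answers from a different MAC.  arpwatch calls a return
        # to the previously seen MAC a "flip flop" and anything else a
        # "changed ethernet address"; an ARP spoofing run produces both, when
        # the forged replies start and again when they stop.
        kind = "flip flop" if mac == previous else "changed ethernet address"
        self.stations[ip] = (mac, current)
        return (kind, ip, mac, current, port)


def format_event(ev: Event) -> str:
    """One syslog-style line per event, in the spirit of the page's logger message."""
    kind, ip, new, old, port = ev
    where = f"switch port {port}" if port is not None else "port unknown"
    was = f" (was {old})" if old is not None else ""
    return f"{kind}: {ip} at {new}{was}, {where}"


# Constructed sample data: a legitimate reply from host B (00:0A:01:D4:D1:39),
# then replies in the page's tcpdump format, and a mac2port-style port table.
SAMPLE_CAPTURE = [
    "08:34:10.000000 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)",
    "08:34:20.231680 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)",
    "08:34:21.259637 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:e3 (oui Unknown)",
    "08:34:21.300000 IP 192.168.15.201.45678 > 192.168.15.254.110: Flags [S]",
    "08:34:32.463255 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)",
    "08:34:33.491040 arp reply 192.168.15.254 is-at 00:0a:01:d4:d1:39 (oui Unknown)",
]
SAMPLE_MAC2PORT = [
    "0:4:76:a1:ef:bb -> 1",
    "0:a:1:d4:d1:e3 -> 2",
    "0:4:75:75:46:b1 -> 3",
    "0:a:1:d4:d1:39 -> 44",
]


def run_sample() -> List[Event]:
    """Run the monitor over the constructed capture and return the events it reports."""
    monitor = ArpMonitor(SAMPLE_MAC2PORT)
    return [ev for ev in map(monitor.feed, SAMPLE_CAPTURE) if ev is not None]


if __name__ == "__main__":
    for ev in run_sample():
        print(format_event(ev))
```

On the constructed capture the monitor reports the new station on port 44, the change to 0:a:1:d4:d1:e3 on port 2 (the port the page's mac2port output attributes to host C), and the flip flop back to port 44 once the forged replies stop. Feeding it the live output of `tcpdump -i eth0 arp` instead of the sample list gives the same per-IP bookkeeping that arpwatch keeps, with the switch-port lookup that the page otherwise does through syslog-ng and the shell wrapper.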

mac2port
#!/usr/bin/perl
# mac2port: walk the switch's bridge forwarding table (BRIDGE-MIB
# dot1dTpFdbTable) over SNMP and print "MAC -> port" for every learned address.
use strict;
use warnings;

our $community = "public";          # SNMP read-only community
our $switch    = "192.168.15.100";  # switch IP address

my (%mac_table, %ports_table);

# dot1dTpFdbAddress: table index -> MAC address
open(SNMP, "snmpwalk -On -OQ -v2c -c $community $switch .1.3.6.1.2.1.17.4.3.1.1 |")
    or die "Can't run snmpwalk";
while (<SNMP>) {
    chomp;
    s@.1.3.6.1.2.1.17.4.3.1.1@@;
    my ($oid, $mac) = split /=\s*/;
    next unless defined $mac;
    # Normalise "00 0A 01 D4 D1 E3" to the form arpwatch logs: 0:a:1:d4:d1:e3
    $_ = lc $mac;
    s@"@@g; s@\s*$@@; s@ @:@g; s@^0@@; s@:0@:@g;
    $mac_table{$_} = $oid;
}
close(SNMP);

# dot1dTpFdbPort: the same table index -> bridge port number
open(SNMP, "snmpwalk -On -OQ -v2c -c $community $switch .1.3.6.1.2.1.17.4.3.1.2 |")
    or die "Can't run snmpwalk";
while (<SNMP>) {
    chomp;
    s@.1.3.6.1.2.1.17.4.3.1.2@@;
    my ($oid, $port) = split /=/;
    $ports_table{$oid} = $port;
}
close(SNMP);

for my $mac (keys %mac_table) {
    my $port = $ports_table{$mac_table{$mac}};
    print "$mac -> ", (defined $port ? $port : "?"), "\n";
}

XArp (http://www.chrismc.de/), arpwatch, Windows
remarp (http://www.raccoon.kiev.ua/projects/remarp/), arpwatch, SNMP
ArpStar (http://arpstar.sourceforge.net/)
ARPspoofing'aARP

ARPspoofing'arpwatch

,.
,,

arpwatch().

,ARPspoofing',

,
,.
ARP spoofing'
,
.,
,ARP
.,
,,
.
(,,
MAC,
ARP ,..
MAC,.

MAC,.

?)
.
,,arpwatch
,.

.
.,:
ARP,,
,.,
DOS:MAC,
,.
ARPspoofing'.
ARP
,,.
,ARPspoofing',
,,,
(PPPoE
.VLAN
.)

ARP
ARP.ARP
,ARP.
MAC.
ARP,
,(1)MACARP(2)MAC
ARP,.
ARP,MAC
.MACIP,ARP.
ARPARP:
%# arp -an | grep -v incom | awk '{print $2" "$4}' | tr -d '()'

:
%# arp -an | grep -v incom | awk '{print $2" "$4}' | tr -d '()' > /etc/ethers

/etc/ethers
.
:
for i in `seq 1 255`
do
    ping -c 1 192.168.15.$i >& /dev/null &
done
(192.168.15.0/24, ).

/etc/ethers,:
%# arp -f /etc/ethers

ARP,/etc/ethers,
.
%# ifconfig eth1 -arp

ARP:
,MAC.
,,
ARP.
ARPspoofing'.

(buggzy)Linux/FreeBSD,
ARPspoofing.
.ARP
MAC,.
ARP,IPMAC.
,IP,,,,
.MAC,
,,""MAC,,
.
(""): "ARP_ANTIDOTE: Possible MITM attempt!", ARP, ,
.,.
,:
arp_antidote, Linux (http://www.securitylab.ru/analytics/216229.php)
arp_antidote 2, Linux (http://www.securitylab.ru/analytics/216230.php)
ArpPoison patch, FreeBSD (http://www.securityfocus.com/archive/1/346330)
2.4.

ARPspoofing'
,Windows,,
,.
:,ARPspoofing'
.,.

:
1.:
...
..
2.,,
,.,
,.,
.
VLAN'/packetfiltering.
PPPoE.
VLAN
:VLAN
CARPspoofingA,
.,,
(,).
VLAN'
,.ARPspoofing
VLAN'.,
VLAN':,
ARPspoofing.,
.

1..,.IP,
IP.
2.,.
.
3.VLAN'.
VLAN'.

1.VLAN'.
2.VLAN',DHCP.
3..,
/.
,
VLAN'VLAN'.
[1] (http://www.askapache.com/security/bypassingvlan.html)

packet filtering, ACL


D-Link, Cisco
.:
1. ARP, Sender protocol address (SPA), IP.
2. ARP, Sender hardware address (SHA), Sender protocol address (SPA), MAC, IP
.arp,
,.
ACL ARP spoofing' ip
DHCP 82 (http://xgu.ru/wiki/_82_DHCP), ip
IP-MAC-Port binding, IP/MAC.
D-Link FAQ (1 (http://www.dlink.ru/up/uploads_media/FAQ_IP_MAC_Port_Binding.pdf), 2 (http://www.dlink.ru/up/uploads_media/faq_hub_switch_94.php), 3 (http://www.dlink.ru/up/uploads_media/faq_hub_switch_90.php)), dlink.ru (1 (http://forum.dlink.ru/viewtopic.php?t=65137), 2 (http://forum.dlink.ru/viewtopic.php?t=49495)),
ProCurve wiki (http://xgu.ru/wiki/ProCurve_Security#Dynamic_ARP_Protection).

1..,.
2.,.

1.""access
2.ip
.
3.Packetfiltering.
PPPoE
:PPPoE

1.
2..

1.PPPoE.
.
2.,.
,.
3..
4.PPPoE(>200)
.,.
5.PPTPdIPsec

,ARPspoofing
ARPspoofingportsecurity
portsecurityMAC.
,MAC
,
.,:SNMP,
syslog.
ARPspoofing'MAC()port
security.portsecurityIP
MAC,ARPspoofing.

An introduction to ARP spoofing, Sean Whalen (http://node99.org/projects/arpspoof/arpspoof.pdf)
ARP spoofing (http://ru.wikipedia.org/wiki/ARPspoofing)
ARP spoofing (http://en.wikipedia.org/wiki/ARP_spoofing), Wikipedia
ARP: Questions & Answers (http://www.geocities.com/SiliconValley/Vista/8672/network/arp.html)
Multiple Network Interfaces And ARP Flux (http://wiki.openvz.org/Multiple_Network_Interfaces_And_ARP_Flux), ARP, wiki OpenVZ
arp_accept? (http://people.debian.org/~terpstra/message/20061007.135106.8667124b.en.html), debian-russian
ARP spoofing (http://litladmin.ru/xaking/atakaarpspoofingperexvatpochtyiparolyavlokalnojseti.html)

:
ARP spoofing (http://local.com.ua/forum/index.php?showtopic=8081&st=15&#entry54923), local.com.ua
ARP spoofing (http://www.linux.org.ru/viewmessage.jsp?msgid=1985240), Linux.org.ru

Xgu.ru
Spoofing
MAC spoofing
ARP spoofing
IP spoofing
DNS spoofing
BGP

http://xgu.ru/wiki/ARPspoofing
:||
:10:29,222014.
