Flashsky, posted 2002-6-19 10:48:41 (R&D center)
1. ARP spoofing

In an internal network that communicates over IP, we can use ARP spoofing. The fundamental reason an ARP spoofing attack works is that each computer maintains an ARP cache, and that cache is continually updated by the ARP requests your computer sends and the ARP replies it receives. The purpose of the ARP cache is to map the IP addresses of machines to their MAC addresses; you can view your own ARP cache with the arp command.

Suppose machine A has IP address 10.0.0.1 and MAC address 20-53-52-43-00-01, machine B has IP address 10.0.0.2 and MAC address 20-53-52-43-00-02, and machine C has IP address 10.0.0.3 and MAC address 20-53-52-43-00-03. Now machine B sends an ARP Reply to machine A (the protocol does not require that an ARP Reply be sent only in answer to an ARP Request, nor that an ARP Reply be accepted only after an ARP Request was sent) in which the destination IP address is 10.0.0.1, the destination MAC address is 20-53-52-43-00-01, the source IP address is 10.0.0.3 and the source MAC address is 20-53-52-43-00-02. Machine A now updates its ARP cache and believes that the MAC address belonging to IP address 10.0.0.3 is 20-53-52-43-00-02. When machine A issues the FTP command ftp 10.0.0.3, the packet is sent to the switch; the switch looks at the destination MAC address in the packet, finds that it is 20-53-52-43-00-02, and delivers the data to machine B. Spoofing both sides in this way completes a man-in-the-middle attack. Of course, in practice you need to take care of some other things, for example some operating systems only update the corresponding ARP entry after they have actively sent an ARP request, and so on.

2. Switch MAC address table overflow

A switch decides which port a packet should be sent to from the destination MAC address in the packet and the address table the switch itself maintains. With a dynamic address table, and because the address table has a limited size, you can "overflow" the address table the switch maintains by sending a large number of bogus address entries, so that the switch falls back to broadcast mode; this achieves the goal of sniffing the communication between machine A and machine C.

3. MAC address forgery

Forging a MAC address is also a common method, but it depends on the switch in your network updating its address table dynamically. It is similar to ARP spoofing, except that now you want the switch, not machine A, to believe you. Because the switch updates its address table dynamically, what you have to do is tell the switch that you are machine C. In essence, you only need to send a forged packet to the switch whose source MAC address is the MAC address of machine C, and the switch will now associate machine C with your port. At the same time, however, you need to DoS host C off the network.

4. ICMP Router Discovery Protocol spoofing

This is mainly caused by defects in the ICMP Router Discovery Protocol (IRDP) in Windows 95, 98, 2000, SunOS, Solaris 2.6 and other systems. SunOS only uses this protocol in certain specific situations, whereas Windows 95, Windows 95B, Windows 98, Windows 98SE and Windows 2000 run IRDP by default.
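As an added example (not part of Flashsky's post), the following Python script shows the defender's side of sections 1 to 3: a monitor that consumes frames as a switch or a mirror port would see them and raises an alert for an ARP binding change (section 1), for a port learning more source MACs than a port-security limit allows (section 2), and for a known MAC suddenly appearing on a different port (section 3). The Frame record, the SwitchMonitor class, the port numbers and the MAX_MACS_PER_PORT limit are assumptions of mine; the sample frames are constructed and reuse the addresses of machines A, B and C from the post.

```python
"""Switched-LAN anomaly monitor (added example, not code from the post).

Checks performed on every observed frame:
  * arp_rebind: an IP address claims a MAC different from the first one
                learned for it (ARP spoofing, section 1)
  * arp_mac_mismatch: the ARP sender MAC differs from the Ethernet
                source MAC (a common sign of a crafted ARP packet)
  * mac_flood: a port has exceeded the allowed number of source MACs
               (address table overflow, section 2)
  * mac_move: a MAC previously learned on one port shows up on another
              (MAC address forgery, section 3)
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical port-security limit: how many source MACs one port may learn.
MAX_MACS_PER_PORT = 3


@dataclass(frozen=True)
class Frame:
    port: int                              # switch port the frame arrived on
    src_mac: str                           # Ethernet source address
    arp_sender_ip: Optional[str] = None    # set only for ARP requests/replies
    arp_sender_mac: Optional[str] = None   # sender hardware address in the ARP body


class SwitchMonitor:
    def __init__(self, max_macs_per_port: int = MAX_MACS_PER_PORT):
        self.max_macs = max_macs_per_port
        self.ip_to_mac = {}                  # first-learned IP -> MAC bindings (trusted)
        self.mac_to_port = {}                # learned address table (MAC -> port)
        self.macs_on_port = defaultdict(set)  # distinct source MACs seen per port
        self.alerts = []

    def observe(self, f: Frame) -> None:
        mac = f.src_mac.lower()

        # Section 3: a learned MAC moving to another port is a port move.
        prev_port = self.mac_to_port.get(mac)
        if prev_port is not None and prev_port != f.port:
            self.alerts.append(("mac_move", mac, prev_port, f.port))
        self.mac_to_port[mac] = f.port

        # Section 2: alert once when a port crosses the MAC count limit.
        self.macs_on_port[f.port].add(mac)
        if len(self.macs_on_port[f.port]) == self.max_macs + 1:
            self.alerts.append(("mac_flood", f.port))

        # Section 1: ARP bindings are learned once; later changes are alerts.
        if f.arp_sender_ip is not None:
            amac = (f.arp_sender_mac or "").lower()
            if amac != mac:
                self.alerts.append(("arp_mac_mismatch", f.arp_sender_ip, mac, amac))
            known = self.ip_to_mac.setdefault(f.arp_sender_ip, amac)
            if known != amac:
                self.alerts.append(("arp_rebind", f.arp_sender_ip, known, amac))


# Constructed sample traffic using the post's addresses for A (port 1),
# B (port 2) and C (port 3); the final frames imitate an address-table flood.
SAMPLE_FRAMES = [
    Frame(1, "20-53-52-43-00-01", "10.0.0.1", "20-53-52-43-00-01"),  # A announces itself
    Frame(3, "20-53-52-43-00-03", "10.0.0.3", "20-53-52-43-00-03"),  # C announces itself
    Frame(2, "20-53-52-43-00-02", "10.0.0.3", "20-53-52-43-00-02"),  # B claims C's IP (section 1)
    Frame(2, "20-53-52-43-00-03"),                                   # C's MAC from B's port (section 3)
    *[Frame(2, f"02-00-00-00-00-{i:02x}") for i in range(5)],        # bogus MACs on port 2 (section 2)
]


def run(frames=SAMPLE_FRAMES, max_macs_per_port: int = MAX_MACS_PER_PORT):
    """Feed frames through a fresh monitor and return the alerts raised."""
    monitor = SwitchMonitor(max_macs_per_port)
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The monitor keeps the first binding it learns for each IP as the trusted one, the same idea as a static entry in dynamic ARP inspection; in a real deployment the trusted bindings would come from DHCP snooping or a static table rather than from the first frame seen. The mac_flood alert fires once per port, which is the point at which a switch with port security would shut the port or stop learning.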