ettercap官方文档+笔记
==============================================================================
==============================================================================
@@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@ @@@@@@@
@@ @@@ @@@ @@ @@ @@ @@ @@ @@ @@ @@
@@@@@@ @@@ @@@ @@@@@@ @@@@@@ @@ @@@@@@@ @@@@@@
@@ @@@ @@@ @@ @@ @@ @@ @@ @@ @@
@@@@@@@ @@@ @@@ @@@@@@@ @@ @@@ @@@@@@@ @@ @@ @@
A suite for man in the middle attacks
Copyright 2001-2015 The Ettercap Dev Team
==============================================================================
==============================================================================
Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and
you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
out aynawy.
... so please excuse us for every typo in the documentation, man pages or
code, btw fixes and patches are welcome.
==============================================================================
==============================================================================
R E Q U I R E D P R O G R A M S
==============================================================================
C compiler
flex (or other lex-compatible parser generator) for *.l files
bison (or other yacc-compatible parser generator) for *.y files
cmake (build tool)
==============================================================================
R E Q U I R E D L I B R A R I E S
==============================================================================
MANDATORY:
- libpcap >= 0.8.1
- libnet >= 1.1.2.1
- openssl >= 0.9.7
- libpthread
- zlib
- CMake 2.8
- Curl >= 7.26.0 to build SSLStrip plugin
If you don't want to enable SSLStrip plugin you have to disable it. (more information about disabling a plugin in the README.GIT file)
OPTIONAL:
To avoid use of our internal strlcat and strlcpy implementation:
- libbsd
To enable PDF documentation generation (enable via ENABLE_PDF_DOCS=On):
- ghostscript (ps2pdf)
- groff
To enable plugins:
- libltdl (part of libtool)
To have perl regexp in the filters:
- libpcre
For the cursed GUI:
- ncurses >= 5.3
For the GTK+ GUI:
- Glib >= 2.2.2
- Gtk+ >= 2.2.2 or Gtk+3
- Atk >= 1.2.4
- Pango >= 1.2.3
If you are running on debian, or any debian based distro you can install the required dependencies by running:
apt-get install debhelper bison check cmake flex ghostscript libbsd-dev libcurl4-openssl-dev libgtk2.0-dev \
libltdl-dev libluajit-5.1-dev libncurses5-dev libnet1-dev libpcap-dev libpcre3-dev libssl-dev libgtk-3-dev
============================================================================
LICENSE
============================================================================
see LICENSE file for details...
============================================================================
AUTHORS
============================================================================
Alberto Ornaghi (ALoR) <[email protected]>
Marco Valleri (NaGA) <[email protected]>
Emilio Escobar (exfil) <[email protected]>
Eric Milam (J0hnnyBrav0) <[email protected]>
Gianfranco Costamagna (LocutusOfBorg) <[email protected]>
============================================================================
INSTALLATION
============================================================================
The easiest way to compile ettercap is in the form:
mkdir build
cd build
cmake ..
(Use ccmake . to change options such as disabling IPv6 support, add
plugins support, etc).
make install
read INSTALL for further details... and README.PLATFORMS for any issue
regarding your operating system.
============================================================================
HOW TO USE IT
============================================================================
You can choose between 3 User Interfaces: Text mode, Curses, GTK.
Please read the man pages ettercap(8) and ettercap_curses(8) to learn how
to use ettercap.
============================================================================
TECHNICAL PAPER
有些网络教程可能都过时了!!!
It supports active and passive dissection of many protocols (even ciphered ones)
THE HOST LIST
Sending one ARP REQUEST for each ip in the lan (looking at the current ip
and netmask), it is possible to get the ARP REPLIES and then make the
list of the hosts that are responding on the lan. With this method even
windows hosts, reply to the call-for-reply (they don't reply on
broadcast-ping).电脑主机对arp包会回复,对广播的ping(是啥?)不回复,因此arp ping的方法是最简单也是最有效的探测主机是否alive的方法)
Be very careful if the netmask is a class B (255.255.0.0) because ettercap
will send 255*255 = 65025 arp requests (the default delay between two
requests is 1 millisecond, can be configured in etter.conf)默认对整个网络所有主机进行嗅探,因此如果嗅探的是B类地址的网络,要发送65025个arp包,要想加快速度可以调节etter.conf参数
不是发给攻击者的数据包自动由第三层的路由转发,因此是工作在第三层
网桥是链路层的设备,作为网关的路由是第三层设备
禁止网关转发ip包。。。肯定是入侵行为。
禁止了内核转发ip包,因此网关无法执行自身的转发功能。而且UNIFIED SNIFFING模式只监听一个端口,因此从ettercap没有监听的端口收到的数据包不会被ettercap转发,也不会被内核转发。但是用在电脑上,因为不用进行转发,因此ettercap没监听的端口仍能正常工作。
内核使用unoffensive mode(参数-u)会将ip转发的职责留给了内核。
UNIFIED SNIFFING
Ettercap NG uses the unified sniffing method which is the base for all the
attacks. The kernel ip forwarding is always disabled and this task is
accomplished by ettercap itself. (ip转发功能不是靠修改系统的配置来实现的,而是靠ettercap自己来转发)Packet that needs to be forwarded are packets
with destination mac address equal to the attacker's one, but with different ip
address. Those packets are re-sent back to the wire to the real destination.
This way, you can plug in various mitm attacks at a time.(使用系统的ip转发功能不能实现多个mitm吗?话说系统的ip转发到底是怎么工作的。。。) You can even use
external attacker/poisoner, they only have to redirect packets to ettercap's
host and the game is over ;)可以只需arpspoof将双方欺骗,不用开启系统的ip转发功能,而由ettercap来转发!
It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packet.可以使用其他实现MIMT的软件,再由ettercap来转发
BRIDGED SNIFFING
Uses two network interfaces and forwards the traffic between them while performing
sniffing and content filtrating( 内容过滤). This sniffing method is very stealthy as there
is no way to to detect that someone is in the middle. You can look at this as a layer
one attack. Don't use it on gateways (网关)or it will transform your gateway into a bridge(网桥).路由无法转发ip报文,只能转发链路层的报文,因此变成了网桥。
HINT: You can use the content filtering engine to drop packets that should not pass.
This way ettercap will work as an inline IPS ;)IPS是入侵防御系统,是新一代的侵入检测系统(IDS)
Sniff为监听端口抓获数据包的过程。Filter是对抓获的数据包处理。
ARP POISONING ATTACK
When you select this method, ettercap will poison the arp cache of the
two hosts, identifying itself as the other host respectively (see the
next section for this).
Once the arp caches are poisoned, the two hosts start the connection, but
their packets will be sent to us, and we will record them and, next,
forward them to the right side of the connection. So the connection is
transparent to the victims, not arguing that they are sniffed. The only
method to discover that there is a man-in-the-middle in your connection, is
to watch at the arp cache and check if there are two hosts with the same
mac address!
That is how we discover if there are others poisoning the arp cache
in our LAN, thus being warned, that our traffic is under control! =)
HOST 1 - - - - - - - - - - - - - - - - - - - -> HOST 2
(poisoned) (poisoned)
| ^
| |
------------> ATTACKER HOST ------------------
( ettercap )
Legenda:
- - - -> the logic connection
-------> the real one
The arp protocol has an intrinsic(固有的,内在的,本质的) insecurity. In order to reduce the
traffic on the cable, it will insert an entry in the arp cache even if it
wasn't requested. In other words, EVERY arp reply that goes on the wire
will be inserted in the arp table.
So, we take advantage of this "feature", sending fake arp replies to the two
hosts we will sniff. In this reply we will tell that the mac address of the
second host is the one hard-coded on OUR ethernet card. This host will now
send packets that should go to the first host, to us, because he carries
our mac address.
The same process is done for the first host, in inverse manner, so we have
a perfect man-in-the-middle connection between the two hosts, legally
receiving their packets!!
Example:
HOST 1: mac: 01:01:01:01:01:01 ATTACKER HOST:
ip: 192.168.0.1 mac: 03:03:03:03:03:03
ip: 192.168.0.3
HOST 2: mac: 02:02:02:02:02:02
ip: 192.168.0.2
we send arp replys to:
HOST 1 telling that 192.168.0.2 is on 03:03:03:03:03:03
HOST 2 telling that 192.168.0.1 is on 03:03:03:03:03:03
now they are poisoned !! they will send their packets to us !
then if receive packets from:
HOST 1 we will forward to 02:02:02:02:02:02
HOST 2 we will forward to 01:01:01:01:01:01
simple, isn't it ?
*** LINUX KERNEL 2.4.x ISSUE ***
In the latest release of the linux kernel we can find in :
/usr/src/linux/net/ipv4/arp.c
/* Unsolicited(未被恳求的,主动提供的) ARP is not accepted by default.
It is possible, that this option should be enabled for some
devices (strip is candidate)
*/
最新版2.4.x的linux内核不会接受未经请求而得到的arp包,因此简单地直接发送数据包很有可能失败
these kernels use a special neighbor system to prevent unsolicited arp
replies (what ettercap sends to the victim).
Good gracious(好家伙), is ettercap unusable with that kernel ? the answer is NO !
let's view why... in the same source code we find:
/*
* Process entry. The idea here is we want to send a reply if it is a
* request for us or if it is a request for someone else that we hold
* a proxy for. We want to add an entry to our cache if it is a reply
* to us or if it is a request for our address.
* (The assumption for this last is that if someone is requesting our
* address, they are probably intending to talk to us, so it saves time
* if we cache their address. Their address is also probably not in
* our cache, since ours is not in their cache.)
*
* Putting this another way, we only care about replies if they are to
* us, in which case we add them to the cache. For requests, we care
* about those for us and those for our proxies. We reply to both,
* and in the case of requests for us we add the requester to the arp
* cache.
*/
so, if the kernel receives a REQUEST it will cache the host...(如果这个最新的内核接受的不是回复而是请求,
what does that mean ? if ettercap sends spoofed REQUESTS instead of
REPLIES the kernel will cache them ? the answer is YES !!
ettercap 0.6.0 and later has this new ARP REQUEST POISONING method.(牛批)
it will alternate request and replies on poisoning because other OS doesn't
have this "feature"...
*** SOLARIS ISSUE ***
(Solaris是Sun Microsystems研发的计算机操作系统,它被认为是UNIX操作系统的衍生版本之一。)
Solaris will not cache a reply if it isn't already in the cache.
The trick is simple, before poisoning, ettercap sends a spoofed ICMP
ECHO_REQUEST to the host, it has to reply on it and it will make an arp
entry for the spoofed host. Then we can begin to poison as always, the
entry is now in the cache...(发送ICMP echo request报文,则目的主机必须发送ICMP echo reply报文回来,因此必须将ICMP echo request中的mac-ip对加入到cache中,从而添加成功,接下来和正常的欺骗一样。看来arp欺骗还是有很多特例哒。。。)
ICMP REDIRECTION
This attack implements ICMP redirection. It sends a spoofed icmp redirect
message to the hosts in the lan pretending to be a best route for internet.
All connections to internet will be redirected to the attacker which, in turn,
will forward them to the real gateway. The resulting attack is an HALF-DUPLEX
mitm. Only the client is redirected, since the gateway will not accept redirect
messages for a directly connected network.
本来ICMP重定向报文是有路由器发送的,让主机知道下次应将报文发送给另外更好的路由器的,因此发送伪装的ICMP报文,可以实现将局域网内的主机把攻击者当成网关,貌似比arp更好?不用持续发送假的arp报文。当然路由器是不会接受ICMP重定向报文的。
DHCP SPOOFING(DHCP伪装)
This attack implements DHCP spoofing. It pretends to be a DHCP server and try
to win the race condition with the real one to force the client to accept
replies from it. This way the attacker is able to manipulate the GW(gateway) parameter and
hijack all the outgoing traffic generated by the clients.(用DHCP报文来伪装成网关,从而劫持数据)
The resulting attack is an HALF-DUPLEX mitm.
(半双工中间人攻击?)
半双工通信是指数据可以沿两个方向传送,但同一时刻一个信道只允许单方向传送,因此又被称为双向交替通信。若要改变传输方向,需由开关进行切换。
PORT STEALING
This technique is useful to sniff in a switched environment(使用交换机的网络) when ARP poisoning
is not effective (for example where static mapped ARPs are used).
It floods the LAN with ARP packets. The destination MAC address of each
"stealing" packet is the same as the attacker's one (other NICs(网卡,即非攻击者主机) won't see these packets), the source MAC address will be one of the MACs of the victims.
This process "steals" the switch's port of each victim. 因为交换机维持一个CAM表,里面是端口号是当前网络MAC地址的映射,根据交换机自学习的过程,攻击者发送这些ARP包给交换机,交换机发现这些包的目的地址是攻击者会发回给攻击者,因此不会发给受害者,而这些包的源地址是受害者,因此交换机会把攻击者当前使用的端口跟源地址配对记录到CAM表中,因此使得受害者的端口不会再接收到任何发给它的数据包!(广播包除外)
Using low delays, packets destined to "stolen" MAC addresses will be received
by the attacker, winning the race condition with the real port owner.
When the attacker receives packets for "stolen" hosts(收到应该发给受害者的数据报,说明窃取交换机端口成功), it stops the flooding process and performs an ARP request for the real destination of the packet. (发送ARP请求,这个是广播包,因此会发给受害者,受害者收到后会告诉攻击者它的mac地址,同时因为停止了flood,受害者发送了新的报文,交换机更新了CAM,受害者夺回了端口,因此当攻击者得到ARP回复时说明它夺回了端口,这样,攻击者可以把夺取时劫持的数据包通过交换机发回给受害者,完成一轮的攻击)
When it receives the ARP reply it's sure that the victim has "taken back" his
port, so ettercap can re-send the packet to the destination as is.
Now we can re-start the flooding process waiting for new packets.
交换机的CAM表不是经常要更新嘛。。。这样真的好嘛
CHARACTERS INJECTION
We have stated that the packets are for us...
And the packets will not be received by destination until we forward them.
But what happens if we change them?
Yes, they reach destination with our modifications.
We can modify, add, delete the content of these packets, by simply
recalculating the checksum and substituting them on the traffic.
But we can do also more: we can insert packets in the connection.
We forge(锻造) our packets with the right sequence and acknowledgement number and
send them to the desired host. When the next packets will pass through us
we simply subtract or add the sequence number with the amount of data we
have injected till the connection is alive, preventing the connection to be
rejected (this until we close ettercap, who maintains sequence numbers
correct, after program exit, the connection must be RESET or all future
traffic would be rejected, blocking the source workstation network).
关闭ettercap之后,数据包的***跟确认号不再维持,发生错误,直接导致连接中断
NOTE: Injector supports escape sequences. you can make multi-line injection(使用转义序列\n来实现多行的插入)
eg: "this on line one \n this on line two \n and so on..."
eg: "this in hex mode: \x65\x6c\x6c\x65"
eg: "this in oct mode: \101\108\108\101"
NOTE: remember to terminate your injection with \r\n if you want to inject
command to the server.(插入命令!?可以执行?牛批)
SSH1 MAN-IN-THE-MIDDLE
When the connection starts (remember that we are the master-of-packets, all
packets go through ettercap) we substitute the server public key with one
generated on the fly and save it in a list so we can remember that this
server has been poisoned before.
Then the client send the packet containing the session key ciphered with
our key, so we are able to decipher it and sniff the real 3DES session key.
Now we encrypt the packet with the correct server public key and forward it
to the SSH daemon(守护程序)
The connection is established normally, but we have the session key !!
Now we can decrypt all the traffic and sit down watching the stream !
The connection will remain active even if we exit from ettercap, because
ettercap doesn't proxy it (like dsniff).(ettercap不是代理服务器,只是拦截并转发,退出之后受害者的数据包照样发给服务器) After the exchange of the keys,
ettercap is only a spectator... ;)旁观者
PACKET FILTERING
Like character injection, we can modify the packets payload and replace
the right sequence and acknowledgement number if needed.
With the integrated filtering engine you can program your own filters
to make the best filter for your aims.
A scripting languages is used to make filters source that must be compiled
with etterfilter(8) in order to be used by ettercap.
https://linux.die.net/man/8/etterfilter
用时再学。。。
PASSIVE SCANNING OF THE LAN
This feature is very useful if you want to know the topology of the lan but
you don't want to send any packet on it. In this way the scan is done entirely
by sniffing packets and extracting useful information from them.
This scan will let you know the hosts in the lan (it watches ARP request),
(同arp ping原理相同,只是被动地嗅探而已)
The Operating System of the hosts (it uses passive os fingerprint... see next
section), the open ports of an host (looking the SYN+ACK packet), the gateway,
the routers or hosts acting as a router (it watches ICMP messages).(有一些报文是专门由路由器发送的,比如说时间超过,改变路由等)
As a passive method it is useless on a switched lan (because it can make a
topology only of the host that are connecting to you), but if you put it on a
gateway and let it run for hours or days, it will make a complete report of
the hosts in the lan.
下面是详细的介绍:
PASSIVE OS FINGERPRINT
注意:虽然被动扫描中收到来自于局域网内的数据包是arp request,但是还是有其他数据包的,如下,使用wireshark捕获一些数据包
还会有MDNS、IGMP、SSDP等报文发现,这些报文下层会有IP、UDP、TCP等数据层!
The main idea is to analyze the passive information coming from a host
when it makes or receives connections with other hosts. This information
is enough to detect the OS and the running services of the host.
In this scenario, we look at SYN and SYN+ACK packet and collect some
interesting info from them:
Window Size: the TCP header field
MSS: the TCP option Maximum Segment Size (can be present or not)
TTL: the IP header field Time To Live (rounded to the next power of 2)
Window Scale: the TCP option indicating the Scale
SACK: the TCP option for the Selective ACK
NOP: if the TCP options contain a NOP
DF: the IP header field Don't Fragment
TIMESTAMP: if the TCP timestamp option is enabled
and obviously the type of the packet (SYN or SYN+ACK)
The database contains different fingerprints for each type of packet
because some OSes have different fingerprints from SYN to SYN+ACK.
Obviously the SYN fingerprint is more reliable, because the SYN+ACK is
influenced by the SYN (if a SYN doesn't contain a SACK the SYN+ACK will not
have the SACK option even if the host support it). So while collecting
information off the lan, if we receive a SYN+ACK we mark the OS of that
host as temporary and when we receive a SYN we confirm that.
Fingerprints ending with an ":A" are less reliable... this is
because some OS identification may change during the gathering process.
The SYN+ACK packets are also used to discover the open ports of a host.
(see next section)
The interesting thing is that firewalls, gateways and NAT are transparent to
passive OS detection. (即可以透过firewall、gateways、NAT传播的数据报都有可能传到本机被嗅探到)So collecting info for the LAN will let you know info
even for remote hosts. Only proxies aren't transparent because they make a
new connection to the target.
Our fingerprint database has to be enlarged, so if you find a host with an
unknown fingerprint and you know for sure the OS of that host, please mail
us <[email protected]> the fingerprint and the OS, we will insert
in the database.
OPEN PORTS
Open ports are identified by looking for SYN+ACK packets.
If a SYN+ACK comes from a port, it is for sure open, except for the
channel command of FTP protocol, for that reason SYN+ACK going to port 20
are not used to indicate a open port.
For the udp ports the question is a little bit difficult because no SYN or
ACK packet are present in the udp protocol, so ettercap assumes that a udp
port < 1024 that sends packets is opened. We know that in this way we cannot
discover open ports > 1024 but they can go undetected as open when a client
sends packet to a server.
GATEWAY AND ROUTERS
The gateway is simply recognized looking at IP packet with a non local ip(应该是非本网ip,使用netmask可以得到网络地址再比较
( checking the netmask ). If a non local IP is found, ettercap look at the
ethernet address (MAC) and store it as the gateway mac address, then it
search for it in the list and mark the corresponding ip as the gateway.
攻击者正常访问互联网,由服务器端发来的数据包经过本地路由器转发时,mac地址变成了路由器的mac地址,因此可以可以得到路由器的mac地址,再用本机的arp就可以得到路由器的ip地址了)
Looking in the ICMP messages we can rely that if a host sends a
TTL-exceeded or a redirect messages it is a router or an host acting as it.
==============================================================================
vim:ts=3:expandtab
参数使用
连接是双向的
ettercap -R /10.0.0.1/
初始扫描的范围是两个target之间的ip?
使用//即为任何mac、任何ip、任何port,但不能不写,不写就是没有target!
这个文档是0.7.5版本的,现在用的是0.8.3
使用方法稍微改了
必须严格按照Mac/Ips/Ipv6/Ports,因为一般都会同时拥有Ipv4与Ipv6地址
不然会报错
还有必须设置用户界面的参数,
T下面的q跟s表示可以跟T结合,如使用-Tq、-Ts、-Tqs
一开始会发送arp request来扫描得到hosts list,之后开始嗅探相应端口的数据包
默认开启Unified Sniffing mode,可以改成Bridge Mode(所有的功能都是基于嗅探的,必须开启其中一个)
The root privs(privileges)根特权
暂时不懂,跟系统底层有关