A man-in-the-middle attack involves an attacker located between two communicating parties. The attacker intercepts, relays, and possibly alters the communication, while the two parties believe they are directly communicating with each other.

Let's say we've got five hosts plugged into a switch; A, B, C, D, and E, as well as their default gateway, the left interface of R1. Take note of the labeled IP addresses and simplified MAC addresses. When Host A has remote traffic to send, it knows the traffic goes through the default gateway, so it has to send a broadcast ARP request looking for the MAC address of the gateway. In its unicast ARP reply, the gateway sends its MAC address to Host A, who caches it, and then uses it in subsequent frames as the destination MAC address for remote traffic. You'd imagine that a gateway's MAC address will have a constant presence in a host's ARP cache, since most traffic sent is for devices on different networks, including corporate servers located on different subnets. So, let's say at this point, Host A's ARP cache knows that the MAC address of its default gateway, 10.0.0.99, is ABC.

We're now going to discuss an attack known as ARP spoofing, or ARP cache poisoning. Enter the man-in-the-middle hacker, represented by Host C.

Host C sends out an ARP, which can either be a request or a reply, saying the MAC address of 10.0.0.99 is CCC. Host A looks at this ARP and says, "Hmm, it was ABC. I guess they put a new NIC in that device. I'll update my ARP cache accordingly." Host A now overwrites the correct MAC address it has on file for its default gateway with the MAC address of the hacker's machine.

Shortly thereafter, the guy sitting in front of Host A wants to do some online banking, and goes to www.citibank.com. Host A gets the IP address of the Citibank web server from its local DNS server, and puts that IP address as the destination IP address in the outgoing IP header. After determining that the destination is not on the same network, Host A realizes that it needs the MAC address of its gateway, 10.0.0.99. Lo and behold, there is an entry in Host A's ARP cache for the gateway's MAC address, and Host A uses this for the destination MAC address field in the outgoing Ethernet frame, which encapsulates the outgoing IP packet. However, instead of the switch sending the traffic to the gateway, the switch now sends the traffic to Host C, because Host C is connected to the interface associated with the destination MAC address in the switch's SAT, source address table.

The hacker will be using a program like Cain and Abel, Ettercap, or arpspoof to continue this attack. Host C will now strip the IP packet out of the Ethernet frame, and change the source IP address to its own IP address. Now, Host C will reframe the packet. The new source MAC address is that of Host C, and the new destination MAC address is the real gateway MAC address. The normal IP routing process gets the packet to the Citibank web server. Let's say that this piece of traffic is the first step of the TCP three-way handshake. Inside the IP packet is a TCP header with the SYN flag turned on. Naturally, the web server will now do step two of the TCP three-way handshake and send a SYN-ACK back to the source of this traffic, which is Host C.

Host C gets the SYN-ACK, and through the program that's running to perform this attack, changes the destination IP address in the packet to that of Host A. That packet is reframed with a new source MAC address of Host C and a destination MAC address of Host A.

Let's take a step back to analyze what's going on before going further. Host A thinks that Host C is the default gateway. The Citibank web server thinks that Host C is Host A.

After getting the SYN-ACK from the Citibank web server, Host A sends the final part of the TCP three-way handshake, the ACK. Once again, Host A uses the destination IP address of the web server, but the destination MAC address of Host C, who once again changes the source IP address and reframes the packet with a source MAC address of Host C and a destination MAC address of the default gateway. Through normal IP routing, the web server gets the ACK. In the same fashion, Host A's HTTP GET request, a message to the web server saying, "Give me the webpage," gets sent to the web server via the man in the middle.
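The poisoning step above is detectable from the wire: the sender fields of an ARP message claim that 10.0.0.99 has moved from ABC to CCC. The following arpwatch-style monitor is an added example, not code from the transcript or from any of the tools it names; the full MAC addresses, Host A's IP address, and the frames it feeds itself are constructed for the demonstration.

```python
"""Added example: flag ARP messages that re-bind a pinned IP (the gateway) to a new MAC."""
from __future__ import annotations
import struct

ETH_ARP = b"\x08\x06"  # EtherType for ARP

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying one ARP message (op 1 = request, 2 = reply)."""
    dst = mac_bytes("ff:ff:ff:ff:ff:ff") if op == 1 else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + ETH_ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

def parse_arp(frame: bytes):
    """Return (op, sender_ip, sender_mac) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ".".join(str(b) for b in frame[28:32]), frame[22:28].hex(":")

class ArpMonitor:
    """Remembers IP->MAC bindings seen on the wire and alerts when one changes."""
    def __init__(self, trusted: dict[str, str]):
        self.bindings = dict(trusted)  # pinned bindings, e.g. the default gateway

    def observe(self, frame: bytes) -> str | None:
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, ip, mac = parsed
        # Many stacks update their cache from requests as well as replies, so the
        # sender fields of every ARP message are checked, whatever the opcode.
        known = self.bindings.setdefault(ip, mac)
        return None if known == mac else f"ALERT: {ip} claimed by {mac} (op {op}); expected {known}"

# Constructed values: 10.0.0.99 is the gateway from the text; MACs/Host A IP are made up.
GATEWAY_IP, GATEWAY_MAC, HOST_C_MAC = "10.0.0.99", "02:00:00:00:0a:bc", "02:00:00:00:0c:cc"
HOST_A_IP, HOST_A_MAC = "10.0.0.1", "02:00:00:00:0a:aa"

def demo() -> list[str]:
    mon = ArpMonitor({GATEWAY_IP: GATEWAY_MAC})
    frames = [build_arp(2, GATEWAY_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP),      # legitimate reply
              build_arp(2, HOST_C_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP),       # poisoned reply
              build_arp(1, HOST_C_MAC, GATEWAY_IP, "00:00:00:00:00:00", HOST_A_IP)]  # poisoned request
    return [alert for alert in map(mon.observe, frames) if alert]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Pinning the gateway binding (a static ARP entry on hosts, or Dynamic ARP Inspection on the switch) is the corresponding mitigation; the monitor only tells you the cache would have been overwritten.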
Reposted from: https://www.cnblogs.com/sec875/articles/10049535.html