Shulou(Shulou.com)06/01 Report--

Foreword:

Whether it is arp spoofing or mac flooding, the purpose is similar, all for the purpose of stealing information.

Arp spoofing and mac flooding actually take advantage of arp's shortcomings.

The use of arp spoofing can make the two sides of the communication communicate normally, but all the data are deceived to take a copy, and there is no feeling between the two sides of the communication.

Using mac address flooding, the space of the mac address table of the switch can be "broken", forcing the switch to carry out arp broadcasting to replace the mac address of the deceived, so that all the data flow to the deceiver, and then the deceived will be offline.

The defect of the second layer:

Lack of authentication, do not know whether the source address is legal

With radio, anyone can intercept

Have to deal with, this is a hard wound!

Layer 2 security is a deficiency of the whole tcp/ip protocol set.

Flooding steps:

Mac address spoofing makes use of the characteristics that the interface of the switch learns the mac address table from the source message and continuously writes it into the mac table. It sends a large number of broadcast messages with different source mac addresses through macof, so that the space of the mac table is exhausted. When the normal message is exhausted, the switch broadcasts when the normal message is used up. Because the mac table does not have a corresponding mac address? If all these mac existed before, where did the mac go? The answer is that the new mac address table has been "squeezed out". The mac address table is currently full of useless and junk mac address entries, so after the new normal communication message arrives at the switch, it is found that the mac address table does not have a corresponding mac address to the destination mac address, so the switch is flooded. The content of the flooding is "who is so-and-so? give me your mac." Xxx, which has been waiting for a long time, has opened the packet grabbing software as soon as it sees that there is a target to reply to its own mac address. If the target is the target that xxx wants, xxx will change its mac address to be the same as the mac of the target host, and constantly deceive the switch that I am the target host. In this case, all messages to the target host are sent to xxx.

Therefore, mac address flooding should be divided into three steps:

Step 1: flood the mac table of the switch so that the switch has to flood during legitimate communication

Step 2: open the package crawling tool to grab the legitimate computer reply to its own mac address

Step 3: change your mac address into the crawled mac address

Flooding tools for mac addresses:

Macof-I eth0 # sends broadcast messages to the switch with different source addresses.

What happened to the exchange opportunity? Catton will be run at one o'clock, and broadcast will be sent if a legitimate user requests to forward data, so it falls right into the trap of × ×, and if the situation is serious, it will crash directly. Generally speaking, the purpose of using mac flooding is to intercept data. Generally, we will not broadcast the switchboard all the time. If we find that the switch is running very stuttered, we will use the following command:

Show mac-address-table count counts how many records are recorded in the mac address table and how much space is available, as shown below:

If this occurs, dial all the lines connected to the pc, and then use the following command to clear the dynamically learned address:

Clear mac-address-tables dynamic

After flooding × × ×, after intercepting the mac address of the target host, it will give up the mac address of its own host, generate a mac address of the target host again, and then keep sending broadcasts saying that the mac address originally recorded by the switch is not on the corresponding port of the × × host, but at this time × × tells the switch that it is the target host, and the switch does not have the ability to judge who is true by default? Who's fake? Naively think that the latest is correct, so it is what you say. In the future, as long as it is a message to the target host, it will be given to × ×, and the real mac address owner will not receive the message.

If × × cheats, it will cheat all the time to ensure that the switch always thinks that × × is the target host. If the target host is downloading or uploading something, the mac of the target host will always change back and forth after × × and the real target host, whether it is × × or the real target host may not be so complete.

To cheat × × × on the basis of flooding × × ×, first change the switch into hub, then capture all the data packets, finally obtain the mac address of the target host according to the contents of the captured data packet, and then change your mac address to the same address of the target MAC, so that the mac table of the switch will be updated and all the data to the target host will come to me.

Add an mac address and use:

Macchanger-mac=00:00:00:00:00:00 eth0

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.