An lysis n D ense of ARP Virus Atta k Te hnology[Win11 Solutions]
27 2021-08-23 03:20
1. Analysis of the principle of ARP Spoofing attack
In the local area network, the ARP protocol how to retrieve files and folders from hard drive is used to complete the conversion of the IP address to the second layer physical address (ie, the how to retrieve files and photos from hard drive MAC address).ARP protocol is of great significance to network security.Realize ARP spoofing ,y forging how to retrieve files from a bad hard drive IP address and MAC address, which can generate a large amount of ARP traffic in the network to ,lock how to retrieve files from a broken usb drive the network or realize "man in the middle" for ARP redirection and sniffing attacks.
Use forged how to retrieve files from a broken usb stick source MAC address to send ARP response packet, attack on ARP cache mechanism.
Each host uses an how to retrieve files from a dead hard drive ARP cache to store the mapping record between the latest IP address and the MAC hardware address.The how to retrieve files from a failed hard drive survival time of each record (entry) in the MS Windows cache is generally 60 seconds, and the starting how to retrieve files from a hard disk drive time is counted from when it was created.
By default, ARP reads IP-MAC entries from the cache, how to retrieve files from a mac hard drive and the IP-MAC entries in the cache change dynamically according to the ARP response packet.Therefore, how to retrieve files from an old hard drive as long as there is an ARP response packet sent to the machine on the network, the IP-MAC entry how to retrieve files from broken external hard drive in the ARP cache will be updated.
The attacker can change the IP-MAC entry in the ARP cache of the how to retrieve files from broken laptop hard drive target host by continuously sending out fake ARP response packets, causing network interruption or how to retrieve files from corrupted external hard disk man-in-the-middle attack.
The ARP protocol does not only receive ARP responses after sending ARP how to retrieve files from corrupted external hard drive requests.When the computer receives the ARP response packet, it will update the local ARP cache and how to retrieve files from corrupted internal hard drive store the IP and MAC addresses in the response in the ARP cache.Therefore, B sends a forged ARP response how to retrieve files from corrupted laptop hard drive to A, and the data in this response is that the sender's IP address is 19,.,.10.3 (C's IP address), how to retrieve files from corrupted usb flash drive the MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should have been CC-CC-CC-CC-CC-CC, it was how to retrieve files from crashed external hard drive forged here).When A receives B's forged ARP response, it will update the local ARP cache (A doesn't how to retrieve files from dead external hard drive know that it has been forged).
When the attack source sends a large number of false ARP information how to retrieve files from dead goflex hard drive to the LAN, it will cause the breakdown of the ARP cache of the machines in the LAN.
A dynamic how to retrieve files from dead usb flash drive MAC cache is also maintained on the Switch. This is generally the case. First, there is a corresponding how to retrieve files from external hard drive mac list inside the switch, and the port of the switch corresponds to the MAC address table Port n how to retrieve files from formatted external hard drive <-> Mac records the MAC addresses under each port. This table is empty at first, and the switch learns how to retrieve files from hard drive using cmd from data frames.Because the MAC-PORT cache table is dynamically updated, the port table of the how to retrieve files from my external hard drive entire Switch is changed. The Flood that spoofs the MAC address of the Switch continuously sends a large how to retrieve files from old laptop hard drive number of packets with fake MAC addresses. The Switch will update the MAC-PORT cache. In this way, how to retrieve files from samsung tablet hard drive the previous normal MAC and Port correspondence relationship is destroyed, then the Switch will how to retrieve files from seagate external hard drive flood and send to each port, making the Switch basically a HUB, sending data packets to all ports, and how to retrieve files from toshiba external hard drive sniffing The purpose of the attack can also be achieved.It will also cause the collapse of the Switch how to retrieve files from usb that is broken MAC-PORT cache, as shown in the following log in the switch:
2. ARP virus analysis
When a how to retrieve files from wd external hard drive host in the LAN runs a Trojan horse program for ARP spoofing, it will deceive all hosts and routers in how to retrieve files from windows 10 hard drive the LAN, so that all Internet traffic must pass through the virus host.Other users used to access how to retrieve files off a damaged hard drive the Internet directly through the router and now they are switched to the Internet through the virus how to retrieve files off of bad hard drive host. When switching, the user will be disconnected once.After switching to the virus host to surf how to retrieve files on a dead hard drive the Internet, if the user has logged in to the legend server, the virus host will often fake the false how to retrieve hidden files from external hard disk appearance of disconnection, then the user has to log in to the legend server again, so that the how to retrieve hidden files from external hard drive virus host can steal the account.
Because the ARP spoofing Trojan program will send out a large how to retrieve hidden files from usb pen drive number of data packets when it occurs, causing LAN communication congestion and the limitation of its how to retrieve hidden files in external hard drive own processing capacity, users will feel that the Internet speed is getting slower and slower.When the how to retrieve hidden files in usb using cmd ARP spoofing Trojan program stops running, the user will resume accessing the Internet from the how to retrieve lost files from external hard drive router, and the user will be disconnected again during the switching process.
In the "System History" how to retrieve lost files in usb using cmd of the router, you can see a lot of the following information:
MAC Chged 10.128.103.124
MAC Old how to retrieve lost files on a hard drive 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18
This message represents that the user's MAC address how to retrieve lost files on external hard drive has changed. When the ARP spoofing Trojan starts to run, the MAC addresses of all hosts on the LAN how to retrieve mac files from pc hard drive are updated to the MAC addresses of the virus hosts (that is, the MAC New addresses of all information how to retrieve metadata for files on a usb are consistent with the MAC addresses of the virus hosts. ), at the same time in the router's how to retrieve microsoft cloud files to hard drive "user statistics", you can see that the MAC address information of all users is the same.
If you see how to retrieve missing files from external hard drive that a large number of MAC Old addresses are consistent in the router's ",tem history", it means how to retrieve missing files on external hard drive that ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan program stops running, the host how to retrieve outlook files from a hard drive restores its real MAC address on the router).
BKDR_NPFECT.Measured analysis of ARP spoofing caused how to retrieve shortcut files in usb using cmd by A virus
Part1. Virus phenomenon
The poisoned machine sends a fake APR response packet in how to retrieve unhide files in usb using cmd the local area network for APR spoofing, causing other clients to be unable to obtain the gateway and how to revert a usb from a recovery drive the real MAC address of the network card of other clients, resulting in failure to access the Internet how to run data recovery on a hard drive and normal LAN communication.
Part2. Virus principle analysis:
Components of the virus
The how to run dell usb recovery tool in xp virus sample studied in this article consists of three components:
,.,(108,386 bytes)…. "Virus how to run recovery from usb insydeh20 setup utility component releaser"
,.,(119,808 bytes)…. "A driver that sends ARP spoofing packets"
,., (39,952 how to run windows 7 recovery disc from usb bytes)…"The controller who commands the driver to send ARP spoofing packets"
Basic principles of virus how to run windows 8 1 recovery from usb operation:
1.LOADHW.Two components npf will be released when the ]
[ is executed.sys and how to run windows xp recovery console from usb msitinit.dll .
LOADHW.EXE terminates after releasing the components.
Note: The virus fakes as the how to set up a usb for password recovery driver of winPcap and provides the function of winPcap. If the customer originally installed winPcap,
how to slave a hard drive to recover dat a npf.sys will be overwritten by virus files.
2.Then msitinit.dll will npf.sys is registered (and how to start windows 10 with recovery usb drive monitored) as a kernel-level driver device: "NetGroup Packet Filter Driver"
msitinit.The dll is how to transfer recovery partition to another hard drive also responsible for sending instructions to operate the driver npf.sys (such as sending APR spoofing how to transfer recovery partition to new hard drive packets, capturing packets, filtering packets, etc.)
The following service-related values extracted how to unlock mac hard drive in recovery mode from the virus code:
how to use a recovery drive usb windows 10 ServiceType=SERVICE_KERNEL_DRIVER
DisplayName="NetGroup Packet how to use a recovery usb drive windows 10 Filter Driver"
3. npf.sys is responsible for monitoring msitinit.dll. And LOADHW.EXE is registered how to use a recovery usb for windows 10 as a self-starting program:
%windows%\SYSTEM3 how to use a recovery usb on windows 10 2\LOADHW.EXE
,.,8.,.,.,.,., how to use a usb recovery drive windows 10 .,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.