Using ARP to detect active hosts on an Ethernet    yztgx

Goal: detect whether a target host is active. The traditional way to find out whether a remote host is alive is to send it an ICMP echo request and wait for the echo reply (ping). As awareness of security grows, more and more hosts are placed behind firewalls that drop ICMP packets so that scanners cannot discover them. This article introduces the idea of using the ARP protocol to detect active hosts on the network. An ARP reply is produced by the network stack below the IP layer, so a firewall rule that drops ICMP does not prevent it; the shortcoming of the method is that it can only detect active hosts on the local Ethernet segment, because ARP is not routed.

First, a look at the ARP protocol. ARP is short for "Address Resolution Protocol"; it translates an IP address into a physical address (what is usually called the MAC address). For details see "TCP/IP Illustrated, Volume 1". The ARP packet format is as follows:

------------------------------------------
Ethernet destination address                     (6 bytes)
Ethernet source address                          (6 bytes)
Frame type (ARP = 0806)                          (2 bytes)
------------------------------------------
Hardware type (Ethernet = 01)                    (2 bytes)
Protocol type (IPv4 = 0800)                      (2 bytes)
Hardware address length                          (1 byte)
Protocol address length                          (1 byte)
OP operation (ARP request = 01, ARP reply = 02)  (2 bytes)
Sender Ethernet address                          (6 bytes)
Sender IP address                                (4 bytes)
Destination Ethernet address                     (6 bytes)
Destination IP address                           (4 bytes)
------------------------------------------

We send an ARP request to the target host. If the target host is active, it returns its MAC address; a returned MAC address therefore shows that the host is active, which is exactly what we want to know.

The ARP request packet is filled in as follows:

------------------------------------------
Ethernet destination address | ffffffffffff (broadcast address)
Ethernet source address      | local MAC address
Frame type                   | 0806
------------------------------------------
Hardware type                | 01
Protocol type                | 0800
Hardware address length      | 06
Protocol address length      | 04
OP operation                 | 01
Sender Ethernet address      | local MAC address
Sender IP address            | local IP address
Destination Ethernet address | 000000000000
Destination IP address       | target host IP address
------------------------------------------

ffffffffffff is the broadcast address, so every host on the Ethernet receives this packet. When a host receives it, its operating system checks whether the destination IP address is its own. If not, the packet is discarded (not processed); otherwise the host sends back an ARP reply packet with the following contents:

------------------------------------------
Ethernet destination address | MAC address of the detecting host
Ethernet source address      | local MAC address (here "local" means the detected host)
Frame type                   | 0806
------------------------------------------
Hardware type                | 01
Protocol type                | 0800
Hardware address length      | 06
Protocol address length      | 04
OP operation                 | 02
Sender Ethernet address      | local MAC address (here the detected host)
Sender IP address            | local IP address (here the detected host)
Destination Ethernet address | MAC address of the detecting host
Destination IP address       | IP address of the detecting host
------------------------------------------

We could construct this packet ourselves with pcap (see the pcap documentation for the specifics); here we use SendARP() instead. SendARP() is a function of the Microsoft Platform SDK (IP Helper API, declared in iphlpapi.h; link with iphlpapi.lib) that obtains the MAC address of a target host by sending exactly this ARP request. It returns NO_ERROR (0) when the target answered and the MAC address was stored; any other return value means no ARP reply was obtained. The SendARP function prototype is as follows:

    DWORD SendARP(
        IPAddr DestIP,      // destination IP address (the host to probe)
        IPAddr SrcIP,       // source IP address; 0 lets the system pick the interface
        PULONG pMacAddr,    // receives the MAC address (buffer of at least 2 ULONGs)
        PULONG PhyAddrLen   // in: size of that buffer in bytes; out: MAC length returned
    );

An Ethernet active host detection tool (core of the check):

    IPAddr ipAddr = inet_addr("192.168.1.20");   // target host (sample address)
    ULONG  pulMac[2], ulLen;                      // MAC buffer and its length
    DWORD  hr;
    memset(pulMac, 0xff, sizeof(pulMac));
    ulLen = 6;                                    // tell SendARP how much room we have
    hr = SendARP(ipAddr, 0, pulMac, &ulLen);      // NO_ERROR means the host answered
    printf("Return %08lx, length %8lu\n", hr, ulLen);
    size_t i, j;
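As an added example (not from the original article), the exchange in the two tables above written out byte by byte in portable C: one function builds the detecting host's request, one plays the detected host (answering only when the destination IP is its own, otherwise dropping the frame), and one applies the "a reply came back, so the host is active" rule on the detecting side. The MAC and IP addresses used with it are constructed sample values.

```c
#include <stdint.h>
#include <string.h>

#define ARP_FRAME_LEN 42   /* 14-byte Ethernet header + 28-byte ARP body */

/* Detecting host: write the ARP request from the table above into buf. */
void build_arp_request(uint8_t buf[ARP_FRAME_LEN], const uint8_t my_mac[6],
                       const uint8_t my_ip[4], const uint8_t target_ip[4]) {
    memset(buf, 0xFF, 6);                 /* Ethernet destination: broadcast */
    memcpy(buf + 6, my_mac, 6);           /* Ethernet source: local MAC */
    buf[12] = 0x08; buf[13] = 0x06;       /* frame type: ARP (0806) */
    buf[14] = 0x00; buf[15] = 0x01;       /* hardware type: Ethernet (01) */
    buf[16] = 0x08; buf[17] = 0x00;       /* protocol type: IPv4 (0800) */
    buf[18] = 6;    buf[19] = 4;          /* hardware / protocol address length */
    buf[20] = 0x00; buf[21] = 0x01;       /* OP: ARP request (01) */
    memcpy(buf + 22, my_mac, 6);          /* sender Ethernet address */
    memcpy(buf + 28, my_ip, 4);           /* sender IP address */
    memset(buf + 32, 0x00, 6);            /* target Ethernet address: unknown */
    memcpy(buf + 38, target_ip, 4);       /* target IP address */
}

/* Detected host: answer only ARP requests for host_ip (others are dropped
 * unprocessed, returning 0); the reply goes into out and 1 is returned. */
int answer_arp_request(const uint8_t req[ARP_FRAME_LEN], const uint8_t host_mac[6],
                       const uint8_t host_ip[4], uint8_t out[ARP_FRAME_LEN]) {
    if (req[12] != 0x08 || req[13] != 0x06) return 0;   /* not an ARP frame */
    if (req[20] != 0x00 || req[21] != 0x01) return 0;   /* not a request */
    if (memcmp(req + 38, host_ip, 4) != 0) return 0;    /* not for this host */
    memcpy(out, req, ARP_FRAME_LEN);      /* same type/length fields */
    memcpy(out, req + 6, 6);              /* Ethernet destination: the asker */
    memcpy(out + 6, host_mac, 6);         /* Ethernet source: this host */
    out[21] = 0x02;                       /* OP: ARP reply (02) */
    memcpy(out + 22, host_mac, 6);        /* sender Ethernet address: this host */
    memcpy(out + 28, host_ip, 4);         /* sender IP address: this host */
    memcpy(out + 32, req + 22, 6);        /* target Ethernet address: the asker */
    memcpy(out + 38, req + 28, 4);        /* target IP address: the asker */
    return 1;
}

/* Detecting host: target_ip is active if frame is an ARP reply whose sender
 * IP is target_ip; the answering MAC is copied to mac_out. Returns 1 or 0. */
int is_active_reply(const uint8_t frame[ARP_FRAME_LEN], const uint8_t target_ip[4],
                    uint8_t mac_out[6]) {
    if (frame[12] != 0x08 || frame[13] != 0x06) return 0;   /* not ARP */
    if (frame[20] != 0x00 || frame[21] != 0x02) return 0;   /* not a reply */
    if (memcmp(frame + 28, target_ip, 4) != 0) return 0;    /* other sender IP */
    memcpy(mac_out, frame + 22, 6);
    return 1;
}
```

With a real capture library the same three checks are what the detecting tool would apply to each frame it reads back after sending the broadcast request.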