Use ARP to detect active hosts on Ethernet

Release Date: 2004-04-19

http://www.xfocus.net/articles/200404/688.html

Creation time: 2004-04-13

Article attribute: original

Article submission: yztgx (yztgx_at_163.net)

Use ARP to detect active hosts on Ethernet (original)

Author: yztgx

E-mail: yztgx@163.net

Date: 2004-4-13

There are many articles about ARP on the Internet, most of them about ARP spoofing. This article introduces another use of ARP: detecting whether a target host is active.

The traditional way to detect whether a remote host is alive is to ping it, that is, to probe it with the echo request and echo reply packets of the ICMP protocol. As understanding of and attention to security have grown, many hosts now sit behind firewalls that block ICMP packets so that scanners cannot probe them.

Here we introduce the idea of using the ARP protocol to detect active hosts on the network. The shortcoming of this method is that it can only detect active hosts on the same Ethernet.

Let's first look at the ARP protocol. ARP is the abbreviation of "Address Resolution Protocol"; it converts an IP address into a physical address (the MAC address, as it is usually called). For details, refer to "TCP/IP Illustrated, Volume 1". The format of an ARP packet is as follows:

------------------------------------------
Ethernet destination address (6 bytes)
Ethernet source address (6 bytes)
Frame type (ARP = 0806) (2 bytes)
------------------------------------------
Hardware type (Ethernet = 01) (2 bytes)
Protocol type (IPv4 = 0800) (2 bytes)
Hardware address length (1 byte)
Protocol address length (1 byte)
OP operation code (ARP request = 01, ARP reply = 02) (2 bytes)
Sender Ethernet address (6 bytes)
Sender IP address (4 bytes)
Target Ethernet address (6 bytes)
Target IP address (4 bytes)
--------------------------------------------

We send an ARP request to the target host. If the target host is active, it answers with its MAC address, so receiving a MAC address from the other party tells us that it is active, and the detection is achieved. The ARP request packet is as follows:

------------------------------------------
Ethernet destination address | ffffffffffff (broadcast address)
Ethernet source address | Local MAC address
Frame type | 0806
------------------------------------------
Hardware type | 01
Protocol type | 0800
Hardware address length | 06
Protocol address length | 04
OP operation code | 01
Sender Ethernet address | Local MAC address
Sender IP address | Local IP address
Target Ethernet address | 000000000000
Target IP address | Target host's IP address

--------------------------------------------

Note: the Ethernet destination address here is ffffffffffff, the broadcast address, so every host on the Ethernet receives this packet. On receiving it, the operating system checks whether the target IP address is its own. If it is not, the packet is discarded (not processed); otherwise the host sends back an ARP reply packet with the following contents:

------------------------------------------
Ethernet destination address | Detecting host's MAC address
Ethernet source address | Local MAC address (here, of the detected host)
Frame type | 0806
------------------------------------------
Hardware type | 01
Protocol type | 0800
Hardware address length | 06
Protocol address length | 04
OP operation code | 02
Sender Ethernet address | Local MAC address (here, of the detected host)
Sender IP address | Local IP address (here, of the detected host)
Target Ethernet address | Detecting host's MAC address
Target IP address | Detecting host's IP address
--------------------------------------------

We could construct this packet with PCAP (see the PCAP documentation for the procedure); here we use SendARP() instead. SendARP() is a function in the Microsoft Platform SDK that obtains the MAC address of a target host. Its prototype is as follows:

DWORD SendARP(
    IPAddr DestIP,       // target IP address
    IPAddr SrcIP,        // source IP address
    PULONG pMacAddr,     // pointer to the buffer that receives the MAC address
    PULONG PhyAddrLen    // returns the length of the MAC address
);

The following example is taken from MSDN; with a little change it can become a tool for probing active hosts on an Ethernet.

//
// Link with ws2_32.lib and iphlpapi.lib
//
#include <winsock2.h>
#include <iphlpapi.h>
#include <stdio.h>
#include <string.h>

int __cdecl main()
{
    DWORD hr;           // SendARP returns a DWORD status code
    IPAddr ipAddr;
    ULONG pulMac[2];    // 8-byte buffer, large enough for a 6-byte MAC address
    ULONG ulLen;

    ipAddr = inet_addr("192.168.0.1");
    memset(pulMac, 0xff, sizeof(pulMac));
    ulLen = 6;

    hr = SendARP(ipAddr, 0, pulMac, &ulLen);
    printf("Return %08lx, length %8lu\n", hr, ulLen);
    if (hr != NO_ERROR || ulLen == 0)
        return 1;       // no MAC address returned (for example, no ARP reply)

    size_t i, j;
    char *szMac = new char[ulLen * 3];
    PBYTE pbHexMac = (PBYTE)pulMac;

    //
    // Convert the binary MAC address into human-readable form
    //
    for (i = 0, j = 0; i < ulLen - 1; ++i)
        j += sprintf(szMac + j, "%02x:", pbHexMac[i]);
    sprintf(szMac + j, "%02x", pbHexMac[i]);
    printf("MAC address %s\n", szMac);

    delete[] szMac;
    return 0;
}

This is personal research, so my understanding may not be very comprehensive. If you find a problem, you can e-mail yztgx@163.net to discuss it.
