Teach you how to convert ARP packets

Teach you how to use ARP packets-Linux Enterprise applications-Linux server applications. For more information, see the following. Article 1 teach you how to convert ARP packets
Directory:
I. Basic knowledge about ARP
1. How ARP works
2. ARP packet format
Author:
Csdn vc/MFC Network Programming PiggyXP pai_^

I. Basic knowledge about ARP
1. How ARP works
I didn't want to repeat all the basic knowledge about ARP here, but to maintain the integrity of the article and take care of beginners, I will continue ?? Are you busy? Is it benzene ?? Private token? Br/>
We all know that Ethernet devices, such as NICs, all have their own unique MAC addresses. They transmit Ethernet packets using MAC addresses, but they cannot recognize the IP addresses in our IP packets, therefore, we need a protocol for IP communication over Ethernet to establish the correspondence between the IP address and the MAC address, so that IP packets can be sent to a specific place. This is ARP (Address Resolution Protocol, Address Resolution Protocol ).

In the command line window, enter
Arp? A
Let's take a look at the effect.
210.118.45.100 00-0b-5f-e6-c5-d7 dynamic
It is the correspondence between IP addresses and MAC addresses stored in our computer. dynamic indicates that it is an entry temporarily stored in the ARP cache, after a period of time, it will time out and be deleted (the xp/2003 system is 2 minutes ).

In this way, when our computer needs to communicate with a machine such as 210.118.45.1, it will first check the arp cache to check whether there are corresponding arp entries. If not, it sends an ARP request packet to the Ethernet network and broadcasts it to ask about the corresponding MAC address of 210.118.45.1. Of course, every computer in the network will receive this request packet, but they find that 210.118.45.1 is not their own, then, 210.118.45.1 will reply an ARP response packet to our computer, telling us that its MAC address is xx-xx, therefore, the ARP cache on our computer will be refreshed accordingly. There is one more entry:
210.118.45.1 xx-xx dynamic

Why is there such an ARP cache? If there is no cache, we need to send a broadcast query address for each IP packet. Isn't it a waste of bandwidth and resources?
Moreover, our network devices cannot identify the authenticity of ARP packets. If we send packets in ARP format, the computer will respond accordingly as long as the information is valid.

Imagine if we refresh the list in our ARP cache based on the corresponding content of the ARP response package, isn't it possible for us to play some ARP packet tricks in a network without security protection? In the subsequent articles, I will teach you how to fill in and send ARP packets, but don't worry. Let's continue to learn some basic knowledge. ^_^

2. ARP packet format

Now that we want to make our own ARP package, we must first learn the format of the ARP package.

From the bottom layer of the network, an ARP packet is divided into two parts: the first is the physical frame header, and the other is the ARP frame.
First, the physical frame Header will exist in front of any protocol data packet, which is called the DLC Header because the frame Header is constructed at the data link layer, in addition, the main content is the physical address of the receiving and receiving sides for hardware device identification.
DLC Header
Field Length (Byte) default value remarks
The receiver is ff-ff when MAC6 is broadcast.
Sender MAC6
Ethertype20x08060x0806 is the type value of the ARP frame.
Physical Frame Header Format

It is the format of the Physical Frame header that needs to be filled. We can see that what needs to be filled is the physical address of the sender and receiver. Is it very simple?
Next, let's take a look at the format of ARP frames.
ARP Frame
Field Length (Byte) default value remarks
20x1 Ethernet value of hardware type
Upper-layer protocol type: 20x0800 upper-Layer Protocol: IP protocol
MAC address length: 10x6 Ethernet MAC address length: 6
IP address length: 10x4 IP address length: 4
Operation Code 2 0x1 indicates the ARP request packet, and 0x2 indicates the response packet
Sender MAC6
Sender IP4
Recipient MAC6
Receiver IP4
Fill data 18 because the minimum length of the physical frame is 64 bytes, the previous 42 bytes plus 4 CRC verification bytes, the difference is 18 bytes
ARP frame format

We can see that what we need to fill in is also MAC, IP, plus a 1 or 2 operation code.
3. ARP package Filling
1) Fill in the request package:
For example, the MAC address of our computer is aa-aa, And the IP address is 192.168.0.1.
How can we query the MAC address of 192.168.0.99?

First, fill in the DLC Header. Through the previous learning, we know that if you want to know the MAC address of a computer, broadcast is sent to the whole network, therefore, the receiver MAC fills in our DLC Header, and the bold value is the value we need to manually enter (of course, the program I programmed is intelligent, it will automatically fill in some fields based on the type of ARP packet you selected. When you use it, you will know ^_^ ). It must be ffffffffff. the sender's MAC is of course his own,

DLC Header
Field Length (Byte) filling value
Recipient MAC6ffffffffffff
Sender MAC6aaaaaaaaaaaa
Ethertype20x0806
Content of the DLC Header in the ARP request packet

Next is the ARP frame. The request package's operation code is of course 1, and the sender's MAC and IP address are of course our own. Then pay attention to it, enter the IP address of the receiver to be queried, that is, 192.168.0.99, and enter any value for the MAC address of the receiver ,,

ARP Frame
Field Length (Byte) filling value
Hardware type 21
Upper-layer protocol type 20800
MAC address Length 16
IP address length 14
Operation Code 21
Sender MAC6aaaaaaaaaaaa
Sender IP4192.168.0.1
Any value of MAC6 in the recipient: xxxxxxxxxxxx
Receiver IP4192.168.0.99
Fill data 180
Content of ARP frames in arp request packets

If we construct such a packet and send it out, if 192.168.0.99 exists and is active, we will immediately receive a response packet sent from 192.168.0.99, we can check whether an entry similar to this is added to our ARP cache list:
192.168.0.99 bb-bb
Is it amazing?
Let's take a look at the construction of ARP response packets.

2) Fill in the response package
With the above detailed explanation, you will surely be able to say the filling method of the response package by yourself, so I will not elaborate on it, just list two tables.

For example, send an ARP response packet to 192.168.0.99 (bb-bb for MAC, tell it that our MAC address is aa-aa, so fill in each field.

DLC Header
Field Length (Byte) filling value
Recipient mac6bbbbbbbbbbbbbb
Sender MAC6aaaaaaaaaaaa
Ethertype20x0806
Content of DLC Header in ARP response packet

ARP Frame
Field Length (Byte) filling value
Hardware type 21
Upper-layer protocol type 20800
MAC address Length 16
IP address length 14
Operation Code 22
Sender MAC6aaaaaaaaaaaa
Sender IP4192.168.0.1
Recipient mac6bbbbbbbbbbbbbb
Receiver IP4192.168.0.99
Fill data 180
Content of ARP frames in ARP response packets

In this way, the IP address ing about 192.168.0.1 will be added to the ARP cache of 192.168.0.99.
Now, it's time for programming to implement it. ^_^

Ii. Programming Implementation of ARP packet sending
1. fill data packets
The above tables about the various fields of the ARP packet correspond to the struct in the program, corresponding to the above table, so we need three such struct
// DLC Header
Typedef struct tagDLCHeader
{
Unsigned char DesMAC [6];/* destination HW addrress */
Unsigned char SrcMAC [6];/* source HW addresss */
Unsigned short Ethertype;/* ethernet type */
} DLCHEADER, * PDLCHEADER;
// ARP Frame
Typedef struct tagARPFrame
{
Unsigned short HW_Type;/* hardware address */
Unsigned short Prot_Type;/* protocol address */
Unsigned char HW_Addr_Len;/* length of hardware address */
Unsigned char Prot_Addr_Len;/* length of protocol address */
Unsigned short Opcode;/* ARP/RARP */

Unsigned char Send_HW_Addr [6];/* sender hardware address */
Unsigned long Send_Prot_Addr;/* sender protocol address */
Unsigned char Targ_HW_Addr [6];/* target hardware address */
Unsigned long Targ_Prot_Addr;/* target protocol address */
Unsigned char padding [18];
} ARPFRAME, * PARPFRAME;
// ARP Packet = DLC header + ARP Frame
Typedef struct tagARPPacket
{
DLCHEADER dlcHeader;
ARPFRAME arpFrame;
} ARPPACKET, * PARPPACKET;

These structs must be able to understand. In the program, it is enough to sit on the right signs.
1. fill data packets

In the following example, I first define a function for converting characters, as shown below:

/*************************************** *************************************
* Name & Params ::
* FormatStrToMAC
*(
* Const LPSTR lpHWAddrStr: MAC address string entered by the user
* Unsigned char * HWAddr: The returned MAC address string (assigned to the packet structure)
*)
* Purpose:
* Convert the MAC address character entered by the user into the format required by the data packet structure.
**************************************** ************************************/
Void formatStrToMAC (const LPSTR lpHWAddrStr, unsigned char * HWAddr)
{
Unsigned int I, index = 0, value, temp;
Unsigned char c;

_ Strlwr (lpHWAddrStr); // converts it to lowercase.

For (I = 0; I <strlen (lpHWAddrStr); I ++)
{
C = * (lpHWAddrStr + I );
If (c> = '0' & c <= '9') | (c> = 'A' & c <= 'F '))
{
If (c> = '0' & c <= '9') temp = c-'0'; // number
If (c> = 'A' & c <= 'F') temp = c-'A' + 0xa; // letter
If (index % 2) = 1)
{
Value = value * 0x10 + temp;
HWAddr [index/2] = value;
}
Else value = temp;
Index ++;
}
If (index = 12) break;
}
}

// Start filling Fields
ARPPACKET ARPPacket; // defines the ARPPACKET struct variable.

Memset (& ARPPacket, 0, sizeof (ARPPACKET); // data packet Initialization

FormatStrToMAC ("DLC source MAC string", ARPPacket. dlcHeader. SrcMAC); // DLC frame Header
FormatStrToMAC ("DLC target MAC string", ARPPacket. dlcHeader. DesMAC );

FormatStrToMAC ("ARP source MAC string", ARPPacket. arpFrame. Send_HW_Addr); // source MAC
ARPPacket. arpFrame. Send_Prot_Addr = inet_addr (srcIP); // source IP address
FormatStrToMAC ("ARP target MAC string", ARPPacket. arpFrame. Targ_HW_Addr); // target MAC
ARPPacket. arpFrame. Targ_Prot_Addr = inet_addr (desIP); // target IP Address

ARPPacket. arpFrame. Opcode = htons (unsigned short) arpType); // arp packet type

// Automatically filled constant
ARPPacket. dlcHeader. Ethertype = htons (unsigned short) 0x0806); // Ethernet Type of the DLC Header
ARPPacket. arpFrame. HW_Type = htons (unsigned short) 1); // hardware type
ARPPacket. arpFrame. Prot_Type = htons (unsigned short) 0x0800); // upper-layer protocol type
ARPPacket. arpFrame. HW_Addr_Len = (unsigned char) 6; // MAC address Length
ARPPacket. arpFrame. Prot_Addr_Len = (unsigned char) 4; // ip address Length

That's all! Pai_^
After filling, what we need to do is to send our ARPPACKET struct.

2. send ARP packets:

We need to use the winpcap api to send ARP packets. The specific steps and functions are as follows. To make it easy to understand, I have removed all error handling points. For details, see the code.
/*************************************** *******************************
* Name & Params ::
* SendARPPacket ()
* Purpose:
* Send ARP packets
* Remarks:
* The winpcap api function is used.
**************************************** *******************************/
Void SendARPPacket ()
{
Char * AdapterDeviceName = GetCurAdapterName (); // obtain the NIC name first

LpAdapter = PacketOpenAdapter (AdapterDeviceName); // enable the NIC according to the NIC name

LpPacket = PacketAllocatePacket (); // allocate memory to the PACKET structure pointer

PacketInitPacket (lpPacket, & ARPPacket, sizeof (ARPPacket); // initialize the PACKET structure pointer
// The ARPPacket is the previously filled ARP packet.

PacketSetNumWrites (lpAdapter, 1); // send only one packet at a time

PacketSendPacket (lpAdapter, lpPacket, true) // Send !!!!! Pai_^

PacketFreePacket (lpPacket); // release resources
PacketCloseAdapter (lpAdapter );
}

Now, the most important part of the ARP package is over. Now you can send your ARP package as you like.

As a "Popular Science article", I will talk about additional steps and instructions related to the entire project.

3. Additional steps and instructions
1. How to Use the winpcap driver in VC
Although the winpcap Development Kit is easy to use, it takes a lot of effort to prepare for it. Pai_^
The first step is to install its driver. You can download it from its home page and it will be updated quickly.
Http://winpcap.polito.it/install/default.htm
Download WinPcap auto-installer (driver + DLLs) and install it directly, or you can install it in the provided code package.
If you want to use winpcap for development in the future, you need to download the Developer's pack and decompress it.

Then, we need to set the add-on directory of our project to the Inclulde directory for downloading Developer's pack Development Kit, and set the additional dependency library of the connector to the lib directory of Developer's pack.
Of course, because our work is relatively simple, we only use winpcap to send data packets.
In the include folder of the winpcap Development Kit, copy Packet32.h to our project and include it.
However, you must note that Packet32.h also contains a devictl. h, which must be copied together.
In the row library Packet. lib, You need to copy three files in total. If you want to add the files to the database, you don't need to talk about it. Set it in the project.
Or add # pragma comment (lib, "Packet. lib") where it is needed.

The entire project can be divided into four parts: Fill the data packet, send the data packet, enumerate the system Nic list and
Related information and enumeration system ARP cache list. Next I will explain how to obtain the system Nic and ARP columns.
Table, both use the IP Helper api, So contain And the library file Iphlpapi. lib,
In fact, they are all very simple. Just a few lines is okay.
2. Enumeration of system NICs and information
It is best to first define a struct about the NIC information so that the structure is clear.
// Nic Information
Typedef struct tagAdapterInfo
{
Char szDeviceName [128]; // name
Char szIPAddrStr [16]; // IP
Char szHWAddrStr [18]; // MAC
DWORD dwIndex; // number
} INFO_ADAPTER, * PINFO_ADAPTER;

/*************************************** ******************************
* Name & Params ::
* AddAdapInfoToList
*(
* CListCtrl & list: the list handle passed in by CARPPlayerDlg.
*)
* Purpose:
* Obtain the system Nic information and add it to the list control.
* Remarks:
* Obtain the nic ip address and MAC address. Use the IpHelper api GetAdaptersInfo.
**************************************** **************************/
Void AddAdapInfoToList (CListCtrl & list)
{
Char tempChar;
ULONG uListSize = 1;
PIP_ADAPTER_INFO pAdapter; // defines the PIP_ADAPTER_INFO structure to store network card information.
Int nAdapterIndex = 0;

DWORD dwRet = GetAdaptersInfo (PIP_ADAPTER_INFO) & tempChar, & uListSize); // key functions

If (dwRet = ERROR_BUFFER_OVERFLOW)
{
PIP_ADAPTER_INFO pAdapterListBuffer = (PIP_ADAPTER_INFO) new (char [uListSize]);
DwRet = GetAdaptersInfo (pAdapterListBuffer, & uListSize );
If (dwRet = ERROR_SUCCESS)
{
PAdapter = pAdapterListBuffer;
While (pAdapter) // enumerate the NIC and add related entries to the List
{
// Nic name
CString strTemp = pAdapter-> AdapterName;
StrTemp = "\ Device \ NPF _" + strTemp; // prefix
List. InsertItem (nAdapterIndex, strTemp );
Strcpy (AdapterList [nAdapterIndex]. szDeviceName, strTemp );
// IP
Strcpy (AdapterList [nAdapterIndex]. szIPAddrStr,
PAdapter-> IpAddressList. IpAddress. String );
List. SetItemText (nAdapterIndex, 1, AdapterList [nAdapterIndex]. szIPAddrStr );
// MAC
FormatMACToStr (AdapterList [nAdapterIndex]. szHWAddrStr, pAdapter-> Address );
List. SetItemText (nAdapterIndex, 2, AdapterLis [nAdapterIndex]. szHWAddrStr );
// Nic ID
AdapterList [nAdapterIndex]. dwIndex = pAdapter-> Index;

PAdapter = pAdapter-> Next;
NAdapterIndex ++;
}
Delete pAdapterListBuffer;
}
}
}

2) obtain the ARP entry list
// ARP entry information
Typedef struct tagARPInfo
{
Char szIPAddrStr [16]; // IP
Char szHWAddrStr [18]; // MAC
DWORD dwType; // type
} INFO_ARP, * PINFO_ARP;


/*************************************** *******************************
* Name & Params ::
* AddARPInfoToList
*(
* CListCtrl & list: the list handle passed in by CARPPlayerDlg.
* Const short nAdapterIndex: ID of the selected Nic
*)
* Purpose:
* Read the system's ARP cache list and add it to the dialog box.
* Remarks:
* The iPhone per api GetIpNetTable is used.
* WinSock APIs must be included.
**************************************** *************************/
Void AddARPInfoToList (CListCtrl & list, const short nAdapterIndex)
{
Char tempChar;
DWORD dwListSize = 1;
DWORD dwRet;
In_addr inaddr;
List. DeleteAllItems ();

DwRet = GetIpNetTable (PMIB_IPNETTABLE) & tempChar, & dwListSize, TRUE); // key functions
If (dwRet = ERROR_INSUFFICIENT_BUFFER)
{
PMIB_IPNETTABLE pIpNetTable = (PMIB_IPNETTABLE) new (char [dwListSize]);
DwRet = GetIpNetTable (pIpNetTable, & dwListSize, TRUE );
If (dwRet = ERROR_SUCCESS)
{
For (int I = 0; I <(int) pIpNetTable-> dwNumEntries; I ++)
{
// IP
Inaddr. S_un.S_addr = pIpNetTable-> table . DwAddr;
Strcpy (ARPList. SzIPAddrStr, inet_ntoa (inaddr ));
// MAC
FormatMACToStr (ARPList. SzHWAddrStr, pIpNetTable-> table. BPhysAddr );
// Type
ARPList. DwType = pIpNetTable-> table. DwType;

If (AdapterList [nAdapterIndex]. dwIndex! = PIpNetTable-> table. DwIndex) continue;

List. InsertItem (I, ARPList. SzIPAddrStr );
List. SetItemText (I, 1, ARPList. SzHWAddrStr );
Switch (ARPList. DwType) {// convert to character display based on the value of type
Case 3:
List. SetItemText (I, 2, "Dynamic ");
Break;
Case 4:
List. SetItemText (I, 2, "Static ");
Break;
Case 1:
List. SetItemText (I, 2, "Invalid ");
Default:
List. SetItemText (I, 2, "Other ");
}
}
}
Delete pIpNetTable;
}
}
In this way, we have basically achieved success. We will not talk about other things here. You can download my code and check it out.
Next we will use ARP packets to play some tricks ^_^.
4. Games with ARP packets
Since we can fill in data packets by ourselves, it is easy to play some ARP "games" spoofing. Of course, it is in a network without security protection, for example, only the hub or switch connects you, but there is no route segment ...... Pai_^
Next I will introduce some tips about ARP.
1. Tips
1) You can try to send a request packet broadcast, and fill in your information in the ARP frame as follows:
(To save space, I only need to specify the filling fields)
The sender MAC6 randomly fills in an incorrect
The sender IP4 fills in your IP address
What are the results? Is there an IP address conflict prompt? Well, in the same way, if the sender's IP address is filled with another user's IP address, then it will be sent once every 1 second ........... -_-B
2) For example, if you all rely on a gateway 192.168.0.1 to access the Internet, if you want to make 192.168.0.77 fail to access the Internet, you can disguise it as a gateway to send an incorrect ARP response packet to 192.168.0.77, like this
The sender MAC6 randomly fills in an incorrect
Sender IP4 gateway IP address 192.168.0.1
The recipient will fill in the relevant information of 192.168.0.77. After sending the message, will it still be able to access the Internet?
This will take him over for a while. As long as its system does not get the correct ARP ing table to the gateway, it will never get online.
There are still many similar tricks, but it doesn't mean anything to stay here. Let's look at it a little more advanced.
2. ARP Spoofing
In Ethernet, network devices are computers identified by MAC information. For example, if computer A knows that the MAC address is 22, if I send an ARP response packet to A and tell it that my MAC is 22-2-2-2-2-22, A will also think that my computer is B, we imagine such an environment,
A's firewall only trusts B whose IP address is 192.168.0.2 and MAC is 22-22-22-22-22, and A opens port 21 to provide FTP services, under normal circumstances, because of the firewall, our computer cannot connect to,
So we can try to let B down, or change our IP address to 192.168.0.2 of B when it is shut down, and then send an ARP response packet to, tell A to update the ARP cache list and map the IP address 192.168.0.2 to our
The MAC address came up, so A miracle occurred. we can connect to the FTP of A, and the firewall failed. ^_^
However, this method can only take effect within the same network segment. If we and A are not in the same network segment, it will be much more complicated. We also need to use ICMP redirection to control the routing of packets, I will explain the ICMP packet in detail later.
3. Monitoring Principles Based on ARP Spoofing
There are a lot of listening techniques, but our common sniffer tool can only play a role in the hub-based network, even the switch is powerless, at this time, our ARP spoofing technology will come in handy.
Assume there are three hosts, A, B, and our hosts in the same LAN.
A is communicating with B. If we want to probe A?> B communication content, so we can send A forged ARP response packet to A, telling A that the MAC entry corresponding to B's IP address is our MAC address, so, A will refresh its ARP cache accordingly, and send the data sent to B to our host continuously. In this way, I can analyze the received data packets, achieve the purpose of listening. Of course, because the dynamic ARP cache is dynamic and has A timeout time, we have to send an ARP response packet to A every time.
Although we have achieved this goal, the communication between A and B has been stopped. To prevent B from discovering, We have to forward all the packets received each time to B, in this way, everything is seamless.
Similarly, if we want to listen to packets of B à A, we also send an ARP response packet to B, telling B that the MAC corresponding to the IP address of A is the MAC address of our host, therefore, packets from B to A are continuously sent to our host. Of course, we also need to forward these packets,
A <------> our host <------> B
If everything is correct, the communication content between A and B will be listened to by ^_^.

I think this post is a good reposted ........